Q1 - What exactly counts as a “data breach” under DPDPA?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), a data breach refers to any unauthorised processing, disclosure, access, alteration, or loss of personal data that compromises the confidentiality, integrity, or availability of such data.
Although the Act does not give a single-line definition, the meaning is clearly derived from Section 8(5), which outlines the duty of every company (Data Fiduciary) to protect personal data against breaches of security safeguards.
1. Legal Reference
Section 8(5) —
Every Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective compliance with the provisions of this Act and protect personal data in its possession from breach of security safeguards. In the event of such a breach, the Data Fiduciary shall notify the Board and each affected Data Principal in such manner as may be prescribed.
This means any event that results in a breach of security safeguards — whether caused by hacking, system failure, human error, or negligence — qualifies as a data breach under the DPDPA.
2. Common Types of Data Breaches
| Type of Breach | Description | Example Scenario |
|---|---|---|
| Confidentiality Breach | Unauthorized disclosure or access to personal data. | A hacker gains access to customer financial records through a misconfigured server. |
| Integrity Breach | Unauthorized modification, alteration, or corruption of data. | An employee changes stored customer addresses without authorization. |
| Availability Breach | Accidental or unlawful destruction or loss of access to personal data. | A ransomware attack encrypts customer data, making it unavailable. |
| Unauthorized Processing | Use of personal data beyond the scope of consent or lawful purpose. | A marketing firm uses collected email addresses to promote unrelated products without consent. |
3. Examples of Real-World Scenarios
A company accidentally uploads a file containing customer contact information to a public folder. Even if no malicious actor accesses it, this counts as a data breach because the information was exposed without authorization.
An employee exports customer data to an external USB drive for personal use. This qualifies as unauthorized processing and disclosure, both forms of breach.
A ransomware attack locks and steals customer data from a cloud database. The event compromises both confidentiality and availability, triggering the company’s obligation to report the breach to the Data Protection Board and the affected Data Principals.
4. Obligations Following a Breach
When a data breach occurs, the company (Data Fiduciary) must:
- Immediately assess the nature and scope of the breach.
- Notify the Data Protection Board of India and all affected individuals, as prescribed by rules (expected to mirror CERT-In’s 6-hour framework).
- Take remedial measures to contain and mitigate damage.
- Maintain breach logs and evidence for future audits.
Failure to report or safeguard against breaches may attract heavy penalties under Section 33(1) and the Schedule.
5. Penalties for Data Breaches
| Violation Type | Relevant Section | Maximum Penalty |
|---|---|---|
| Breach of security safeguards leading to data exposure | Section 8(5) | Up to ₹250 crore |
| Failure to notify the Data Protection Board or affected Data Principals | Section 8(5) read with Section 33(1) | Additional penalties or directions from the Board |
6. Key Takeaway
A data breach under DPDPA includes any unauthorized access, disclosure, alteration, destruction, or misuse of personal data that violates security safeguards.
Even unintentional leaks or temporary losses of access are treated as breaches if they risk harm to individuals.
Referenced Provisions:
- Section 8(5) – Obligation to protect personal data and notify breaches.
- Section 33(1) – Monetary penalties for violations.
- Schedule (Entry 2) – Breach of security safeguards punishable up to ₹250 crore.