Personal data breach

From Justice Definitions Project

What is 'Personal Data Breach'?

A personal data breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of protected information. It occurs when sensitive data, such as financial records, identification numbers, or contact details, is accessed or shared without proper authorization.

While often associated with external cyberattacks, a breach can also result from internal negligence, such as misdirecting an email or losing unencrypted hardware. Organizations are legally obligated to manage these incidents rigorously to mitigate risks like identity theft, financial fraud, and reputational damage.

A personal data breach is not only about hacking or large cyberattacks. Even small mistakes, such as sending data to the wrong person, losing a device or using data for a different purpose, can count as a breach. When Section 2(u) is read together with Section 8(5) of the Digital Personal Data Protection Act, it becomes clear that the law focuses on whether proper security measures were in place. The idea of a breach is therefore closely connected to how responsibly an organisation handles personal data.[1]

Official Definition of 'Personal Data Breach'

The term 'Personal Data Breach' as defined in legislation(s)

The Digital Personal Data Protection Act (DPDPA), 2023, provides a specific and comprehensive definition of a personal data breach to ensure high standards of data security and accountability.

According to Section 2(u) of the DPDP Act, 2023, a "personal data breach" means:

"any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data."

Legal provision(s) relating to 'Personal Data Breach'

Digital Personal Data Protection Act, 2023

Section 8(5) of the Act places a proactive duty on the Data Fiduciary to prevent breaches before they occur: it must implement "reasonable security safeguards" to prevent a personal data breach. This obligation extends to any processing undertaken by a Data Processor on its behalf.

Under Rule 6, companies must protect personal data through key safeguards such as encryption (making data unreadable to anyone who obtains it without the key), de-identification (removing personal identifiers so that individuals cannot easily be traced) and access controls (ensuring that only authorized people can view or handle the data).

Duty to Inform in case of Personal data breach

Once a breach occurs, Section 8(6) of the DPDPA and Rule 7 of the DPDP Rules apply: the company has a non-derogable duty to notify two specific parties:

  1. The Data Protection Board - The company must report the breach as soon as practicable. The 2025 Rules specify this should generally happen within 72 hours of the company becoming aware of the issue.
  2. The Data Principal - Unlike laws in some other countries that notify individuals only if the risk is "high", the DPDPA is stricter. The Data Fiduciary must tell the data principal about the breach regardless of how severe it is. This transparency-first approach ensures that the data principal can change passwords or freeze accounts immediately.

The notification to the Data Principal must contain the following:

  1. Nature of the breach
  2. Potential consequences
  3. Remedial measures
  4. Business contact information of a person who is able to respond on behalf of the Data Fiduciary

Penalties and Inquiries

The legal weight of a "personal data breach" is backed by serious financial consequences found in Section 27 and Section 33 of the Act.

  1. The Inquiry - The Data Protection Board has the power to investigate any breach. It can step in and order urgent remedial measures to contain the damage while it establishes what went wrong.
  2. The Fines - The "Schedule" of the Act lists some of the heaviest penalties in Indian regulatory history:
     1. Failure to protect the data - Up to Rs. 250 Crores
     2. Failure to notify the Board or Individuals - Up to Rs. 200 Crores

Ancillary Terms

A. Personal Data

The DPDPA, under Section 2(t), defines it as "any data about an individual who is identifiable by or in relation to such data." This is a broad, technology-neutral definition.

B. Harm

"Harm", referred to in section 2(v), is used as a factor for determining penalties, and through it the Act considers the impact of a breach on the Data Principal. Conceptual "harm" includes:

  • Identity theft or financial loss.
  • Loss of reputation or humiliation.
  • Discrimination or harassment.

C. Significant Data Fiduciary

If a breach occurs within a Significant Data Fiduciary, the legal scrutiny is higher. They are required to have conducted a Data Protection Impact Assessment (DPIA) (Section 10(2)(c)), which serves as a vital legal record to prove whether "reasonable safeguards" were actually in place prior to the breach.

'Personal Data Breach' as defined in international instrument(s)

Principal Treaty: The GDPR (EU/International Standard)

Although the General Data Protection Regulation (GDPR) is an EU regulation[2], it is recognized as the "gold standard" in international data law. Under Article 4(12), it defines a personal data breach as:

"...a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

Council of Europe: Convention 108+

The Convention for the Protection of Individuals with Regard to the Processing of Personal Data (known as Convention 108+) is the only legally binding international treaty with a global reach (open to non-European states). While the original 1981 text focused on security measures, the 2018 Modernised Convention (Protocol CETS No. 223) explicitly introduces the obligation to notify "data breaches." It interprets a breach as:

"...security incidents which may seriously interfere with the rights and fundamental freedoms of data subjects," resulting from accidental or unauthorised access, destruction, loss, or alteration.[3]

International Organizations (IOs)

Multilateral bodies have established frameworks to govern their own data handling and to provide guidelines for member states:

  1. United Nations (UNDRR/UN Secretariat): The UN Office for Disaster Risk Reduction (UNDRR) defines a data breach as a security incident where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. It specifically notes that personal data breaches compromise Personally Identifiable Information (PII).[4]
  2. The World Bank: In its Data Protection and Privacy Framework, a "Data Breach" is defined as any breach of security obligations leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.[5]
  3. OECD (Guidelines on the Protection of Privacy): While the OECD Guidelines (2013) do not use a single "sentence" definition, they define the concept through the Security Safeguards Principle, stating that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.[6]

'Personal Data Breach' as defined in official government report(s)

48th Standing Committee Report (2023)

This report outlines the provisions of the Digital Personal Data Protection (DPDP) Bill regarding data breaches:

A breach is defined as any unauthorized processing, disclosure, acquisition, use, or destruction of personal data that compromises its confidentiality, integrity, or availability. Data Fiduciaries are required to implement security safeguards to prevent breaches and must intimate both the Data Protection Board (DPB) and affected individuals in the event of an incident.

The DPB is empowered to inquire into breaches, issue directions for mitigation, and impose significant financial penalties. The report cites maximum penalties of ₹250 crore for failing to take reasonable security safeguards and ₹200 crore for failing to notify the Board and individuals.[7]

The DPDP Rules, 2025 derive authority from Section 40 which empowers the Central Government to prescribe procedures for breach notification, safeguards and compliance documents.

For repeated violations, the Board may advise the government to block access to the Fiduciary’s platform in the interest of the general public.

Digital Personal Data Protection Rules, 2025

This document focuses on the operationalization of the DPDP Act through specific rules:

Data Fiduciaries must inform affected individuals about a breach "without delay" and "at the earliest". Breach notifications must be in plain language and detail exactly what happened, the possible impact, and the specific steps taken to address the issue. Notifications must include contact details for assistance to help people act quickly to reduce potential harm.

The Rules establish a digital-first Data Protection Board of four members to oversee compliance and simplify grievance redressal for citizens.

B.N. Srikrishna Committee Report (2018)

This early research document provides the conceptual underpinnings for India's data protection framework:

It suggests that only breaches posing a "likelihood of harm" to the rights of individuals should be mandatorily notified to the Data Protection Authority (DPA). The report proposes that the DPA should have the power to decide if a breach is severe enough to require direct notification to affected individuals.[8]

It acknowledges that establishing the scope of a breach is complex and suggests notification should occur as soon as circumstances surrounding the breach permit identifying its extent. It recommends a "Common Reference Framework" for security, stating that failure to notify a breach should make a fiduciary liable for penalties.

NBDA Annual Report (2022–23)

The News Broadcasters & Digital Association annual report discusses breaches from an industry standpoint, raising concerns about the 2022 Draft Bill:

The industry argues that fiduciaries should not be penalized for breaches resulting from cyber security incidents where they themselves are victims, as Internet-based systems can never be completely hack-proof. It points out a potential overlap in compliance, as entities are already required to report breaches to the Computer Emergency Response Team (CERT-In).[9]

The report suggests that penalty provisions should be dispensed with when a breach occurs unknowingly or unintentionally, especially given the lack of visibility some industries have over processed data.

Steering Committee on Fintech (2019)

This report discusses breaches specifically within the financial technology sector:

It recommends the use of fintech to bolster cybersecurity and fraud control to protect against money laundering and data theft. The committee suggests that public sector financial firms should use Artificial Intelligence and Machine Learning in back-end processes to identify early warning signs of fraud and security risks.

It encourages the development of SupTech (Supervisory Technology) to enable regulators to monitor industry trends and identify irregularities in real-time.[10]

Working Group on Cyber Liability Insurance (2020)

This Working Group on Cyber Liability Insurance examined breaches from the perspective of risk transfer and insurance:

Breaches are grouped into loss types, including business interruption, data/software loss, and cyber ransom/extortion. It notes that under Section 43A of the existing IT Act, body corporates are liable for compensatory damages if negligence in data protection causes wrongful loss.[11]

The report highlights that cyber insurance can cover incident response costs, such as forensics, public relations, and legal defense. It cites sector-specific rules, such as the RBI's requirement for banks to report cybersecurity incidents within two to six hours.

Data Protection White Paper (2017)

This white paper provided the initial analysis used to solicit public opinion on the draft law:

It classifies breaches into three groups: Confidentiality (unauthorized access), Integrity (unauthorized alteration), and Availability (accidental loss or destruction). The paper notes that detection can take a long time. It cites studies where retail and financial breaches took between 98 and 197 days to discover.[12]

It recommends that notifications include the type of breach, estimated date, number of individuals affected, and the steps being taken to minimize the impact. It explores a "notification matrix" where different time limits could be set based on the size of the organization to avoid overburdening SMEs.

'Personal Data Breach' as defined in case law(s)

Justice K.S. Puttaswamy (Retd.) v. Union of India - 2019 (1) SCC 1

In this case, the Supreme Court treated a personal data breach as a direct and serious threat to individual autonomy, dignity, and informational self-determination, with particular emphasis on the permanent compromise of biometric identifiers. The Court’s constitutional analysis significantly influenced the legislative architecture of the Digital Personal Data Protection Act, 2023 (DPDPA). Reflecting judicial concerns, the Act adopts an expansive understanding of a personal data breach. It covers not only accidental leaks but any unauthorized processing that undermines the confidentiality, integrity, or availability of personal data.

Justice D.Y. Chandrachud’s opinion in Puttaswamy characterized data breaches as multidimensional risks to fundamental rights. A central concern was the irreversibility of biometric theft: unlike passwords or tokens, biometric attributes such as fingerprints and iris scans cannot be reissued once compromised. The Court observed that once a biometric system is compromised, the compromise is effectively permanent. The judgment also warned that unauthorized access to personal data enables surveillance, commercial exploitation, and granular profiling of individuals, which can shape behavioral patterns and potentially distort democratic processes, including electoral decision-making. Further, the Court introduced the concept of “civil death,” and cautions that the suspension or misuse of Aadhaar-linked identity could result in an individual being excluded from essential services or rendered entirely dependent on the State’s data infrastructure. The Court additionally criticized the Aadhaar framework for weak institutional accountability and notes the absence of clear liability for the UIDAI in the event of data loss, misuse, or non-compliance.

The DPDPA translates these constitutional anxieties into a concrete statutory definition. Section 2(u) defines a “personal data breach” as any unauthorized processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of such data. This formulation marks a shift from a narrow, leak-centric view of breaches to a systems-oriented risk model.

Several elements of the definition closely track the Court’s reasoning in Puttaswamy. First, the explicit inclusion of “unauthorized processing” captures the Court’s concern about unauthorized exploitation by both State and non-State actors, extending the concept of breach beyond accidental incidents. Second, the recognition of “loss of access” as a breach resonates with the fear of civil death, where individuals may be functionally excluded from their own identity or essential entitlements due to data system failures or misuse. Third, by covering compromises to confidentiality, integrity, and availability, the Act ensures that not only data theft but also data tampering or service denial qualifies as a reportable breach. This reflects a modern information security paradigm rather than a purely privacy-centric one.

The DPDPA also operationalizes the Court’s demand for accountability. Where Puttaswamy highlighted the lack of institutional responsibility under the Aadhaar regime, the Act places primary compliance obligations on Data Fiduciaries, including the duty to implement reasonable security safeguards and to report breaches. It mandates notification of personal data breaches to the Data Protection Board of India and to affected Data Principals, thereby addressing the earlier opacity around incidents and remedies.

In simple terms, the move from Puttaswamy to the DPDPA shows a shift from seeing data breaches mainly as a constitutional privacy problem to treating them as clear legal compliance violations.

Karthik Theodore vs. The Registrar General, Madras High Court, Chennai and Ors. - 2021 SCC OnLine Mad 2755

In this case, Madras High Court clarified key aspects of informational privacy and post-acquittal protection. The Court examined whether personal details in a judicial record should remain publicly accessible after the accused had been acquitted. It held that continued disclosure, when it serves no public purpose, can cause real harm.

The appellant sought removal of his name and identifying particulars from a 2014 judgment after his acquittal under Sections 417 and 376 of the IPC. He argued that public access to the judgment affected his reputation and employment prospects. The Madras High Court accepted that privacy forms part of the right to life under Article 21. It also recognized the Right to be Forgotten as a facet of that guarantee.

The Court balanced open justice with individual privacy. It found that once acquittal was final, unrestricted publication of the appellant’s identity was not necessary. It directed the Registrar General to redact his personal details from the judgment. It also ordered Ikanoon Software Development Private Limited to remove the unredacted version from its portal.

The ruling clarifies the object of the Digital Personal Data Protection Act, 2023. The statute permits lawful data use for judicial purposes, but it does not justify prolonged public exposure without need. Data protection extends beyond breach prevention. It includes control over unnecessary retention and publication once the legal purpose has ended.

Dabur India Limited v. Ashok Kumar (2025 SCC OnLine Del 9651)

In this matter, the court scrutinized the interplay between Section 2(t), which defines personal data as identifiable information, and Section 2(u), which defines a personal data breach. The court observed that the prevailing practice of default redaction by Domain Name Registrars (DNRs) frequently allows malicious actors to operate under a "garb of privacy" to evade legal accountability. It was held that when data is masked to the point where it is no longer identifiable, it circumvents the core requirements of Section 2(t). Further, the court ruled that disclosing such data to a party with a legitimate interest, such as an aggrieved intellectual property owner, qualifies as authorized processing and specifically does not constitute a personal data breach under Section 2(u).

Xiaomi Technology India Pvt. Ltd. v. WWW. Xiaomi-India. XYZ (2025 SCC OnLine Del 9687)

The judicial findings in the Xiaomi case were anchored in Section 4 (lawful processing) and Section 7 (legitimate uses) of the DPDP Act. The court addressed the challenge posed by privacy protection services that shield and mask the identities of perpetrators involved in infringing domain names. The court determined that the occurrence of cyber fraud inherently establishes a legitimate interest, and categorized the resulting data disclosure as a lawful processing activity under Section 7. By framing the disclosure as a "legitimate use", the court clarified that such actions fall outside the scope of an unauthorized personal data breach.

Mother Dairy Fruit & Vegetable Pvt. Ltd. v. Kumar Prahlad (2025 SCC OnLine Del 9686)

In this case the court focused on delineating the boundaries of unauthorized data transmission by framing the disclosure as a "legitimate use". While acknowledging that DNRs should generally protect personal data within the WHOIS database, the court held that they are mandated to disclose such information when directed by competent authorities or to satisfy a legitimate interest. The judgment emphasized that a personal data breach is fundamentally characterized by "unauthorised processing". Therefore, disclosing data to mitigate a violation of law is viewed as a proportionate and authorized encroachment on privacy rather than a breach of fiduciary duty.

Tata Sky Limited v. S G Enterprises (2025 SCC OnLine Del 9667)

This case involved an analysis of Section 2(t) regarding identifiable data and Section 3 concerning the extraterritorial application of the Act. The Plaintiff successfully argued that the masking of registrant details creates a vacuum of identifiable data, which directly facilitates large-scale public deception. The court’s findings centered on the principle that a request for data by an IP owner or a Law Enforcement Agency (LEA) in the context of cyber fraud constitutes a legitimate interest. This interest provides a lawful basis under the DPDP Act that overrides standard privacy redaction protocols, ensuring that transparency in the face of illegal activity is not penalized as a data breach.

Colgate Palmolive Company v. NIXI (2025 SCC OnLine Del 10063)

The Colgate judgment further refined the grounds for lawful processing under Section 4 and Section 7. The court was particularly concerned with the misuse of privacy features to facilitate fraudulent activities, such as deceptive job interviews conducted via infringing domains. The court affirmed that revealing information to parties with a legitimate interest is a regulated process under the DPDP Act by directing DNRs to forthwith disclose the details of the registrants. This ensures that privacy mechanisms intended for legitimate users do not become tools for shielding illegal conduct from discovery.

HT Media Ltd. v. Pooja Sharma (2025 SCC OnLine Del 9685)

In this case, the court examined the "Privacy Protect feature" and the resulting anonymity afforded to fraudsters. The court established that while privacy remains the default legal position, disclosure must be the exception in cases of legitimate interest by invoking Section 4 (lawful purpose and consent) and Section 7 (legitimate use). The court held that seeking data for IP enforcement or cybercrime investigation by LEAs falls squarely within this exception.

Through categorizing these disclosures as legitimate uses under the DPDP Act, the judiciary has ensured that the necessary tracing of cybercriminals is not legally categorized as a personal data breach.

The materials under consideration demonstrate a direct and structural relationship between identity theft and financial fraud within the digital commercial environment. The examined cases reveal that impersonation, fabricated credentials, and misuse of personal identifiers form the operational foundation of organized economic deception.

Identity Theft as the Structural Foundation of Financial Fraud

In the batch matters involving Dabur, Xiaomi, Mother Dairy, Tata Sky, Colgate, and HT Media, the court identified a recurring fraudulent scheme that relied upon false identity creation as a precursor to financial exploitation. Identity theft did not operate as a peripheral element. It constituted the central mechanism that enabled the fraud.

Fraudulent actors opened bank accounts using forged Aadhaar and PAN credentials. In multiple instances, the biometric data and photographs linked to those accounts did not correspond with the named account holders. This pattern indicates deliberate falsification of identity records rather than mere procedural irregularity. The perpetrators either misappropriated personal data or constructed fictitious identities capable of passing formal verification systems.

Once operational, these bank accounts functioned as instruments of deception. Victims transferred funds after fraudulent representations regarding employment, dealership rights, distributorships, or franchise opportunities connected to established commercial brands. The reputational capital of legitimate companies enhanced the credibility of these representations and induced financial reliance.

The accounts served as temporary repositories for illicit funds. Perpetrators withdrew or transferred money shortly after receipt and abandoned the accounts thereafter. The false identity infrastructure prevented effective tracing of the responsible individuals. Identity theft therefore operated as the enabling architecture of the financial fraud. Without fabricated or stolen credentials, the extraction and dissipation of funds would not have occurred in this manner.

A related dimension of financial misconduct appeared in proceedings before the Securities and Exchange Board of India in the case of Vivek Chauhan and Others And Pressure Sensitive Systems (India) Limited (2025 SCC OnLine SEBI-QJA 34), where securities manipulation formed the subject of regulatory scrutiny. Although the procedural posture differed, the underlying concern remained the same: financial transactions tied to identifiable persons. Accurate identity attribution remained essential for regulatory accountability and enforcement.

Empirical evidence from large-scale data compromise incidents reinforces this intersection. Breaches affecting organizations such as Air India and MobiKwik exposed sensitive personal identifiers. Criminal actors subsequently used such data to open fraudulent accounts or secure unauthorized credit facilities. Victims often bore the financial liability and reputational harm associated with these transactions.

The cases collectively establish that identity theft functions as the structural predicate of financial fraud in contemporary digital markets. The misappropriation or fabrication of personal identifiers creates the appearance of legitimacy, which in turn facilitates monetary extraction. Financial fraud thus represents the economic manifestation of identity manipulation.

Types of 'Personal Data Breach'

India (DPDPA)

India’s Digital Personal Data Protection Act (DPDPA) classifies personal data breaches differently than Western laws. In some countries, companies only have to speak up if a data leak is likely to cause ‘real harm’. India’s law skips that debate. If the data is not where it is supposed to be, it’s a breach.

Under Section 2(u) of the Act, a "personal data breach" is classified into five specific types of incidents:

Unauthorized Processing

This classification covers any handling of personal data that violates the Act or the consent provided. It includes data being used for a purpose other than what was specified in the notice, or data being processed by a third party (Data Processor) without a valid contract from the Data Fiduciary.

Accidental Disclosure

This identifies breaches caused by human or technical error rather than malicious intent. Examples include sending personal data to the wrong recipient via email, publishing a database publicly due to a cloud misconfiguration, or a "copy-paste" error in a public document.

Unauthorized Use or Sharing

This classification refers to situations where data is accessed or distributed by parties who do not have the legal right to do so. This includes malicious outsiders (hackers stealing a database) and insider threats (an employee downloading a customer list for their own gain).

Unauthorized or Accidental Alteration

Similar to the "Integrity Breach" in the UK, this classifies incidents where the data is changed. It includes unauthorized modifications that compromise the accuracy or reliability of the personal data, such as changing a user's financial records or medical history.

Unauthorized or Accidental Destruction or Loss of Access

This is the DPDPA's equivalent of an "Availability Breach".

Specifics:

  1. Accidental deletion of data or physical damage to servers containing the data.
  2. Specifically covers ransomware attacks where the data still exists on the server but is encrypted and inaccessible to the organization and the user.

Global data protection laws in the US, UK, Canada, and Brazil classify personal data breaches using distinct frameworks ranging from technical impact to the specific nature of the data compromised.

International Experience

Brazil

Brazil's General Data Protection Law (LGPD), read with the clarifying ANPD Resolution No. 15 of 2024, establishes a regime in which not every security incident is a legal breach. The focus is on actual risk and structured recovery. Under Article 48 of the LGPD, the obligation to notify arises only if the incident is likely to result in "relevant risk or damage" to the subjects. This is further clarified by Article 5 of Resolution 15, which creates a "double filter":

  1. The event must significantly affect fundamental rights, and
  2. it must involve high-risk data, such as sensitive, financial or large-scale datasets.

When a breach crosses this threshold, the notification process is strictly governed by Article 48, Paragraph 1 of the LGPD. The communication must be made as soon as reasonably feasible and must contain a description of the nature of the affected personal data along with detailed information on the data subjects involved. To maintain transparency without compromising defence, the law requires an indication of the technical and security measures used for protection, subject to trade and industrial secrets. The controller must also explicitly state the specific risks related to the incident and provide the reasons for any delay in cases where communication was not immediate.[13]

Finally, the notice must outline the measures that have been or shall be adopted to reverse or mitigate the effects of the damage. Even if a breach is not reported, Article 14 of the Resolution requires an “Incident Registry” to be maintained for 5 years, documenting the internal investigation and the legal rationale for not notifying the authorities.

United Kingdom

The UK mechanism, governed by the UK GDPR and the Data Protection Act 2018, utilizes a split notification system based on the severity of the risk.[14] Under Article 33 of the UK GDPR, controllers are required to notify the Information Commissioner's Office (ICO) within 72 hours of discovery unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.[15]

However, the threshold for notifying the data subjects themselves is significantly higher under Article 34, which only mandates communication if the breach is likely to result in a high risk, such as potential identity theft, fraud or physical harm.[16] To account for the reality of complex cyber forensics, Article 33(4) explicitly allows for "Phased Reporting". This permits the controller to provide initial findings to the regulator quickly and follow up with more detailed supplementary information as the investigation unfolds, preventing the spread of misinformation while ensuring the regulator is kept in the loop.[17]

Canada

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) focuses on a qualitative assessment known as the "Real Risk of Significant Harm" (RROSH) rather than a rigid numerical or hourly trigger. Under Section 10.1(1), organisations must report any breach involving personal information if it is reasonable to believe the incident creates a RROSH. Section 10.1(7) provides an expansive definition of "significant harm", including not just financial loss but also humiliation, damage to reputation or relationships and loss of employment or professional opportunities.[18]

To determine if the threshold is met, Section 10.1(8) requires a balancing test that weighs the sensitivity of the data against the probability that the information will be misused. Unlike the strict clocks found in Europe, Canada requires notification "as soon as feasible" under Section 10.1(6), prioritizing the accuracy and actionability of the notice so that victims can take clear steps for mitigation. Accountability is maintained through Section 10.3, which mandates that a record of every security safeguard breach be kept for at least 24 months, regardless of whether it met the reporting threshold.

United Arab Emirates

The UAE’s Federal Decree-Law No. 45 of 2021 (the UAE Data Protection Law) aligns closely with the UK’s risk-based model, emphasising the impact on the individual over the mere existence of a technical glitch. Under Article 9(1), controllers must notify the UAE Data Office of any breach that would “prejudice the privacy, confidentiality and security” of the subject.[19]

Similar to the UK, notification to the data subject is only required if there is a high risk to their rights. Within the UAE's financial free zones, the rules are even more specialised. For instance, the DIFC Data Protection Law No. 5 of 2020 (Article 42) mandates reporting as soon as practicable, while the ADGM Data Protection Regulations 2021 (Section 33) adopt a 72-hour window but place a heavy priority on the controller’s ability to demonstrate immediate mitigation measures to avoid further legal action.[20]

Research that engages with 'Personal Data Breach'

Research on personal data breach in India has primarily emerged from academic institutions, civil society organisations, policy think tanks and independent research bodies rather than governmental publications. These studies play an important role in shaping the conceptual understanding of personal data breach by situating it within broader debates on informational privacy, cybersecurity governance, digital infrastructure expansion and regulatory enforcement.

While statutory frameworks such as the Information Technology Act and the Digital Personal Data Protection Act, 2023 define personal data breach largely in terms of unauthorised access, disclosure, alteration or loss of personal data, non-government research examines the structural conditions that enable such breaches. These include excessive data collection, weak security practices, outsourcing to third-party vendors, fragmented regulatory oversight and lack of transparency in breach reporting.

Within the Indian justice context, this body of research contributes to understanding how personal data breaches affect access to remedies, institutional accountability and the realisation of the constitutional right to privacy. The following research documents illustrate how the concept has been developed beyond official documentation.

Research Document 1 - Internet Freedom Foundation - Cybersecurity and Data Breach Transparency Reports

Internet Freedom Foundation’s quarterly cybersecurity reports document major personal data breaches across sectors such as government databases, fintech platforms, healthcare systems and telecommunications. These reports compile publicly reported incidents, examine patterns in breach disclosure and assess institutional responses. The research treats personal data breach not merely as a technical incident but as a governance issue. It highlights how delayed notification, the absence of mandatory public registries and inconsistent reporting standards prevent individuals from understanding risks and seeking remedies. The reports also connect breaches with procurement practices, vendor management failures and the expansion of digital public infrastructure.[21]

By framing breach disclosure as a transparency obligation linked to fundamental rights, the research builds the concept of personal data breach beyond statutory definitions. It emphasises that breaches undermine trust in digital governance and raise questions of accountability within both public authorities and private data fiduciaries.

Research Document 2 - Centre for Internet and Society - Privacy, Data Governance and Digital India Studies

Research produced by the Centre for Internet and Society examines personal data breach within the lifecycle of data governance, focusing on how collection, storage, sharing and retention practices create systemic vulnerability. Studies analysing Digital India initiatives, Aadhaar-linked services, digital health infrastructure and education platforms demonstrate how large-scale aggregation of personal data increases breach risks.

CIS research builds the concept by treating personal data breach as a foreseeable outcome of design choices rather than an exceptional event. It highlights the role of data minimisation failures, weak encryption standards, third-party vendor relationships and function creep in enabling breaches. The work also explores how welfare databases concentrate sensitive information relating to socio-economic status, thereby amplifying harms when breaches occur.[22]

Issues raised include limited institutional capacity for security audits, ambiguity regarding responsibility across data ecosystems and disproportionate impact on vulnerable populations. By linking technical architecture with legal responsibility, CIS research expands the conceptual understanding of personal data breach into a structural governance problem.

Research Document 3 - Academic and Policy Scholarship on Cybersecurity Governance and Incident Reporting

Academic and policy research examines personal data breach through regulatory design, comparative frameworks and user perception studies. Scholarship analysing India’s emerging data protection regime evaluates breach notification thresholds, enforcement challenges and cross-border data governance. Studies also investigate privacy risks arising from open government data, digital platforms and AI-driven systems.

This research extends the concept of personal data breach by linking incidents to questions of state capacity, corporate compliance incentives and institutional preparedness. Instead of focusing solely on legal definitions, academic work explores how digital ecosystems create cascading risks where breaches in one system affect multiple downstream services.[23]

The literature also highlights gaps in public awareness, absence of reliable breach statistics and challenges in attributing liability within complex digital supply chains. By situating breaches within broader cybersecurity governance debates, academic research contributes to understanding personal data breach as a policy and justice issue.

Research Gaps and Overlap in Research

Across these research documents, there is significant overlap in identifying core concerns such as weak breach disclosure practices, inadequate accountability of data fiduciaries, fragmented regulatory oversight and limited remedies for affected individuals. Most studies converge on the importance of transparency, data minimisation and independent oversight mechanisms.

However, important gaps remain. Empirical datasets measuring the frequency, scale and long-term impact of personal data breaches in India are limited due to voluntary reporting and corporate opacity. Sector-specific analysis is uneven, with emerging areas such as education technology, gig platforms and small digital service providers receiving comparatively less attention.

Another gap relates to procedural justice. While research extensively discusses rights and governance, there is limited examination of compensation mechanisms, litigation pathways and enforcement outcomes following breaches. Longitudinal studies tracking whether regulatory reforms improve breach prevention are also scarce.

Overlaps are visible in normative recommendations, particularly calls for mandatory breach notification, stronger audit requirements and clearer allocation of responsibility across digital supply chains. This convergence indicates growing consensus but also highlights the need for implementation-focused research.

Overall, non-government research plays a critical role in shaping the conceptual and practical understanding of personal data breach in India by revealing systemic vulnerabilities, institutional limitations and the real-world consequences of data governance failures.

Challenges

The Digital Personal Data Protection (DPDP) Act and its Rules present the following challenges regarding the mechanism for handling personal data breaches:

Universal Mandatory Reporting

Under the DPDP framework, every "personal data breach", defined broadly as any unauthorized processing or accidental disclosure that compromises data confidentiality, integrity, or availability, must be reported.

Unlike global standards like the GDPR, there is no "materiality threshold" or risk-based filter. Minor incidents, such as an HR employee accidentally emailing a payslip to the wrong recipient, are technically reportable breaches. This risks overwhelming the Data Protection Board (DPB) with trivial reports and causing "notification fatigue" among individuals.[24]

High-Precision "Forensic Readiness" within 72 Hours

Data Fiduciaries must provide a preliminary notice to the DPB "without delay" and a detailed report within 72 hours of becoming aware of a breach. Organizations often struggle to identify the full scope, nature, and precise timing of a breach within this window, especially in complex cloud or multi-vendor environments. The DPB requires "forensic-quality" information early, such as the number of users affected and specific remedial measures, even while internal investigations are still ongoing.

Verification of "Legacy" vs. "New" Breach Timelines

Establishing whether a breach occurred before or after the Act's full enforcement is a major legal and technical hurdle in 2026. The DPDP Act is non-retrospective; however, a "historical" leak (e.g., from 2023) rediscovered in 2026 can trigger liability if the data remains exposed or poses an "ongoing risk". Many organisations lack the mandatory one-year logs or the deterministic data mapping required to prove a breach's exact origin, leaving them exposed to penalties of up to ₹250 crore for what might be legacy failures.
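The notification mechanics described above (the UK Article 33/34 thresholds with phased reporting, PIPEDA's RROSH balancing test with "as soon as feasible" timing and 24-month record-keeping, and the DPDP Act's universal reporting with a preliminary notice followed by a detailed report within 72 hours) can be turned into a small breach-register helper. The code below is an added illustration, not material from this page, from any regulator or from any of the cited research; the three-level risk scale, the sensitivity/probability scoring used to model the RROSH test, the `threshold` value and the sample incident are all assumptions, and the regime identifiers (`dpdp`, `uk`, `pipeda`) are hypothetical labels.

```python
"""Breach-register helper (added example; assumptions are marked inline)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Risk(Enum):
    """Assessed risk to affected individuals (assumed three-level scale)."""
    UNLIKELY = 0   # unlikely to result in a risk to rights and freedoms
    LIKELY = 1     # likely to result in some risk
    HIGH = 2       # likely to result in a high risk (identity theft, fraud)


@dataclass
class Notice:
    kind: str            # "preliminary" or "detailed"
    recipient: str       # "regulator" or "subjects"
    sent_at: datetime
    summary: str


@dataclass
class Breach:
    ref: str
    aware_at: datetime          # when the organisation became aware of the breach
    risk: Risk
    sensitivity: int            # assumed 1 (low) .. 5 (special category) scale
    misuse_probability: float   # assumed analyst estimate, 0.0 .. 1.0
    notices: list = field(default_factory=list)


REPORT_WINDOW = timedelta(hours=72)      # UK GDPR Art. 33 and DPDP detailed report
PIPEDA_RETENTION = timedelta(days=730)   # PIPEDA s.10.3: record kept at least 24 months


def hours_after(t: datetime, hours: float) -> datetime:
    return t + timedelta(hours=hours)


def rrosh(breach: Breach, threshold: float = 1.5) -> bool:
    """PIPEDA s.10.1(8) balancing test, modelled (assumption) as
    sensitivity x probability of misuse meeting a threshold."""
    return breach.sensitivity * breach.misuse_probability >= threshold


def regulator_notice_required(regime: str, breach: Breach) -> bool:
    if regime == "dpdp":     # no materiality threshold: every breach is reportable
        return True
    if regime == "uk":       # Art. 33: report unless unlikely to result in a risk
        return breach.risk is not Risk.UNLIKELY
    if regime == "pipeda":   # s.10.1(1): real risk of significant harm
        return rrosh(breach)
    raise ValueError(f"unknown regime {regime!r}")


def subject_notice_required(regime: str, breach: Breach) -> bool:
    if regime == "dpdp":     # individuals are told of every breach
        return True
    if regime == "uk":       # Art. 34: only where a high risk is likely
        return breach.risk is Risk.HIGH
    if regime == "pipeda":
        return rrosh(breach)
    raise ValueError(f"unknown regime {regime!r}")


def regulator_deadline(regime: str, breach: Breach) -> Optional[datetime]:
    """Hard clock for the detailed regulator report; None where the rule is
    'as soon as feasible' or no report is due."""
    if regime in ("dpdp", "uk") and regulator_notice_required(regime, breach):
        return breach.aware_at + REPORT_WINDOW
    return None


def record_notice(breach: Breach, kind: str, recipient: str,
                  sent_at: datetime, summary: str) -> None:
    """Append a phased-reporting entry: preliminary findings first, detail later."""
    breach.notices.append(Notice(kind, recipient, sent_at, summary))


def regulator_report_overdue(regime: str, breach: Breach, now: datetime) -> bool:
    """True once the window has passed without a detailed regulator report."""
    deadline = regulator_deadline(regime, breach)
    if deadline is None:
        return False
    detailed = [n for n in breach.notices
                if n.recipient == "regulator" and n.kind == "detailed"]
    if detailed:
        return min(n.sent_at for n in detailed) > deadline
    return now > deadline


def retention_until(regime: str, breach: Breach) -> Optional[datetime]:
    """PIPEDA s.10.3: keep a record of every breach, reportable or not, for 24 months."""
    return breach.aware_at + PIPEDA_RETENTION if regime == "pipeda" else None


# Constructed sample: the page's 'minor incident', a payslip emailed to the wrong person.
AWARE = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
payslip = Breach("BR-0001", AWARE, Risk.UNLIKELY, sensitivity=2, misuse_probability=0.1)
record_notice(payslip, "preliminary", "regulator", hours_after(AWARE, 4),
              "one payslip misdirected; recipient confirmed deletion")
```

Running the sample shows the difference the page draws between regimes: the misdirected payslip is reportable under the DPDP model (with a detailed report due 72 hours after awareness) but falls below both the UK Article 33 threshold and the modelled RROSH test, while a high-risk incident triggers regulator and subject notification in all three. The `notices` list is what supports phased reporting, and `regulator_report_overdue` is the check an incident-response runbook would poll.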

Way Ahead

The Digital Personal Data Protection Act, 2023 lays the foundation, but effective breach governance now depends on firm execution. A clear 72-hour reporting rule should be codified, with limited scope for phased updates where facts are still being verified. The Data Protection Board must issue practical guidance and maintain a public breach registry to promote transparency. Sector-specific standards can reduce confusion and improve compliance.

Organizations should strengthen audit trails, internal response plans, and encryption standards to ensure forensic readiness. At the same time, state access to data must remain subject to necessity and proportionality. With consistent enforcement and informed citizens, India can build a credible breach response system that protects rights and supports long-term digital trust.

Related terms

  1. Data Leak / Data Leakage: Personal or sensitive data is exposed to people who should not see it.
  2. Unauthorized Processing: Personal data is used or handled in a way not allowed by law or consent.
  3. Privacy Breach: An incident where a person’s private information is improperly accessed or disclosed.
  4. Information Security Breach: A failure in security systems that allows data or systems to be compromised.
  5. Cyber Incident: Any significant disruption or suspicious activity affecting computer systems or networks.
  6. Security Incident: An event showing that a security rule may have been broken or a safeguard has failed.
  7. Data Security Breach: Compromise of protected or sensitive data due to weak or failed security.
  8. Cyberattack: A deliberate attempt by hackers to access, damage, or disrupt systems or data.

References

  1. IBM, https://www.ibm.com/think/topics/data-breach
  2. General Data Protection Regulation (GDPR), https://gdpr-info.eu/
  3. Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (Convention 108+), https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2018/09-10/Convention_108_EN.pdf
  4. UNDRR, https://www.undrr.org/understanding-disaster-risk/terminology/hips/tl0102
  5. Data protection and privacy laws, Identification for Development (World Bank ID4D), https://id4d.worldbank.org/guide/data-protection-and-privacy-laws
  6. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, https://www.oecd.org/content/dam/oecd/en/publications/reports/2002/02/oecd-guidelines-on-the-protection-of-privacy-and-transborder-flows-of-personal-data_g1gh255f/9789264196391-en.pdf
  7. 48th Standing Committee Report, 2023, https://acrobat.adobe.com/id/urn:aaid:sc:AP:008216af-507c-4fe5-bf7a-bb739f563451
  8. B.N. Srikrishna Committee Report, 2018, https://acrobat.adobe.com/id/urn:aaid:sc:AP:b5d5aed2-247c-48c5-a6be-b95906807d97
  9. NBDA Annual Report 2023-24, https://www.nbdanewdelhi.com/assets/uploads/pdf/NBDA_Annual_Report_2023-24.pdf
  10. Steering Committee on Fintech, 2019, https://acrobat.adobe.com/id/urn:aaid:sc:AP:46ace032-0d6d-45e8-9dbd-147ac58c4f67
  11. Working Group on Cyber Liability Insurance, 2020, https://acrobat.adobe.com/id/urn:aaid:sc:AP:fab7bfcf-e052-4795-bd0f-668e723f8ee7
  12. Data Protection White Paper, 2017, https://acrobat.adobe.com/id/urn:aaid:sc:AP:4c7aed1d-3a6b-40dc-8152-ca71fccf8016
  13. Brazilian Data Protection Law LGPD (Lei No. 13,709/2018, as amended), https://www.gov.br/anpd/pt-br/centrais-de-conteudo/outros-documentos-e-publicacoes-institucionais/lgpd-en-lei-no-13-709-capa.pdf
  14. Data Protection Act 2018 (UK), https://www.legislation.gov.uk/ukpga/2018/12/contents
  15. United Kingdom General Data Protection Regulation Keeling Schedule (showing changes by the Data Protection and Digital Information (No. 2) Bill), https://assets.publishing.service.gov.uk/media/645a655f2226ee000c0ae4ef/Keeling_Schedule_for_UK_GDPR_-_DPDI_No2_Bill_as_introduced.pdf
  16. Personal data breaches: a guide (UK ICO), https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
  17. Personal data breaches: a guide (UK ICO), https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
  18. Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
  19. UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data, https://uaelegislation.gov.ae/en/legislations/1972/download
  20. DIFC Data Protection Law No. 5/2020, https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/data-protection-law-difc-law-no-5-2020
  21. IFF's Cybersecurity Report for the Fourth Quarter of 2024 (Internet Freedom Foundation), https://internetfreedom.in/iffs-cybersecurity-report-for-the-fourth-quarter-of-2024/
  22. Digital India Report (Centre for Internet and Society), https://cis-india.org/internet-governance/files/digital-india-report.pdf
  23. Academic paper on cybersecurity governance and breaches (arXiv:2508.17962), https://arxiv.org/abs/2508.17962
  24. Data Breach Reporting in India: Legal Obligations and Best Practices (S.S. Rana & Co., October 21, 2025), https://ssrana.in/articles/data-breach-reporting-in-india-legal-obligations-and-best-practices/