RESTORING THE RIGHT TO REMEDY: Amend the DPDP Act to Compensate Data Breach Victims


The Issue

Penalty Without Remedy is Not Justice:


Under the Digital Personal Data Protection (DPDP) Act, 2023, India has reached a landmark in data governance, but it has done so by creating a "relief-less" right. While the Act allows the State to impose penalties of up to ₹250 crore on negligent companies, those funds flow directly to the State. The individual or the "Data Principal" whose privacy is violated, who faces identity theft, or whose sensitive health records are exposed, is entitled to zero guaranteed compensation under the statute.

The Regression: From Section 43A to Statutory Silence

For over a decade, Indian law recognized the necessity of individual remedies. Section 43A of the Information Technology Act (2000/2008) provided a clear, citizen-facing remedy: if a company’s negligence caused you "wrongful loss," you could claim direct compensation.

The original intent of scrapping Section 43A was to replace it with a broader, more comprehensive framework that aligned with global standards like the GDPR. Instead, the 2023 Act has effectively "written out" the victim from the relief equation. We have moved from a limited but functional individual right to a total legal vacuum for the citizen.

Where the Law Fails 

The DPDP Act 2023 provides no direct right for a Data Principal to claim compensation from a Data Fiduciary. This is not a matter of legal technicality.

  1. It violates the foundational legal maxim of ubi jus ibi remedium (where there is a right, there is a remedy). The Supreme Court held in Puttaswamy that privacy is a fundamental right. When a fundamental right is breached, the individual must have a direct personal remedy. That is not optional. It is constitutional.

It's a global failure. While the EU's GDPR (Article 82) and California's CCPA (Section 1798.150) grant citizens a direct right to sue for damages, India’s current law treats data protection as revenue collection for the State.

Our Demands to Parliament and MeitY (Ministry of Electronics & IT)

We call upon the Ministry of Electronics & IT and the Parliament of India to introduce the following amendments to the DPDP Act:

  1. Restore Individual Compensation Rights: Introduce a provision equivalent to Section 43A of the IT Act that grants every Data Principal an enforceable right to claim monetary compensation from the Data Fiduciary whose negligence or breach caused them verifiable harm.
  2. Bifurcate Penalties and Relief: The Act must explicitly distinguish between (a) financial penalties payable to the Consolidated Fund of India as a deterrent, and (b) compensation payable to the aggrieved individual as a remedy.
  3. Empower the Data Protection Board: Amend the Act to give the Data Protection Board explicit statutory power to award binding, enforceable compensation to complainants after determining liability, in addition to imposing penalties. The Board should not merely suggest mediation. It must be equipped to deliver justice, not just accountability.
  4. Establish a Victim Compensation Fund: Create a statutory Victim Compensation Fund, seeded from a defined portion of the penalties collected under the Act. This fund would provide timely, accessible relief to affected individuals, particularly in cases where the Data Fiduciary is insolvent, has gone offshore, or cannot be readily traced. No victim of a data breach should go uncompensated simply because the wrongdoer has the means to avoid a direct claim.

Legal Basis: This petition is filed under the right to petition guaranteed by Article 19(1)(a) of the Constitution of India. It is independent of any political party, foreign entity, or corporate interest.

By signing below, you are telling Parliament and MeitY that you expect the DPDP Act to be amended before May 2027 to restore and guarantee the individual citizen's right to compensation for data breaches.

 

Petition Starter: DPDPA LEGAL

At DPDPA Legal, we serve as India’s comprehensive resource for navigating the complexities of the DPDPA. Managed by Roots Cyber Law Firm, our initiative is built on the three pillars of Education, Enablement, and Dispute Readiness.

140 people signed this week
