Silent Suffering: The Absence of Compensation for Data Breach Victims in India’s Digital Personal Data Protection Act, 2023

In recent times, India has taken significant steps towards safeguarding personal data through the enactment and enforcement of the Digital Personal Data Protection Act, 2023 [1] (hereinafter PDPA). This legislation has been designed to regulate the processing of digital personal data, acknowledging the dual importance of respecting individuals’ rights to protect their personal information while also recognizing the necessity of processing such data for lawful purposes. Within this framework, the new Act outlines a redressal and complaint mechanism. If a Data Processor (any entity processing personal data on behalf of a Data Fiduciary) or a Data Fiduciary (an individual or entity determining the purpose and means of processing personal data) is implicated in a data breach, the Act empowers the Data Protection Board to investigate the matter under Section 33 and impose penalties as specified in the Schedule. However, a notable concern regarding this legislation is the absence of provisions for compensating the victims of a data breach, which diverges from established international legal precedents. Under the law, a person whose data has been breached can make a complaint to the Board and, accordingly, the Board has been given the power to inquire into such a data breach incident and provide any urgent remedial measures under Section 27. Further, the Board can also issue directions, including the levy of a penalty on the person responsible for the data breach. However, even in that particular section, there is no mention of compensation or any terminology specifying compensation to be provided under the law. Hence, this article analyses the right to compensation for victims of data breaches under a few legislations across the world.

European Union-

Under Article 82 of the General Data Protection Regulation (GDPR), the right to compensation and liability is statutorily provided. According to clause 1 of the Article, any person who has suffered material or non-material damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. This provision satisfactorily provides an adequate remedy to the victim who has suffered a data breach. Moreover, it is important to mention that this Article does not limit itself to material damage but also includes non-material damage caused by the infringement of any provision.

Recently, the Court of Justice of the European Union (CJEU) has also given a landmark ruling in this area, in which the Court clarified the scope of this provision vis-à-vis the right to compensation. This clarity came in the case UI v Österreichische Post AG [2] (the ‘Austrian Post Case’), wherein the questions before the Court were:

  1. Does the award of compensation under Article 82 GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation? 
  2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence? 
  3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?

In regard to these questions, the Court answered them in a way that promotes the rights of compensation of victims rather than restricting them. Firstly, the Court held that there are three essentials required to establish the right of compensation: firstly, that there must be some material or non-material damage; secondly, there must be an infringement of the Regulation; and thirdly, there must be a nexus between the damage and the infringement, in that the damage is a result of the infringement. [3] Therefore, a mere violation of the GDPR does not confer a right to compensation unless some damage is also attributable to it.

Now dealing with the third question, the CJEU held that there is no requirement of a certain threshold of seriousness to claim the right of compensation. The Court was firmly of the view that, where no threshold has been specified, merely showing that damage has been caused is enough to claim compensation. This view is also supported by the Court on the grounds that one of the main objectives of the GDPR is to maintain a uniform and consistent application of rules aimed at protecting the fundamental rights and freedoms of individuals concerning the processing of their personal data within the European Union (EU). The Court highlighted a concern that implementing a threshold could potentially impact the coherence of the GDPR system across EU member states, given that the availability of damages could differ based on how each national court interprets and applies this threshold. Hence, no particular threshold needs to be shown: if the person has been upset because of the infringement and some damage has been caused to the person claiming compensation, compensation shall be awarded. [4]

Further dealing with the second question, the Court was hesitant to lay down any fixed compensation policy and left this matter for national courts to decide the quantum based on their Member State rules. The Court was of the view that, in the absence of EU rules on the matter, it is for the national legal order of each Member State to establish procedural rules for actions intended to safeguard the rights of individuals, in accordance with the principle of procedural autonomy, on condition that the principles of equivalence and effectiveness are complied with. However, the CJEU opined that financial compensation must only be regarded as ‘full and effective’ if it allows the damage actually suffered as a result of the infringement of that Regulation to be compensated in its entirety, without there being any need, for the purposes of such compensation for the damage in its entirety, to require the payment of punitive damages. Hence, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with. Thus, the intent of the Court was to ensure that a liberal approach is adopted, wherein the victim of the data breach is adequately compensated in cases where the person has actually suffered damage.

The United Kingdom-

In the United Kingdom, the governing law regarding data protection is the Data Protection Act 2018, which is essentially an enacting law aligning UK law with the General Data Protection Regulation (GDPR), the comprehensive data protection regulation of the European Union. Similar to the GDPR, the UK law under section 168 [5] also states that the right to compensation for the victims of a data breach is to be provided in accordance with Article 82 of the GDPR. Moreover, the definition of non-material damage has been elaborated by making it clear that non-material damage also includes distress. Further, section 169 enlarges the scope of compensation by making it clear that a person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the GDPR, is entitled to compensation for that damage from the controller or the processor.

However, the approach of the UK courts in regard to compensation is not as liberal as that of the European Union. The UK Supreme Court in the case of Lloyd v. Google held that damages are not awardable for a mere loss of control of personal data under the old DPA regime [6]. Further, the court observed that Section 13 of the DPA cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the DPA [7]. The court came to this conclusion based on two major reasons:

  1. The wording of section 13(1) of the DPA is inconsistent with an entitlement to compensation based solely on proof of a contravention of the DPA (i.e. an underlying breach in and of itself does not automatically entitle an individual to damages); and
  2. Whilst the Court of Appeal in Vidal-Hall held that damages were capable of being awarded for an infringement of section 13(1) of the DPA for distress where the distress suffered was more than de minimis, to interpret section 13(1) even wider than this, as entitling individuals to damages for a mere infringement of their data rights which causes no material damage nor even distress, would require an extension to the rights conferred by the DPA which is not permissible by law.

Thus, the court, while ensuring that compensation is provided to the victim of a data breach, observed that such compensation is only allowed when a de minimis threshold is met by the complainant-victim. [8] Therefore, compensation as a right was upheld, but the threshold was declared to be comparatively high when compared to the threshold set by the CJEU.

Singapore-

In Singapore, the right to compensation is not as lucid as in the above-mentioned jurisdictions. In terms of data protection within Singapore, the Personal Data Protection Act 2012 is the governing law. The scope of this Act is to govern the collection, use and disclosure of personal data by organisations, to establish the Do Not Call Register, and to provide for its administration. Under this Act, Section 48-O provides a remedy to a person who has suffered any loss or damage due to a contravention of the provisions of the law, or if there has been any breach of personal data. In such cases, the provision does not provide an in-built remedy in the law but establishes a right of private action in favour of a person who has suffered loss or damage. Such a person then has a right of action for relief in civil proceedings in a court. Further, the court, in regard to the victim’s action for relief, can grant relief by way of an injunction, a declaration, damages, or any alternative it finds judicious. Hence, Singapore also does not restrict the right of compensation of the sufferer and instead ensures its promulgation.

CONCLUSION

In conclusion, acknowledging and addressing the imperative need for compensating victims of data breaches stands as an essential facet in the realm of data protection. When an entity, either knowingly or unknowingly, benefits from a data breach, it sets a concerning precedent. The true sufferer, whose personal information is compromised, finds themselves devoid of adequate remedies and reparation. This disparity underscores the importance of establishing a mechanism for compensating those affected by such breaches.

Furthermore, the absence of accessible investigation resources and the weighty burden of proof required prior to filing a complaint often dissuade individuals from reporting breaches under this new law. The fear of potential repercussions under the provisions of the PDPA, including being penalized for a perceived false complaint, stifles the willingness to come forward with legitimate concerns. This aspect necessitates thoughtful consideration, prompting a call for the legal system and the courts to evolve and establish a jurisprudence that prioritizes and advocates for the compensatory rights of complainants. It would be better if Section 27 of the PDPA were read down or amended to ensure that compensation to the victim as a legal right is fully established in the Indian jurisdiction.

In fostering a legal environment that not only penalizes the wrongdoers but also ensures that those harmed are duly compensated, we can promote trust, accountability, and a sense of justice within the data protection framework. Striking this balance is essential to effectively safeguard individuals’ data rights and foster a society that values and upholds the principles of fairness and restitution.
