Abstract
Unicorn startups are centered around technology. Their business strategy is mostly based on impactful, potent technology, and they are pioneers in their domains. Unicorns need information to grow, innovate, and maintain continuity and progression. However, using personal data comes with an inherent possibility of violating individual privacy and incurring legal consequences. On the other hand, the growth of Unicorns depends on their ability to access personal data without limitations. Nonetheless, individuals and artificial persons want their private information and competitive edge to be legally protected. It can be difficult to find a just and durable equilibrium in this quickly changing industry. Sensitive data presents unique difficulties in terms of data usage, sharing, and protection. Sensitive information can be easily manipulated, which makes it possible to violate data protection regulations and jeopardize people’s privacy. Failure to comply therefore results in serious consequences for data fiduciaries. In this article, we discuss the effect of the Data Protection Act on corporate compliance for Unicorns and how the Act can be leveraged to provide equilibrium. The article seeks to shed light on the challenges, best practices, and recommendations for compliance within the dynamic and evolving regulatory framework of the Data Protection Act.
Introduction
India is home to the third largest number of unicorns worldwide.[1] “From 2014-2025 the 10 year period that we will see, the Indian startup ecosystem is geared up for a 10X growth trajectory over these ten years, which is pretty phenomenal. We are expecting by 2025 the total number of unicorns to go up anywhere between 95-105 in India.”[2] Unicorns are propelled by analytics and artificial intelligence (AI). In their haste to collect, store, analyze, process, share, and work together on large amounts of data, Unicorns frequently forget about the important part of getting consent. People’s choices to disclose personal information might not always be well documented, either overtly or covertly. Consent for such data sharing is sometimes not secured, resulting in a situation known as privacy poisoning,[3] even when the objective is to provide end-users with relevant information and recommendations, particularly in services like e-commerce.
In order to offer distinctive, first-to-market customer propositions that make them pioneers, unicorns are constantly improving their functions. More consumer data is being collected in order to power analytics and AI engines as new features are developed. The risk increases as a result of the continuous effort to expand use cases. Furthermore, unicorns’ need to grow fast drives them to collaborate with outside parties or independent contractors, which adds another level of vendor risk. Unicorns are susceptible to possible data breaches since security is frequently seen as nothing more than a compliance exercise rather than as a means of facilitating value. Regulatory bodies from all over the world have stepped in to enforce rules and norms in this field because data privacy is frequently given low importance. The Indian government, in order to regularize and guarantee adequate protection of personal data and appropriately maintain the balance between privacy and the processing of data for lawful purposes, passed the Digital Personal Data Protection Act 2023 (Act No. 22 of 2023). The goal is to force businesses to take greater responsibility, surpassing simple compliance and extending accountability to each and every phase of data collection. Although these regulations exist, data protection is often viewed as a compliance exercise where the focus is on fulfilling the ‘bare minimum’ criteria to meet assessment or audit requirements. An INC magazine survey found the alarming statistic that 60% of small firms close their doors within six months of a data breach or cyberattack.[4] This concerning finding emphasizes the fact that, despite existing legal requirements like Section 43 of Chapter IX of the IT Act 2000[5], data protection is not given high priority in organizations of all sizes. Unicorns that prioritize security incorrectly risk losing their competitive edge.
A unicorn’s competitive advantage is mostly derived from its consumer data and insights, which could be stolen by a rival company, seriously harming the unicorn and undermining the value it seeks to generate. Individuals’ data is the engine that propels unicorns’ success. However, unicorns usually neglect their security procedures in their haste to become market leaders, leaving them open to data breaches. Unicorns must recognize the value of data protection and implement fundamental security procedures. This dual goal, which emphasizes a proactive approach rather than concentrating just on regulatory compliance and avoiding financial penalties, should comfort customers while also assisting in maintaining a competitive edge. The Digital Personal Data Protection Act 2023 establishes a thorough framework for the protection of personal data and lays out the obligations of organisations managing and processing digital data while respecting individuals’ rights in India. This Act expands the scope of its application and outlines the rights and responsibilities of the data principal (individual), the duties of data fiduciaries, and the penalties for violators, which include fines of Rs 200 crore for failing to fulfil child-related obligations and Rs 250 crore for failing to implement security measures to prevent data breaches.
Research Questions:
1. What specific practices and vulnerabilities in unicorns’ data policies breach data protection laws, posing risks to user privacy?
2. How does the new data protection act address challenges and requirements related to obtaining valid consent for unicorns?
3. What legal implications do companies face for data breaches under the data protection act, and how do these consequences compare internationally?
CHAPTER 1: UNVEILING UNICORNS: QUESTIONABLE DATA PRACTICES IN HIGH VALUE BUSINESSES
Unicorns are still making a big impression and coming up with creative solutions and concepts. There has been a discernible upsurge and change in the Indian unicorn ecosystem since 2020. The tendency is reflected in the widespread use of expressions in the media, such as “India’s unicorn party is only beginning” and “It’s raining unicorns for India.”
In 2020, Byju’s—an Edtech platform that offers online tutoring for kids from Grade 5 through a variety of competitive examinations including JEE, NEET, and IAS—became the third unicorn after Paytm and OYO Rooms. There have been several data breaches at Byju’s recently; one significant event involved White Hat Junior, a business that Byju’s purchased.
A server breach that revealed users’ private information, including phone numbers, email addresses, names, addresses, ages, chat logs, user parents’ information, and staff chats, was discovered by an unnamed independent cybersecurity researcher and reported to the corporation. This information was readily available for anybody to view, copy, or download due to the server’s lack of protection.
The firm gathers user data for basic portal registration and authentication, but also for voice and chat logs between teachers and students/parents, as well as information on the classes and videos that users have seen the most frequently. Either the company’s servers or the servers of a third-party cloud service provider handle the company’s data storage.
Such a data breach has serious ramifications. Hackers could use the stolen data to commit further illegal acts, such as cloning ATM cards or using phone numbers and email addresses for financial theft. Additionally, compromised data leaves room for fraud, harassment, and even rivals using the information to their benefit.
Under US law, the data owner or commercial services provider can be held liable even if the breach is a result of a mistake by the data holder or cloud service provider. However, in the Indian context, there are currently no specific provisions for data protection. The IT Act of 2000[6] contains limited provisions related to data breach, with Section 43A being the primary reference. Since this act was enacted in 2000, its scope and relevance in addressing contemporary issues are constrained. The recent WhatsApp data breach has raised serious concerns, as the compromised dataset reportedly spans 84 countries.
More than 32 million records of American users, according to the threat actor responsible for the hack, are included in the exposed data. Regretfully, a large portion of phone numbers are linked to inhabitants of Saudi Arabia (29 million), Egypt (45 million), Italy (35 million), France (20 million), and Turkey (20 million). Moreover, the aforementioned collection purports to contain phone numbers belonging to around 10 million Russians and more than 11 million British nationals.[7]
Considering the landscape of India, in the recent case of Karmanya Singh Sareen & Anr v Union of India & Ors. WP(C) 7663/2016 [8], the Delhi High Court examined WhatsApp’s privacy statement. Certain rules were released in order to protect user interests. Before September 25, 2016, users who choose to totally cancel their “WhatsApp” accounts should have all of their data deleted from the “WhatsApp” servers; moreover, their data should not be shared with “Facebook” or any of its subsidiaries. If users choose to stay on “WhatsApp,” the court decided that “Facebook” or any of its group firms shall not have access to any of their current information, data, or details up until September 25, 2016. The court ordered WhatsApp to refrain from implementing the altered revisions to their privacy policy as an interim remedy.
As per the latest report of the Hindustan Times: “The Maharashtra police have arrested a computer course dropout from Rajasthan for allegedly leaking database of Reliance Jio customers on a website. News of a data leak went viral on the internet on Sunday after a news report saying data of Jio customers was available on Magicapk.com. While some of them who accessed the site claimed to have seen their personal data including AADHAR card details, others said they did not find anything.”[9]
The hack has significant ramifications since compromised phone numbers may be used for phishing scams, marketing campaigns, impersonation, and other criminal endeavours. People’s security and privacy are seriously threatened by the possible exploitation of such sensitive data.
Head of Cybernews research team Mantas Sasnauskas stressed the need for IT giants like Meta to take strong precautions to protect user data in this digital era. He emphasised the need to consider whether the Terms and Conditions’ prohibition on “scraping or platform abuse” is enough on its own. The event emphasises how crucial it is to keep up efforts to improve security and data protection protocols in order to shield users’ digital footprints from potential abuse and unauthorised access.
It is essential to set aside a sizeable budget for cybersecurity in addition to a sizeable budget for marketing and branding. Every business is required by the most recent IT Rules to designate a Nodal Officer who possesses knowledge of cybersecurity and cyber threat intelligence. It is a good idea to hire a third-party cybersecurity organisation to evaluate the company’s online presence on a frequent basis. Users must be promptly notified in the case of a data compromise.
Businesses may reduce the risk of data breaches and improve cybersecurity by putting the following strategies into practice:
1) Keep Software Updated: Update software often to take advantage of security fixes and fix known flaws.
2) Put in Place Data Backups: Make backups of important information so that, in the case of a data breach, access may be restored more easily.
3) Employee Education: Train staff members on recommended cybersecurity practices, stressing the value of creating complicated passwords and of caution when opening attachments from unknown senders.
4) Improve General Protection Measures: To bolster the company’s defence against possible attacks, add more layers of protection, including firewalls and VPNs, to strengthen overall security.
CHAPTER 2: NAVIGATING CONSENT IN THE DIGITAL LANDSCAPE FOR UNICORNS
The Digital Personal Data Protection Act, 2023 (DPDP Act) in India places a significant emphasis on obtaining explicit consent as the primary legal basis for processing personal data. The new law is the first cross-sectoral law on personal data protection in India and has been enacted after more than half a decade of deliberations. With limited legitimate uses, entities, termed “data fiduciaries,” must adhere to a comprehensive framework designed to protect the personal data of individuals (“data principals”). The DPDP Act introduces enforceable measures, necessitating explicit permission from data principals before collecting or processing their information. Compliance with these regulations is imperative, given the substantial financial penalties associated with non-compliance.
Notice and consent requirements under the DPDP Act highlight the need for efficient mechanisms, with entities required to send notices within a reasonable time, even for previously obtained consents.
The new WhatsApp privacy policy, which permitted the sharing of user data with its parent company, was challenged in the Karmanya Singh Sareen v. Union of India case. The petitioners claimed that the new policy infringed upon the fundamental right to privacy guaranteed by Article 21 of the Indian Constitution. The case gained notoriety in the context of the broader discussion surrounding digital privacy and data protection. The question under discussion was whether Internet networking systems that let users send and receive text, audio, and video messages as well as data and make and receive audio and video conversations qualify as “telecommunication” services and are therefore governed by relevant regulatory bodies.
Similar to the GDPR and the CCPA, the DPDP Act contains specific “right to access” provisions that allow users to ask data fiduciaries what information an organization has about them and how it uses that information. Under the DPDP Act, data principals are specifically permitted to obtain a description of the shared data, a list of all other entities with whom the data has been shared, and an overview of the data they have provided, together with any additional information pertaining to personal data and its processing that may be required.
Consent management, including data mapping and the use of Consent Management Platforms (CMPs), is essential for organizations to track, manage, and automate consent processes while ensuring compliance with the high standards set by the DPDP Act.
The Act also introduces the role of “consent managers,” acting as single points of contact for consent options through transparent platforms. Overall, the DPDP Act imposes significant compliance burdens, particularly for client-facing and business-to-consumer entities, necessitating internal sensitization, privacy training, and awareness programs to ensure adherence to the Act’s protocols.
CHAPTER 3: INTERPRETING DATA BREACH CONSEQUENCES UNDER THE DPDP ACT AND GLOBAL COMPARISONS
India’s Data Protection Act 2023 (DPDP Act) is a thorough legal framework that takes two important factors into account: the need to process personal data for legitimate purposes and the recognition of people’s right to protect their personal data. The act essentially aims to achieve a balance between allowing the lawful processing of personal data in compliance with legal obligations and safeguarding individual privacy rights. The act also covers incidental or related issues relating to the handling of digital personal data. This points to a legislative desire to establish a thorough and sophisticated framework for managing the processing of digital personal data that recognizes individual rights as well as legitimate purposes for processing that data. The law places strict requirements on businesses that handle personal data, and noncompliance may have serious legal repercussions. Unicorn infractions can incur severe financial penalties of up to INR 2.5 billion (about USD 30 million)[10]. The DPDP Act further stipulates that violators may spend up to three years in prison. Notably, in the event of non-compliance, the Data Protection Board of India (DPBI) has the authority to impose jail time and monetary fines.[11] In addition to legal sanctions, individuals impacted by data breaches may file civil claims against unicorns.[12]
Unicorns risk fines of up to INR 250 crore if they don’t put in place sufficient security procedures to protect personal data. Moreover, there is a fine of up to INR 200 crore for not informing the DPBI and the impacted parties of a data breach, as prescribed under sub-section (6) of section 8 of the act. Penalties may reach two hundred and fifty crore rupees if a Unicorn fails to comply with the Data Fiduciary’s duty to implement adequate security measures to prevent the breach of personal data, as stipulated in sub-section (5) of section 8[13] of the act. Additionally, fines under section 9 of the act might reach two hundred crore rupees if there is a breach of the additional obligations regarding children. Penalties for failure to comply with the additional requirements of a Significant Data Fiduciary under section 10[14] may reach up to 125 crore rupees. Penalties for violating section 15[15] of the act might be as high as ten thousand rupees. Penalties under section 32[16] of the act, for violating any term of a voluntary undertaking accepted by the Board, extend to the degree applicable to the violation for which section 28 procedures were started. Penalties for violating any further provisions of this Act or the rules established under it might reach fifty crore rupees. Any unauthorized or unintentional access, acquisition, use, disclosure, alteration, destruction, or loss of personal data is considered a data breach under the law. Unicorns are recommended to take proactive steps to ensure compliance and reduce these risks.
Unicorns can take a number of steps to comply with the DPDP Act and lessen the chance of data breaches. First and foremost, it is imperative to have strong security measures in place to prevent unauthorized access, disclosure, alteration, and destruction of personal data. These measures include technical, physical, and organizational safeguards. Another crucial step is getting people’s express consent before collecting or using their personal data. Unicorns should also make it a top priority to notify people in a transparent and straightforward manner about how their personal data will be used. Unicorns should have a clear data breach response plan in place and should act quickly in the unfortunate case of a data breach, notifying the DPBI and any affected parties.
Unicorns are especially prone to data breaches, and the DPDP Act places strict requirements on how they handle personal data. In order to minimize legal sanctions and possible civil litigation, companies need to carefully follow the DPDP Act, putting preventive measures in place and reacting quickly to data breaches in compliance with the law. Unicorns should read the DPDP Act carefully and consult with legal counsel to make sure all of its provisions are followed.
INTERNATIONAL POSITION
The General Data Protection Regulation (GDPR)[17] in the European Union and the California Consumer Privacy Act (CCPA)[18] in the United States are two examples of international data protection legislation that are comparable to India’s Data Protection Act 2023 (DPDP Act). But there are a few significant variations.
The way consent is handled is one of the main distinctions. Unicorns must get individuals’ express consent under the GDPR before collecting or using their personal data. In accordance with the CCPA, unicorns must also get individuals’ agreement before collecting or selling their personal information. Nevertheless, not all data processing operations are subject to the DPDP Act’s requirement for express consent. Alternatively, unicorns may rely on implied permission for specific tasks, such as serving people or defending the organization’s legal interests.
One important distinction is how transparency is handled. Unicorns are required by the CCPA and GDPR to inform individuals in a clear and straightforward manner about how their personal data will be used. The DPDP Act, however, is less explicit regarding the kinds of data that firms have to submit.
Unicorns must notify individuals of data breaches in accordance with all three laws. The DPDP Act, however, is less explicit regarding the notice period. Unicorns are required by the CCPA and GDPR to notify individuals of data breaches within 72 hours of becoming aware of them. Unicorns must give reasonable notice to the Data Protection Board of India (DPBI) and impacted persons in accordance with the DPDP Act.
Strong enforcement procedures are in place for all three statutes. Violations of the GDPR and CCPA result in fines of up to 4% of global annual revenue or EUR 20 million,[19] whichever is higher. Violations of the DPDP Act result in fines of up to INR 2.5 billion (about USD 30 million).
Depending on the jurisdiction in which they conduct business, unicorns may face different legal repercussions from data breaches. There are a few overarching patterns. Unicorns that break the GDPR in the EU risk hefty fines of up to 4% of their yearly worldwide revenue, or EUR 20 million, whichever is higher. In addition, impacted parties may file legal actions against unicorns involved in data breaches. Unicorns that break the CCPA in the US may also be subject to hefty fines of up to $2,500 for each infraction.[20] In addition, impacted parties may file legal actions against unicorns involved in data breaches.
The DPDP Act of India is still new, and its enforcement mechanism is unknown. Nonetheless, there are severe possible consequences for infractions, such as fines of up to INR 2.5 billion (about USD 30 million) and up to three years in jail. In addition, impacted parties may file legal actions against unicorns involved in data breaches.
Additionally,
- China: The GDPR and China’s Personal Information Protection Law (PIPL)[21] are comparable in many ways. The PIPL, however, also increases the Chinese government’s ability to acquire personal information.
- Brazil: The GDPR and Brazil’s General Data Protection Law (LGPD)[22] are comparable. The LGPD, however, is less explicit regarding the kinds of data that corporations have to give to individuals.
- Japan: Compared to the GDPR or CCPA, Japan’s Act on the Protection of Personal Information (APPI)[23] is less extensive. Organizations are nevertheless required by the APPI to take precautions against unauthorized access, disclosure, modification, and destruction of personal data.
CASES
The State of Andhra Pradesh v. Syed Asifuddin and Ors. (2014)[24]: Employees of Tata Indicom were detained in this instance for altering the electronic 32-bit number (ESN) that was pre-programmed into cell phones that were solely licensed to Reliance Infocomm. The court determined that altering source code entails violating both Section 65 and Section 43 of the Information Technology Act because the alteration was carried out without the owner’s consent.
In Warren v. DSG Retail Ltd.,26 EWHC 2168 (QB), the UK High Court ruled in 2021 that businesses are accountable for data breaches, regardless of who committed them. According to the court, failing to protect data from hacking by unidentified third parties would not qualify as “misuse” for the purposes of the torts of breach of confidence and/or misuse of personal data.
Poona Auto Ancillaries Pvt. Ltd., Pune vs. Punjab National Bank, HO New Delhi & Others:[25] “In 2013, in one of the largest compensations awarded in legal adjudication of a cybercrime dispute, Maharashtra’s IT secretary Rajesh Aggarwal had ordered PNB to pay Rs 45 lakh to the Complainant Manmohan Singh Matharu, MD of Pune based firm Poona Auto Ancillaries. A fraudster had transferred Rs 80.10 lakh from Matharu’s Account in PNB, Pune after Matharu responded to a phishing email. The complainant was asked to share the liability since he responded to the phishing mail but the Bank was found negligent due to a lack of proper security checks against fraud accounts opened to defraud the Complainant.”[26]
CONCLUSION
In the fast-paced world of unicorn startups, where technological innovation is synonymous with success, the Digital Personal Data Protection Act 2023 (DPDP Act) emerges as a linchpin, steering these entities through the delicate balance between data-driven growth and the imperative of safeguarding digital privacy. Unicorns, driven by analytics, artificial intelligence, and a thirst for innovation, are navigating a landscape where the acquisition and utilization of vast amounts of data are pivotal to their strategies. The DPDP Act, with its comprehensive provisions, acts not only as a regulatory framework but as a beacon guiding unicorns toward responsible and ethical data practices.
The projected 10X growth of Indian unicorns over the next decade underscores the critical importance of a robust data protection regime. Compliance with the DPDP Act transcends legal obligations; it becomes a strategic imperative for unicorns to secure their foothold in an increasingly competitive and data-conscious market. Beyond the legal framework, the Act shapes a culture of accountability and transparency in data handling.
The research questions posed in this exploration delve into the intricate challenges unicorns face in aligning with the DPDP Act. Understanding the primary obstacles and leveraging insights from international data protection regulations, such as the GDPR, positions unicorns to proactively address concerns and navigate the nuances of corporate compliance in the realm of digital privacy. Real-world cases highlight the tangible consequences of data breaches, emphasizing the urgency for unicorns to prioritize cybersecurity and compliance.
The DPDP Act, with its stringent penalties and enforcement mechanisms, serves not only as a deterrent but as a guide for unicorns to fortify their data protection strategies, fostering trust among users and stakeholders. In a global context, the comparative analysis with international data protection laws establishes the DPDP Act as a benchmark for global competitiveness. Unicorns, operating on an international stage, recognize that adherence to the Act aligns them with global best practices, enhancing their credibility and resilience in the face of evolving data governance standards. The DPDP Act is more than a legal framework; it is a roadmap for unicorns to navigate the complex terrain of data privacy responsibly. By embracing the Act, unicorns not only mitigate legal risks but also position themselves as ethical leaders in the data-driven landscape. The Act, thus, becomes a catalyst for unicorns to forge a future where innovation and privacy coexist, fostering sustainable growth and societal trust in the transformative world of technology.
BIBLIOGRAPHY
Cases and Acts
1. Digital Personal Data Protection Act 2023, Act 22 of 2023
2. Information Technology Act, 2000
3. Part 4 of Division 3 of the California Civil Code
4. Karmanya Singh Sareen & Anr v Union of India & Ors. WP(C) 7663/2016
5. Personal Information Protection Law of the People’s Republic of China (2021)(Chairman’s Order No. 91)
6. Brazilian Data Protection Law (LGPD) (As amended by Law No. 13,853/2019)
7. Act on the Protection of Personal Information, Act No. 57 of 2003
8. State of Andhra Pradesh v. Syed Asifuddin and Ors. (2014) 2006 (1) ALD Cri 96
9. Warren v DSG Retail Ltd EWHC 2168 (QB)
10. Poona Auto Ancillaries Pvt. Ltd., Pune vs. Punjab National Bank, HO New Delhi & Others (2018)
Other References
1. ‘Case Studies: High-Profile Cases of Privacy Violation’ (SGR Law, 8 March 2019) <https://www.sgrlaw.com/ttl-articles/case-studies-high-profile-cases-of-privacy-violation/> accessed 14 November 2023
2. Banerji O, ‘Case Study on Data Breach Scandal of Byjus’ (iPleaders, 12 September 2021) <https://blog.ipleaders.in/case-study-data-breach-scandal-byjus/> accessed 14 November 2023
3. Justice K.S. Puttaswamy v Union of India, ‘Fundamental Right to Privacy’ (Supreme Court Observer, 24 August 2022) <https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/#:~:text=In%20a%20historic%20decision%20delivered,Part%20III%20on%20the%20whole.> accessed 14 November 2023
4. Hill M, ‘The Biggest Data Breach Fines, Penalties, and Settlements so Far’ (CSO Online, 18 September 2023) <https://www.csoonline.com/article/567531/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html> accessed 14 November 2023
5. Lapienyte J, ‘WhatsApp Data Leaked: 500 Million User Records for Sale Online – Cybernews’ (cybernews, 31 October 2023) <https://cybernews.com/news/whatsapp-data-leak/> accessed 14 November 2023
6. Bryan J, ‘Tips to Prevent a Security Breach at Your Company’ (Visual Edge IT, 14 March 2023) <https://visualedgeit.com/tips-to-prevent-a-security-breach-at-your-company/#:~:text=Software%20updates%20not%20only%20offer%20new%20features,data%20and%20lead%20to%20significant%20financial%20losses.> accessed 14 November 2023
7. ‘Yes Means Yes: Managing Consent Under India’s New Data Protection Law’ (S&R Associates, 20 September 2023) <https://www.snrlaw.in/yes-means-yes-managing-consent-under-indias-new-data-protection-law/> accessed 14 November 2023
8. Meena S, ‘Section 43 of Information Technology Act, 2000’ (LexForti, 11 June 2021) <https://lexforti.com/legal-news/section-43-of-information-technology-act-2000/#Explanation_Section_43_of_Information_Technology_Act_2000> accessed 14 November 2023
9. Youssef Khazbak, ‘MLGuard: Mitigating Poisoning Attacks in Privacy … – IEEE Xplore’ (IEEE XPLORE) <https://ieeexplore.ieee.org/document/9209670/> accessed 14 November 2023
10. Freeze D, ‘60 Percent of Small Companies Close within 6 Months of Being Hacked’ (Cybercrime Magazine, 16 October 2019) <https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/#:~:text=In%20fact%2C%2060%20percent%20of,to%20monitor%20suspicious%20network%20activity.> accessed 14 November 2023
11. Rajnish Kumar, ‘Data Protection and Liability – Irtpms.Indianrailways.Gov.In’ (Data Protection and Liability) <https://irtpms.indianrailways.gov.in/site/uploads/reports/10.Data-Protection-and-Liability-by-Rajnish-Kumar.pdf> accessed 14 November 2023
12. ‘Personal Data Protection Bill Proposes Jail Term for Executives, up to Rs 15 Crore Penalty for Data Misuse’ (The Economic Times, 4 December 2019) <https://economictimes.indiatimes.com/tech/internet/personal-data-protection-bill-proposes-jail-term-for-executives-up-to-rs-15-crore-penalty-for-data-misuse/articleshow/72370222.cms> accessed 14 November 2023
13. ‘CCPA vs GDPR Compliance Comparison’ (Entrust) <https://www.entrust.com/resources/hsm/faq/data-protection-security-regulations/ccpa-vs-gdpr#:~:text=GDPR%20includes%20fines%20of%20up,is%20subject%20to%20the%20regulation.> accessed 14 November 2023
14. ‘Penalties for Non-Compliance: United States: Global Data Privacy & Security Handbook: Baker McKenzie Resource Hub’ (Home) <https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/north-america/united-states/topics/penalties-for-non-compliance> accessed 14 November 2023
15. ‘Information Technology Act 2000: Ministry of Electronics and Information Technology, Government of India’ (Information Technology Act 2000 | Ministry of Electronics and Information Technology, Government of India) <https://www.meity.gov.in/content/information-technology-act-2000-0> accessed 14 November 2023
16. ‘WhatsApp Data of 3.8M Bangladeshis Stolen: Report’ (The Business Post, 27 November 2022) <https://businesspostbd.com/tech/whatsapp-data-of-38m-bangladeshis-stolen-report> accessed 14 November 2023
17. Tannvi, ‘Karmanya Singh Sareen v. Union of India’ (The Cyber Blog India, 24 January 2022) <https://cyberblogindia.in/karmanya-singh-sareen-v-union-of-india/#:~:text=The%20court%20passed%20an%20interim,of%20September%2025%2C%202016%2C%20and> accessed 14 November 2023
18. ‘Karmanya Singh Sareen & V. Union of India & Ors.’ (manupatra) <https://www.supremecourtcases.com/karmanya-singh-sareen-anr-v-union-of-india-ors/> accessed 14 November 2023
19. ‘Reliance Jio Data Leak: Computer Course Dropout Arrested from Rajasthan, Will Soon Be Brought to Mumbai’ (Hindustan Times, 13 July 2017) <https://www.hindustantimes.com/india-news/reliance-jio-data-leak-computer-course-dropout-arrested-from-rajasthan-will-soon-be-brought-to-mumbai/story-iwPODWwaDLoo5Tv55fLIFJ.html> accessed 14 November 2023
[1] Hurun’s Global Unicorn Index 2023
[2] Debjani Ghosh, NASSCOM, President said
[3] Youssef Khazbak, ‘MLGuard: Mitigating Poisoning Attacks in Privacy … – IEEE Xplore’ (IEEE XPLORE) <https://ieeexplore.ieee.org/document/9209670/> accessed 14 November 2023; Act No. 22 of 2023
[4] Freeze D, ‘60 Percent of Small Companies Close within 6 Months of Being Hacked’ (Cybercrime Magazine, 16 October 2019) <https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/#:~:text=In%20fact%2C%2060%20percent%20of,to%20monitor%20suspicious%20network%20activity.> accessed 14 November 2023
[5] Information Technology Act, 2000
[6] ‘Information Technology Act 2000: Ministry of Electronics and Information Technology, Government of India’ (Information Technology Act 2000 | Ministry of Electronics and Information Technology, Government of India) <https://www.meity.gov.in/content/information-technology-act-2000-0> accessed 14 November 2023
[7] ‘WhatsApp Data of 3.8M Bangladeshis Stolen: Report’ (The Business Post, 27 November 2022) <https://businesspostbd.com/tech/whatsapp-data-of-38m-bangladeshis-stolen-report> accessed 14 November 2023
[8] Karmanya Singh Sareen & Anr v Union of India & Ors. WP(C) 7663/2016
[9] ‘Reliance Jio Data Leak: Computer Course Dropout Arrested from Rajasthan, Will Soon Be Brought to Mumbai’ (Hindustan Times, 13 July 2017) <https://www.hindustantimes.com/india-news/reliance-jio-data-leak-computer-course-dropout-arrested-from-rajasthan-will-soon-be-brought-to-mumbai/story-iwPODWwaDLoo5Tv55fLIFJ.html> accessed 14 November 2023
[10] THE SCHEDULE [See section 33 (1)]
[11] ‘Personal Data Protection Bill Proposes Jail Term for Executives, up to Rs 15 Crore Penalty for Data Misuse’ (The Economic Times, 4 December 2019) <https://economictimes.indiatimes.com/tech/internet/personal-data-protection-bill-proposes-jail-term-for-executives-up-to-rs-15-crore-penalty-for-data-misuse/articleshow/72370222.cms> accessed 14 November 2023
[12] Rajnish Kumar, ‘Data Protection and Liability – Irtpms.Indianrailways.Gov.In’ (Data Protection and Liability) <https://irtpms.indianrailways.gov.in/site/uploads/reports/10.Data-Protection-and-Liability-by-Rajnish-Kumar.pdf> accessed 14 November 2023
[13] Digital Personal Data Protection Act 2023, s 8(5)
[14] Digital Personal Data Protection Act 2023, s 10
[15] Digital Personal Data Protection Act 2023, s 15
[16] Digital Personal Data Protection Act 2023, s 32
[17] General Data Protection Regulation ((EU) 2016/679) (EU GDPR)
[18] Section 3, Title 1.81.5 of the CCPA, added to Part 4 of Division 3 of the California Civil Code.
[19] ‘CCPA vs GDPR Compliance Comparison’ (Entrust) <https://www.entrust.com/resources/hsm/faq/data-protection-security-regulations/ccpa-vs-gdpr#:~:text=GDPR%20includes%20fines%20of%20up,is%20subject%20to%20the%20regulation.> accessed 14 November 2023
[20] ‘Penalties for Non-Compliance: United States: Global Data Privacy & Security Handbook: Baker McKenzie Resource Hub’ (Home) <https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/north-america/united-states/topics/penalties-for-non-compliance> accessed 14 November 2023
[21] Personal Information Protection Law of the People’s Republic of China (2021)(Chairman’s Order No. 91)
[22] Brazilian Data Protection Law (LGPD) (As amended by Law No. 13,853/2019)
[23] Act on the Protection of Personal Information Act No. 57 of (2003)
[24] State of Andhra Pradesh v. Syed Asifuddin and Ors. (2014) 2006 (1) ALD Cri 96; Warren v DSG Retail Ltd EWHC 2168 (QB)
[25] Poona Auto Ancillaries Pvt. Ltd., Pune vs. Punjab National Bank, HO New Delhi & Others (2018)
[26] Meena S, ‘Section 43 of Information Technology Act, 2000’ (LexForti, 11 June 2021) <https://lexforti.com/legal-news/section-43-of-information-technology-act-2000/#Explanation_Section_43_of_Information_Technology_Act_2000> accessed 14 November 2023