The New Era of Privacy: DPDP Act 2023 & Its Impact on Cyber Cases

The landscape of Indian cyber law shifted significantly on August 11, 2023, with the enactment of the Digital Personal Data Protection (DPDP) Act. While the IT Act 2000 has long been the primary tool for prosecuting hackers and fraudsters, the DPDP Act introduces a sophisticated layer of accountability that changes how data-related cyber cases are litigated.

As we move through 2026, understanding the intersection of these two laws is vital for businesses and individuals alike.


1. From “Cyber Crime” to “Data Breach”

Under the old regime (IT Act), cyber cases were largely viewed through the lens of criminal intent—hacking, phishing, or identity theft. The DPDP Act shifts the focus to organizational accountability.

  • The Shift: A company is now legally a “Data Fiduciary.” If a hacker steals your data due to the company’s poor security, the case isn’t just about the “criminal” anymore; it’s about the company’s failure to protect you.

  • Case Impact: In future data leak cases (similar to the historic Air India or Domino’s leaks), victims can now approach the Data Protection Board (DPB) to seek penalties against the company, independent of the police investigation into the hackers.


2. Mandatory Breach Reporting: No More Hiding

Previously, companies often brushed data breaches under the rug to avoid reputational damage.

  • The New Rule: Under the DPDP Act and the 2025 Rules, Data Fiduciaries must notify the Data Protection Board and each affected individual in the event of a personal data breach.

  • Impact on Cyber Litigation: This creates a transparent paper trail. In a cyber case, a victim can use the company’s own mandatory breach notification as evidence of negligence in a consumer or civil court.


3. Massive Financial Penalties

The IT Act 2000 often imposed fines that were “pennies on the dollar” for big tech firms. The DPDP Act introduces a “polluter pays” principle with teeth.

| Nature of Violation | Penalty under IT Act | Penalty under DPDP Act |
|---|---|---|
| Failure to protect data | Vague / Limited compensation | Up to ₹250 Crore per instance |
| Breach of Children’s Data | General penalties | Specialized, higher penalties |
| Non-fulfillment of duties | Minimal | Up to ₹10,000 for Data Principals |

4. The “Right to Erasure” in Cyber Stalking

One of the most profound impacts on personal cyber cases is the Right to Erasure.

  • Scenario: If an individual’s personal photos or information are being used for online harassment or cyberstalking, they can now demand the platform (the Fiduciary) delete that data once the “specified purpose” of its collection is over.

  • Legal Leverage: If a platform refuses to delete data after consent is withdrawn, it faces the massive penalties mentioned above, giving victims much more leverage than a standard FIR might provide.


5. Interaction with the IT Act (Section 43A vs. DPDP)

It is important to note that the DPDP Act repeals Section 43A of the IT Act, which previously dealt with “Reasonable Security Practices.”

Expert Note: While the IT Act will still be used to put “bad actors” in jail for hacking (Sections 66, 66C, etc.), the DPDP Act will be the primary tool used to penalize the companies that allowed the data to be stolen in the first place.


6. Current Legal Challenges (2026 Update)

As of early 2026, the constitutionality of the DPDP Act is being tested in the Supreme Court (e.g., Venkatesh Nayak v. Union of India). Petitioners are concerned that:

  • Exemptions: The Government has broad powers to exempt its agencies from the Act in the name of “National Security.”

  • RTI Interaction: There are concerns that the Act might be used to block RTI (Right to Information) requests by labeling public information as “private data.”


Conclusion: A Double-Edged Sword

The DPDP Act 2023 provides a powerful shield for your digital identity, but it also demands a “Privacy-First” overhaul for every business in India. In cyber cases, the burden of proof is shifting: it’s no longer just about who stole the data, but how it was allowed to be stolen.

Is your business DPDP-ready? Failure to appoint a Data Protection Officer (DPO) or update your consent artifacts could result in penalties that far outweigh the cost of compliance.

 
