April 01, 2026
DPDP-CERT-In Dual Data Breach Compliance: India's Overlapping Cybersecurity & Privacy Governance Crisis
Introduction
With the enactment of the Digital Personal Data Protection Act, 2023[1] (“DPDP Act”), several incongruities between the Information Technology Act, 2000[2] (“IT Act”) and the new privacy regime have been addressed through the repeal of legacy provisions by means of Section 44(2)[3]. However, data breach governance under the DPDP Act has not been entirely subsumed and continues to operate alongside the existing CERT-In incident reporting mechanism established by the IT Act. With the phased implementation of the Act starting from May 13, 2027[4], organisations will therefore be required to ensure dual compliance with both regimes, making it necessary to examine how these mechanisms interact and where structural inconsistencies persist.
Mapping CERT-In and DPDP Breach Notification Regimes
Currently, two distinct reporting mechanisms are slated for enforcement by the Union which, although they apply to overlapping classes of organisations, respond to different regulatory rationales and audiences. First, under Section 70B of the IT Act[5], the Indian Computer Emergency Response Team (“CERT-In”) has been appointed as the nodal cybersecurity incident authority tasked with coordinating information security practices and the reporting of cyber incidents[6]. Under subsection (6)[7], CERT-In is empowered to issue directions to service providers, intermediaries, data centres, body corporates and government organisations to report cyber incidents, maintain logs and assist incident response activities.[8] As per the Directions released in April 2022[9] under Rule 12 of the CERT-In Rules, 2013[10], entities are required to report specified cybersecurity incidents, including data breaches, within six hours of noticing the incident.[11]
By contrast, the DPDP Act establishes a rights-centric personal data breach notification regime whereby, under Section 8(6) of the Act[12], in the event of a personal data breach, the Data Fiduciary must notify both the Data Protection Board of India (“DPBI”) and each affected Data Principal.[13] Under Rule 7 of the Digital Personal Data Protection Rules, 2025[14] (“DPDP Rules”), this duty is effectuated by requiring the fiduciary to inform the affected individuals without delay about the nature, consequences and mitigation measures associated with the breach, and to submit a detailed report to the DPBI within seventy-two hours of becoming aware of the breach, unless extended by the Board.[15] Unlike the technical focus of the CERT-In Directions, the DPDP framework is rights-centric and aimed at mitigating harm to data principals, a concern that assumes particular significance where the breach involves a vulnerable class of individuals, such as children, whom the Act otherwise treats as a distinct category requiring verifiable parental consent.
Institutional Overlap Between the DPDP Act and the IT Act Framework
Though the newly promulgated legislation seeks to introduce a rights-based framework to protect digital personal data, in the event of a data breach the same facts are simultaneously interpreted through the language of cybersecurity embodied in the IT Act. A single factual matrix, for instance unauthorised access to a user database, would therefore acquire two parallel legal identities: first, a “cyber incident” mandating technical reporting to the national incident-response agency under Section 70B of the IT Act[16], and second, a “personal data breach” requiring accountability towards affected individuals and the DPBI under the DPDP Act. These regimes do not contradict each other; rather, they proceed from different premises, the former aimed at network stability and the latter at individual harm, and as a result no single authority emerges that owns the incident from its inception to its end.[17]
Consequently, instead of a regulatory handoff, this dual characterisation produces an institutional overlap. Moreover, sectoral regulators such as the RBI and SEBI may add further compliance requirements for the entities they regulate. Presently, there is no hierarchical ordering of the mandates within these statutes, and organisations must therefore comply with multiple authorities for the same incident, each seeking different information on different timelines, transforming compliance from a single obligation into a process of regulatory coordination.
This overlap becomes sharper with the repeal of Section 43A[18] and consequently the SPDI Rules[19] following the DPDP enactment; under those provisions both security obligations and compensation were located within the IT Act itself. The new regime relocates liability and penalties to itself, while preventive cybersecurity supervision continues to operate through the surviving CERT-In architecture under the IT Act. In effect, the authority that first encounters the breach is not necessarily the authority that ultimately determines responsibility, separating prevention from accountability within the enforcement structure.
Misalignment in Regulatory Enforcement Architecture
A substantial segment of India's digital ecosystem consists of children, since roughly 113 million internet users in the country are minors[20], including roughly 71 million aged 5–11 alone, most with routine smartphone and social-media engagement.[21] Given that such interactions are continuous, it can be inferred that large volumes of children’s digital personal data are necessarily collected and processed across online platforms. Therefore, the structural misalignment in our breach notification architecture weakens the protective promise that the DPDP Act sought to enact, particularly for this class of high-risk individuals whose digital exposure is expanding faster than the safeguards around them. The difficulty lies not in the parallel operation of the regimes, but in the fact that they converge on the same set of incidents without a mechanism to distinguish between ordinary data subjects and those with heightened vulnerability. Such an “all-purpose” statutory design ignores the qualitative difference of data involving children, which is often generated in the absence of independent consent, mediated through guardians, and capable of producing long-term, irreversible damage once exposed.
Additionally, what makes the gap particularly troublesome is the sequencing in the statute: although children have been expressly recognised as a vulnerable class under Section 9[22], and violations involving them are consequently treated as more serious, this recognition operates only at the stage of penalty determination, after the breach has already run its course. There exists no corresponding obligation at the time of breach reporting to escalate urgency, modify notice contents, or prioritise guardians at the point of discovery. The two temporal logics at work, containment of the incident and mitigation of harm, may for adult users cause inconvenience through delayed notification, but they do not substantially transform the nature of the injury itself. For children, however, the absence of early differentiated reporting converts delay itself into injury, since their data, including educational records, behavioural profiles and identity markers, once exposed may be copied, aggregated, and re-contextualised across platforms, producing persistent reputational and security risks. By deferring the weight of vulnerability to the adjudicatory end of the process, the substantive commitments of the Act, which put forth mechanisms for verifiable parental consent and heightened duties of care, are compromised. Without incorporating these commitments into the reporting workflow itself, the law emerges as reactive rather than preventive, prioritising mere retrospective accountability.
Data Governance Spillovers in the Gig Economy
The effects of the lack of synchronisation between the two regimes extend beyond individual data subjects to produce wider institutional ramifications. The associated risks become more prominent with the implementation of the forthcoming privacy regime, given that it is being introduced against a backdrop of institutional unpreparedness, since existing CERT-In compliance itself remains uneven. Moreover, nearly 71 per cent of organisations struggle to interpret the DPDP Act, and almost 80 per cent have not aligned internal policies with it.[23] As a consequence, the unique demands of the newly enacted law continue to be interpreted through the lens of the surviving cybersecurity compliance, which continues to structure governance around technical reporting rather than lifecycle data governance. Since there is no unified statutory hierarchy between the frameworks, and given their differing timelines and enforcement objectives, what emerges is a rather predictable compliance bias. Organisations are incentivised to prioritise containment obligations first under the six-hour reporting mandate, and only thereafter to turn to the rights-based notification requiring evaluative harm assessment and user communication. This sequencing undermines the central rationale of privacy protection, namely that it is meant to guide the response itself, not merely explain it afterwards.
The challenge compounds when the data in question is processed internationally. Under Section 16[24], the DPDP Act adopts a permissive transfer model that allows cross-border flow of data unless the government explicitly restricts transfers to particular jurisdictions, so the legality of such a transfer is generally predetermined.[25] The difficulty arises, however, in the event of a breach. The absence of interpretive coordination with parallel regulatory assessments at the domestic level also extends to cross-border incidents, which are recurrent rather than episodic, and hence the operational burden is greater. This multi-jurisdictional data compliance challenge assumes immediate labour significance because the platform work associated with it is no longer marginal. In 2020-21 alone India’s gig economy employed about 7.7 million workers, a figure projected to reach 23.5 million by the end of the decade.[26] Algorithmic management systems that continually monitor workers, generate performance metrics, allocate tasks based on behavioural data, determine compensation in case of disputes, and impose disciplinary actions form the basis of contemporary gig work.[27] Since such datasets are frequently stored and processed across jurisdictions[28], dispute resolution makes lawful cross-border handling and disclosure of personal data indispensable. Remediation of labour disputes, therefore, ultimately rests on data governance clarity. If data cannot be transferred or shared with confidence for adjudication, disputes remain unresolved.
Accordingly, coexisting compliance mandates generate a wide governance bottleneck: at the individual level, protective response is weakened; at the institutional level, compliance becomes cumbersome; and ultimately, disputes in digital markets are prolonged.
Proposed Reforms
The enforcement gaps identified above arise not merely from statutory silence but from the absence of an operational coordination architecture. The DPBI should therefore adopt the following three institutional reforms to synchronise breach response and enable lawful cross-border data handling.
Foremost, the DPBI should institute a unified breach escalation classification system whereby, upon notification of a personal data breach under Section 8(6) of the DPDP Act[29], Data Fiduciaries must simultaneously label the incident according to its risk category, including a mandatory “child/minor-related data” category. Where children’s data is identified within a compromised dataset, enhanced obligations, including guardian-directed notice, accelerated mitigation timelines, and temporary suspension of further processing, would be triggered by default. Since the current framework conceptualises vulnerability only at the stage of penalty determination, this reform is needed to prevent harm through immediate differentiation at the reporting stage itself, making the regulation preventive rather than retrospective.
Second, a joint reporting interface administered by the DPBI and technically integrated with CERT-In should be operationalised. Presently, a single incident generates parallel reporting obligations with distinct timelines, which incites organisations to prioritise containment obligations first and to treat rights-based privacy notification as a subsequent compliance exercise rather than an integral part of the response itself. On detection of a data breach, the entity would file a single structured report on the common portal with two simultaneous inputs: technical incident indicators such as logs, vectors and affected systems, and preliminary personal-data impact fields such as categories of data, affected users and risk level. The system would then automatically route the technical components to CERT-In for containment directions, while triggering the Board’s workflow for user notification and mitigation guidance. Both agencies would update their directions on the same dashboard, and the entity’s compliance status would be tracked against a unified timeline rather than separate deadlines. This concurrent channel would address the current delay, where privacy safeguards begin only after technical reporting is completed.
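The unified report and dual routing proposed in the first two reforms, as an added illustration that is not part of the original post: one breach record is split into a CERT-In packet and a DPBI packet, the six-hour and seventy-two-hour deadlines from the two regimes are computed on a single timeline, and a child-data category triggers the escalation the post proposes. The field names, data-category labels and obligation names are assumptions for illustration, and the escalation rules reflect the post's proposal rather than current law.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Timelines as stated in the post: CERT-In Directions (six hours from noticing)
# and DPDP Rule 7 (seventy-two hours from awareness, unless extended by the Board).
CERT_IN_WINDOW = timedelta(hours=6)
DPBI_WINDOW = timedelta(hours=72)

# Categories that mark a "child/minor-related data" incident under the proposed
# classification. Assumed labels for illustration, not statutory terms.
CHILD_CATEGORIES = {"child_profile", "educational_record", "minor_identity"}


@dataclass
class BreachRecord:
    noticed_at: datetime          # when the cyber incident was noticed (CERT-In clock)
    aware_at: datetime            # when the fiduciary became aware of the breach (DPDP clock)
    affected_systems: list[str]
    attack_vectors: list[str]
    data_categories: set[str]
    affected_principals: int


def classify(rec: BreachRecord) -> dict:
    """Turn one structured report into two routed packets and a unified timeline."""
    child_data = bool(rec.data_categories & CHILD_CATEGORIES)
    cert_in_deadline = rec.noticed_at + CERT_IN_WINDOW
    dpbi_deadline = rec.aware_at + DPBI_WINDOW
    # Technical indicators routed to CERT-In for containment directions.
    technical = {"affected_systems": rec.affected_systems,
                 "attack_vectors": rec.attack_vectors,
                 "deadline": cert_in_deadline}
    # Personal-data impact fields routed to the Board's notification workflow.
    privacy = {"data_categories": sorted(rec.data_categories),
               "affected_principals": rec.affected_principals,
               "risk_category": "child_minor_data" if child_data else "standard",
               "deadline": dpbi_deadline,
               # Enhanced obligations the post proposes for child data (assumed names).
               "enhanced_obligations": ["guardian_directed_notice", "accelerated_mitigation",
                                        "suspend_further_processing"] if child_data else []}
    # The dashboard tracks the earliest hard deadline rather than two separate ones.
    return {"cert_in": technical, "dpbi": privacy,
            "next_deadline": min(cert_in_deadline, dpbi_deadline)}


def overdue(report: dict, now: datetime) -> list[str]:
    """Regimes whose filing deadline has already passed at `now`."""
    return [name for name in ("cert_in", "dpbi") if now > report[name]["deadline"]]


# Constructed sample incident: a compromised database holding student records.
SAMPLE = BreachRecord(noticed_at=datetime(2026, 4, 1, 9, 0), aware_at=datetime(2026, 4, 1, 10, 30),
                      affected_systems=["user-db-01"], attack_vectors=["credential_stuffing"],
                      data_categories={"educational_record", "email"}, affected_principals=4200)
```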
Third, the Board should create an expedited cross-border adjudicatory disclosure channel specifically for labour and platform disputes. Although under the Act personal data required for dispute resolution may be stored outside India, evidence from parallel jurisdictions shows that platforms either decline or delay disclosure of operational data, fearing compliance risks in a high-penalty privacy regime.[30] Hence, the Board should issue standing approval categories allowing certified dispute-resolution bodies such as labour authorities, tribunals, and arbitration forums to access specific datasets, without case-by-case clearance, for limited predetermined purposes such as adjudication of worker deactivation or wage disputes, through pre-approved transfer mechanisms subject to audit logging. This gives entities advance compliance certainty, enabling evidence to be produced promptly and preventing labour disputes from stalling on grounds of permissibility.
Together, these reforms transform the role of the Board from an ex post breach penalty body to an operational regulator restoring coherence to a regime currently fragmented across parallel compliance systems.
*This blog is authored by Aparajita Banerjee, law student at Integrated Law Course, Faculty of Law, University of Delhi. Views expressed are personal.
[1] The Digital Personal Data Protection Act 2023 (Act No 22 of 2023)
[2] Information Technology Act 2000 (Act No 21 of 2000)
[3] The Digital Personal Data Protection Act 2023, s 44(2)
[4] Ministry of Electronics and Information Technology, Notification G.S.R. 843(E) (13 November 2025)
[5] Information Technology Act 2000, s 70B
[6] ibid
[7] Information Technology Act 2000, s 70B(6)
[8] ibid
[9] Government of India, Ministry of Electronics and Information Technology (MeitY), Indian Computer Emergency Response Team (CERT-In), Directions No 20(3)/2022-CERT-In (28 April 2022)
[10] Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013, G.S.R. 20(E), r 12 (16 January 2014)
[11] ibid
[12] The Digital Personal Data Protection Act 2023, s 8(6)
[13] ibid
[14] Digital Personal Data Protection Rules 2025, r 7
[15] ibid
[16] Information Technology Act 2000, s 70B
[17] National Law School of India University, ‘Interplay of DPDP Act with Competition Act and Draft DCB’ (NLSIU, April 2021) accessed 12 February 2026
[18] Information Technology Act 2000, s 43A
[19] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, G.S.R. 313(E) (11 April 2011)
[20] Central Institute of Educational Technology (CIET), National Council of Educational Research and Training (NCERT), ‘Workshop and Training Materials – Day 5’ (NCERT, 2021) accessed 13 February 2026
[21] ‘India has over 500 mn active internet users; 14% of 5–11 yrs: IAMAI’ The Economic Times (New Delhi, 8 May 2020)
[22] The Digital Personal Data Protection Act 2023, s 9
[23] Priya B Singh, ‘India’s Data Privacy Shift: Steering the DPDP Compliance and Readiness’ EY Insights (3 January 2025) accessed 12 February 2026
[24] The Digital Personal Data Protection Act 2023, s 16
[25] ibid
[26] Press Information Bureau, ‘NITI Aayog Launches Report on India’s Gig and Platform Economy’ (PIB, 27 June 2022) https://www.pib.gov.in/PressReleasePage.aspx?PRID=1837277
[27] Anjana Karumathil and Ritu Tripathi, ‘India’s Gig Workers: Life at the Mercy of “Platforms” & “Algorithms”’ The Quint (6 June 2022) accessed 12 February 2026
[28] Namita Datta and Rong Chen (with Sunamika Singh, Clara Stinshoff, Nadina Iacob, Natnael Simachew Nigatu, Mpumelelo Nxumalo and Luka Klimaviciute et al.), Working without Borders: The Promise and Peril of Online Gig Work (World Bank, Washington DC, 2023) accessed 12 February 2026
[29] The Digital Personal Data Protection Act 2023, s 8(6)
[30] Li and Toh, ‘Data Subject Rights as a Tool for Platform Worker Resistance’ in Matsumi et al (eds), Data Protection and Privacy: In Transitional Times (Hart 2023) 119, 140–142.