Introduction
In an age dominated by digital services, online platforms such as e-commerce websites, social media networks, streaming platforms, fintech apps, and cloud services hold vast volumes of personal data. This includes names, contact information, passwords, financial data, biometric records, and behavioral patterns. As custodians of this data, these platforms carry significant legal obligations to protect it from unauthorized access, misuse, leaks, and breaches. In India, these obligations arise from a combination of statutory law, sector-specific regulations, and emerging data protection frameworks, notably the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology Act, 2000.
1. Obligation to Implement Reasonable Security Practices (IT Act, 2000)
Under Section 43A of the Information Technology Act, 2000, a body corporate (including an online platform) that possesses, deals with or handles sensitive personal data or information in a computer resource it owns, controls or operates, and is negligent in implementing and maintaining reasonable security practices and procedures, is liable to pay damages by way of compensation to any person who suffers wrongful loss (or to whom it causes wrongful gain) as a result. Such claims are adjudicated under Section 46 of the Act. Note that Section 44 of the DPDPA, 2023 omits Section 43A once the relevant provisions of the DPDPA are brought into force, so the compensation route described here is being replaced by the DPDPA's penalty regime.
The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules) further require online platforms that handle sensitive personal data to:
- Formulate and publish a privacy policy on their website (Rule 4)
- Clearly disclose the security practices followed, the purposes of data collection, and the procedure for obtaining consent before collecting sensitive personal data (Rules 4 and 5)
- Implement a documented information security programme; the Rules name IS/ISO/IEC 27001 as a benchmark standard, and allow industry codes of best practice approved and notified by the Central Government as an alternative (Rule 8)
- Have those practices certified or audited by an independent auditor approved by the Central Government at least once a year, or whenever the platform significantly upgrades its processes or systems (Rule 8)
- Implement the technical controls such a standard entails: access controls, encryption, audit trails, and regular security testing
Failure to follow these practices can lead to legal action, penalties, and reputational damage.
2. Data Protection Obligations Under DPDPA, 2023
The Digital Personal Data Protection Act, 2023 imposes specific, enforceable obligations on Data Fiduciaries, that is, any entity that alone or with others determines the purpose and means of processing personal data, which includes online platforms. Key obligations include:
a. Purpose Limitation and Minimization
Platforms may only process personal data for a specified, lawful purpose for which the user has given consent (or which falls within the "legitimate uses" listed in Section 7 of the Act), and consent extends only to the personal data necessary for that purpose (Section 6). Collecting unnecessary data or using it for an unrelated purpose is a breach of the Act.
b. Implementation of Security Safeguards
Section 8(5) of the DPDPA requires a Data Fiduciary to protect the personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking "reasonable security safeguards" to prevent a personal data breach. The Act itself does not enumerate the safeguards; in practice they include technical and organisational measures such as:
- Encryption of personal data at rest and in transit
- Regular audits and vulnerability assessments
- Role-based access control, with access limited to what each role needs
- Anonymisation and de-identification where appropriate
- Contractual and technical controls over Data Processors, since the Fiduciary remains responsible for processing done on its behalf
c. Breach Notification
If a personal data breach occurs, Section 8(6) requires the platform to notify both the Data Protection Board of India (DPBI) and each affected Data Principal, in the form and manner prescribed by the rules under the Act. Notification of affected users is therefore mandatory, not optional. Prompt notification is crucial for users to take precautionary measures (changing passwords, watching for fraud) and for the regulator to assess the extent of harm.
d. Consent and Transparency
Platforms must obtain consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, before processing personal data (Section 6), unless the processing falls within the legitimate uses listed in Section 7. The request for consent must be accompanied or preceded by a notice (Section 5) explaining what personal data is collected, the purpose of processing, how the user can exercise their rights, and how to complain to the Board. Withdrawing consent must be as easy as giving it.
e. Data Retention and Deletion
Platforms may retain personal data only for as long as the specified purpose requires. Under Section 8(7), the data must be erased when the user withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, and the platform must also cause its Data Processors to erase it, unless retention is necessary to comply with another law in force.
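The erasure rule described above (erase when the purpose is served or consent is withdrawn, whichever comes first, subject to a statutory retention requirement, and make sure every processor holding a copy erases too) is easy to state but easy to get wrong in a retention job. The following Python sketch is an added illustration, not code from the original article or from any regulator: the record layout, the `legal_hold_until` field, the processor list and the sample records are all assumptions made for the example.

```python
"""
Retention sweep for personal data (added example; record layout and sample
data are assumptions, not anything prescribed by the Act or the Rules).

Rule encoded:
  erase_at = earlier of (purpose completed, consent withdrawn)
  a statutory retention requirement can only push erase_at later, never cancel it
  every Data Processor holding a copy must be told to erase as well
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


def dt(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp, so comparisons never mix naive and aware values."""
    return datetime(year, month, day, tzinfo=UTC)


@dataclass
class Record:
    record_id: str
    purpose: str
    purpose_completed_at: Optional[datetime] = None   # None = purpose still being served
    consent_withdrawn_at: Optional[datetime] = None   # None = consent still in force
    legal_hold_until: Optional[datetime] = None       # statutory retention floor, if any
    processors: list = field(default_factory=list)    # third parties holding copies


def erasure_due_at(rec: Record) -> Optional[datetime]:
    """When this record must be erased, or None if no erasure trigger has fired."""
    triggers = [t for t in (rec.purpose_completed_at, rec.consent_withdrawn_at) if t is not None]
    if not triggers:
        return None
    due = min(triggers)                      # "whichever is earlier"
    if rec.legal_hold_until is not None and rec.legal_hold_until > due:
        due = rec.legal_hold_until           # law requires keeping it a while longer
    return due


def erasure_reason(rec: Record) -> str:
    """Which trigger fired first; useful for the audit trail of the deletion."""
    if rec.consent_withdrawn_at is not None and (
        rec.purpose_completed_at is None or rec.consent_withdrawn_at <= rec.purpose_completed_at
    ):
        return "consent withdrawn"
    return "purpose served"


def retention_status(rec: Record, now: datetime) -> str:
    """'retain' (no trigger yet), 'legal_hold' (trigger fired, law requires keeping), or 'erase'."""
    due = erasure_due_at(rec)
    if due is None:
        return "retain"
    if due > now:
        return "legal_hold" if rec.legal_hold_until is not None and due == rec.legal_hold_until else "retain"
    return "erase"


def build_erasure_jobs(records: list, now: datetime) -> list:
    """Records whose erasure date has arrived, with every party that must erase a copy."""
    jobs = []
    for rec in records:
        if retention_status(rec, now) != "erase":
            continue
        jobs.append({
            "record_id": rec.record_id,
            "reason": erasure_reason(rec),
            "due": erasure_due_at(rec),
            "erase_from": ["fiduciary"] + list(rec.processors),  # processors must erase too
        })
    return jobs


# Constructed sample data (assumed, for illustration only).
SAMPLE_RECORDS = [
    Record("r1", "order fulfilment", purpose_completed_at=dt(2024, 1, 10), processors=["courier-api"]),
    Record("r2", "invoicing", consent_withdrawn_at=dt(2024, 3, 1),
           legal_hold_until=dt(2026, 4, 1)),                      # e.g. tax records must be kept
    Record("r3", "account"),                                      # active user, nothing to erase
    Record("r4", "marketing", purpose_completed_at=dt(2024, 6, 1),
           consent_withdrawn_at=dt(2024, 5, 15), processors=["email-vendor"]),
]
NOW = dt(2024, 12, 31)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, retention_status(rec, NOW))
    for job in build_erasure_jobs(SAMPLE_RECORDS, NOW):
        print(job)
```

Run as-is, the sweep erases r1 (purpose served) and r4 (consent withdrawn before the purpose completed, so the earlier date governs), keeps r3 because no trigger has fired, and holds r2 until the statutory retention period runs out. The `erase_from` list is what makes the "cause its Data Processor to erase" duty actionable: a deletion that only touches the platform's own database is incomplete.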
f. Grievance Redressal Mechanism
Online platforms must provide an effective grievance redressal mechanism (Section 8(10)) and publish the business contact information of their Data Protection Officer, where one is required, or of a person who can answer users' questions about the processing of their data (Section 8(9)). Users have a right to have grievances addressed (Section 13), and must have used this mechanism before approaching the Board with a complaint.
3. Obligation to Conduct Data Protection Impact Assessments (for Significant Platforms)
The Central Government may notify a platform as a Significant Data Fiduciary under Section 10 based on factors such as the volume and sensitivity of the personal data it processes, the risk to users' rights, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order. A platform so notified must:
- Appoint a Data Protection Officer (DPO) based in India, answerable to its board of directors and acting as the point of contact for grievances
- Appoint an independent data auditor to evaluate its compliance with the Act
- Carry out periodic Data Protection Impact Assessments (DPIA) covering the rights of Data Principals, the purpose of processing and the associated risks
- Undergo periodic audits and any other measures the rules prescribe
This ensures that high-risk processing activities, such as biometric analysis or profiling, are evaluated for their potential harm before being launched.
4. Compliance with Sector-Specific Regulations
Certain sectors impose additional cybersecurity obligations:
- RBI (for banks and fintech): Requires compliance with its cyber security framework for banks and directions for regulated entities, including a cyber crisis management plan and reporting of cyber incidents within hours (the 2016 framework for banks sets a two-to-six-hour reporting window)
- IRDAI (for insurance platforms): Its information and cyber security guidelines mandate controls such as data encryption, business continuity and disaster recovery protocols
- SEBI (for stock-broking and market platforms): Its cyber security and cyber resilience framework requires strong IT governance, audit trails and incident reporting
- CERT-In (the national incident response agency under MeitY): Issues binding directions under Section 70B of the IT Act on handling, reporting and responding to cyber incidents; its April 2022 directions require covered incidents to be reported to CERT-In within six hours of being noticed and ICT system logs to be retained for 180 days
Non-compliance can lead to regulatory sanctions, license suspension, or financial penalties.
5. International Obligations and Cross-Border Transfers
Platforms operating across borders must also comply with foreign data protection laws such as the GDPR (EU) or the CCPA (California), which impose their own security and breach notification requirements.
The DPDPA does not require transfers to go only to approved countries. Instead, Section 16 permits transfer of personal data outside India except to countries or territories that the Central Government restricts by notification, and it expressly preserves any sectoral law that provides a higher degree of protection or restriction, such as the RBI's requirement that payment system data be stored in India. Wherever the data goes, the platform remains responsible for protecting it.
6. Penalties for Non-Compliance
Under the DPDPA, the Board may impose monetary penalties set out in the Schedule to the Act, including:
- Up to ₹250 crore for each instance of failing to take reasonable security safeguards to prevent a personal data breach
- Up to ₹200 crore for failing to notify the Board or affected Data Principals of a breach
- Up to ₹150 crore for a Significant Data Fiduciary that fails to meet its additional obligations
- Up to ₹50 crore for other breaches of the Act
The Board may also direct urgent remedial or mitigation measures after a breach and accept voluntary undertakings, and where penalties have been imposed on a platform in two or more instances, the Central Government may on the Board's reference order public access to the platform's service to be blocked (Section 37). The DPDPA does not itself award compensation to individuals.
Under Section 43A of the IT Act, individuals can currently claim compensation for harm suffered due to a platform's negligence in securing sensitive personal data; as noted above, that provision is omitted by the DPDPA once its relevant sections take effect.
7. Examples of Breach Accountability
- In 2020, the BigBasket data breach exposed roughly 20 million user records, which were subsequently offered for sale. Users demanded clarity and compensation, highlighting the importance of breach preparedness and prompt disclosure.
- In 2021, the Domino's India breach exposed order histories, phone numbers and delivery addresses of millions of customers, raising concerns over how contact and location data was stored and protected.
- Globally, Equifax agreed to a settlement of around US$700 million after its 2017 breach, and Facebook was fined US$5 billion by the US FTC in 2019 for privacy failures, showing the scale of liability regulators elsewhere attach to failing to protect user data.
8. Best Practices for Legal Compliance
To meet their legal obligations, online platforms should adopt:
- Privacy-by-design principles in product development, so that data minimisation and retention limits are built into systems rather than bolted on
- Regular penetration testing, vulnerability assessment and security audits
- Multi-factor authentication for administrative and privileged access
- Employee training on data privacy and incident handling
- Secure API management and hardened cloud configurations, with logging sufficient to investigate and report a breach within the applicable deadlines
Conclusion
Online platforms are legally obligated to act as responsible stewards of personal data. India’s legal landscape, led by the IT Act and the DPDPA, places significant responsibility on platforms to implement robust cybersecurity measures, obtain informed consent, provide transparency, and ensure breach response readiness. Compliance not only avoids legal penalties but also builds trust, enhances customer loyalty, and promotes long-term business sustainability in the digital era.