India is the second-largest internet market in the world, with more than 760 million active internet users. Both the Consumer Protection Act 2019 and the Digital Personal Data Protection Act (DPDP Act) of 2023 offer a multi-faceted approach to protecting individuals’ data in the digital age.
Data protection laws aim to safeguard the personal information of individuals, fostering a sense of trust that their data will be handled responsibly. On the other hand, consumer protection law seeks to ensure that individuals are not misled or subjected to unfair practices when engaging with businesses and services. On the other hand, the CPA protects consumers from unfair practices and misleading business and service interactions. Consumers can seek compensation through the appropriate consumer redressal commission if their data is breached. The CPA also allows individuals to file complaints as a class.
Both DPDP and CPA have jurisdiction to inquire into unlawful/unauthorised disclosure of personal data. However, the DPDP Act has a broader scope, primarily because the definition of a ‘data principal’ under the DPDP Act is more expansive than that of a ‘consumer’ under the CPA. Central Consumer Protection Authority (CCPA) has many powers, including investigating complaints about unfair trade practices or violations of consumer rights. The CCPA can also take action on its own or when directed by the central government. The CCPA under Section 20 of the CPA-2019 can pass an order for the discontinuation of unfair practices. Further, under Section 88 of the CPA, failure to comply with such an order of the CCPA may entail imprisonment for a term extending to six months in addition to a fine extending to twenty lakh rupees, or both. Further, the CCPA can also approach the appropriate Consumer Redressal Commission to protect and enforce consumer rights as a class.
Individual consumers have the option of seeking compensation by approaching the appropriate consumer redressal commission. However, DPB does not contemplate payment of compensation to the affected data principals. Therefore, individuals who are consumers as defined under the CPA can seek compensation for a breach of their personal data. Further, given that the CPA also recognises the right of individuals to make a complaint as a ‘class’, it is possible for individuals aggrieved from a data breach, including owing to negligence, to seek compensation under the CPA.
Data Privacy and Protection Bill, 2019 bill states that data processors can only process personal data for the purpose it was collected for. It also states that data controllers are liable for the actions of data processors. Thus, the digital protection to individuals under CPA includes disclosure of personal information given in confidence by a consumer as an unfair trade practice unless “such disclosure is made in accordance with the provisions of any law for the time being in force”.
Related Posts:
PURPOSE, PREAMBLE, EXTENT CONSUMER PROTECTION ACT 2019 NOT OVERRIDING ANY OTHER LAW
SALIENT NEW ASPECTS OF CONSUMER PROTECTION ACT, 2019
DEFINITIONS IN CONSUMER PROTECTION ACT 2019: NEW ADDITIONS
NCDRC AND CONSUMER DISPUTES REDRESSAL COMMISSIONS IN INDIA
VARIOUS FORA OF CONSUMER PROTECTION COUNCILS IN INDIA
CENTRAL CONSUMER PROTECTION AUTHORITY: THE REGULATOR
EXPLAINED: PRODUCT LIABILITY UNDER THE CONSUMER PROTECTION ACT 2019
MEDIATION PROCESS UNDER THE CONSUMER PROTECTION ACT 2019
UNFAIR CONTRACTS AND UNFAIR TRADE PRACTICES DEFINED UNDER CPA 2019
JURISDICTIONS, COMPLAINTS, APPEALS, AND PUNISHMENTS UNDER CONSUMER DISPUTE REDRESSAL COMMISSIONS