Digital Impunity or Sovereign Immunity? State Liability in Cyber Breaches.
India is building one of the world's most ambitious digital infrastructures and with that ambition comes a growing risk. Cyber attacks on government institutions are no longer rare or isolated incidents.
INTRODUCTION
India is building one of the world's most ambitious digital infrastructures and with that ambition comes a growing risk. Cyber attacks on government institutions are no longer rare or isolated incidents. The past decade has seen three significant government data breaches, but two stand out in particular. The Aadhaar data leak of 2018 which exposed the personal details of over a billion Indians.1 The AIIMS Delhi ransomware attack of 2023 which wiped out one of the country's most critical hospitals, compromising sensitive patient records.2 Recently, a teenage student posted on X (formerly Twitter) exposing serious security flaws in the CBSE's Online Screen Marking (OSM) portal a system that handles the answer sheets of millions of students.3 Each of these incidents raises a critical question: what happens when it is the government itself that fails to protect individual’s data? If a private company leaked your information, the path to accountability while not easy is at least familiar. But when a state institution is responsible, the legal landscape becomes questionable. Who to hold accountable? What remedies does the law actually offer? And most importantly, does the law even keep up with the scale of the problem?
BACKGROUND
Critical Infrastructure refers to the systems and services essential to a nation's functioning hospitals, power grids, financial networks, and government portals. A disruption to any of these can cascade across society.4 Data Breach is a security incident where unauthorised individuals gain access to sensitive information personal data, financial records, or government databases often through cyberattacks, malware, or human error.5 In India, the legal framework governing these threats includes the Information Technology Act, 2000,6 the Digital Personal Data Protection Act, 2023 (DPDPA),7 and CERT-In (the Computer Emergency Response Team), which handles incident reporting and response. When government systems are breached, the concern is uniquely serious the state holds your most sensitive data, yet remains the least accountable party when it fails to protect it.
CRITICAL ANALYSIS
The Central Issue
Whether the Indian law actually hold the government accountable when it fails to protect data? On paper, the answer seems promising. The Information Technology Act, 2000, the Digitial Personal Data Protection Act, 2023, and CERT-In (Indian Computer Emergency Response Team) together form a framework that acknowledges cyber threats and places obligations on data handlers. But a framework existing on paper and one delivering real remedies to real citizens are two very different things.
Who Is Actually Responsible?
One of the most immediate problems a breach victim faces is figuring out who to hold responsible. A single government digital system involves multiple layers, the department that owns the data, a private contractor that built the portal, and a vendor whose product may have introduced the vulnerability. When the CBSE's OSM portal exposed critical security flaws, no entity was straightforwardly liable. Under Section 43A of the IT Act and Sections 8(5) and 33 of the DPDP Act, obligations run primarily toward regulatory compliance and state-directed penalties not toward compensating affected individuals leaving citizens to navigate a web of actors with no clear answer.8
The Statutory Framework
The statutory framework reveals how crumbled the situation is. Under the IT Act, Section 43A places liability on "body corporates" that fail to maintain reasonable security practices but government departments do not squarely fall within this definition, creating a gap. Section 66 criminalises dishonest or fraudulent computer-related acts, targeting individual bad actors rather than institutional failures. Sections 70 and 70A empower the government to declare "protected systems" and establish (National Critical Information Infrastructure Protection Centre) NCIIPC yet these provisions focus on securing systems , not remedying breaches after they occur. Section 70B establishes CERT-In as the nodal agency for incident response, but its mandate is technical coordination and reporting.9
The DPDP Act adds further layers without resolving the core problem. Section 8 places general obligations on Data Fiduciaries to implement appropriate security safeguards, but the standard of "appropriate" remains dynamic.
Mainly, Section 17 of the DPDP Act exempts the state from data protection obligations where processing is undertaken for purposes of national security, public order, or sovereignty. This exemption is broad and subject to no meaningful judicial oversight mechanism within the Act itself. The very entity holding the largest volumes of citizen data “the government” can lawfully sidestep the Act's core protections by invoking Section 17. For a citizen whose data has been compromised through a government operated system, this provision is the most significant barrier to accountability the statute creates.
The above mentioned provisions create a compliance architecture which revolves around institutional reporting and regulatory enforcement not a citizen-facing remedy when a government operated system fails.10
CONSTITUTIONAL RECOGNITION WITHOUT CLEAR REMEDY
In K.S. Puttaswamy v. Union of India (2017),11 the Supreme Court held that privacy is a fundamental right and that informational privacy falls squarely within its scope. This principle found direct application in the context of Aadhaar when the Court in Justice K.S. Puttaswamy (Retd) v. Union of India (2018)12 examined the Aadhaar scheme itself, acknowledging that the mass collection and centralised storage of biometric data by the state must be proportionate and subject to adequate safeguards. Yet constitutional recognition of a right and a workable remedy for its breach are not the same thing. The 2018 Aadhaar judgment confirmed that the state cannot collect your data arbitrarily but when the 2018 Aadhaar data breach exposed over a billion records, affected citizens had no clear legal pathway to compensation. Puttaswamy tells you a wrong has occurred. It does not tell you how to get remedy for it.
The Government Exemption Problem
Both the IT Act and the DPDP Act permit the government to override data protection obligations on grounds of national security and public order. These exemptions are broad and loosely defined, creating a situation where the entity most capable of failing to protect your data also holds the greatest legal cover to escape scrutiny.
In Nilabati Behera v. State of Orissa (1993),13 the Supreme Court confirmed that the state can be directed to pay compensation for fundamental rights violations. It’s Significant but cyber breaches do not map neatly onto traditional state action. Proving that inadequate cybersecurity directly caused a citizen's harm remains a formidable challenge.
A Framework Full of Contradictions
Privacy is constitutionally protected, yet post breach remedies remain undefined. The government is obligated to safeguard data, yet exempt in broad circumstances. Regulation exists, yet accountability remains fragmented. India has the scaffolding of accountability what it lacks is the mechanism to make that accountability real.
COMPARATIVE ANALYSIS: INDIA v. EUROPEAN UNION
India's DPDP Act and the European Union's General Data Protection Regulation (GDPR)14 share a common goal which is protecting personal data but approach is very different. The GDPR is built on a rights based foundation. Article 5 enshrines data protection principles including purpose limitation, data minimisation, and accountability as binding obligations. Article 82 grants individuals an explicit right to compensation from any controller or processor whose breach caused them damage material or non-material. The DPDP Act, by contrast, takes a regulatory approach. Section 8 places obligations on Data Fiduciaries to maintain security safeguards, but does not grant citizens a corresponding right to sue for damages. Where the GDPR creates a direct private right of action, the DPDP Act routes grievances through the Data Protection Board under Sections 27 onwards a regulatory body empowered to impose penalties on defaulters, not to compensate victims. On breach notification, GDPR Article 33 requires controllers to notify supervisory authorities within 72 hours of discovering a breach, and Article 34 mandates direct notification to affected individuals where the breach poses a high risk. India's Section 16 of the DPDP Act requires notification to the Board, but places no obligation to directly inform affected citizens within a defined timeframe. The sharpest difference lies in government exemptions. Article 23 of the GDPR permits member states to restrict data protection obligations for national security purposes, but such restrictions must be necessary, proportionate, and subject to judicial oversight. India's Section 17 of the DPDP Act grants the state significantly broader exemptions with no comparable oversight mechanism built into the statute itself. Both frameworks are attempting to solve the same problem. The EU has simply built more accountability into its architecture and India's framework is still catching up.
Conclusion
Cyber breaches in government operated digital infrastructure are not merely technical failures they are failures that directly affect the privacy and fundamental rights of citizens. Indian law has moved in the right direction. The IT Act, the DPDP Act, and constitutional recognition of informational privacy together signal that data protection is taken seriously as a legal concern. Yet when a public authority is the one that fails, accountability becomes uncertain. Identifying the responsible party is difficult, compensation mechanisms are underdeveloped, and broad government exemptions can shield the state from accountablity and judicial scrutiny. The central challenge India faces is not the absence of regulation the framework exists. But that regulations does not apply when a government authority is involved in the data breaches.
A way forward:
The government collects personal data from its citizens from the moment they are born until they die. Aadhaar, medical records, tax details, educational certificates the state holds more information about you than any private company ever could. That level of data collection must come with an equal level of responsibility. When a government breach happens at this scale, paying compensation is not a practical solution. What matters more is that the government tells citizens exactly what happened, whose data was affected, and what steps are being taken to fix it. Where possible, affected citizens should be helped to update or replace their compromised credentials. India can learn from the EU here. The GDPR requires governments and organisations to inform both regulators and affected individuals when a breach occurs, within a strict timeframe. It also limits how broadly governments can exempt themselves from accountability. India's DPDP Act is a step in the right direction but it needs to go further. When the government holds your most sensitive information, being accountable for its safety should not be optional.
1 Resecurity, 'PII Belonging to Indian Citizens, Including Their Aadhaar IDs, Offered for Sale on the Dark Web' (Resecurity, 31 October 2023) https://www.resecurity.com/blog/article/pii-belonging-to-indian-citizens-including-their-aadhaar-ids-offered-for-sale-on-the-dark-web accessed 16 June 2026.
2 Yash Raj and Dr Kritika Nagpal, 'Cybercrime, Data Breaches & Cybersecurity In India' (2025) 12(4) TIJER 54, 55.
3 Maitri Porecha, '19-year-old student hacked CBSE's OSM portal, exposed severe vulnerabilities' The Print (New Delhi, 26 May 2026) https://theprint.in/feature/19-student-hacked-cbses-osm-portal-vulnerabilities/2942305/ accessed 12 June 2026.
4 IBM, 'What is critical infrastructure?' (IBM) https://www.ibm.com/think/topics/critical-infrastructure accessed 13 June 2026.
5 Palo Alto Networks, 'What is a data breach?' (Palo Alto Networks) https://www.paloaltonetworks.com/cyberpedia/data-breach accessed 13 June 2026.
6 Information Technology Act 2000.
7 Digital Personal Data Protection Act 2023.
8 Information Technology Act 2000, s 43A (as amended by Information Technology (Amendment) Act 2008), and s 70B; Digital Personal Data Protection Act 2023, ss 8(5) and 33.
9 Information Technology Act 2000, ss 43A, 66, 70, 70A and 70B.
10 Digital Personal Data Protection Act 2023, ss 8 and 17.
11 Justice KS Puttaswamy (Retd) v Union of India (2017) 10 SCC 1.
12 Justice KS Puttaswamy (Retd) v Union of India (2018) 1 SCC 809.
13 Nilabati Behera v State of Orissa (1993) 2 SCC 746.
14 Regulation (European Union) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1, arts 5, 23, 33, 34, 82.