SCC Times

Is the Absence of a Statutory Definition of “Harm” under the Digital Personal Data Protection Act, 2023 Likely to Create Interpretational Uncertainty in Privacy Adjudication?


There is a clear need for a uniform legislative definition of harm. The definition would reinforce the Act’s constitutional values of dignity, autonomy, and informational self-determination, while ensuring legal certainty, consistent adjudication, and proportionate enforcement.

Introduction

The term “harm” occupies a peculiar position in the Digital Personal Data Protection Act, 2023 (DPDPA). It is conspicuously implicated in the definitional provision, Section 2(u), which defines “personal data breach”; in Section 14, which confers the data principal’s right to nominate a representative; and in Section 27, which sets out the powers of the Data Protection Board of India (DPBI). Yet the term “harm” itself is nowhere defined.1 The term carries decisive legal consequences, but the architecture of the DPDPA gives it no content that would make it operative.2 Such ambiguities in Indian statutory drafting are not new. For nearly a decade, the Information Technology Act, 2000 used the term “damage” in Section 43 before judicial interpretation clarified its nature. In this context, the absence of a definition of “harm” is not merely an inconvenience but an invitation to adjudicative inconsistency that cuts against the statute’s own constitutional foundations.

The discussion in this article argues that the DPDPA’s failure to define “harm” creates uncertainty in enforcement, interpretation, and penalty assessment. It proposes a clear statutory definition encompassing material and non-material harms, grounded in constitutional values, to ensure consistency, fairness, and effective data protection while avoiding arbitrary or inconsistent regulatory outcomes.

The operative presence of “harm” in the DPDPA

Section 2(u)

Section 2(u) DPDPA defines a “personal data breach” as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data”.

Even though the term “harm” is not explicitly mentioned, the breach notification obligation under Section 8(6) arises immediately upon a breach, with no harm-capacity threshold: the duty to notify applies irrespective of whether the breach has any capacity to harm the data principals.3 The absence of a harm threshold thus creates a subsidiary definitional problem, wherein every unauthorised access, however trivial, technically triggers a notification. The result is compliance inflation that dilutes the protective function of the notification duty.

Section 27

The definitional gap caused by the absence of a definition of harm is most prominent in Section 27. Data principals submit their complaints to the DPBI under Section 27, and the DPBI then determines whether the data fiduciary has failed in its compliance duties.4 Section 27 empowers the DPBI, upon finding a contravention, to impose the monetary penalties specified in the Schedule to the DPDPA.5 The Schedule in turn ties the quantification of the penalty to the “nature, gravity and duration” of the non-compliance.6 However, neither provision defines the nature of the “harm” to a data principal that must be established, or the standard of proof that governs its determination. The Board is thus left to construct its own jurisprudence with no legislative anchor on the subject.

Section 14

Section 14 permits data principals to nominate other individuals to exercise their rights on their behalf in the event of death or incapacity.7 The provision assumes that the rights it protects, namely access, correction, erasure and grievance redressal, are sufficiently consequential to survive the death of the data principal. The link between these rights and harm prevention is self-evident but unstated. The silence is not immediately problematic, but it becomes so when a court or the DPBI is called upon to determine, posthumously, the threshold of harm that the deceased data principal’s rights were intended to guard against.

Sections 6 through 9

Sections 6 to 9 of the DPDPA lay down a comprehensive framework for how consent is to be obtained for processing personal data, but they fail to articulate “harm” as an explicit threshold for determining the unlawfulness of processing.8 Processing in the absence of consent is permitted under Section 7 only for specific purposes, each of which carries an implicit harm-avoidance rationale.9 However, without a statutory definition of harm, the implicit proportionality calibration underlying this provision remains opaque and susceptible to inconsistent application.

Interpretational uncertainty

The absence of a threshold for harm

One of the most fundamental uncertainties in the DPDPA arises from the fact that there is no identifiable point at which data processing or a breach becomes “harmful”. This matters because data-related consequences exist along a spectrum: at one end, a large-scale disclosure of sensitive financial information may lead to direct monetary loss; at the other, a minor unauthorised disclosure may have no tangible consequence at all.10 The Act offers no guidance on where along this spectrum harm begins.

In the absence of a proper statutory direction to determine harm, the following frameworks may emerge:

1. A subjective harm framework: Harm is determined on the basis of the individual data principal’s experience. This approach is sensitive to personal vulnerabilities but is unpredictable, since identical breaches may yield different outcomes depending on individual perception.11

2. An objective harm framework: Harm is assessed on the basis of whether a reasonable person in the same position would suffer harm. This may enhance consistency but may overlook structural inequalities: a reasonable-person standard that is not properly calibrated could undervalue the harm experienced by marginalised groups.12

The DPDPA does not indicate which framework should govern. This raises the risk of inconsistent application by the DPBI, potentially varying across cases or types of data fiduciaries.

The problem of correct taxonomy of harm

Even if a threshold were established, uncertainty would persist as to the kinds of harm that are legally cognizable. Comparative data protection frameworks recognise multiple categories: material harm, non-material harm, harm to autonomy such as loss of control over personal data, and systemic harm arising from loss of trust in the system.13

The Act does not clarify whether non-material or autonomy-based harms are actionable, and this omission has constitutional implications. In Puttaswamy case14 the Supreme Court held that the right to privacy is grounded in dignity, autonomy and informational self-determination, values that cannot be reduced to financial loss. A regime that recognised only material harm would therefore diverge from the constitutional foundation. In contrast, the European Union’s General Data Protection Regulation, 2016 (GDPR) explicitly includes non-material harm.15 Judicial interpretation has confirmed that distress or anxiety can be compensated if it is real and causally linked to a violation. In both S. Nambi Narayanan v. Siby Mathews16 and Nilabati Behera v. State of Orissa17, the Supreme Court affirmed that compensation may be awarded for non-tangible harm such as trauma, humiliation and reputational damage. While these cases serve as analogical support rather than direct authority, they affirm that constitutional remedies cannot be confined to pecuniary loss.

However, no equivalent clarity of this nature is provided in the DPDPA. The DPBI may thus either exclude such claims due to a lack of statutory basis or recognise them inconsistently, eventually undermining both deterrence and compensatory approaches.

Complexities involving the establishment of cause

Even if harm were recognised, establishing causation in data protection cases is a complex exercise. Data flows through multiple agencies and across multiple time-frames, and can be difficult to trace.

For example, financial loss following a data breach can be the result of a chain of events involving multiple intermediaries, external factors and independent criminal activity.

The DPDPA specifies no causation standard, so adjudication is left to the general principles of Indian tort law. Those doctrines were not designed for digital ecosystems, and the outcomes may misalign with the protective intent of the Act.18 In particular, traditional requirements for establishing direct causation may fail to capture systemic harms that emerge from large-scale data practices such as surveillance-driven models, even though the DPDPA does reference such models for determining harm to individuals.19

Complexities involving the calibration of penalties

The DPDPA’s Schedule prescribes a penalty of up to Rs 250 crores for failure to implement security safeguards and up to Rs 200 crores for violations involving the data of minors.20 However, the determination of the penalty is not anchored to any concept of harm; the Act refers only to general factors such as the “nature, gravity, and duration” of the non-compliance. Scholarship on the administration of penalties shows that, absent a concrete concept of harm, penalty calibration becomes discretionary to the point of risking both under- and over-enforcement. Penalties may be disproportionate to the actual harm or insufficient to reflect serious violations. This weakens both fairness and deterrence.21

Possibility of filling the gaps without legislative action

Constitutional interpretation

The most principled interpretive resource is the privacy framework developed in K.S. Puttaswamy (Privacy-9J.) v. Union of India.22 It protects bodily integrity, mental integrity and informational self-determination, and requires any interference with privacy rights to satisfy the test of proportionality. Applied to the DPDPA, it would suggest that harm includes any impairment, actual or likely, of these protected interests. Such an interpretation supports the recognition of non-material and autonomy-based harms and aligns the statute with constitutional values. However, Puttaswamy primarily addresses State action. Extending its principles to private data fiduciaries requires a form of horizontal application that remains doctrinally unsettled in Indian law.23 While the DPDPA must be interpreted consistently with constitutional rights, the mechanism for importing constitutional harm concepts into statutory adjudication is unclear.

Purposive interpretation

The Statement of Objects and Reasons to the DPDPA emphasises balancing individual rights with lawful data processing.24 A purposive reading would infer that harm includes the consequences the Act seeks to prevent, such as financial, physical or reputational damage. However, purposive interpretation lacks the legal certainty of explicit statutory language; its conclusions are inherently provisional and vary across jurisdictions, which limits its efficacy as a substitute for statutory text.25

Comparative law

The EU’s GDPR provides a detailed articulation of harm covering financial, reputational, emotional and social consequences, as well as loss of control over data.26 Similarly, in the UK, regulatory practice under the Data Protection Act, 2018 (UK) and ICO (Information Commissioner’s Office) guidance recognises multiple harm categories while excluding trivial claims.27 While these regimes are instructive, they are not binding in the Indian legal regime. Their adoption would require deliberate and consistent comparative reasoning by the DPBI, something yet to be established in its adjudicatory practice. Selective borrowing risks inconsistency and normative distortion, but these regimes can also serve as useful guides that are readily available for the speedy drafting and incorporation of provisions into the current Indian regime on data protection.28

Regulatory Guidance

The DPBI and the Central Government have the power to issue guidelines and rules to clarify the concept of “harm”.29 While this route offers flexibility and speed, subordinate legislation cannot substitute for a statutory definition. Guidelines may lack the authority, permanence and democratic legitimacy of primary legislation, leaving them vulnerable to legal challenge. Judicial observations in cases such as Indian Express Newspapers (Bombay) (P) Ltd. v. Union of India30 and State of T.N. v. P. Krishnamurthy31 indicate that guidelines may supplement primary legislation but cannot resolve a structural gap in it.

The case for legislative intervention

From the discussion above, it is evident that a statutory definition of harm is necessary, keeping the following elements in mind:

1. The rule of law: Individuals and organisations must know in advance what constitutes harmful conduct and what its consequences are. An undefined harm standard undermines legal certainty.

2. Coherence with constitutional standards: The enforcement of the DPDPA, which is rooted in privacy, must consistently reflect dignity, autonomy and informational self-determination.

3. Effective deterrence: In the absence of a defined concept of harm, the penalty regime risks either chilling legitimate processing or failing to prevent harmful conduct.

Thus, a workable statutory definition would have to define “harm” as any adverse consequence caused, being caused, or likely to be caused to a data principal, including but not limited to32:

“1. Discrimination.

2. Financial loss.

3. Loss of autonomy over personal data.

4. Loss of employment or livelihood.

5. Other significant economic, social, or personal disadvantages.

6. Physical injury or safety risks.

7. Psychological distress.

8. Reputational damage.”

This definition is inspired by the GDPR framework, not derived from it. Adjudicators would still have to consider contextual factors such as the nature of the data, the context in which it was processed, the vulnerability of the data principal and the reasonable expectations at the time of collection.33

This approach has several advantages. It aligns with constitutional principles by explicitly including dignity and autonomy harms while also recognising informational self-determination as an independent interest. Most importantly, it incorporates a contextual analysis that allows harm to be assessed in a manner that is relative to the norms governing specific data relationships. Lastly, it also remains open-ended, enabling the recognition of new harm categories as technology evolves.

Conclusion

The silence of the DPDPA on what precisely constitutes harm is not a minor drafting omission but a structural weakness that adversely impacts its operative provisions. As seen from Sections 2, 6 to 9, 14 and 27, the Act implicitly relies on harm as a triggering and calibrating factor yet fails to define its threshold or evidentiary standards. The resulting interpretational uncertainty forces the DPBI to navigate subjective, objective or risk-based frameworks without legislative guidance, and to determine causation and penalties in an inconsistent and potentially arbitrary manner. Even if the DPBI or the courts draw on constitutional interpretation, purposive reading, comparative frameworks and regulatory guidance, each is only a partial solution, lacking the authority, clarity and uniformity that only statutory articulation can provide.

There is a clear need for a uniform legislative definition of harm. The definition would reinforce the Act’s constitutional values of dignity, autonomy, and informational self-determination, while ensuring legal certainty, consistent adjudication, and proportionate enforcement. Most importantly, the recognition of both material and non-material harms, and incorporating a contextual and forward-looking approach, would strengthen deterrence without stifling legitimate data practices. Ultimately, without explicitly defining harm, the DPDPA risks undermining its own protective purpose; with it, the Act can evolve into a coherent and effective data protection regime.


*Legal Counsel, Blancco Technology Group. Author can be reached at: pen.paper.law@gmail.com.

**Jr. Legal Counsel, Blancco Technology Group. Author can be reached at: shayna.jagtap@gmail.com.

1. Digital Personal Data Protection Act, 2023, Ss. 2(u), 14 and 27.

2. Sriya Sridhar, “The Elephant Not in the Room: The DPDPA’s Failure to Regulate Behavioural Tracking” (7-5-2024) Law School Policy Review, available at <https://lawschoolpolicyreview.com/2024/05/07/the-elephant-not-in-the-room-the-dpdpas-failure-to-regulate-behavioural-tracking/> last accessed 15-4-2026.

3. Digital Personal Data Protection Act, 2023, S. 8(6).

4. Digital Personal Data Protection Act, 2023, S. 27.

5. Ibid.

6. Digital Personal Data Protection Act, 2023, Sch.

7. Digital Personal Data Protection Act, 2023, S. 14.

8. Digital Personal Data Protection Act, 2023, Ss. 6, 7, 8 and 9.

9. Digital Personal Data Protection Act, 2023, S. 7.

10. Daniel J. Solove, “A Taxonomy of Privacy” (2006) 154 University of Pennsylvania Law Review 529—531.

11. Ryan Calo, “The Boundaries of Privacy Harm” (2011) 86 Indiana Law Journal 1145—1146.

12. Ryan Calo, “The Boundaries of Privacy Harm” (2011) 86 Indiana Law Journal 1147—1149.

13. Daniel J. Solove, “A Taxonomy of Privacy” (2006) 154 University of Pennsylvania Law Review 524—529.

14. K.S. Puttaswamy (Privacy-9J.) v. Union of India, (2017) 10 SCC 1.

15. General Data Protection Regulation, 2016, Recital 85.

16. S. Nambi Narayanan v. Siby Mathews, (2018) 10 SCC 804.

17. (1993) 2 SCC 746 : 1993 SCC (Cri) 527.

18. Digital Personal Data Protection Bill, 2023. PRS Legislative Research, “The Digital Personal Data Protection Bill, 2023 Ministry: Electronics and Information Technology”, available at <https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023> last accessed 15-4-2026.

19. Digital Personal Data Protection Bill, 2023.

20. Digital Personal Data Protection Act, 2023, Sch.

21. Jerry L. Anderson and Amy Grace Vaughan, “Environmental Penalties: Discretion and Disparity” (2023) 42 Stanford Environmental Law Journal 7.

22. (2017) 10 SCC 1.

23. Anujay Shrivastava, “Indian Supreme Court’s Judgment on ‘Horizontal Application’ of Fundamental Rights: An ‘Unconstitutional Informal Constitutional Change’?” (31-1-2023) IACL-AIDC Blog, available at <https://blog-iacl-aidc.org/2023-posts/2023/1/31/indian-supreme-courts-judgment-on-horizontal-application-of-fundamental-rights-an-unconstitutional-informal-constitutional-change> last accessed 15-4-2026.

24. Digital Personal Data Protection Act, 2023, S. 8, available at <https://www.dpdpa.com/dpdpa2023/chapter-2/section8.html> last accessed 15-4-2026.

25. Maneka Gandhi v. Union of India, (1978) 1 SCC 248; Internet Governance Blog (Centre for Internet and Society), available at <https://cis-india.org/internet-governance/blog> last accessed 15-4-2026.

26. General Data Protection Regulation, 2016, Recitals 85 and 75.

27. Vidal-Hall v. Google Inc., [2015] EWCA Civ 311; Data Protection Act, 2018, S. 168 (United Kingdom).

28. Vaibhav Dharod and Kevin Tauro, “Assessing India’s Digital Personal Data Protection Act, 2023: A Comparative Study with the GDPR” (2025) 7(2) Indian Journal of Law and Legal Research 1325.

29. Digital Personal Data Protection Act, 2023, S. 40.

30. (1985) 1 SCC 641 : 1985 SCC (Tax) 121 : (1986) 159 ITR 856.

31. (2006) 4 SCC 517.

32. General Data Protection Regulation, 2016, Recitals 85 and 75, and Art. 82.

33. Anujay Shrivastava, “Indian Supreme Court’s Judgment on ‘Horizontal Application’ of Fundamental Rights: An ‘Unconstitutional Informal Constitutional Change’?” (31-1-2023) IACL-AIDC Blog, available at <https://blog-iacl-aidc.org/2023-posts/2023/1/31/indian-supreme-courts-judgment-on-horizontal-application-of-fundamental-rights-an-unconstitutional-informal-constitutional-change> last accessed 15-4-2026.
