THE FRAGILE ILLUSION OF PRIVACY

Juris Prime Law Services

Lessons From The Apple Data Breach And Remedial Steps That Can Be Taken By India In Light Of The New Data Privacy Act

By K. Sidharth Reddy

 

  1. INTRODUCTION

In an era where personal data is a currency as valuable as gold, the Government has taken commendable steps towards protecting this new-age currency by enacting The Digital Personal Data Protection Act, 2023 and the rules made under it (“DPDPA”), with the aim of protecting personal data, deterring data aggregators from collecting more data than is required, and ensuring that such breaches do not take place in India. The enactment of the DPDPA is particularly relevant in light of the recent privacy controversy surrounding Apple Inc. (“Apple”) and its voice assistant, “Siri”[1], which serves as yet another wake-up call. Apple, a company that has long prided itself on its commitment to security and user privacy, now finds itself at the center of controversy. The episode not only exposes vulnerabilities in even the most fortified digital ecosystems but also raises critical questions about how much control users truly have over their data, especially with respect to voice assistants like Siri: an assistant that is always listening for its wake word can be activated unintentionally and record conversations, potentially collecting sensitive personal data without explicit user consent. This undermines users’ right to control their own information and exposes them to unauthorized data access and surveillance risks.

This incident underscores the evolving nature of cybersecurity threats, the limits of corporate safeguards, and the urgent need for stronger regulatory frameworks. As we dissect the implications, one thing remains clear—data privacy is no longer a given; it’s a battle that must be fought continuously.

  2. IMPLICATIONS

The Siri privacy breach has raised concerns among users about the actual level of protection offered by technology companies, despite their claims of prioritizing data privacy. This incident is particularly alarming given Apple’s reputation as a leading advocate for user privacy in the smartphone industry. Furthermore, the settlement reached by Apple in the class action lawsuit[2] amounts, prima facie, to $95 million, but on perusal of the finer details it can be discerned that individual claimants are entitled to receive paltry compensation of up to $20 per qualifying device, and only upon satisfaction of the following conditions (“Relevant Conditions”):

  • If the individual claiming the compensation has owned a Siri-enabled Apple device (such as an iPhone, iPad, Apple Watch, Mac, HomePod, or AirPods) in the United States between September 17, 2014, and December 31, 2024; and
  • If the individual has experienced any unintentional Siri recordings during private or confidential conversations.

An analysis of the Relevant Conditions highlights the limited nature of the compensation awarded to the affected users and, by extension, the low value placed on the data privacy of users and citizens. Even that paltry compensation can be disputed, since whether a given conversation qualifies as “private” or “confidential” is itself open to argument.

However, data privacy should be of paramount importance to any company processing personal data, as provided for under the California Consumer Privacy Act, 2018 (“CCPA”) and the California Privacy Rights Act, 2020 (“CPRA”)[3], which apply to Apple as a company incorporated in California. The CCPA and CPRA (collectively, the “California Privacy Laws”) are akin to the European Union’s General Data Protection Regulation (“GDPR”)[4]. However, unlike the European courts and regulators, which have read the GDPR as requiring stringent, deterrent penalties on any entity that breaches the privacy of an individual in Europe, the American courts have not interpreted the penal provisions of the California Privacy Laws in a similar manner, despite the similarity of those provisions to the GDPR and established precedents for levying exemplary damages. In the instant class action against Apple, the district court approved a settlement that amounts to little more than a slap on the wrist, despite a grave breach of privacy and the unauthorized use of personal data.

Despite the heightened awareness of data privacy in developed countries, citizens’ personal data continues to be exposed to severe breaches, often with inadequate compensation. Thus, it is even more crucial for Indian legislators to deter such actions, given the insufficient awareness of data protection within Indian society. Hence, the onus falls on the Government to safeguard the valuable data of the world’s largest digital population which the DPDPA has been enacted for by the Government of India.

In light of the above, we will analyse the relevant provisions of the DPDPA that companies need to adhere to in order to avoid penalties, and also how Indian legislators can amend the DPDPA to further protect data privacy in our country.

  3. ANALYSIS

Relevant provisions of the DPDPA:

Section 2(i): Definition of Data Fiduciary:

A data fiduciary means any person who, either alone or in conjunction with other persons, determines the purpose and means of processing personal data.

Section 2(j): Definition of Data Principal

A data principal means the individual to whom the personal data relates.

Section 3: Applicability and Scope

The Act applies to the processing of digital personal data within India. It also applies to processing outside India where any entity offers goods or services to individuals in India.

Section 4: Grounds for Processing of Personal Data

Personal data may be processed only in accordance with the Act and for a lawful purpose (any purpose not expressly forbidden by law), and either (a) for a purpose for which the data principal has given consent, or (b) for the “certain legitimate uses” enumerated in Section 7, such as data voluntarily provided by the data principal for a specified purpose, processing by the State for subsidies, benefits or licences, or processing required to respond to a medical emergency.

Section 5: Notice

Every request for consent must be accompanied or preceded by a notice informing the data principal of the personal data to be collected and the purpose for which it will be processed, the manner in which consent may be withdrawn and the data principal’s rights exercised, and the manner in which a complaint may be made to the Data Protection Board. Read with Section 6, the data collected must be limited to what is necessary for the purpose stated in that notice.

Section 6: Consent

Consent for collecting personal data must be free, specific, informed, unconditional, and unambiguous, expressed through a clear affirmative action. It must indicate agreement to process personal data for a specified purpose and be limited to data necessary for that purpose.
Such consent must be easily withdrawable, and upon withdrawal, data processing must cease within a reasonable period.

Section 8: General Obligations of Data Fiduciary

Data fiduciaries must implement reasonable security safeguards to prevent personal data breaches and, in the event of a breach, must notify the Data Protection Board and each affected data principal. They remain responsible for compliance with the DPDPA in respect of any processing undertaken by them or on their behalf by a data processor, irrespective of any agreement to the contrary, and are exposed to penalties under Section 33 if these obligations are breached.

Section 10: Additional Obligations of Significant Data Fiduciaries

The Central Government may notify a data fiduciary as a “Significant Data Fiduciary” based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State and public order.
Once so notified, such fiduciaries are subject to additional obligations, including appointing a Data Protection Officer based in India, appointing an independent data auditor, and conducting periodic Data Protection Impact Assessments and audits as prescribed under the DPDPA.

Section 11: Right to Access Information about Personal Data

Data principals have the right to access their personal data and obtain information regarding how such data is being processed.

Section 12: Right to Correction and Erasure

Data principals may request correction, updating, completion, or erasure of their personal data.

Section 13: Right to Grievance Redressal

Data principals have the right to file complaints with data fiduciaries in case of violation of their rights. The grievance redressal mechanism must be simple and accessible.

Section 18: Data Protection Board

The Data Protection Board is the regulatory authority constituted under the DPDPA to handle complaints, ensure compliance, and impose penalties.

Section 33: Penalties

The DPDPA provides for monetary penalties for breaches of its provisions in accordance with its Schedule. The highest tier, up to INR 250 crore, applies to a data fiduciary’s failure to take reasonable security safeguards to prevent a personal data breach; a failure to notify the Board and affected data principals of a breach attracts up to INR 200 crore. Under Section 34, such penalties are credited to the Consolidated Fund of India.

On a brief analysis of the relevant provisions set out above, it can be seen that the DPDPA has incorporated the basic tenets of the GDPR and the California Privacy Laws, including deterrent penalties for breach and misuse of personal data. It is therefore important for companies that intend to collect data to take comprehensive steps to comply with the DPDPA, including but not limited to the following:

  • Preparing consent notices and privacy policies in line with the provisions of the DPDPA;
  • Implementing technological measures that record the consent given and its scope (the purpose and the specific data items), so that the data actually collected and processed never exceeds that scope and processing ceases once consent is withdrawn; and
  • Understanding the sensitivity of the personal data collected and implementing technological measures to safeguard it, since a breach of that data could attract penalties up to the highest tier under Section 33.
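The second and third steps above describe a control without showing how it is built. What follows is an added example, not code from the article, the DPDPA or any company’s own system: a minimal consent ledger that records, per data principal and purpose, the exact data items consented to, and a gate that refuses any collection request containing a field outside that scope or arriving after consent has been withdrawn, writing every decision to an append-only audit trail. All identifiers, purposes and field names (including the voice recording) are illustrative assumptions.

```python
"""Consent-scope gate: added example, not code from the article or the DPDPA.

Models a consent ledger keyed by (data principal, purpose) that records the
exact fields a principal agreed to, and a gate that refuses collection of any
field outside that scope, or any processing once consent has been withdrawn.
Purpose names, field names and identifiers below are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                  # the specified purpose consent was given for
    fields: FrozenSet[str]        # the data items covered by that consent
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """One record per (principal, purpose). Withdrawal is recorded, never erased,
    so an auditor can reconstruct what was permitted at any point in time."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.audit_log: List[str] = []    # append-only trail of decisions

    def grant(self, principal_id: str, purpose: str,
              fields: Iterable[str]) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, frozenset(fields),
                            datetime.now(timezone.utc))
        self._records[(principal_id, purpose)] = rec
        self.audit_log.append(f"GRANT {principal_id} {purpose} {sorted(rec.fields)}")
        return rec

    def withdraw(self, principal_id: str, purpose: str) -> bool:
        rec = self._records.get((principal_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        self.audit_log.append(f"WITHDRAW {principal_id} {purpose}")
        return True

    def check(self, principal_id: str, purpose: str,
              requested: Iterable[str]) -> Tuple[bool, List[str]]:
        """Return (allowed, reasons). Denies on missing consent, withdrawn
        consent, or any requested field outside the consented set."""
        rec = self._records.get((principal_id, purpose))
        if rec is None:
            return False, [f"no consent on record for purpose '{purpose}'"]
        if rec.withdrawn_at is not None:
            return False, [f"consent for '{purpose}' withdrawn at "
                           f"{rec.withdrawn_at.isoformat()}"]
        excess = sorted(set(requested) - rec.fields)
        if excess:
            return False, [f"field '{f}' outside consented scope" for f in excess]
        return True, []


class ScopeViolation(Exception):
    pass


def collect(ledger: ConsentLedger, principal_id: str, purpose: str,
            payload: Dict[str, object]) -> Dict[str, object]:
    """Gate a collection event. The whole request is refused if any field is
    outside scope, rather than silently keeping the permitted subset, so that
    over-collection is surfaced instead of hidden."""
    allowed, reasons = ledger.check(principal_id, purpose, payload.keys())
    verdict = "ALLOW" if allowed else "DENY"
    ledger.audit_log.append(
        f"{verdict} {principal_id} {purpose} {sorted(payload)} {reasons}")
    if not allowed:
        raise ScopeViolation("; ".join(reasons))
    return dict(payload)


def demo() -> Dict[str, object]:
    """Constructed scenario: consent for order fulfilment covers three fields;
    a later request bundles in a voice recording and is refused; after
    withdrawal even an in-scope request is refused."""
    ledger = ConsentLedger()
    ledger.grant("dp-001", "order_fulfilment", ["name", "address", "phone"])
    in_scope = collect(ledger, "dp-001", "order_fulfilment",
                       {"name": "A. Principal", "address": "12 Example Road"})
    out: Dict[str, object] = {"in_scope": in_scope}
    try:
        collect(ledger, "dp-001", "order_fulfilment",
                {"name": "A. Principal", "voice_recording": b"\x00\x01"})
        out["over_collection_blocked"] = False
    except ScopeViolation as exc:
        out["over_collection_blocked"] = True
        out["reason"] = str(exc)
    ledger.withdraw("dp-001", "order_fulfilment")
    out["after_withdrawal_allowed"] = ledger.check(
        "dp-001", "order_fulfilment", ["name"])[0]
    out["audit_entries"] = len(ledger.audit_log)   # GRANT, ALLOW, DENY, WITHDRAW
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the gate fails closed on the whole request: a payload with one out-of-scope field is rejected outright instead of being trimmed, so over-collection shows up in the audit trail as a DENY rather than disappearing into a partial ALLOW.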

While the above actions can be taken by companies who fall under the definition of data fiduciaries, the Central Government could take further steps towards improving the protection afforded to the citizens of India by amending provisions of DPDPA as outlined in the recommendations below.

  4. RECOMMENDATIONS

Pursuant to the above analysis, the following actions are recommended for the Central Government to further protect the citizens of India:

  • Data collection tax: To ensure companies adhere to a fundamental tenet of the DPDPA—limiting the collection of personal data—it is essential to enforce appropriate consequences. A viable approach is to introduce a data collection tax, wherein data fiduciaries are taxed based on the volume of data they collect. This would incentivize them to restrict data collection strictly to what is necessary for their business purposes.
  • Prescribing relevant technological measures to protect personal data from any breach: While the DPDPA mandates the implementation of technological measures to protect personal data, it lacks quantifiable guidelines for micro, small, and medium-sized enterprises (MSMEs) to understand the necessary measures for compliance. To address this, the Central Government could establish a committee of technological experts to develop clear guidelines, ensuring that all data fiduciaries can effectively adhere to the DPDPA’s provisions.
  • Utilization of the penalties being levied in a transparent manner: Section 34 of the DPDPA mandates that penalties imposed under Section 33 be credited to the Consolidated Fund of India. It is crucial to ensure that these funds are used for the welfare of data principals, including compensation for privacy breaches and their consequences. Therefore, the Government should establish guidelines ensuring transparency in the utilization of these funds, specifically towards enhancing the protection of privacy and personal data.

  5. CONCLUSION

The Apple Siri privacy breach is a stark reminder that even the most privacy-conscious tech companies are not impervious to data vulnerabilities. While regulatory frameworks like the CCPA, CPRA, and GDPR establish strong data protection standards, inconsistent enforcement raises concerns about corporate accountability. India’s Digital Personal Data Protection Act, 2023 marks a significant step toward strengthening data privacy, ensuring that companies are held accountable and user data is safeguarded.

However, for the DPDPA to be truly effective, it must go beyond mere compliance mandates. Stronger enforcement mechanisms, transparent utilization of penalties, and well-defined technological safeguards are essential to prevent data misuse and protect user privacy. As the digital landscape continues to evolve, both regulators and corporations must remain proactive in upholding data protection as a fundamental right, as recognized by the Indian judiciary—because in today’s world, personal data is not just information, it is power.

[1] https://www.forbes.com/sites/moinroberts-islam/2025/01/03/siri-privacy-breach-apple-to-pay-95m-settlement-amid-spying-claims/

[2] Lopez et Al. v. Apple, 19-cv-04577-JSW (N.D. Cal.)

[3] Cal. Civ. Code §§ 1798.100–1798.199.100

[4] Regulation (EU) 2016/679 (General Data Protection Regulation).
