A bank shared a customer’s savings account details with his employer, without asking him first. A consumer court just made that mistake cost real money — and a far bigger lesson for every organisation handling personal data in India.
What happened
During a labour dispute pending before the Lucknow Bench of the Allahabad High Court, an employer submitted a counter-affidavit that contained detailed savings account information belonging to one of its former employees, Pankaj Kumar Shukla. The account details had come from the State Bank of India — shared with the employer without Shukla’s knowledge or consent.
Shukla approached SBI for an explanation. Unsatisfied, he took the matter to the District Consumer Disputes Redressal Commission in Lakhimpur Kheri. The Commission’s finding was unambiguous: a bank cannot disclose a customer’s personal banking information to a third party without that customer’s permission. It ordered SBI to pay ₹20,000 in compensation for mental agony and hardship, plus ₹5,000 in litigation costs — roughly ₹25,000 in total, with 6% annual interest running from the date the complaint was filed.
On paper, it’s a single consumer dispute. In substance, it’s a preview of what non-compliance looks like under India’s evolving data protection regime.
Why this matters under the DPDPA
The Digital Personal Data Protection Act, 2023 exists precisely to close the gap this case exposes. Its core obligations read like a checklist against what went wrong here:
- Consent is not optional. A Data Fiduciary must have a lawful basis, ordinarily explicit consent, before processing or disclosing an individual’s personal data for any purpose beyond what it was collected for.
- Purpose limitation applies even to routine internal processes. Financial data collected to service a bank account cannot be repurposed for an unrelated legal proceeding involving a third party, however administratively convenient that might be.
- Data Fiduciaries carry the liability, not just reputational risk. Under the DPDPA, the penalties for such lapses go well beyond a consumer court’s compensation order — the Data Protection Board can impose financial penalties running into crores of rupees for significant, systemic failures to protect personal data.
- Grievance redressal has teeth. Shukla didn’t need a data protection regulator to get relief here; existing consumer law already recognised unauthorised disclosure as a deficiency in service. The DPDPA adds a dedicated enforcement layer on top of that.
For institutions that sit on large volumes of sensitive personal and financial data — banks, NBFCs, insurers, HR and payroll systems, healthcare providers, e-commerce platforms — this case is a reminder that the exposure isn’t hypothetical. It isn’t just about breaches by outside attackers. Some of the highest-risk moments happen through ordinary business processes: responding to a legal notice, verifying employment, sharing records between departments, or complying with a request from another organisation, all without pausing to ask whether consent or a lawful basis actually exists.
The compliance gap this reveals
Most organisations already have security controls against external breaches. Far fewer have built the internal discipline the DPDPA actually demands:
- Consent architecture — a documented, auditable basis for every category of data disclosure, not just at onboarding but at the point each new disclosure is contemplated.
- Purpose mapping — a clear record of what personal data was collected for, and a control that flags when a request falls outside that purpose.
- Third-party disclosure protocols — a defined process (including legal review) before personal data ever leaves the organisation in response to litigation, employer requests, or partner queries.
- Grievance and correction mechanisms — the DPDPA gives individuals the right to correct and erase their data; Shukla’s case shows what happens when that right is treated as an afterthought.
None of this requires exotic technology. It requires a compliance framework that is actually built into day-to-day operations, not filed away as a policy document.
The takeaway
₹25,000 sounds small next to the maximum penalties the DPDPA authorises. That’s exactly the point. This case shows how easily an unauthorised disclosure happens — not through malice, but through a routine process that skipped one question: do we have consent to share this? Under the DPDPA, that question needs an answer, every time, before the data moves.
At HedgeMount, we work with organisations across BFSI & Fintech, Healthcare & Pharma, IT & ITES, E-Commerce & Retail, Education & EdTech, and Manufacturing & Logistics to build exactly this kind of operational readiness — consent frameworks, purpose mapping, disclosure protocols, and grievance handling that hold up under scrutiny.
Fortify. Comply. Elevate.
Want to know where your organisation’s DPDPA readiness stands? Get in touch with HedgeMount.


