This is to understand the applicable law on a certain day in India and specifically about laws that are published by gazette notification but are awaiting a followup rule publication.
Representative Chronology:
Day 1: IT act 2000 is passed and has 43A section for corporate body responsibility for data protection. This has very low penalty defined for violations.
Day 20: A new law DPDP 2023 is approved by the president, but not yet notified since the "rules"/ guidelines under the law are still being discussed with the stakeholders. This law removes section 43A from the 2000 law. This has a very high penalty defined for cybersecurity violations.
Day 30: A data breach happens due to gross negligence by a company and it gets fixed in some days.
Day 40: The aforementioned "rules" are published for DPDP. The enforcement "board" members are also announced so the law is a ground reality now.
So on day 31, can someone sue the company for negligence under 43A section even though the section 43A stands removed?
On day 41, can someone retroactively sue the company for negligence of day 30 under DPDP?
