When the Digital Personal Data Protection Act, 2023 (“DPDP Act”) came into existence, it was speculated that the Act would erect a shield around personal data, one which could be misused by fraudulent actors to hide their unlawful conduct behind the veil of privacy. Many raised concerns that the enforcement actions would become complex and less effective.

The Delhi High Court’s decision in Dabur India Ltd. v. Ashok Kumar & Ors. (2025), decisively dispelled this apprehension. The judgment emphasised that the DPDP Act was never intended to protect unlawful and fraudulent conduct. On the contrary, court considered it as an enabling framework. DPDP Act is a framework which preserves privacy while ensuring that accountability is not undermined by privacy in the digital ecosystem.

BACKGROUND OF THE CASE:

The present suit under Section 20 of the Code of Civil Procedure, read with Section 27 of the Trademarks Act, 1999, has been filed by the Plaintiff, Dabur India Limited, seeking, inter alia, permanent injunction and damages in respect of infringement of its various intellectual properties, including the trademark “DABUR”, copyright in the labels and packaging of its various products, passing off and unfair competition. The present suit is part of a batch of matters relating to domain names being registered by unknown third parties infringing trademark rights of various brand owners and implementation of Court orders by different concerned entities including the Domain Name Registrars.

The grievance in the present matter is that there are various domain names and websites, registered/hosted by unknown individuals who started using the mark “DABUR” and depicting various products of “DABUR”.  It was found that there are 7 infringing domain names which hosted fake websites impersonating Dabur, offering distributorships, franchises, and employment, and collecting money from unsuspecting consumers through fraudulent bank accounts. The registrants of the impugned domain names concealed their identities by using “privacy protect” services offered by Domain Name Registrars (DNRs). WHOIS information was either masked, incomplete, or outright fictitious. The email addresses, phone numbers, PAN/Aadhaar details, and bank account information used by the fraudsters were fake or untraceable.

Once injunctions were issued and domains were blocked, the perpetrators abandoned those domains and reappeared using newly registered ones, repeating the same fraudulent scheme. The Plaintiff has also preferred an application under Order XXXIX Rule 1 & 2 read with Section 151 of the Code seeking, inter alia, ad-interim ex-parte injunction restraining various websites/entities engaged in infringement of Plaintiff’s copyright, trademarks etc. This Court vide order dated 3rd March, 2022, had passed an order of interim injunction restraining the concerned Defendants, who are Registrants of the infringing domain names, from infringing the Plaintiff’s marks. Given the similarity of the issues involved, the Court eventually conducted a consolidated hearing of the batch matters. Simultaneously, the Cyber Crime Unit (IFSO) of the Delhi Police commenced coordinated investigations, FIRs were registered, arrests were made, and charge-sheets were filed in several connected cases.

ISSUES:

1. What are the obligations and liabilities of a DNR in respect of an alleged infringing domain name registered with the said DNR? And whether the same are sufficient for protecting the intellectual property rights of third parties?

2. What measures may be directed by the Court to be implemented by the DNRS and Registry Operators to safeguard the Trademark Rights of the Plaintiffs?

3. What measures may be directed by the Court against DNRs who refuse to comply with the Court Orders?

COURT’S OBSERVATION AND FINDINGS

The consolidated matters raised several common issues, including the investigation of financial frauds and the role played by banks, discrepancies in payment details such as beneficiary account mismatches and functioning of name look-up facilities, mechanisms for enforcement of court orders including the appointment of grievance officers by Domain Name Registrars (DNRs), and the operation of privacy-protection features. It was held by the Court “Moreover, the failure of DNRs to comply with Court orders would necessitate stringent measures to be taken, including blocking of their services in India that may be ordered by Courts, as where there is consistent violation of IP rights along with attempts to defraud innocent public of their hard earned monies and also assist in commission of offences, the same would have a significant impact upon the society at large, leading to disrupting the public order…Offering of privacy by default to registrants is one of the reasons for proliferation of illegal domain names. Thus, unless and until a registrant requests for privacy protect, the same should not be offered as a default mechanism…The Government and various institutions including Central Government, State Governments, Autonomous Institutions, Judicial Bodies, Tribunals, Income Tax Department, GST Department and Critical Bodies such as Army, Navy, Airforce, ISRO, Atomic Research Bodies, etc. ought to create their own list of names that can be misused so that such domain names can be placed in the reserved list.”

INTERMEDIARY SAFE HARBOUR AS A CONDITIONAL PROTECTION:

A key aspect of court’s reasoning concerns the responsibilities of Domain Name Registrars and other intermediaries once infringement and fraud came into picture. The Court discussed the Information Technology Act, 2000, especially Section 69 and 79, read with Rule 3 of the Intermediary Guidelines, 2021 in this respect. Section 69 empowers the Central Government to direct intermediary to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource. Section 79 provides safe harbour to intermediaries if they perform due diligence, provided that if there is an absence of actual knowledge or notice of unlawful activity. Rule 3 of the Intermediary Guidelines imposes obligation of performing due diligence obligations on the intermediaries, including the duty to prevent intellectual property infringement and to provide information under the intermediary’s control to the government or Law Enforcement Agencies (LEA) within 72 hours.

The Court relied on various landmark cases to clarify that right to privacy is not absolute and is not above accountability of the intermediaries. In Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), the Supreme Court held that the right to privacy is not absolute and can be encroached in circumstances where there is a valid law, a legitimate state aim, and proportionality in the restriction. Similarly, in Neetu Singh v. Telegram FZ LLC (2022), the Delhi High Court held that the Intermediary Guidelines, 2021 do not obviate the duty of Telegram as a platform to take all effective steps required to protect intellectual property rights.

The court clarified that once a registrar acquires actual knowledge, whether through a judicial order or credible notice, any continued facilitation of infringing domain names, refusal to disclose registrant information, or delay in compliance cannot be justified. In such situations, the protection given to intermediaries ceases to operate as immunity cannot extend to conduct that knowingly enables unlawful act. The ruling thus affirms that safe harbour is contingent and is forfeited when intermediaries persist in enabling infringement after notice.

DPDP IS AN ALLY NOT A HURDLE:

DPDP Act was portrayed as a hurdle to investigation and enforcement, relying on Sections 4 and 6 to argue that personal data is protected from unauthorised processing. The Court observed that Section 4 itself permits processing either with consent or for legitimate purposes, and Section 7 expressly lists such legitimate uses, especially, Section 7(e) recognises compliance with court orders as a legitimate purpose for processing data.

Moreover, Section 17 provides certain exemptions permitting processing of data without consent of Data Principal. Section 17(a) exempts right to privacy and allows processing if it is necessary to enforce legal right of another person, Section 17(b) exempts right and allows processing of data on judgment or order of court or tribunals respectively, Section 17(c) exempts the right and allows processing of data if it is in the interest of the prevention, detection, investigation or prosecution of any offence. This section demonstrates that the Act never intended to obstruct investigations instead it enables the court and LEAs in investigating the offence.

In line with Puttaswamy and Telegram case, the Court reaffirmed that privacy is not an absolute right and is subject to reasonable restrictions. Right to privacy cannot be weaponised to shield illegality. The DPDP Act, therefore, does not weaken enforcement; it provides a mechanism within which privacy and accountability coexist.

DYNAMIC INJUNCTIONS AND BANKING MECHANISMS:

Lastly, the court emphasised that judicial remedies must evolve to address the speed and adaptability of digital fraud, acknowledging that infringers frequently migrate to new domain names once existing ones are blocked, the court endorses the use of dynamic and dynamic+ injunctions to prevent remedies from becoming redundant. Importantly, it extends the enforcement framework to include financial institutions, recognising that digital fraud is ultimately executed through banking mechanisms.

TRADEMARK INFRINGEMENT THROUGH DOMAIN NAMES AS PUBLIC WRONG:

The court rejected the traditional understanding of trademark infringement as a civil dispute confined to private rights between a proprietor and an infringer. Taking into consideration the realities of the digital ecosystem, it recognised that the misuse of well-known trademarks through deceptive domain names, particularly for impersonation and financial exploitation, produces consequences that extend well beyond the trademark owner. The Court observed that “any misuse of the same by registration of fraudulent domain names and creation of fake websites results in erosion of the integrity and goodwill of the business house and name, as also leads to consumer deception”. On this basis, the court conceptualises such disputes as occupying a hybrid legal space, concerning not only trademark law but consumer protection, cybercrime and financial fraud.

WAY FORWARD:

The Dabur judgment is a significant case in India’s evolving digital jurisprudence. It makes clear that data protection and privacy laws are not designed to protect the wrongdoers, but to protect legitimate interests of people while enabling effective legal enforcement. As the cases of online fraud and digital offences increase in future, the courts would also adopt dynamic remedies that would address both present and future harm.

Going forward, the DPDP Act will continue to function as an enabling statute, one that safeguards individual rights without limiting the power of the state or the judiciary in the performing their functions. The Dabur judgment reaffirms a fundamental principle of law, “law is meant to prevent mischief, not to protect it”. In this balance between privacy and accountability, the DPDP Act emerges not as a hurdle, but as a powerful ally in preserving trust, legality and order in the digital space.