Sec 43A of the IT Act (Amendment) 2008 lays down the liability of the corporate houses, if they fail to secure any personal data which is in their possession, or in which they deal, and says that if such corporates fail to protect the data, they shall be liable to pay damages which would be paid as a compensation to the victim. While doing so, the upper limit of damages, and the consequent compensation has not been defined. Now, as per your query, I must tell you that an undefined upper limit of damages does not mean that the party at fault has an unlimited liability towards the victim.
In such cases where the limits of the compensation or the damages are not defined, the quantum and limit of such compensation depend upon the discretion of the judges, in which they are guided by various practical considerations, particularly the degree of the offence and the legislative intent. If the offence is a very serious one and the legislature framed the laws with the intention of imposing severe sanctions on such offender, the judge would place the damages or fine at a higher amount. But if the offence is not so serious, and the legislative intent is to reform the small offenders, the judge would keep the compensation or fine at a comparatively lower amount. In sum and substance, the threshold of compensation would be subjective and determined as per the situation.
Further, not defining the limits means that the legislation has a futuristic approach in the sense that it would save the legislature the burden of amending the laws to redefine compensation every now and then. The amount that may seem significant today may not be of much value tomorrow. We have ample examples in the IPC where the fine is 100 rupees, 500 rupees, 1000 rupees etc. When such legislations were framed, these amounts had a very high value, but now, they do not mean anything. While it doesn’t always come in the way of giving higher compensation than the prescribed limit, they remain there, defeating the purpose of compensation itself.