25 February, 2020
Data, Bills, Breaches and Beyond… in India
Article: data protection and security
Despite the Data Protection Bill, a number of companies in India have fallen prey to information mishandling leading to chaos with hardly any of the organizations admitting their internal data fiasco.
Information, of the confidential kind, is not safe anymore.
And that's common knowledge.
The largest of companies to the smallest, in the corporate hierarchy, no one is has been able escape it so far.
The names of a cross section of companies whose informational infrastructure has been compromised in India include Google, Yahoo, Uber, Whatsapp, Microsoft, and Equifax.
The range of data catastrophe varies from passwords, credit card information to personal chats.
The magnitude of data misappropriation notwithstanding, many or most of these companies have not come out in public disclosing details of the breach. Hence most of the infamous data breaches in India have remained unannounced officially despite the presence of the Data Protection Bill, which requires a statutory disclosure of data breaches to a proposed Data Protection Authority.
The reason behind this is a plethora of troublesome aftermath of letting the world knows about information leakage like damage of reputation besides the threat of lawsuits by customers, investors, and regulators.
The commonest excuse of keeping quite being no direct impact on customers or third parties due to the infrastructural intrusion of information internally.
The PDP Bill
The PDP Bill on Data Breach Notifications called The Personal Data Protection Bill, 2019, which is currently under examination by the Joint Parliamentary Committee, has a provision requiring all data fiduciaries (the legal entities storing and processing data) to disclose data breaches to a proposed Data Protection Authority. Clause 25 of the bill requires every data fiduciary to inform the DPA of the type of the compromised personal data, the number of consumers ill affected by it, the probable results of the data breach and the action taken by the data fiduciary to solve the breach.
However, as per the data protection laws in India, there is no time frame that is specified to report about the data breach.Instead, it is to be specified in the regulations framed by the DPA. As per Clause 25, it will be the responsibility of the DPA to decide whether the data fiduciary is required to report the data breach to its consumers after taking into consideration the seriousness of the breach and the ill effects that it may have upon the consumers. A failure to report such a breach as per the law can attract, as per Clause 57, a penalty of up to Rs 5 crore or 2 percent of its total worldwide turnover, whichever is higher.
A prominent directive included inClause 25 is that a data fiduciary has to inform the DPA of a breach of personal data processed by it only when such a breach is likely to be harmful to any data principal.
However fearing many untoward consequences of reporting data breach to DPA is it's only expected of the companies to be ignorant of taking the matter to law.
Hence once it becomes mandatory for companies to take legal action against data fraud irrespective of its seriousness, corporate will invest in better data protection and security in order to avoid the repercussions of public exposure. The number of hacking cases will reduce automatically which will nominalize the vulnerability of the information system in India on the internet.
Another self contradictory aspect of Clause 25 is that it does not make it mandatory for data fiduciaries to directly inform their consumers of any data breach. That part opposes the base of India's new data protection law which propagates a sound data fiduciary framework.
In the eyes of the law, a 'fiduciary' relationship is that in which a party managing the interests of another party is expected to always act in the best interests of the latter.
With this concept of fiduciary relationship all data fiduciaries are expected to expeditiously inform the consumers in case of a data breach.
So if the government wants to continue with Clause 25 as it is, it should do away data fiduciary framework as the basis of it all.
The Justice BN Srikrishna Committee had at first recommended data fiduciaries directly inform all the consumers of a data breach.
However in its final report, the same Committee favoured the present form of Clause 25, where the DPA takes the decision of informing relieving the data fiduciaries of the obligation.
The problem with delegating such powers to the DPA, is that most regulators in India tend to be captured by the very industry they are supposed to regulate.
If the Parliament was to set critical issues such as timelines in stone in the text of the parent statute, the private industry would be denied any chance to lobby weak regulators for changes in the law. Hopefully, the Joint Parliamentary Committee scrutinizing the draft data protection law will recommend amendments to Clause 25 to ensure greater protection for citizens in data breach cases in India.
ISOEH has been the pioneer institute of data protection and ethical hacking in India.
Check out for yourself the ideal academic course to ensuring sacrosanct data protection and privacy.
Read on for more information on the Data Protection Bill.
