- The time frame for a data fiduciary to report a data breach to a Data Protection Authority needs to be shortened
- Compensation due to harm categorised as psychological manipulation will be hard to ascertain
- The burden is on data principal to establish harm
These were some of the key points raised at MediaNama’s ‘Decoding India’s Data Protection Bill’ event held on January 19 and 20, 2022, wherein Supreme Court advocate Vrinda Bhandari, Executive Director for Center for Internet and Society Amber Sinha, Senior Resident Fellow at Vidhi Center for Legal Policy Lalit Panda, and lawyer Prasanna S, shared their thoughts on the Data Protection Bill 2021 and the Joint Parliamentary Committee (JPC) report on the Bill, both of which were tabled in Parliament in December 2021.
This discussion was organised with support from Google, Flipkart, Meta, and Star India, and in partnership with ADIF. To support future MediaNama discussions, please let us know here.
Why should the burden be on users to establish harm?
Prasanna said that under Section 64 or 65 of the bill, the burden is on the data subject to establish harm, loss, or damages. While Section 64 of the bill lays down the procedure for adjudication, which includes imposing penalties by an Adjudicating Officer, Section 65 is about the circumstances under which a data principal may be eligible for compensation.
- Rights will have to be litigated as one: “This placing of burden, in effect, means that all of the rights here – almost all of the rights will have to be litigated,” he said. He reasoned that these rights have not been granted under the statute, and “it needs to be effectuated only through litigation”.
Recommendation: Prasanna recommended that this provision be done away with and instead proposed an incentive for people to file such complaints, as many of these harms are not foreseeable. “In fact, Puttaswamy clearly says one of the reasons why privacy needs to be protected as a fundamental right, is because not all harms are foreseeable, forget about being able to establish that the harms have occurred,” he added.
Why does the time frame for reporting data breaches need to be reduced?
“I do think very intuitively, that 72 hours seems like a lot. If you know that a breach happened. And you’re pretty sure that you know, data of certain nature, it could be very sensitive data also has been breached… it could be you know, at large, could be in the dark web, something could be going on with it. Why 72 hours is a question.” —Lalit Panda.
Too many unanswered questions: Panda questioned whether a company needs that amount of time to report a data breach. He wondered why a company that has faced a breach could not email a DPA immediately. “Will everybody be busy trying to handle the breach? So you can’t even bother sending an email to the Data Protection Authority? Do you? Are you trying to figure out, you know, what is going on, which kind of data got breached, you’re still trying to get confirmation?” he added.
Recommendation: Although Panda did not specifically recommend anything, it is safe to assume that he wants the reporting time to be lowered.
What can you do when DPA does not allow a breach to be known?
The panelists were asked what a user can do in case the Data Protection Authority rules that a breach reported by a data fiduciary does not need to be publicised, or does not need to be intimated to victims of the breach. Section 25 of the Bill lays down the procedure for a data fiduciary to report a breach and the powers of the Data Protection Authority with regard to how to deal with it.
Recommendation: Supreme Court advocate Vrinda Bhandari said that one can approach the High Court with a writ petition. “You could potentially direct the DPA to direct the data fiduciary to take action if you believe that that has been inadequate. You could also seek compensation,” she said.
Laws have to be brought in to make policies compatible with the bill
In response to a question on policies under the National Digital Health Mission and how it would comply with the data protection bill once it becomes a law, Lalit Panda pointed out that Section 12 of the bill said that if one wants to use a function of a state, then it has to be authorised by law.
Recommendation: “So, as soon as this law comes in NDHM will have to have a law put in place, suggesting that this kind of processing is now authorised,” Panda said.
How to ascertain compensation amount for harms?
Panda said that when it comes to compensation, it would be hard to evaluate how to calculate the amount based on the harm. “What is the harm of a bigger magnitude? What is the harm for smaller magnitude, and I see a lot of issues with that but it makes sense that some nature of harm has to have been shown, because it’s not possible to compute any kind of compensation just because of violation of law,” he said.
Recommendation: Prasanna recommended the creation of a separate compensation measurement mechanism where these harms are not foreseeable. “…much like how we have penalty computation mechanisms, right, we will need compensation mechanisms, which will then incentivize users to actually litigate for privacy,” he said.
What changes do you want in the Data Protection Bill from a company’s perspective? Do leave a comment.