Key takeaways on data breaches from the 2022 Bill:
- The Bill requires companies to adopt reasonable safeguards to prevent personal data breaches. Non-personal data breaches are no longer covered.
- In case of a personal data breach, companies must report it to the Data Protection Board of India and to all affected users.
- Failure to comply with the data breach-related requirements can attract a fine of up to ₹250 crores, the highest band of penalty under the Bill.
The Indian government on November 18 released the Digital Personal Data Protection Bill, 2022, which proposes hefty penalties for companies that fail to safeguard the personal data of users. The IT Ministry has invited feedback from the public on the draft Bill by December 17, 2022. The feedback may be submitted on the MyGov website.
What does the 2022 Bill require from Data Fiduciaries?
The Bill requires:
- Reasonable security safeguards: Every Data Fiduciary and Data Processor must “protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.” Earlier versions of the Bill (covered below) prescribed more exact measures that must be implemented by Fiduciaries, along with requiring them to review measures periodically.
- Reporting breaches to the Board and affected individuals: In case of a personal data breach, the Data Fiduciary or Data Processor must notify the Data Protection Board of India and each affected Data Principal, “in such form and manner as may be prescribed” later by the Board or the government. An affected Data Principal includes “any Data Principal to whom any personal data affected by a personal data breach relates.” The 2022 Bill does away with the 72-hour reporting timeline that was in the 2021 Bill.
- Adopting measures directed by the Board: In the event of a data breach, the Data Protection Board may “direct the Data Fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals.” This is similar to the 2021 Bill.
A personal data breach is defined by the Bill as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
Notably, the Bill does not cover non-personal data breaches as non-personal data has been left out of the ambit of this Bill.
Penalties for violations
The 2022 Bill prescribes the highest quantum of penalties for data breach-related offences:
- Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach: Penalty up to ₹250 crores
- Failure to notify the Board and affected Data Principals in the event of a personal data breach: Penalty up to ₹200 crores
For comparison, most other offences attract a maximum fine of between ₹50 crore and ₹150 crore.
IFF comments on data breach provisions in DPDP Bill 2022
In its comments and recommendations on the bill, which it otherwise described as “bereft of first principles at several places,” the Internet Freedom Foundation noted some positives too, among which are changes in the reporting procedure for data breaches:
“A significant issue with previous iterations of the bill was that they did not require data fiduciaries to notify data principals in the event of a breach. Thus, users whose data has been breached would not have even known that their data has been compromised. Clause 9(3) of DPDPB, 2022 addresses this concern by mandating fiduciaries to notify the Board and Data Principals whenever there is a breach, irrespective of its nature. Clause 20(3) then empowers the Board to issue directions to Data Fiduciary to adopt urgent measures to remedy personal data breach or mitigate any harm caused to Data Principals,” it said, adding: “While this is welcome, there would be an overlap between the role of the Board and the Computer Emergency Response Team, which is supposed to respond to data breaches currently.”
How have the provisions on data breaches changed over the years?
What the 2018, 2019, and 2021 Bills said: All three versions of the bill have the same provisions regarding security measures that data fiduciaries must implement while processing personal data. These measures must include:
“(a) use of methods such as de-identification and encryption;
(b) steps necessary to protect the integrity of personal data; and
(c) steps necessary to prevent misuse,”
- The DPA was empowered in the 2019 and 2021 versions of the draft to set “standards for security safeguards to be maintained by data fiduciaries and data processors under section 24”
- In addition, data fiduciaries and processors must periodically review their security procedures in a manner specified by regulations.
Reporting breaches to the Authority
What the 2018 and 2019 Bills said: The 2018 and 2019 versions said that data breaches should be reported when they were “likely to cause harm to any data principal.”
What the 2021 Bill said: The 2021 draft required all data breaches to be reported to the Data Protection Authority (DPA), along with a report on the remedial measures being taken. It also said that such a notice of a breach “shall be in a form as specified by regulations.”
- The “likely to cause harm” phrase was removed in the 2021 version since the Committee held that the carve-out allows room for too much ambiguity.
- Unlike the 2021 version, the 2018 and 2019 iterations did not make the format of the data breach notice subject to regulations.
What the 2018 Bill said: It said that data breaches should be reported to the DPA “as soon as possible and within such period as may be specified by regulations”, and after accounting for the time taken to enact immediate and urgent measures to remedy or mitigate the effects of the breach.
What the 2019 Bill said: The 2019 Bill retained the provisions of the 2018 version on reporting timelines.
What the 2021 Bill said: The 2021 draft fixed the reporting timeline of any data breach to 72 hours. The Committee felt that the reporting window should be realistic and finite.
Informing data principals and direction on mitigating harm
What the 2018 and 2019 Bills said: In the earlier drafts of the Bill, it was up to the Data Protection Authority to decide whether a fiduciary should report a data breach to a principal or not.
What the 2021 Bill said: In case of a breach of personal data, the Bill said that the DPA shall “direct the data fiduciary to report such breach to the data principal” after it has accounted for the severity of the breach and the harms caused by it. It also clearly states that the DPA may direct the specific measures that a data fiduciary must take to mitigate the harm caused to the data principal.
- The 2021 bill gives the DPA the power to direct data fiduciaries to enact specific measures to mitigate harm.
- All three versions of the bill required the data fiduciary to notify the data breach “conspicuously” on its website.
Non-personal data breaches
What the 2018 and 2019 Bills said: Neither of the earlier versions of the draft, released in 2018 and 2019, had provisions for non-personal data, including in cases of breaches.
What the 2021 Bill said: “‘Data breach’ includes personal data breach and non-personal data breach” said the 2021 draft, widening the ambit of the types of data protected by the law. The 2021 bill says: “The Authority shall, in case of breach of non-personal data, take such necessary steps as may be prescribed”.
Penalties for contravention of provisions
What the 2018 Bill said: In the 2018 Bill, the penalty amount “may extend to” five crore rupees or two per cent of the worldwide turnover of the preceding financial year for violations including a lack of action on data breaches.
What the 2019 Bill said: The 2019 bill retained the provisions of its previous iteration with regard to penalties.
What the 2021 Bill said: The 2021 version of the bill penalised various contraventions of its provisions by data fiduciaries, which included an “obligation to take prompt and appropriate action in response to a data breach under section 25”, changing the term “data security breach” from the 2019 version. It capped the maximum penalty applicable for violations to five crore rupees or two per cent of its worldwide turnover of the preceding financial year, whichever is higher.
Stakeholders’ views on data breaches
- Bring provisions in line with international standards: Udbhav Tewari, Public Policy Advisor at Mozilla, had said at MediaNama’s event that the provisions on data breaches need to live up to international standards, despite being an improvement over the existing framework in India. He recommended that the reporting window be shortened, and that the DPA should not be involved unless there is a compelling reason.
- Enforcement outcomes: Tewari flagged lax enforcement, saying that despite RBI and CERT-In inquiries, “there still hasn’t been a time where a data breach has been properly fined.”
- Proportionate penalties: Neha Chaudhari from Ikigai Law said that the penalty amount should be decided after considering the size of the company, the extent of the harm, etc.
- Privacy officer’s perspective: Ali Khan, head of Governance, Risk, Compliance & Audit at ZS Associates Inc., said during a panel discussion by global privacy officers that dealing with data breaches is not just about reporting them to authorities but about being able to understand their reasons and impact. He also stressed the need for an enabling environment in which regulators cooperate with and facilitate affected companies to deal with data breaches.
Guiding principles for regulations around data breaches
The 2021 JPC report recommended the following principles to guide the DPA as it frames regulations on data breaches. These were:
- Privacy: Privacy of data principals must be ensured when the DPA posts details of the data breach.
- Reporting delays: The data fiduciary is responsible for explaining any delay in reporting, and is liable for harm caused to the principal due to it.
- Maintaining records: The DPA was asked to log all data breaches irrespective of harm to the data principal.
- Conditional non-disclosure: The DPA can exempt data fiduciaries from disclosing certain data breaches that occur “in spite of precautions as an act of business rivalry or espionage to harm the interest of data fiduciary”, and provided the interests of the data principal are not harmed.
Updated: The IFF’s comments on data breach provisions were added on November 23, 2022 at 11:45 AM
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.