Picture this: Your bank experiences a data breach and information such as your email address and mobile number have become public. Soon your phone gets flooded with calls from dozens of scammers and spam callers.
While this might be annoying, things can get much worse if more and more of your information keeps getting leaked through subsequent data breaches. A cybercriminal could pool all that information together, build a comprehensive profile of who you are, and potentially steal your identity. The newly released data protection bill attempts to address both of these issues.
How does the bill define a data breach?
The bill says that “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data,” would constitute a data breach. It also specifies that personal data is any data that can reveal the identity of an individual.
What companies must do once a breach occurs:
The bill puts in place a Data Protection Board to conduct inquiries into complaints about data breaches, to direct companies to take urgent remedial and mitigation measures during a data breach, and to impose fines of up to Rs. 250 crores on data collectors that fail to put in place reasonable safeguards. In case of a data breach, data collectors must inform the Data Protection Board and all the people who would be affected by the breach.
The bill says that the “form and manner” in which data collectors have to inform both the Board and the affected individuals can be prescribed later by the government. This provision was present in the 2022 and 2021 versions of the bill as well (the 2021 version said that the notice of a breach must be “in a form as specified by regulations”). Without such a prescription, companies could very well put a message in very fine print on their websites or use other methods to make the notice of a breach as inconspicuous as possible. If a data collector fails to report a data breach, it can be fined an amount of up to Rs. 200 crores.
Previous versions of the data protection bill (2018 and 2019) said that data breaches should be reported when they are “likely to cause harm” to the affected individuals. This was concerning because it let the data collectors decide whether a breach could result in harm, leaving room for ambiguity. Thus, starting from the 2021 version of the bill, data collectors were required to inform the Board of all data breaches. But that version left it up to the Board to decide whether the affected people must be informed. So if your data was breached and the Board didn’t think it would cause you any harm, companies would be under no obligation to inform you, effectively preventing you from taking any action to protect your data.
How should companies prevent data breaches under the data protection bill?
The bill requires data collectors to put in place reasonable security safeguards to protect the personal data in their possession, including the data they are processing and the data being processed on their behalf by data processors.
Worth pointing out here is that the bill does not clearly define what these safeguards are. While the 2018 and 2019 iterations of the bill gave details of the kind of safeguards companies must have in place (such as de-identification and encryption), the current version leaves it up to the companies to decide what kind of safeguards they must employ.
Concerns with how the bill addresses data breaches:
- Overlap of responsibilities: The data protection bill allows the Data Protection Board to issue directions to data collectors on how to remedy a personal data breach. This provision was also present in the 2022 version of the data protection bill. Commenting on the issue posed by this, Internet Freedom Foundation (IFF) pointed out in 2022 that this leads to “an overlap between the role of the [Data Protection] Board and the Computer Emergency Response Team.”
- Absence of reporting timeline: Another concern with the bill is that it doesn’t specify a clear timeline within which data collectors must inform the Board and the affected individuals about a breach. Previously, the 2021 version of the bill had a clear timeline of 72 hours within which data collectors had to report a breach to the Board. But even when there was a window, experts found it insufficient. Speaking about the 2021 version of the bill, Udbhav Tewari, Public Policy Advisor at Mozilla, felt that the time period should be reduced. With no timeline at all, however, data collectors are free to take as much time as they want before reporting an issue, leaving people’s data vulnerable for longer periods of time.
- Proportionate penalties: The bill imposes hefty penalties for failure to put in place reasonable safeguards to prevent data breaches and for failure to report data breaches. But what the bill doesn’t consider is that the same rules cannot apply to both larger and smaller internet companies. These penalties were also present in the 2022 version of the bill. Commenting on them, Neha Chaudhari, from Ikigai Law, had said in 2022 that the penalty amount should be decided after considering the size of the company, the extent of the harm, and similar factors.