How does India’s Digital Personal Data Protection Bill address Data Breaches?

The data protection bill aims to prevent breaches by requiring data collectors to put in place “reasonable security safeguards” for the personal data already in their possession, and to notify both the regulator and affected individuals when a breach does occur.


Picture this: your bank experiences a data breach and information such as your email address and mobile number has become public. Soon your phone is flooded with calls from dozens of scammers and spam callers.

While this might be annoying, things can get much worse if more of your information keeps getting leaked through subsequent data breaches. A cybercriminal could pool all that information together, build a comprehensive profile of who you are, and potentially steal your identity. The newly released data protection bill attempts to address both of these issues: the breach itself, and what happens to you after it.


How does the bill define a data breach?

The bill says that “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data” would constitute a data breach. Note that this covers all three of confidentiality, integrity and availability: a ransomware attack that only encrypts records, or an outage that only destroys them, counts as a breach even if nothing is leaked. The bill defines personal data as any data about an individual who is identifiable by or in relation to that data.

What companies must do once a breach occurs: 

The bill puts in place a Data Protection Board to conduct inquiries into complaints about data breaches, to direct companies to take urgent remedial and mitigation measures during a data breach, and to impose fines of up to Rs. 250 crore on data collectors that fail to put in place reasonable safeguards. In the event of a data breach, data collectors must inform both the Data Protection Board and each individual affected by the breach.

The bill says that the “form and manner” in which data collectors must inform both the Board and the affected individuals will be prescribed later by the government. This provision was present in the 2022 and 2021 versions of the bill as well (the 2021 version said that the notice of a breach must be “in a form as specified by regulations”). Without a prescribed form and manner, companies could very well put a message in very fine print on their websites, or use other methods to make the notice of a breach as inconspicuous as possible. If a data collector fails to report a data breach, it can be fined up to Rs. 200 crore.

Previous versions of the data protection bill (2018 and 2019) said that data breaches should be reported only when they were “likely to cause harm” to the affected individuals. This was concerning because it let the data collectors themselves decide whether a breach could result in harm, leaving room for ambiguity. So, starting from the 2021 version of the bill, data collectors were required to inform the Board of all data breaches. But that version left it up to the Board to decide whether the affected people must be informed. If your data was breached and the Board did not think it would cause you any harm, companies were under no obligation to inform you, effectively preventing you from taking any action (changing passwords, watching for fraud) to protect yourself.


How should companies prevent data breaches under the data protection bill?

The bill requires data collectors to put in place reasonable security safeguards to protect the personal data in their possession, including both the data they process themselves and the data processed on their behalf by data processors. In other words, outsourcing the processing does not outsource the responsibility.

What is worth pointing out here is that the bill does not define what these safeguards are. While the 2018 and 2019 iterations of the bill described the kind of safeguards companies must have in place (such as de-identification and encryption), the current version leaves it up to each company to decide what safeguards to employ. For a company, that means the question “was this safeguard reasonable?” will be answered by the Board after a breach, so documenting why a given control was chosen matters as much as the control itself.

Concerns with how the bill addresses data breaches: 

  1. Overlap of responsibilities: The data protection bill allows the Data Protection Board to issue directions to data collectors on how to remedy a personal data breach. This provision was also present in the 2022 version of the bill. Commenting on the issue this poses, the Internet Freedom Foundation (IFF) pointed out in 2022 that it leads to “an overlap between the role of the [Data Protection] Board and the Computer Emergency Response Team,” the agency that already receives mandatory cyber-incident reports. A company handling a breach could thus receive remediation directions from two separate bodies.
  2. Absence of a reporting timeline: Another concern with the bill is that it does not specify a timeline within which data collectors must inform the Board and the affected individuals about a breach. The 2021 version of the bill had a clear timeline of 72 hours within which data collectors had to report a breach to the Board. Even that window was considered insufficient by some experts: speaking about the 2021 version of the bill, Udbhav Tiwari, Public Policy Advisor at Mozilla, felt that the time period should be reduced. With no timeline at all, data collectors are free to take as much time as they want before reporting, leaving people’s data exposed for longer while they remain unaware.
  3. Proportionate penalties: The bill imposes hefty maximum penalties for failure to put in place reasonable safeguards to prevent data breaches and for failure to report them. But the bill does not expressly provide that the same amounts cannot apply to both large and small internet companies. These penalties were also present in the 2022 version of the bill; commenting on them, Neha Chaudhari of Ikigai Law said in 2022 that the penalty amount should be decided after considering the size of the company, the extent of the harm, and similar factors.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ