Notification of Data Breach under the Data Protection Bill, 2019

In this digitized world, data has become the most valuable asset for any business that wishes to gain a competitive advantage in any market. According to a survey from Deloitte, 49% of respondents say that analysis of the data collected helps them make better decisions, 16% say that it better enables key strategic initiatives, and 10% say it helps them improve relationships with both customers and business partners. (1) While data proves to be an indispensable asset for any business, such businesses should also assume strict responsibility for the protection of that data, especially when it concerns the personal information of the masses.

In May 2019, the data of approximately 300 million Indian users of the Swedish mobile app Truecaller was leaked and sold for 1.5 lakhs on the dark web (4). In October 2019, Group IB, a Singapore-based cyber security company, found that more than 1.3 million credit card and debit card details from Indian banks were being sold for $100 apiece (3). Later the same year, an unprotected server at the State Bank of India (SBI) exposed the data of its 422 million customers; the server contained partial bank account details, bank balances and phone numbers (4).

These are a few of the many data breach cases that led to the formalization of the Data Protection Bill in 2019, which is currently being examined by the Joint Parliamentary Committee. Clause 25 of the Bill provides that a data fiduciary (a legal entity storing and processing data) must notify the Data Protection Authority (DPA) of any breach that is likely to cause harm to a data principal. The notice shall state the nature of the breach, the number of people affected, the consequences of the breach and the steps taken to remedy it. Under Clause 57, failure to report such a breach as required by the law can attract a penalty of up to Rs 5 crore or 2 percent of the fiduciary's total worldwide turnover, whichever is higher (5).

The flaw in this clause is that it leaves it to the data fiduciary to decide whether a breach is ‘likely to cause any harm’ and, consequently, whether to notify it at all. This language allows fiduciaries to circumvent their obligation to notify the DPA of any breach whatsoever. The Bill should contain stricter provisions, requiring the reporting of any and all breaches whether or not the data fiduciary anticipates harm.

Another important omission is that the Bill does not prescribe any time frame within which a data fiduciary is required to notify the DPA of a breach. Other laws, such as the European Union’s General Data Protection Regulation, impose a 72-hour deadline on all data processors to inform the regulator (6), and there is no reason such a time frame cannot be provided for under the Act, especially given the enormity of the harm, illustrated by the cases above, that a breach can cause.

The Bill defines the legal entities that process and store data as ‘data fiduciaries’ to emphasize the fiduciary relationship these entities hold with their consumers. However, the Bill gives the DPA the authority to determine whether the data principal, the person whose data has been breached, should be informed of it or not. Given the record of bribery cases within administrative agencies, the regulators supposed to be regulating a particular industry might be bought by that very industry (7). It is therefore important to establish a provision requiring that consumers be informed of any breach notified to the DPA, to ensure transparency in its workings.

Since the Bill has yet to be enacted as a full working law, it is hoped that the parliamentary committee examines the above loopholes and prepares an Act that ensures greater protection for Indian citizens in the event of a data breach.