Notification of Data Breach under the Data Protection Bill, 2019

In this digitized world, data has become the most valuable asset for any business that wishes to gain a competitive advantage in any market. According to a survey from Deloitte, 49% of respondents say that analysis of data collected helps them make better decisions, 16% say that it better enables key strategic initiatives, and 10% say it helps them improve relationships with both customers and business partners (1). While data is an indispensable asset for any business, such businesses should also assume strict responsibility for protecting it, especially when the data concerns the personal information of the masses.

In May 2019, the data of approximately 300 million Indian users of the Swedish mobile app Truecaller was leaked and sold for 1.5 lakhs on the dark web (4). In October 2019, Group IB, a Singapore-based cyber security company, found that more than 1.3 million credit card and debit card details from Indian banks were being sold for $100 apiece (3). Later the same year, one of the State Bank of India's (SBI) servers was left unprotected, exposing the data of its 422 million customers. The server contained their partial bank account details, bank balances and phone numbers (4).

The above are a few of the many data breach cases that led to the formalization of the Data Protection Bill in 2019, which is currently being examined by the joint parliamentary committee. Under this Bill, Clause 25 provides that the data fiduciary (the legal entity storing and processing data) will notify the Data Protection Authority (DPA) of any breach which is likely to cause any harm to the data principal. The notice shall state the nature of the breach, the number of people affected, the consequences of the breach and the steps taken to remedy it. A failure to report such a breach as per the law can attract, as per Clause 57, a penalty of up to Rs 5 crore or 2 percent of its total worldwide turnover, whichever is higher (5).

The flaw in this clause is that it gives the data fiduciary the power to decide whether or not a breach is ‘likely to cause any harm’ and, therefore, whether to notify it. This language can allow fiduciaries to circumvent their obligation to notify the DPA of any breach at all. The Bill should contain stricter provisions, requiring the reporting of any and all kinds of breach, whether or not the data fiduciary anticipates harm.

Another important aspect missing from the current law is a time frame: the Bill does not provide any period within which data fiduciaries are required to notify the DPA of a breach. Other laws, like the European Union’s General Data Protection Regulation, impose a timeline of 72 hours on all data processors to inform the regulator (6), and there is no reason why such a time frame cannot be provided for under the Act, especially after experiencing the enormity of harm (mentioned above) that can be caused.

The Bill defines legal entities who process and store data as ‘data fiduciaries’ to emphasize the fiduciary relationship that these entities hold with their consumers. However, the Bill gives the DPA the authority to determine whether the data principal, the person whose data has been breached, should be informed about it or not. Given the record of bribery cases within administrative agencies, the regulators supposed to be regulating a particular industry might be bought by that very industry (7). It is therefore important to establish a provision for informing consumers of any breach that is notified to the DPA, to ensure transparency in its workings.

Since the Bill is yet to be established as a full working law, one hopes that the parliamentary committee will examine the above loopholes and prepare an Act that ensures greater protection for Indian citizens in the case of a data breach.
