Over the last decade the world has witnessed a large number of highly-publicized data breaches at mammoth internet and data companies around the world. Market leaders like Google, Yahoo, Uber, WhatsApp, have all been involved in some case or the other related to data breach or leak by External Hackers or internal leakage. All of them have been accused of failing to notify their consumers that their confidential information have been leaked or compromised. The information which has been compromised during these breaches and leakage includes data like credit card details, passwords, etc. Data breaches that happen in these huge companies bring along with it, a significant loss of reputation of the company and also a threat that a customer and any investor may file law suit against the company. Therefore, it is of no surprise when these companies try to hide such breaches.
In India, last year, The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha and it is currently being examined by the Joint Parliamentary Committee. The Bill consists of a provision which requires all the Data Fiduciaries, i.e. the legal entities who are responsible for storing and processing data, to disclose of any data breach to the proposed Data Protection Authority (DPA). Clause 25 of the Bill requires the data fiduciaries to disclose to the DPA all the details about the breach such as, the nature of the breach, number of consumers affected by the breach, the steps taken by the data fiduciary to remedy the breach.
The Fault in Clause 25
The above mentioned clause is tangled with various lacunas which need to be dealt by the parliament before passing of the Bill and making it a law.
No time frame for notifying data breach
Clause 25 of the Personal Data Protection Bill, 2019 is silent on the time frame for notifying the data breach. Instead, according to clause 25, the responsibility of deciding timelines is given to the DPA, who are to specify the timelines through regulations framed by them. According to the clause the DPA is also responsible for deciding whether the data fiduciaries is required to notify to their consumers about the data breach. This is to be decided keeping in mind the severity of the breach and the harm which may be caused to the consumer because of the breach.
When to Notify of the Breach
The biggest lacuna in the wordings of clause 25 of the bill is that, it requires data fiduciaries to notify the DPA about the breach if such breach causes any harm to the data principal. Knowing the history of these internet companies, about their cover-ups and disincentive of reporting data breaches, it is very likely that these companies will remain silent on a large number of breaches and will not report the DPA about it. Instead of providing such leeway, the Bill should have obligated the data fiduciaries to report each and every data breach to either the DPA or the consumer, depending upon the severity of the breach.
Compromising on the Fiduciary framework
Another obvious issue pertaining to this clause is that, it requires data fiduciaries to report of the data breach to the DPA instead of reporting the consumer directly. The decision of the legislature to vest this responsibility in the DPA contradicts the very basis of the bill, i.e. fiduciary framework. The framers decided to adopt a data fiduciary framework as a theoretical basis of the new bill. It makes very little sense that, third parties such as the DPA, to be taking calls when the fiduciary relationship is between the consumer and the entity handling the data. The issue with delegating such powers to the DPA is that, most regulators in India are captured by the very industry they are supposed to regulate.
Clause 35 of the Bill
Clause 35 of the Bill gives unrestrained access to personal data by the Government. The Bill provides for various safeguards for privacy of the consumers. But clause 35 of the Bill empowers the Central Government to bypass all those, (a) in the interest of the sovereignty and integrity of India, security of the State, public order, etc, (b) for preventing any cognizable offence related to the aforementioned.
This clause is in sharp contrast to the 2018 draft bill. According to the draft bill of 2018, the Central Government was granted exemption only for “security of the State”, other than that according to the draft bill, processing of personal data “shall not be permitted unless authorized pursuant to a law, and in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.”
The 2019 bill does not contain any of these. Therefore, it’ll raise serious objections, especially in view of the recent allegations by WhatsApp and Google which point fingers to Government agencies. The exemption given to the Central Government under clause 35 undo the very objective sought to be achieved by the proposed law. There are no checks and balances on the powers given to the Central Government under this clause. Taking note of the recent allegations by Google and WhatsApp, the chances of this clause being misused is immense.
Edited by J. Madonna Jephi
Approved & Published – Sakshi Raje
1. The Personal Data Protection Bill, 2019, Bill No. 373 of 2019.
2. Bloomberg Quint, https://www.bloombergquint.com/opinion/how-the-personal-data-protection-bill-tackles-data-breaches (last visited 24th February 2020, 7:05 PM)