Personal Data Protection Bill: Notification Of Data Breaches
BloombergQuint Opinion
Over the last few years, there have been a number of highly-publicised data breaches at the biggest internet and data companies in the world. A common thread amongst these data breaches is that most of these companies do not like to disclose the breaches to customers. Over the last decade Google, Yahoo, Uber, Whatsapp, Microsoft, and Equifax have all been accused of failing to notify their customers that their confidential information had been compromised by external hackers or internal leaks or errors. The information that has been compromised during these data breaches has ranged from passwords to credit card information to personal chats.
Public disclosure of a data breach brings with it significant reputational harm, along with the threat of lawsuits by customers, investors, and regulators. It should therefore not come as a surprise that many of the biggest data companies are reluctant to disclose data breaches. Most of them justify their silence on the grounds that there was no evidence to suggest that customers were being directly impacted by the breach.
The PDP Bill On Data Breach Notifications
The Personal Data Protection Bill, 2019, which is currently being examined by the Joint Parliamentary Committee, has a provision requiring all data fiduciaries (the legal entities storing and processing data) to disclose data breaches to a proposed Data Protection Authority. Clause 25 of the Bill requires every data fiduciary to inform the DPA of the nature of the personal data that was compromised, the number of consumers who were affected, the possible consequences of the data breach and the action taken by the data fiduciary to remedy the breach.
The law is silent on time-frames for notifying the data breach.
Instead, these timelines will be specified in regulations framed by the DPA. As per Clause 25, it will be the responsibility of the DPA to decide whether the data fiduciary is required to report the data breach to its consumers after taking into consideration the severity of the breach and the harm that may be caused to consumers. A failure to report such a breach as per the law can attract, as per Clause 57, a penalty of up to Rs 5 crore or 2 percent of its total worldwide turnover, whichever is higher.
When Does A Data Fiduciary Have To Notify The DPA Of A Breach?
The biggest red flag in the wording of Clause 25 is that a data fiduciary has to inform the DPA of a breach of personal data processed by it only when such a breach is likely to cause harm to any data principal. Given the sordid history of cover-ups by internet companies in the past and the many disincentives for reporting data breaches, it is very likely that the current wording of Clause 25 will result in a large number of data fiduciaries simply not reporting a data breach to the DPA.
Rather than provide such leeway to the data fiduciaries, India should require data fiduciaries to report each and every breach to either the DPA or the consumer, depending on the severity of the breach.
Such a standard would lay down a clear obligation and foster greater transparency, as well as competition within the industry for better data security mechanisms. It would be a mistake to assume that these companies already have sufficient incentive to invest adequately in data security mechanisms. The fear of adverse publicity will do wonders on this front.
Compromising On Data Fiduciary Framework?
One of the other most obvious problems with Clause 25 is that it does not require data fiduciaries to directly inform their consumers that their data has been compromised. The decision of the drafters to vest this responsibility in the DPA contradicts their decision to adopt a data fiduciary framework as the theoretical basis of India’s new data protection law.
In the eyes of the law, a ‘fiduciary’ relationship is one in which a party managing the interests of another party is required to always act in the best interests of the latter. A common example of a fiduciary relationship is the duty owed by directors to the shareholders of a company. The directors, who are essentially managing the investments of the shareholders, are always required to act in a manner that benefits the shareholders. This includes the duty to make candid disclosures of information to the shareholders and potential investors about issues plaguing the company. Given this understanding of a fiduciary relationship, one would have expected that India’s data protection law would impose a duty on all data fiduciaries to expeditiously inform all their consumers in case of a data breach.
It makes little sense for a third party, like the proposed DPA, to be taking this call when the fiduciary relationship is between the customer and the entity handling the data.
If the government wants to persist with Clause 25 in its present form, it should simply drop the entire data fiduciary framework as the basis of this law.
How Did The Government Arrive At Clause 25?
In the whitepaper put out by the Justice BN Srikrishna Committee, it was mentioned that the law that was being drafted by the committee may require data fiduciaries to directly inform all of their consumers of a data breach. This would have been in line with the concept of a fiduciary obligation. It would have also been similar to some of the requirements under the European data protection laws. In its final report, the Srikrishna Committee appears to have pivoted towards the current form of Clause 25, where the decision regarding notifying consumers of data breaches depends on the DPA and the data fiduciaries are relieved of the responsibility of making that decision. The report does not provide good enough reasons for this new approach. It also does not explain how this requirement for the DPA to take the call fits into the data fiduciary relationship that forms the foundation of the law.
In the interests of transparent law-making, the government should disclose who or what influenced the present wording of Clause 25.
The Problem With Delegating Powers To The DPA
Theoretical issues aside, there are serious practical issues with how Clause 25 has been drafted. The law is entirely silent on timelines for companies to notify a data breach to the DPA. Given how crucial an issue this is for citizens from a data protection standpoint, there is simply no reason to delegate this responsibility to the DPA. Other laws, like the European data protection law, categorically impose a timeline of 72 hours on all data processors to inform the regulator.
The problem with delegating such powers to the DPA is that most regulators in India tend to be captured by the very industry they are supposed to regulate.
There are hardly any regulators in India which inspire faith in their independence, which is why it is always a bad idea to give them too much rule-making power. On the other hand, if Parliament were to set critical issues such as timelines in stone in the text of the parent statute, private industry would be denied any opportunity to lobby weak regulators for changes in the law.
Hopefully, the Joint Parliamentary Committee scrutinising the draft data protection law will recommend amendments to Clause 25 to ensure greater protection for Indian citizens in the case of a data breach.
T Prashant Reddy is a Bengaluru-based advocate and co-author of ‘Create, Copy, Disrupt: India’s Intellectual Property Dilemmas’.
The views expressed here are those of the author, and do not necessarily represent the views of BloombergQuint or its editorial team.