Will Digital Personal Data Protection Bill Finally Protect Users From Data Breaches?

Will Digital Personal Data Protection Bill Finally Protect Users From Data Breaches?

SUMMARY

In the past two years, Indians have seen multiple data breaches, highlighting the need for a law that lays out guidelines for companies in case of/to prevent leaks

Similar to the EU’s General Data Protection Regulation (GDPR), the Indian government has also proposed the establishment of a Data Protection Authority

But it is unclear if the laws will govern only future data breaches or it will also protect users from past leaks

The first introduction of the Data Protection Bill in the year 2018 sought to protect individual personal data from misuse and unauthorised access by regulating the storage, processing and use of such data. However, the debate on the treatment of data breaches in the country has only intensified with the government’s updating the first draft of the Digital Personal Data Protection Bill.

According to the current draft of the Digital Personal Data Protection Bill, all data fiduciaries are answerable to data owners on information related to data processing under an RTI mandate within the Bill. The Bill further exempts some ‘to be notified’ entities from sharing information for reasons ranging from national security to the nature and volume of personal data processed.

Similar to the EU’s General Data Protection Regulation (GDPR), the Indian government has also proposed the establishment of a Data Protection Authority. This ‘authority’ will, besides other controls, also have powers to investigate data breaches, impose penalties for non-compliance and issue guidelines, if any.

“While the Bill does not delve deep into compliances or obligations in the event of a data breach, the central government will be issuing further direction in this matter,” Abhishek Malhotra, managing partner, TMT Law Practice told Inc42. 

“In the interim, the CERT-In Directions, 2022, released earlier this year, will provide for the obligations, compliances and notices necessary at the time of a data breach. However, users must note that neither regulation affords a user’s right to prosecute for loss of their personal information by the data fiduciary,” he added.

The Rising Problem Of Data Breaches In India

A recent study by the Ponemon Institute found that the cost of a data breach in India is $2.21 Mn, with the healthcare sector being the most affected. Notably, the recent data breach in the AIIMS Hospital was a wake-up call to the industry.

According to reports, the hospital stores and caters to nearly 4 Mn patients and in the aftermath, hackers sold data of 150K+ users. The consequences of such a data breach can be alarming (cue, the Ashley Madison data breach from 2015, where hackers are still extorting users).

In the past two years, Indians have seen multiple data breaches ranging from leaks at startups such as BigBasket, MobiKwik, Cleartrip, Pine Labs and Unacademy and large businesses such as WhatsApp, Vi, Air India and Domino’s.

This simply means that Indian companies are not doing enough to protect their data and the consequences are negative – financial losses, loss of consumer trust, and damage to a company’s reputation.

Even the government has been criticised for its failure to protect the personal data of citizens (remember the multiple data breaches from the Aadhaar and NIC databases).

Another reason for the high cost of data breaches in India is the lack of data protection laws. There are no specific laws in India that deal with data security and data breaches. This means that companies can get away with not taking data security seriously and that they can suffer significant financial losses in the event of a data breach.

What The Government Is Doing?

According to Eucloid’s cofounder and COO, Anuj Gupta, section 11 of the draft Bill mentions the provision for the government to notify certain data fiduciaries as ‘significant’.

“Any company classified as a significant data fiduciary will have to appoint a Data Protection Officer who will be based out of India. The company will also have to incur increased overheads and scrutiny in terms of periodic data audits,” he said.

But, the classification will most likely be applicable to big tech companies despite the ambiguity that keeps the parameters open. It is also unclear if the laws will govern only future data breaches or will also protect users from past leaks.

“While this is a good step to bring in additional data protection measures, this classification will need to strike a balance between being too protectionist and being too liberal,” Gupta added.

Since the data breaches have also raised concerns about leakages to third parties without their consent, the Bill has come out with clauses making data fiduciaries (even the government) answerable to data owners. Yet, it excluded any mention of data breaches that have already occurred and the protection of data already on the dark web.

According to experts, the government needs to invest in better security measures to protect the personal data of citizens, raise security awareness and bring about stringent laws. But the current ambiguity in definitions and the clause ‘as may be prescribed’ has not been very helpful in deducing the state of users protection in case of data breaches.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Will Digital Personal Data Protection Bill Finally Protect Users From Data Breaches?-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Will Digital Personal Data Protection Bill Finally Protect Users From Data Breaches?-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Will Digital Personal Data Protection Bill Finally Protect Users From Data Breaches?-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Will Digital Personal Data Protection Bill Finally Protect Users From Data Breaches?-Inc42 Media
Will Digital Personal Data Protection Bill Finally Protect Users From Data Breaches?-Inc42 Media
You’re in Good company