Will Digital Personal Data Protection Bill Finally Protect Users From Data Breaches?

SUMMARY

In the past two years, Indians have seen multiple data breaches, highlighting the need for a law that lays out guidelines for companies to prevent leaks and to follow when leaks occur

Similar to the EU’s General Data Protection Regulation (GDPR), the Indian government has also proposed the establishment of a Data Protection Authority

But it is unclear if the laws will govern only future data breaches or will also protect users from past leaks

The Data Protection Bill, first introduced in 2018, sought to protect individual personal data from misuse and unauthorised access by regulating the storage, processing and use of such data. However, the debate on the treatment of data breaches in the country has only intensified with the government updating the first draft of the Digital Personal Data Protection Bill.

According to the current draft of the Digital Personal Data Protection Bill, all data fiduciaries are answerable to data owners on information related to data processing under an RTI mandate within the Bill. The Bill further exempts some ‘to be notified’ entities from sharing information for reasons ranging from national security to the nature and volume of personal data processed.

Similar to the EU’s General Data Protection Regulation (GDPR), the Indian government has also proposed the establishment of a Data Protection Authority. This ‘authority’ will, besides other controls, also have powers to investigate data breaches, impose penalties for non-compliance and issue guidelines, if any.

“While the Bill does not delve deep into compliances or obligations in the event of a data breach, the central government will be issuing further direction in this matter,” Abhishek Malhotra, managing partner, TMT Law Practice told Inc42. 

“In the interim, the CERT-In Directions, 2022, released earlier this year, will provide for the obligations, compliances and notices necessary at the time of a data breach. However, users must note that neither regulation affords a user’s right to prosecute for loss of their personal information by the data fiduciary,” he added.

The Rising Problem Of Data Breaches In India

A recent study by the Ponemon Institute found that the cost of a data breach in India is $2.21 Mn, with the healthcare sector being the most affected. Notably, the recent data breach in the AIIMS Hospital was a wake-up call to the industry.

According to reports, the hospital caters to and stores data on nearly 4 Mn patients, and in the aftermath of the breach, hackers sold data of 150K+ users. The consequences of such a data breach can be alarming (cue the Ashley Madison data breach from 2015, where hackers are still extorting users).

In the past two years, Indians have seen multiple data breaches, ranging from leaks at startups such as BigBasket, MobiKwik, Cleartrip, Pine Labs and Unacademy to large businesses such as WhatsApp, Vi, Air India and Domino’s.

This simply means that Indian companies are not doing enough to protect their data and the consequences are negative – financial losses, loss of consumer trust, and damage to a company’s reputation.

Even the government has been criticised for its failure to protect the personal data of citizens (remember the multiple data breaches from the Aadhaar and NIC databases).

Another reason for the high cost of data breaches in India is the lack of data protection laws. There are no specific laws in India that deal with data security and data breaches. This means that companies can get away with not taking data security seriously and that they can suffer significant financial losses in the event of a data breach.

What Is The Government Doing?

According to Eucloid’s cofounder and COO, Anuj Gupta, section 11 of the draft Bill mentions the provision for the government to notify certain data fiduciaries as ‘significant’.

“Any company classified as a significant data fiduciary will have to appoint a Data Protection Officer who will be based out of India. The company will also have to incur increased overheads and scrutiny in terms of periodic data audits,” he said.

But, the classification will most likely be applicable to big tech companies despite the ambiguity that keeps the parameters open. It is also unclear if the laws will govern only future data breaches or will also protect users from past leaks.

“While this is a good step to bring in additional data protection measures, this classification will need to strike a balance between being too protectionist and being too liberal,” Gupta added.

Since the data breaches have also raised concerns about user data leaking to third parties without users’ consent, the Bill has come out with clauses making data fiduciaries (even the government) answerable to data owners. Yet it excludes any mention of data breaches that have already occurred and the protection of data already on the dark web.

According to experts, the government needs to invest in better security measures to protect the personal data of citizens, raise security awareness and bring about stringent laws. But the current ambiguity in definitions and the clause ‘as may be prescribed’ have not been very helpful in deducing the state of user protection in case of data breaches.
