[This post has been authored by Ms. Vasundhara, Managing Partner, Verum Legal and Mr. Mudit Kaushik, Counsel, Zeus IP. Part Two can be found here]
Data breaches have become an issue for companies in the digital era, with no entity being spared for direct or even indirect involvement in a breach. Recently, Domino's India was subject to a data breach by an unidentified hacker who allegedly took over 20 crore order details from Domino's India server. What must have been worrisome for Domino's India is the fact that they collect information such as their customers' names, email addresses, contact details, locations and addresses.
The ongoing effects of the pandemic have only increased our dependence on technology, resulting in a massive collection of information, transfer of sensitive data and the resulting possibility of high-profile data leaks of smaller entities as well as major companies like Facebook, Mobikwik, Upstox etc. What adds to this problem in India is the lack of any direct provisions in existing legislation which effectively deal with such situations both from the perspective of a data subject as well as a person or entity handling data.
These trends of rampant infringement of rights relating to personal data have, fortunately, set the stage for plans of action initiated by the Indian government and the judiciary, the latter in the K.S. Puttaswamy v. Union of India judgement (2017), which declared the right to privacy a fundamental right and worked towards securing data privacy in India. This judgment also clearly discusses that giving rights to the data subject would encompass the ability of a person to control his existence on the internet and decide how any information, however small or big, is used, shared, stored and processed.
The Srikrishna Committee was formed after the court directed the ruling party to form legislation for Data Privacy; the Committee later tabled the draft of the Personal Data Protection Bill (the PDP or Bill, or PDP Bill) to the Ministry of Information and Broadcasting. Subsequently, the Personal Data Protection Bill (2019) [the PDP Bill 2019] was introduced after the legislature made amendments to the first draft of the Bill. This provisional law seeks to protect the personal data of individuals by creating a framework for processing such personal data and by establishing a Data Protection Authority. The rights of individuals to safeguard their data, along with strict and clear norms to regulate such Data Fiduciaries, are specifically elaborated in this law.
Duties of the Data Fiduciaries
As provided in the draft Personal Data Protection Bill (2019), a balance is to be created between the interests of individuals concerning the use and handling of their personal data and the interests of the entities holding the data of these individuals. It has been stipulated that a Data Fiduciary, meaning those who have been given the right to access, use, store and deal with such data, must be permitted to share and utilise such personal data only in matters concerning the common welfare of Indian citizens. In fact, under the PDP Bill 2019, there are some important provisions on the duties of Data Fiduciaries when they handle data and on how they are expected to safeguard the data subject's interests. They are as follows:
Duty to report: As mentioned under Section 25 of the PDP Bill 2019, a "Data Fiduciary" is duty-bound to inform the Data Protection Authority of India in case there has been a breach of personal data that would be deemed harmful to the data principal. The PDP Bill 2019 also gives the Authority the option to decide whether such a breach shall be reported to the Data Principal, and does not mandate it. Similarly, China's data privacy law, the PIPL, says that in case data handlers believe a data leak may create harm to individuals, they may be required to notify those individuals. The German data privacy law and the UK data privacy law also state that in case there is a substantial risk to the legally protected interests of natural persons, the controller shall notify the data subject of the personal data breach without delay. The POPIA, the South African data privacy law, mandates that a data handler inform a data subject about a breach "as soon as is reasonably possible".
As can be clearly seen, most legislation across the world has avoided making it a direct, mandatory liability of a data handler (Fiduciary, Processor, etc.) to inform a data subject in case their data has been breached or stolen. The provision that information shall be provided only if "personal interests" are harmed by such a breach leaves a broad ambit of defence for the handler. It is important for businesses to understand how to handle data and tackle data breaches to the best of their abilities, as data breaches are not treated kindly by the public. A breach has a massive impact on the reputation of the company handling such data and definitely leaves a user second-guessing the app or platform's security.
The lack of strong directives requiring the handler to inform subjects of a breach definitely leads to a situation where the data handler might attempt to wriggle out of the liability it may face upon informing the data subject directly.
The PDP Bill 2019 has pre-emptively mandated the setting up of the Data Protection Authority of India, which will be the data protection organization. The PDP Bill 2019 also explicitly states that the Data Fiduciary would be subject to the legal consequences of a data breach that occurs, irrespective of whether it was the mistake of the Data Fiduciary or not. Additionally, when Sections 25(1) and 25(3) of the PDP Bill 2019 are read together, Data Fiduciaries are also required to report the data breach within a reasonable time. While the legislation has not narrowed down on a specific time frame for reporting the data breach, 72 hours after the Data Fiduciary notices the data breach would be considered ideal and sufficient, as has been defined in other global privacy laws.
Duty to maintain a record of data breach: As mentioned under Section 25(2) read along with Section 25(4) of the PDP Bill 2019, the authorities may also direct the Data Fiduciary to keep a detailed record of the data breach that has happened, procuring the following information:
- Nature of personal data which is the subject matter of the breach;
- Number of data principals affected by the breach;
- Possible consequences of the breach;
- Action being taken by the data fiduciary to remedy the breach; or
- A detailed description in words, in case such information is not attainable due to loss of, damage to, or any other inaccessibility of the technology in which the data had been stored. In such situations, a recorded statement might prove useful for the authorities in the case of litigation or fact-checking.
Duty to take remedial action: Under Section 25(5) read along with Section 25(6) of the PDP Bill 2019, a Data Fiduciary is required to take appropriate measures at the earliest possible time to alert the Data Protection Authority regarding a data breach. The Authority shall then determine whether such a breach should be reported by the Data Fiduciary to the data principal. In deciding this, the Authority shall take into account the severity of the harm that may be caused to the data principal and whether some action is required on the part of the data principal to mitigate such harm.