[This post has been authored by Ms. Vasundhara, Managing Partner, Verum Legal and Mr. Mudit Kaushik, Counsel, Zeus IP. Part One can be found here]
International Precedents and Comparison
While every nation in the world strives to ensure the digital security of its citizens, very few have legislation to back up the claim. The General Data Protection Regulation (GDPR) of the European Parliament and Council, in force since 25 May 2018, is a unique legal framework that imposes a single, uniform set of data protection rules on all EU member states, so that the European market is protected as a whole.
Both the GDPR and the PDP Bill 2019 place the capture of consent on an extremely high pedestal. The data subject (the "data principal" in the Bill's terminology) decides whether their data is collected at all, which data they wish to share and how; the decision, and the responsibility for what flows to the Data Fiduciary, therefore rests directly with the individual.
On the points of difference, some factors are crucial. While the GDPR carves out a limited set of exceptions, the PDP Bill 2019 gives the central government wide discretion to exempt specific agencies of the government from the Bill on the grounds of public order, national security and/or national sovereignty.
However, the GDPR and the PDP Bill, along with the laws of the UK, Germany and China, all make it mandatory that a breach be brought to the knowledge of the data protection authority, whereas the data subjects are informed only where the breach is judged likely to jeopardise their interests. Who makes that judgement differs: under the GDPR and the UK and German statutes the controller assesses the risk, while under the PDP Bill 2019 the Authority, on receiving the fiduciary's notice, determines whether the data principal is to be informed.
| Country | Law | Relevant Provision |
| --- | --- | --- |
| India | The Personal Data Protection Bill, 2019 | Section 25(6): The Authority may, in addition to requiring the data fiduciary to report the personal data breach to the data principal under sub-section (5), direct the data fiduciary to take appropriate remedial action as soon as possible and to conspicuously post the details of the personal data breach on its website. |
| United Kingdom | Data Protection Act 2018 | Part 3 (law enforcement processing), Chapter 4, Section 68: Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay. |
| Germany | Federal Data Protection Act (BDSG) | Part 3, Chapter 4, Section 66: If a personal data breach is likely to result in a substantial risk to the legally protected interests of natural persons, the controller shall notify the data subject of the personal data breach without delay. |
| EU | General Data Protection Regulation | Article 34(1): When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. |
| South Africa | Protection of Personal Information Act | Chapter 3, Section 22: Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Regulator and the data subject; notification must be made as soon as reasonably possible after discovery of the compromise, in the manner prescribed. |
| Singapore | Personal Data Protection Act | Section 26D(2): Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances. |
Challenges Ahead
While the PDP Bill 2019 has had its fair share of criticism, it is much-needed legislation for the coming years of digital growth. India's cyber and internet world has so far been governed by a single statute, the Information Technology Act, 2000, and the need for a more robust law on the handling of data is becoming increasingly obvious.
Interestingly, the very person who prepared the initial draft of the PDP Bill 2018, Justice BN Srikrishna, opposed the newly amended draft, warning that the law in its current form "Can turn India into an Orwellian state" and opining that it will remain ineffective, and borderline detrimental to cyber security, unless there is "Judicial oversight on government access".
The PDP Bill 2019 strikes a reasonable balance between regulation and liberty, with legal provisions that help both data subjects and Data Fiduciaries safeguard their rights and take action in the event of a breach, inadequate security and the like. Data breaches cause reputational damage to an organisation and can expose an individual to personal harm of a magnitude far greater than expected.
The most crucial issue is the exemption, already mentioned, that may be granted to specific parts of the government, taking them outside the purview of the PDP Bill 2019 on the grounds of public order, national security and/or national sovereignty.
Another aspect the legislation fails to deal with is the situation of small businesses which collect information from data principals manually, then store and use it in a manner that can barely qualify as "secure". A specific solution must be found for this soon-to-emerge issue, because even a small-scale data breach is still a breach, and still a loss to the citizens of India.