Data privacy has become a pressing concern as cybercrimes against individuals, committed by leaking or stealing their private data, have become prevalent. In recent times there have also been many grievances from customers regarding data breaches at trusted companies such as Dominos and Air India. Such breaches not only cost the companies billions of dollars in lost revenue but also pose potential harm to the customers whose personally identifiable information was leaked or stolen online.
This information is then used by cybercriminals to profit from, and to cause trouble for, the individuals to whom it belonged. In order to protect individuals and their personal data from misuse, the European Union (EU) enacted the General Data Protection Regulation (GDPR) in 2018, with the objective of implementing a personal information protection policy that helps reduce cybercrimes against people residing in the EU.
The GDPR is a comprehensive set of rules and regulations devised to give citizens more control over their personal data and information. It was enacted with the purpose of guiding and regulating the way companies handle the personal and sensitive information of their customers, i.e., the Data Subjects.
Such regulation and monitoring in turn reduce potential data breach threats and ensure that data is collected, managed, and transferred in a comprehensive and lawful manner.
In India, the Right to Privacy was declared a fundamental right by the Hon'ble Supreme Court in 2017 in Justice K. S. Puttaswamy v. Union of India [(2017) 10 SCC 1]. It is therefore only recently that the concept of privacy has been dealt with formally by the Judiciary.
Every individual tends to leave behind some personal information while surfing the Internet. The Indian Government, following in the footsteps of the GDPR, has introduced the Personal Data Protection Bill, 2019 (PDP Bill), which seeks to regulate the processing of personal data by corporate entities, multinational companies and the Government.
DATA BREACH NOTIFICATION UNDER GENERAL DATA PROTECTION REGULATION
According to Article 4(12) of the GDPR, a 'personal data breach' means a breach of security of an individual's personal information that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information.
Notification of a personal data breach is governed by Article 33 of the GDPR. Article 33(1) provides that the Data Controller, in the case of a personal data breach, shall notify the Supervisory Authority competent in accordance with Article 55 of the GDPR not later than 72 hours after becoming aware of the breach. Where the notification is not made within that period, it shall be accompanied by the reasons for the delay to the Supervisory Authority.
The process of notification of the personal data breach to the Supervisory Authority is mentioned under Article 33(3) of the GDPR as follows:
- The notification should describe the nature of the personal data that was leaked or stolen, including, where possible, the approximate number of Data Subjects concerned and the categories and approximate number of personal data records affected.
- The name and contact details of the Data Protection Officer or another contact point from which more information can be obtained should be communicated.
- Further, the Data Controller should describe the likely consequences of the personal data breach.
- Lastly, the measures taken or proposed by the Data Controller to address the personal data breach are to be mentioned, including, where appropriate, measures to mitigate its possible adverse effects.
Furthermore, Article 34 of the GDPR stipulates that the personal data breach shall be communicated to the concerned Data Subject without undue delay. However, it is pertinent to note that such notification to the Data Subject is not mandatory if the Data Controller has implemented appropriate protection measures, or has taken subsequent steps to ensure that the risk to the rights and privacy of the individuals is no longer likely to materialise, or lastly, if the notification would involve a 'disproportionate effort'. In that last case, the notification should instead be made through a public communication or a similar measure.
If the Data Controller fails to inform the Data Subject or the individual concerned about the data breach, the Supervisory Authority may require it to do so where the data breach is likely to pose a threat to the Data Subject.
PERSONAL DATA PROTECTION BILL, 2019
The PDP Bill was proposed with the purpose of regulating and managing the personal information of Data Subjects that is provided to companies and corporations. The Bill also provides for controls and measures governing the extent to which corporations can access the personal information of their users. The Indian Parliament seeks to pass the Bill and establish a "Data Protection Authority" (the Authority) to administer it. Once enacted, the PDP Bill will require companies and corporate entities to alter their business models, practices and principles.
Section 3 (28) of the PDP Bill defines personal data as “data relating to a natural person which directly or in an indirect manner identifies such person, in a manner that it provides the trait, features, attributes or characteristics of the individual, either online or offline, or any other information and shall contain any inference drawn through such information for the purpose of profiling.”
Thereafter, Section 3(29) of the PDP Bill stipulates that a "personal data breach" means any accidental or unlawful disclosure, use, alteration or destruction of, or access to, personal data that compromises its confidentiality and can cause harm to the person concerned.
Section 25 of the PDP Bill lays down the procedure for reporting a personal data breach, which provides that:
1. The Data Fiduciary needs to inform the Authority about the breach of personal data where such breach is likely to cause harm to the concerned individual.
2. The notice of such a personal data breach should include the following:
a) Nature of the personal data that was breached,
b) Approximate number of Data Principals affected by such data breach,
c) Possible repercussions of the data breach,
d) Measures taken by the Data Fiduciary to rectify the breach.
3. The notification is to be made by the Data Fiduciary to the Authority as soon as possible, or within such time period as may be specified by regulations.
4. Where it is not possible for the Data Fiduciary to provide all the information at the same time, it is required to provide such information to the Authority in phases without undue delay.
5. After receiving the notice of the data breach, the Authority is empowered to determine whether the breach is to be notified to the concerned Data Subject, considering the severity of the harm that may be caused to the Data Subject by the breach, or whether any action is required on the part of the individual concerned to mitigate the harm.
6. In addition to the notification made, the Authority can direct the Data Fiduciary to take appropriate remedial measures and can simultaneously post the details of the data breach on its website.
PERSONAL DATA PROTECTION BILL AND GENERAL DATA PROTECTION REGULATION
As mentioned above, the PDP Bill was introduced after the enactment of the GDPR by the EU. Both the PDP Bill and the GDPR strive to protect the privacy rights of individuals and to regulate the extent to which companies and corporations can access such personal information. Both laws also provide for measures where personal information is leaked or stolen and is likely to cause harm to the person concerned. The similarities and differences between the two are discussed below.
Article 33 of the GDPR provides for notification of a personal data breach; similarly, Section 25 of the PDP Bill deals with notification of a breach of personal data. However, the GDPR prescribes a definite time limit of 72 hours within which the personal data breach is to be notified to the competent Supervisory Authority, whereas the PDP Bill does not prescribe any such time limit within which the Authority is to be notified.
Furthermore, Article 34 of the GDPR states that the Data Subject concerned by the personal data breach shall be duly notified. In contrast, Section 25(5) of the PDP Bill leaves it to the discretion of the Authority to determine whether the respective Data Subject should be notified of the data breach.
Like the GDPR, the PDP Bill requires the Data Fiduciary to notify the Authority only if the breach is 'likely' to cause harm to the Data Subject. The word 'likely' makes clear that a notification must be issued only where the leaked information would cause harm; where the likelihood of harm is absent, no notification is required.
The GDPR and the PDP Bill are among the pivotal laws that will help in monitoring and protecting the privacy rights of individuals against cybercrimes, and provide a remedy both to corporations that would otherwise incur huge losses from such data breaches and to the individuals whose personal information was subject to the breach. Protection of personal data is of utmost priority, as its compromise poses a potential threat to the individual concerned.
Although the PDP Bill was introduced in the Lok Sabha in 2019, it is yet to be enacted. The PDP Bill is the need of the hour, as it will help reduce crimes concerning the personal information of individuals and strive to establish a safer cyberspace and virtual environment. Once enacted, the PDP Bill will require corporations to alter their business models, plans or operations, regulate the extent to which corporate entities can access the personal information of their users, and prevent corporate entities from exploiting such information.
– Team AMLEGALS, assisted by Ms. Vaaridhi Jain (Intern)