Over a year after the Digital Personal Data Protection Act 2023 (DPDP Act), India eagerly awaits its implementation through its rules, and establishment of the Data Protection Board.
Yet again, reports suggest that the rules will be released for public consultation ‘soon’. This provides yet another opportunity to examine some of the finer details of the law, and expectations from its implementation. As instances of personal data breaches continue rising at an alarming rate, it is important to understand the reporting obligations under the law. The DPDP Act mandates entities and businesses to report personal data breaches to the Data Protection Board of India (Board) and notify each affected individual.
A personal data breach may involve a breach of confidentiality (unauthorized access or accidental disclosure), a breach of integrity (unauthorized or accidental alteration), or a breach of availability (unauthorized or accidental destruction or loss of access).
Reporting Obligations under the DPDP Act vis-à-vis a Risk-Based Reporting Obligation
The reporting obligations under the DPDP Act differ from international practice. The EU GDPR requires breaches to be reported to the supervisory authority and to affected individuals when there is a risk, or a high risk, respectively, to the rights and freedoms of individuals.
Singapore mandates notification when a breach could result in ‘significant harm’ or is of ‘significant scale’, while Canada’s law requires reporting if the breach poses a real risk of significant harm. These approaches contrast with India’s blanket requirement to report all breaches.
To ensure effective implementation of risk-based approaches, national laws and regulatory institutions prescribe criteria to assess the risk for identifying notifiable breaches.
In Canada, the assessment of a ‘real risk of significant harm’ rests on two factors: the significance of the harm (such as bodily harm, humiliation, reputational damage, financial loss or identity theft) and the presence of a real risk of that harm, which depends on the sensitivity of the personal data involved in the breach and the probability of its misuse. The European GDPR considers factors such as the type of breach, the sensitivity of the data, and the potential consequences for individuals.
Singapore uses more objective criteria to determine the level of risk. A breach of individuals’ names or of any of 23 prescribed categories of personal data is deemed to cause significant harm, whereas a breach affecting the personal data of 500 or more individuals is a breach of significant scale.
Although the scope and criteria for defining a personal data breach and the reporting thresholds vary across jurisdictions, each of them sets specific thresholds that must be met before a breach has to be reported to individuals or to the national authority. This contrasts with India’s blanket approach to reporting, which, one hopes, the imminent rules will refine with more clarity and nuance.
Designing Effective Breach Reporting Rules
Although the DPDP Act authorises the government to frame rules on the mode, method and timeline for reporting breaches as delegated legislation, it is a well-recognised principle that a rule-making body must operate within the authority conferred on it by the parent Act. A specific exemption from the reporting obligation through the rules is therefore unlikely.
A risk-based approach, while potentially more efficient, could lead to over-reporting or under-reporting because assessments of harm are subjective. Inaccurate assessments of the severity of breaches result either in excessive reporting of minor breaches or in failure to report significant ones. Either outcome could attract fines and penalties, cause reputational damage, and erode consumer trust.
Given the volume of data and the frequency of breaches, promptly notifying every incident to each affected individual and to the Board is challenging. The rules must ensure that entities and stakeholders use their resources effectively. Additionally, the potential for breach-notification fatigue could diminish the perceived seriousness of breaches, leading individuals to respond less proactively.
While the DPDP Act does not classify personal data breaches, the rule-making power over the mode and manner of reporting may permit the executive to propose a differentiated reporting structure for breaches of different types and scales. For example, a compressed reporting timeline for high-risk and large-scale breaches could be contrasted with an annual or consolidated reporting mechanism for minor breaches with negligible potential for harm.
To avoid subjective interpretations of breach impact, the rules should provide objective criteria for risk assessment, as the Singaporean law does. This could include prescribing a set of personal data categories whose breach would amount to a high-risk breach, or specifying the number of affected individuals that establishes scale. Conducting a multi-factor risk assessment for each incident ensures consistency and defensibility in privacy programmes.
The timeframe for reporting personal data breaches should be reasonable, allowing entities to assess the impact accurately. A short timeline, such as the one mandated by the CERT-In rules for reporting data breaches, may not give entities enough time to assess the impact of a breach accurately.
The rules should also address breaches at data processors that process data on behalf of data fiduciaries. Immediate notification to the fiduciary as soon as a processor becomes aware of a breach is crucial. The fiduciary, after its own assessment, may then be required to report to the Board.
Nonetheless, the effectiveness of the reporting obligations, and how entities respond to them, depends significantly on the role of the Board in enforcing them. Active and responsible enforcement will foster a culture of accountability and encourage holistic responses to the challenge of personal data breaches.
(Gangesh Varma and Yaqoob Alam work with Technology and Policy Practice at Saraf and Partners; Views are personal)