Editor’s note: The Data Protection Bill series carefully examines the various sections of the draft Personal Data Protection Bill, 2018 as laid down by the Justice Srikrishna Commission and submitted to MEITY for approval. This is Part VIII of the series.
The Personal Data Protection Bill, 2018 imposes a series of obligations on data fiduciaries in relation to transparency, security and accountability under Chapter VII. These obligations ensure that a data principal is made aware of the practices of the data fiduciary, and allow both the data principal and the Data Protection Authority to verify that the fiduciary’s practices remain within the boundaries of the data protection law.
The obligations prescribed under Chapter VII of the Bill are quite comprehensive. However, issues arise with the discretion granted in respect of data breach notifications, as well as with the introduction of the category of ‘significant’ data fiduciaries.
Transparency requirements through notice
The transparency requirements in relation to the notice to be provided to the data principal are comprehensive, including information on the categories of personal data collected, general purposes of processing, procedure for exercise of rights, contact details, etc. These are prescribed both as a fundamental privacy principle under Section 8, as well as an obligation on data fiduciaries under Section 30.
Data breach notifications under the Bill
In addition to the transparency obligation, the Bill also introduces the much-needed data breach notification requirement under Section 32. However, the notification is required to be provided only to the Data Protection Authority (DPA). Data principals will be notified of the breach only on the direction of the DPA. Moreover, under this section, the notification to the DPA is required only if the data fiduciary is of the opinion that the breach is likely to cause ‘harm’ to the individual.
To understand this, first, a personal data breach is defined quite broadly under the Bill to include any unauthorized or accidental disclosure, acquisition, sharing, altering, etc., of data. The next definition that needs to be examined is that of ‘harm’ under the Bill. This definition is quite lengthy, including bodily or mental injury, identity theft, loss of reputation, discriminatory treatment, etc. The definition is an inclusive one, but it is unclear what else can be covered under it if a consequence does not squarely fall under one of the ten categories listed.
Discretion granted with the notifications
Now, consider the Cambridge Analytica issue. The sharing of the data was a case of unauthorized disclosure, which is a clear violation of the law, and falls within the definition of a ‘personal data breach’. The next issue is of the harm caused to the data principals as a result, which in this case was the manipulation of voters for the purpose of elections. This does not fall under any of the listed categories of ‘harm’ under the definition.
The result is that it will often be left to the discretion of the data fiduciary to assess whether ‘harm’ has been or is likely to be caused by the personal data breach in question. Considering cases like the UIDAI dismissing several data breaches related to it as harmless, this discretion is a concern. It will have to be borne in mind that there may be entities which do not have a proper understanding of what can cause ‘harm’ in the digital era. At the same time, notions of harm may change greatly as new uses of data are explored, such as the Social Media Communication Hub’s proposed ‘moulding’ of public opinion. Further, many entities may use this discretion and the outlined definition of harm to conceal leaks.
Discretionary notifications to data principals
Further discretion is also granted to the DPA to decide whether data principals must be informed of data breaches. Such notification will be required only when the risk of harm is significant or when action is required on the part of the data principal to mitigate the risk. This practice, however, can result in a data principal being kept in the dark with respect to his data. Further, it reduces the transparency of the data trust scores awarded (discussed below).
Privacy by design
Security and accountability obligations have also been prescribed under the Bill in the form of requirements of privacy by design and the requirement of security safeguards under Sections 29 and 31 respectively. These are both welcome principles. The requirement of security safeguards will be applicable even to processors as well as to exempted activities under the Bill, which ensures some amount of security.
DPIA, Audit requirements for ‘significant’ data fiduciaries
The Bill also prescribes a second category of requirements: conducting a Data Protection Impact Assessment (DPIA), data protection audits and record-keeping obligations. It further requires the appointment of a Data Protection Officer. For organizations that fall within the extra-territorial jurisdiction prescribed (discussed in Part II of the series), a DP Officer must be appointed within India.
This category of requirements will apply only to ‘significant’ data fiduciaries. This is a new category of data fiduciaries which will be specified by the DPA, and will be subject to a higher standard of obligations. The DPA is to notify data fiduciaries or classes of data fiduciaries as ‘significant’ data fiduciaries, taking into consideration factors like volumes and sensitivity of data processed, turnover, the risk of harm, use of new technologies and any other factors. Such significant data fiduciaries are required to register with the DPA, and will be subject to higher penalties for violations.
Impact of separate requirements for significant fiduciaries
The restriction of DPIA and other requirements to significant data fiduciaries will come as a relief to the many companies and start-ups which don’t process data extensively. Issues, however, arise with the determination of a given data fiduciary as a significant data fiduciary. This is likely to become contentious given the higher costs involved for compliance. The Bill, however, does not specify the rights of a data fiduciary to contest its classification as one.
For instance, even if the DPA were to classify a category of companies as significant data fiduciaries, a particular company may, say on account of the smaller quantities of data it processes, wish to question its classification as a significant data fiduciary. Simultaneously, other issues will arise, such as whether significant data fiduciaries will be adequately identified. Another issue is whether there will be sufficient transparency in the DPA’s decisions with respect to a given classification.
Contracts with data processors
Lastly, the Bill also requires contracts to be in place between data fiduciaries and processors under Section 37. This section further requires processing by the data fiduciary only on the instructions of the data principal. The requirement of security safeguards applies to data processors as well. Apart from this, the Bill doesn’t specify further obligations on the processor.
Thus, while the data processor does not have specific obligations imposed on him in relation to data protection, it can be inferred that the data controller will have to ensure this compliance. Accordingly, the data fiduciary will have to ensure that it engages processors who will see that the fiduciary’s obligations under the law are met. One factor to be considered here is whether the additional requirements for significant data fiduciaries need to apply to significant data processors as well, as an added measure of security.
Data trust scores and codes of practice
Another factor that is relevant here is the recommendation for the DPA to issue codes of practice for standards of security safeguards for fiduciaries and processors under Section 61. Such standardized codes of practice, which are to be in the nature of best practices, can certainly help in simplifying the selection of data processors and other parties. Periodic certification models for compliant companies can also be considered here. For instance, the Privacy Shield granted by the EU simplifies the selection of US-based entities which are compliant with the General Data Protection Regulation’s requirements.
In addition to these, the Bill has introduced a ‘data trust score’, which will be awarded to significant data fiduciaries who demonstrate compliance with the requirements of the data protection law. This is another welcome move which can ease the selection of a given data fiduciary. At the same time, measures must be in place to ensure that the data trust score is awarded in a fair and transparent manner by the DPA.
Thus, the transparency and accountability measures are quite extensive, though some more work is required on a few provisions.
The next part of the series deals with the enforcement mechanism established under the Bill.
The author is a lawyer specializing in technology, privacy and cyber laws. She is also a certified information privacy professional.