Data fiduciaries should report all data breaches to the Data Protection Authority (DPA) within 72 hours of becoming aware of them, the Joint Parliamentary Committee on the Personal Data Protection Bill 2019 has recommended in its report, which was tabled in Parliament on December 16.
The committee has also recommended that the DPA direct data fiduciaries to inform data principals of personal data breaches after considering the severity of the harm caused.
The earlier draft of the bill had no provisions for reporting breaches to data principals, and only required reporting to the DPA if the breach was likely to cause harm to data principals. There was also no specific timeline prescribed for reporting breaches.
What does the committee report say about data breaches?
The committee has recommended significant changes to the role of the DPA during a data breach and obligations of fiduciaries:
- Scope: Data fiduciaries will be required to report all data breaches to the DPA.
  - Earlier version: The earlier draft only required data fiduciaries to report breaches if they were “likely to cause harm to any data principal.”
  - Reason for the change: The committee was of the view that the carve-out allowed to fiduciaries was presumptive and led to ambiguity.
- Timeline: Data fiduciaries must submit the notice to the DPA within 72 hours of becoming aware of the data breach, the committee recommended.
  - Earlier version: The earlier draft asked data fiduciaries to report breaches to the DPA ‘as soon as possible’ after accounting for urgent remedial measures that may need to be undertaken.
  - Reason for the change: The committee felt the need for a realistic and finite time frame to report data breaches.
- Urgent measures: The DPA has been empowered to direct the data fiduciary to take ‘any urgent measures’ to mitigate the harm caused to data principals.
  - Earlier version: The earlier draft only allowed the DPA to direct data fiduciaries to take remedial actions, without specifically empowering it to outline any measures.
- Non-personal data: The committee suggests that the bill add a provision for non-personal data, saying only that the DPA shall ‘take necessary steps as may be prescribed’.
  - Earlier version: The earlier version of the bill did not mention non-personal data.
Guiding Principles for Data Breaches
The committee recommends that the Data Protection Authority follow a set of guiding principles while framing regulations around data breaches, including the following points:
- Privacy: When posting details regarding a data breach, the DPA should ensure the privacy of data principals is protected.
- Delays in reporting breaches: If a data principal suffers immaterial or material harm due to a delay in the reporting of a personal data breach by the data fiduciary, then the fiduciary is:
  - Liable to prove that the delay was reasonable.
  - Responsible for the harm suffered by the data principal due to the delay.
- Log of breaches: The Authority should ask data fiduciaries to maintain a log of all data breaches, to be reviewed periodically by the Authority, irrespective of the likelihood of harm to the data principal.
- Conditions for non-disclosure: When data breaches occur in spite of precautions, as an act of business rivalry or espionage intended to harm the interests of the data fiduciary, the DPA may exempt the data fiduciary from disclosing details, but only in cases where doing so does not compromise the interests of the data principal.
Corrigendum (19 Dec, 11:07 AM): An earlier version of this story incorrectly mentioned that the JPC report includes new requirements for reporting data breaches to data principals. No additional requirements have been imposed on that front. The article has been updated to reflect the same.