wordpress blog stats
Connect with us

Hi, what are you looking for?

Data Protection Bill 2021: What is the protocol when data breaches occur in India?

In light of major data breaches in India, a parliamentary committee recommends key powers for the proposed data regulator.

Data fiduciaries should report all data breaches to the Data Protection Authority (DPA) within 72 hours of becoming aware of them, the Joint Parliamentary Committee on the Personal Data Protection Bill 2019 has recommended in its report, which was tabled in Parliament on December 16.

The committee has also recommended that the DPA direct data fiduciaries to inform data principals of personal data breaches after considering the severity of the harm caused.

The earlier draft of the bill had no provisions for reporting breaches to data principals, and only required reporting to the DPA if the breach was likely to cause harm to data principals. There was also no specific timeline prescribed for reporting breaches. 

What does the committee report say about data breaches?

The committee has recommended significant changes to the role of the DPA during a data breach and obligations of fiduciaries:

Scope: Data fiduciaries will be required to report all data breaches to the DPA.

Advertisement. Scroll to continue reading.
  • Earlier version: The earlier draft only required data fiduciaries to report breaches if they are “likely to cause harm to any data principal.”
  • Reason for the change: The committee was of the view that the carve-out allowed to fiduciaries was presumptive and led to ambiguity.

Timeline: Data fiduciaries must be required to submit the notice to the DPA within 72 hours after becoming aware of the data breach, the committee recommended

  • Earlier version: The earlier draft asked data fiduciaries to report breaches to the DPA ‘as soon as possible’ after accounting for urgent remedial measures that may need to be undertaken.
  • Reason for the change: The committee felt the need for a realistic and finite time frame to report data breaches.

Urgent measures: The DPA has been empowered to direct the data fiduciary to take ‘any urgent measures’ to mitigate the harm caused to data principals.

  • Earlier version: The earlier draft only allowed the DPA to direct data fiduciaries to take remedial actions without specifically empowering it to outline any measures.

Non-personal data: The committee suggests that the bill add a provision for non-personal data, saying only that the DPA shall ‘take necessary steps as may be prescribed.”

  • Earlier version: The earlier version of the bill did not mention non-personal data.

Guiding Principles for Data Breaches

The committee recommends that the Data Protection Authority follow a set of guiding principles while framing regulations around data breaches, including the following points:

  • Privacy: When posting details regarding the data breach, the DPA should ensure the privacy of data principals is protected
  • Delays in reporting breaches: If data principal suffers immaterial or material harm due to the delay in reporting of the personal data breach by data fiduciary, then the fiduciary is:
    • Liable to prove that the delay was reasonable.
    • Responsible for harm suffered by the data principal due to the delay
  • Log of breaches: The Authority should ask the data fiduciaries to maintain a log of all data breaches, to be reviewed periodically by the Authority, irrespective of the likelihood of harm to the data principal.
  • Conditions for non-disclosure: When data breaches occur in spite of precautions as an act of business rivalry or espionage to harm the interest of data fiduciary, the DPA may allow the data fiduciary exemption from disclosing details, only in cases where that does not compromise the interest of data principal.

Corrigendum (19 Dec, 11:07 AM): An earlier version of this story incorrectly mentioned that the JPC report includes new requirements for reporting data breaches to data principals. No additional requirements have been imposed on that front. The article has been updated to reflect the same. 

Get our white paper on the Data Protection Bill 2021 in your inbox

We may also reach out occasionally with our coverage of the Data Protection Bill and more.
By filling out this form, you agree to receive a copy of MediaNama's white paper and further information about MediaNama's work and services.

Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the JPC report:

Written By

Figuring out subscriptions and growth at MediaNama. Email: nishant@medianama.com

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ