Data Protection Bill: Burden on users to establish harm, problems in ascertaining compensation amount and more #NAMA

In a MediaNama discussion, experts attempt to poke holes in various aspects of the bill from the perspective of users’ rights.

Key takeaways

  • The time frame for a data fiduciary to report a data breach to a Data Protection Authority needs to be shortened
  • Compensation due to harm categorised as psychological manipulation will be hard to ascertain
  • The burden is on the data principal to establish harm

These were some of the key points raised at MediaNama’s ‘Decoding India’s Data Protection Bill’ event held on January 19 and 20, 2022, where Supreme Court advocate Vrinda Bhandari, Executive Director for Center for Internet and Society Amber Sinha, Senior Resident Fellow at Vidhi Center for Legal Policy Lalit Panda, and lawyer Prasanna S shared their thoughts on the Data Protection Bill 2021 and the Joint Parliamentary Committee (JPC) report on the Bill, both of which were tabled in Parliament in December 2021.

This discussion was organised with support from Google, Flipkart, Meta, and Star India, and in partnership with ADIF. To support future MediaNama discussions, please let us know here.

Why should the burden be on users to establish harm?

Prasanna said that under Section 64 or 65 of the bill, the burden is on the data subject to establish harm, loss, or damages. While Section 64 of the bill lays down the procedure for adjudication, which includes imposing penalties by an Adjudicating Officer, Section 65 is about the circumstances under which a data principal may be eligible for compensation.

  • Rights will have to be litigated as one: “This placing of burden, in effect, means that all of the rights here – almost all of the rights will have to be litigated,” he said. He reasoned these rights have not been granted under the statute, and “it needs to be effectuated only through litigation”.

Recommendation: Prasanna recommended that this provision be done away with and instead proposed an incentive for people to file such complaints as many of these harms are not foreseeable. “In fact, Puttaswamy clearly says one of the reasons why privacy needs to be protected as a fundamental right, is because not all harms are foreseeable, forget about being able to establish that the harms have occurred,” he added.

Why does the time frame for reporting data breaches need to be reduced?

“I do think very intuitively, that 72 hours seems like a lot. If you know that a breach happened. And you’re pretty sure that you know, data of certain nature, it could be very sensitive data also has been breached… it could be you know, at large, could be in the dark web, something could be going on with it. Why 72 hours is a question.” —Lalit Panda.

Too many unanswered questions: Panda questioned whether a company needs that amount of time to report a data breach. He wondered why a company that has faced a breach could not email a DPA immediately. “Will everybody be busy trying to handle the breach? So you can’t even bother sending an email to the Data Protection Authority? Do you? Are you trying to figure out, you know, what is going on, which kind of data got breached, you’re still trying to get confirmation?” he added.

Recommendation: Although Panda did not specifically recommend anything, it is safe to assume that he wants the reporting time to be lowered.


What can you do when the DPA does not allow a breach to be known?

The panelists were asked what a user can do in case the Data Protection Authority rules that a breach reported by a data fiduciary does not need to be publicised, or does not need to be intimated to victims of the breach. Section 25 of the Bill lays down the procedures for a data fiduciary to report a breach and the powers of a data protection authority with regard to how to deal with it.

Recommendation: Supreme Court advocate Vrinda Bhandari said that one can approach the High Court with a writ petition. “You could potentially direct the DPA to direct the data fiduciary to take action if you believe that that has been inadequate. You could also seek compensation,” she said.

Laws have to be brought in to make policies compatible with the bill

In response to a question on policies under the National Digital Health Mission and how they would comply with the data protection bill once it becomes law, Lalit Panda pointed out that Section 12 of the bill says that if one wants to use a function of a state, then it has to be authorised by law.

Recommendation: “So, as soon as this law comes in NDHM will have to have a law put in place, suggesting that this kind of processing is now authorised,” Panda said.

How to ascertain compensation amount for harms?

Panda said that when it comes to compensation, it would be hard to evaluate how to calculate the amount based on the harm. “What is the harm of a bigger magnitude? What is the harm for smaller magnitude, and I see a lot of issues with that but it makes sense that some nature of harm has to have been shown, because it’s not possible to compute any kind of compensation just because of violation of law,” he said.

Recommendation: Prasanna recommended the creation of a separate compensation measurement mechanism where these harms are not foreseeable. “..much like how we have penalty computation mechanisms, right, we will need compensation mechanisms, which will then incentivize users to actually litigate for privacy,” he said.


What changes do you want in the Data Protection Bill from a company’s perspective? Do leave a comment.

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
