One of the industry's concerns about the DPDPA Rules, which has not yet been addressed in the draft rules, is when the penalties under the DPDPA will start being applied. For penalties to be applied, the DPB has to be formed first, and a mechanism then has to be built for reporting data breaches. Data breaches may be reported directly by Data Fiduciaries or through complaints received from Data Principals. The DPB may also take cognizance of a data breach suo motu from newspaper reports and alerts from security research organizations.
It is possible for MeitY to provide some extra time for applying penalties after fixing the compliance date. For example, once the DPB comes into existence and an operating website is set up to handle data breach reporting, the compliance date can be notified. The date from which penalties are considered can be the same date or another 3-6 months later. In between, the DPB may consider applying the "Voluntary Undertaking" under Section 32.
Apart from setting these dates, the DPDPA Rules could have clarified how the "Voluntary Undertaking" would function.
Section 32 states, "The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding under section 28." (Ed: Inquiry). The voluntary undertaking may include an undertaking to take such action within such time as may be determined by the Board, or to refrain from taking such action, and/or to publicise such undertaking.
If an order for a Voluntary Undertaking is given and accepted by the erring Data Fiduciary, further proceedings on penalties are barred, except that if the Data Fiduciary fails to adhere to the terms of the Voluntary Undertaking, the penalties become applicable.
The DPB should therefore set in motion a procedure for applying Voluntary Undertakings as a measure for addressing low-harm breaches, or as a general measure of caution before severe action.
In particular, the DPDPA Rules could have provided that for SMEs and MSMEs, Voluntary Undertaking be made applicable as a routine exercise. In fact, DGPSI takes this into account and expects organizations to consider responding to DPB notices with specific Voluntary Undertaking proposals.
In this context, we can look at one instance where the Singapore authority used this provision recently.
In a data breach incident involving Keppel Telecommunications & Transport Ltd (KTT) and Geodis Logistics Singapore Pte Ltd (GLS), the attacker, using ransomware, exfiltrated 6287 images of proof of delivery of parcel recipients along with some employee data, including passport numbers and bank details. The access was gained using the vendor's (GLS) username and password.
Investigations could not determine how the malicious attacker had been able to obtain the access credentials. There were also no malicious files or programmes present on the vendor's computers, and no indication of compromise, data exfiltration, or unauthorised access on its systems.
After the incident, the organization initiated remedial plans, which were accepted by the regulator for the vendor (GLS). However, KTT was fined $120000 for failure to protect the employee data.
If a similar incident had occurred in India, KTT as the Principal Data Fiduciary would be responsible for the loss of employee data, and GLS would be either a Joint Data Fiduciary or a Data Processor. If considered a Joint Data Fiduciary, it would face action under DPDPA 2023.
If GLS is considered a Data Processor, KTT can initiate action against GLS for the loss of its employee data as a contractual failure.
However, the nature of the parcel delivery data could be open for debate. Should it be considered as belonging to GLS and as "Transaction Data"? Is it the business data of GLS, or of KTT? Is it the personal data of the parcel recipients? Should we apply Section 72A of ITA 2000, or the data breach provisions under ITA 2000? These are interesting questions.
Open for debate.
Naavi