The new version of the Bill, PDPA 2021 (which we can start calling DPA 2021 from now on), replaces PDPB 2019 and indicates under Section 57 that failure in the “Obligation to take prompt and appropriate action in response to a data breach under Section 25” is one of the grounds on which a penalty of up to 2% of total worldwide turnover or Rs 5 crores can be levied on a data fiduciary.
Section 25 of the Act states as follows:
Reporting of (***) data breach.
(1) Every data fiduciary shall by notice, (***) report to the Authority about the breach of any personal data processed by (***) such data fiduciary. (***)
(2) The notice referred to in sub-section (1) shall be in such form as may be specified by regulations and include the following particulars, namely:—
(a) nature of personal data which is the subject matter of the breach;
(b) number of data principals affected by (***) such breach;
(c) possible consequences of (***) such breach; and
(d) the remedial actions being taken by the data fiduciary (***) for such breach.
(3) The notice referred to in sub-section (1) shall be (***) issued by the data fiduciary within seventy-two hours of becoming aware of such breach.(***)
(4) Where it is not possible to provide all the information (***) provided in sub-section (2) at the same time, the data fiduciary shall provide such information to the Authority in phases without any undue delay.
(5) (***)
(5) The Authority (***) shall, after taking into account the personal data breach and the severity of harm that may be caused to the data principal, direct the data fiduciary to report such breach to the data principal and take appropriate remedial actions (***) to mitigate such harm and to conspicuously post the details of the personal data breach on its website.
Provided that the Authority may direct the data fiduciary to adopt any urgent measures to remedy such breach or mitigate any harm caused to the data principal.
(7) (***) (6) The Authority shall, in case of breach of non-personal data, take such necessary steps as may be prescribed.
The obligations under Section 25, sub-sections (1) to (5), refer to “Personal Data”. Sub-section (6) empowers the Authority to prescribe the necessary steps to be taken in the case of Non-Personal Data.
At this point in time, therefore, the Bill is not applicable to the notification of a breach of non-personal data beyond what has already been prescribed under ITA 2000.
In the case of a non-personal data breach, no harm is caused to a data principal, whose privacy is what this law seeks to protect. Hence any action required to be taken in such a case falls outside the recommendations of the Supreme Court in the Puttaswamy judgement; it amounts only to an amendment of ITA 2000 and of the powers already available to the CERT-In Director.
This raises the question of whether administrative fines can be levied for a non-personal data breach under DPA 2021 and, if this provision stays, whether it will be regarded as an “Extraneous Provision” to this law, one that overrides the powers of the Adjudicator, the Appellate Tribunal and the High Court, which have jurisdiction to levy penalties for breach of non-personal data under ITA 2000.
A single regulator for personal and non-personal data is not a wise idea; it is likely to create confusion both for the judicial authorities and for the purpose of compliance.
It would also add one more level of overlap between the functions of the CISO and the DPO in an organization, since the DPO would have to keep track of non-personal data breaches as well, while the CISO already needs to keep track of cyber and information security issues.
It is still not too late for the Government to delete this aspect of data breach notification, along with the applicability of the Act to non-personal data under Section 2.
Naavi
Other articles on DPA 2021
14. PDPA 2021: Concept of Discovery Consent
13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System
12. JPC recommendation on Children Data
11. JPC recommends DPA to watch on Incident Register
10. JPC comments beyond the Amendments-2: Implementation Schedule
9. JPC comments beyond the Amendments-1-Priority of law
8. Clarifications from the JPC Chairman on DPA 2021
7. Anonymisation is like Encryption with a destroyed decryption key
6. PDPA 2021: The data breach notification regarding Non Personal Data