Data Protection Bill: A Discussion With Justice Srikrishna
In a Fireside Chat, Leader of Committee That Drafted Bill Addresses Its Provisions
Retired Supreme Court Justice B.N. Srikrishna, who headed the committee that drafted the proposed Indian data protection bill, which the Parliament will consider in the coming weeks, acknowledges that the bill's breach notification requirements will need further clarification.
"Once a Data Protection Authority is appointed, there will be more clarifications in place regarding breach notification. We have just given a broad framework [in the bill]," Srikrishna said in a "fireside chat" at Information Security Media Group's recent Fraud and Breach Summit in Bengaluru. He also defended the bill's proposed penalties for violations and covered a broad range of other subjects.
The bill would require notifying the Data Protection Authority of breaches. Srikrishna said that once the authority is established, it would determine the kind of breaches that need to be reported.
"The DPA will give a time frame for breach notification and whether or not a breach deserves to be notified to customers," Srikrishna said. "The DPA would have to come out with clear-cut guidelines on breach notification to do away with confusion."
Under Section 69 of the bill, two levels of penalties are prescribed for violations. The first level is of up to 2 percent of total worldwide turnover [gross revenue], and the second is up to 4 percent. The actual penalties applicable will vary based on the violation and will be made clear by the DPA.
In some cases where criminal intent can be established, i.e., the violation was committed intentionally, knowingly or recklessly, those behind the violation could face up to 5 years of imprisonment, the bill says.
Attorney Rahul Matthan, a partner at the law firm Trilegal who questioned Srikrishna in the fireside chat, asked why a data fiduciary - an organization that handles consumers' data - should face a substantial fine, as the bill proposes, if a third party was at fault. "In such cases can't we levy the penalty only on the transactional value of the data breached?" he asked.
Srikrishna argued, however, that it's tough to attach a value to data, so the best method would be to penalize on the basis of a percentage of annual turnover. "Hopefully, this will ensure that data breaches are no longer taken lightly by companies. The whole idea is to make sure that breaches impact you financially so that you do not take it as a joke. It is a serious thing."
Concept of Consent
Just like the European Union's General Data Protection Regulation, India's proposed personal data protection bill emphasizes the right to consent.
The bill says that the data fiduciary must provide notice to individuals and obtain their consent before processing their data. Further, individuals have the right to obtain a summary of their personal data held with the fiduciary and seek correction of inaccurate, incomplete or outdated data.
Matthan contended: "The concept of consent is fundamentally broken. It is so difficult to understand what exactly you are consenting for. Often users end up consenting to these big privacy policies. Very few of them actually read through the entire thing. Corporations often use that as a way to get off the hook because if something happens, they will turn their back and say that consent has been taken."
Srikrishna acknowledged that obtaining consent could prove challenging in certain circumstances.
"I also agree that it is not possible to take direct consent in every case," he said. "If I walk into a hotel today, the CCTV cameras will capture me for security reasons. The fact that I have agreed to visit the hotel means I have agreed for things required for security. But yes, the hotel cannot use my picture for any other purpose. For that it needs to have my consent."