This article is part of a series on the operational impacts of India's DPDPA. The full series can be accessed here.


Published: August 2024



India's need for tighter cybersecurity has been growing with increasing digitization and connectivity, both locally and globally. While India's government has taken steps to enhance cybersecurity measures through policies and regulations, there has been a rapid surge in cyber incidents, including ransomware attacks, phishing schemes and data breaches.

Regarding data security, in 2022 the Indian Computer Emergency Response Team (CERT-In), the national agency tasked with performing various functions around cybersecurity, issued directions related to information security practices, procedures, prevention, response to and reporting of cyber incidents.

Since then, the government's initiatives indicate a shift in focus toward regulating data fiduciaries and imposing higher penalties on them, given their crucial influence on managing the flow of personal data, rather than toward cracking down on cybersecurity incidents as such.


Prevention versus cure

India's Digital Personal Data Protection Act defines a personal data breach as "any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data."

While this definition has more or less remained identical through all drafts of the data protection legislation deliberated by the government prior to the DPDPA's passage, there has been a major shift in the regulatory approach compared to the foremost framework, the Personal Data Protection Bill, released in 2018. While the 2018 framework enumerates the obligations of data fiduciaries in the case of a personal data breach in finer detail, the DPDPA outlines the broad contours of the obligations within just two provisions under Section 8.

First, as a preventive measure, the DPDPA requires data fiduciaries to take reasonable safeguards to protect personal data in their possession or under their control, including with respect to any processing undertaken by them or on their behalf by a data processor. Second, as a corrective measure in the case of a breach event, the DPDPA requires data fiduciaries to inform the Data Protection Board (DPB), as well as each affected data principal, of such personal data breach.

As such, the DPDPA neither sets out the security standards nor suggests the relevant safeguards or guidelines would be outlined under any delegated legislation or rules. This leaves data fiduciaries with some room and flexibility to determine their own processes and guardrails based on the nature of the personal data they process.

However, before going back to the drawing board, it would be prudent for data fiduciaries to take a cue from existing legislation on the subject, the most fundamental being the Sensitive Personal Data or Information Rules, which set out a two-fold baseline standard for when a body corporate would be considered in compliance with reasonable security standards and procedures.

First, the body corporate must have comprehensively documented information security programs and policies commensurate with the nature of the personal data being protected. Second, it must implement security control measures as per such documented policies and be able to demonstrate the same to the authorities in case of an information security breach.

If a parallel is to be drawn with the DPDPA, the prerequisite for compliance by the data fiduciary would be formulating organization-level security policies and awareness modules for both the technical aspects of the security safeguards and the systematic processes that will be triggered in case of data breaches. However, merely documenting, building and implementing processes and policies may not be enough to demonstrate the reasonable security safeguards taken by a data fiduciary.

Given the heavy quantum of fines prescribed under the DPDPA, data fiduciaries, especially those processing sensitive personal data, like financial, health and children's information, should invest in their cybersecurity infrastructure and conduct regular training sessions and awareness programs to instil readiness among in-house departments like legal, IT, business and customer services, and procure adequate cyber liability insurance policies to offer comprehensive protection.


Penalty assessment

The DPB has the power to impose fines of up to INR250 crore for failure to implement reasonable security safeguards to prevent a personal data breach.

To determine the monetary penalty to impose, the DPB will consider the nature, gravity and duration of the breach; the type and nature of the personal data affected; any action taken to mitigate the effects and consequences; and the timeliness and effectiveness of any mitigative action. Hence, it is crucial for a data fiduciary to assess the foregoing factors while formulating its security policies and implementing a cybersecurity infrastructure.

A quick look at practices in other relevant jurisdictions indicates authorities, like the European Data Protection Board, Ireland's Data Protection Commission and the U.S. Federal Trade Commission, have become increasingly stringent in imposing penalties in cases when there has been a conscious failure to take reasonable steps to secure data and fix critical vulnerabilities identified by data fiduciaries.

The DPDPA does not set out the timelines, manner or form in which data fiduciaries are obligated to inform the DPB and affected data principals of any personal data breach. These details are expected to be provided under implementing rules.

When it comes to penalty assessment, another key factor to consider is how the DPB and CERT-In will interact once the DPDPA and its rules are enforced. Organizations are currently required to report cyber incidents, including data breaches, to the CERT-In within six hours of discovery.

Further, the scope of the CERT-In directives is much broader in terms of applicability and is not just limited to personal data breaches. To this end, there is undoubtedly an overlap in the reporting obligations of a data fiduciary for personal data breaches, allowing for penalties to be levied under both frameworks if authorities are not notified.

Despite this, there has not been a single instance of reprimand or levy of penalty by any authority to date. Therefore, as far as penalties are concerned, the government may reassess and demarcate the authority, powers and functions of the DPB and CERT-In regarding the reporting of cyber breaches and incidents.


Extrajurisdictional enforcement

The DPDPA's scope extends to the processing of digital personal data outside India in cases when the processing pertains to offering goods or services to data principals within the country.

This means data fiduciaries processing personal data in jurisdictions outside India must also comply with the DPDPA's provisions if the processing pertains to services or goods offered to Indian data principals.

However, enforcement of the extraterritorial application, specifically in cases of personal data breaches, is undoubtedly riddled with challenges. Enforcing the DPDPA on foreign entities may be inherently complex due to the jurisdictional limitations and differing legal frameworks of other countries.

Cooperation from international counterparts is crucial but often difficult to secure, leading to potential enforcement gaps.

Further, compliance by data fiduciaries offering their services and goods to data principals in India can be burdensome in particular cases, if not systematically, given the increased operational costs.


Right to compensation

The DPDPA imposes a substantial penalty of up to INR250 crore for data breaches, which is credited to the Consolidated Fund of India. Unlike many data protection laws, including the EU General Data Protection Regulation, the DPDPA does not provide for compensating data principals whose personal data has been breached.

The absence of explicit provisions for compensating data principals, especially given that such measures were included in earlier drafts of data protection legislation, has been a contentious issue. While some argue the government aims to reduce frivolous litigation, others believe this lack of compensation may deter data principals from reporting data breaches altogether.

Additionally, since civil courts lack jurisdiction over matters arising from the DPDPA, data principals may be unable to seek compensation either from the DPB or the courts.

To ensure the DPDPA's efficacy, it is imperative to clearly define the roles of CERT-In and the DPB and to establish precise guidelines for reporting personal data breaches. Moving beyond mere awareness programs, it will be interesting to observe how the government plans to incentivize users to report such incidents, thereby fully realizing the DPDPA's objectives.


Top 10 operational impacts of India's DPDPA