Asheeta Regidi Dec 12, 2017 12:27:09 IST
This article is Part 11 of a multi-part series explaining the recently issued white paper on data protection in India. The responses to the white paper will help in the formulation of India’s future data protection laws. You can read Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8, Part 9 and Part 10.
Part 10 of this series discussed the enforcement mechanisms that are needed to support the regulatory approach adopted. An important aspect of enforcement is the offences and penalties prescribed under the law. Lack of deterrent consequences is one of the key reasons why India’s current IT Act and Rules have failed to protect privacy, while the General Data Protection Regulation’s (GDPR) threat of a €20 million fine has every business around the world on alert.
Limited compensation under the IT (SPDI) Rules
Looking at the IT (Sensitive Personal Data or Information) Rules, these contain most of the key privacy principles. The issue is with the lack of prescription of corresponding penalties. The only provision is Section 43A, which allows compensation only if the body corporate failed to adopt reasonable security practices as prescribed under Rule 8, and this resulted in a wrongful loss to the victim. There is no prescribed consequence for other violations of the rules, such as the collection of data without consent, or using it for a purpose different from the one for which it was collected.
Protections beyond consent
Another key drawback in current laws is that the protections do not extend beyond consent. For example, this was among the key considerations in the WhatsApp Facebook case, which was dismissed at the Delhi High Court level (this was before the fundamental right to privacy was recognised). It was a crucial factor then that users had consented via the terms and conditions to changes in privacy practices.
Consider also the case of Sitesearch in the US, where the company bought payday loan applications and sold them to third parties, which included fraudsters, who used the data to steal more than $25 million from user accounts. Such careless buying and selling of data should not be justifiable in the name of consent. While safeguards such as requiring that companies transfer data only to companies with a comparable level of privacy provisions help, these must be backed up by heavy penalties for violations.
Back up privacy safeguards with penalties
The drawbacks of the current laws indicate that prescribing suitable offences, penalties and remedies is a crucial aspect of protecting data. The current laws, for instance, only punish disclosure of data in various forms, while the actual concerns of a data protection law are much broader in scope. Care must be taken while framing the law to ensure that every crucial privacy safeguard is backed up by a suitable consequence for non-compliance.
The White Paper recommends the prescription of imprisonment and fines such that they adversely affect the data controller, or the entity involved, both financially and reputationally, thereby serving some deterrent value.
Linking offences with factors other than financial loss
Another specific issue that arises is with the requirement to have adequate security standards, non-compliance with which draws no consequences unless actual loss results. While prescribing offences, it is important that the offence not be linked only to a financial or other ‘loss’ to the victim, but also to other factors.
More stringent consequences, for instance, must be linked to the loss of more sensitive data. International laws thus require the punishment to be determined based on factors such as the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, the nature of data involved and the number of persons affected. International laws also prescribe variable quantum of fines, such as the GDPR which prescribes an upper limit of 4 percent of the company’s annual global turnover.
Establishing liability for negligence
Another issue that arises is if the data loss was the result of negligence. The Aadhaar Act, for instance, punishes only deliberate and not negligent disclosures of data. This is an important factor with respect to a data protection law since the cost of negligence can be very high in this field.
For example, consider the Equifax data breach, the breach of a credit information company, leading to the loss of crucial data of over 143 million Americans. This breach was the result of a vulnerability in their web application software, a vulnerability that had been discovered and for which a patch had been issued at least 2 months before the actual hack. The breach of this crucial data was thus the result of negligent non-implementation of the patch.
Checks for implementation of security standards
This also points to another pressing issue — the increasing use of IT, which leads to an increasing number of vulnerabilities and points of attack. These vulnerabilities are discovered and used by cybercriminals much faster than the ability of agencies like CERT and NIST to resolve and remove them. The result is that hundreds of patches are released regularly, making it very difficult to monitor their implementation. Much like the lack of proper mechanisms to check the adoption of adequate security standards, there is also a lack of mechanisms to ensure that the technology in use is regularly updated. The cost of implementation and monitoring is another concern with this.
Establishing consequences for violative investigations
Another privacy concern is with violative or unauthorised investigations. A landmark privacy judgment in India is the Canara Bank case, which struck down a provision in a law that allowed the authorisation of ‘anyone’ to conduct investigations and demand the production and seizure of documents, including bank documents. Such a wide delegation of powers can give anyone, even unscrupulous actors, access to confidential data, which should not be allowed.
This case draws attention to an important aspect of data protection — investigations must, at all times, be authorised, and conducted by authorised personnel only. Any violations, or even exceeding of powers, must be punishable.
Unauthorised surveillance and monitoring
The importance of preventing and penalising unauthorised investigations comes to light when looking at the widespread surveillance being carried out today. Authorised governmental surveillance, in the form of interception, decryption, or monitoring of traffic data, is governed under other IT Rules, such as the IT (Interception, Monitoring and Decryption) Rules, 2009, issued under Section 69 of the IT Act, and the IT (Monitoring and Collection of Traffic Data) Rules, 2009, issued under Section 69B of the IT Act. The two sets of rules prohibit the unauthorised interception/monitoring/decryption of information and the unauthorised monitoring/collection of traffic data respectively. Both also prohibit the disclosure of the information collected.
The only prescribed penalties, however, are under Sections 69 and 69B, which punish persons who fail to assist in the interception, etc., or the monitoring of traffic data. One other consequence is under Section 72 of the IT Act, which punishes the unauthorised disclosure of such data acquired in the exercise of powers under the Act. This section, however, does not appear to apply to or punish a wrongful exercise of power, such as the unauthorised collection of data, though the position is unclear. Thus, though the rules contain crucial privacy safeguards, these are not backed up by adequate, deterrent consequences, making them little more than protection on paper.
In addition to governmental surveillance, workplace surveillance and even surveillance by private parties through CCTV cameras have become common today.
Data Breach Notifications
Lastly, along with determining penalties and compensation, imposing a requirement for data breach notifications is very important. The advantage of a data breach notification is two-fold: first, the authorities and the victims are aware that their data has been compromised, and second, the fear of reputational damage serves as an incentive to comply with data protection obligations and ensure the security of the data. This should also include penalties for failing to notify the authorities and the people.
Delaying/avoiding data breach notifications
The Uber breach cover-up also reveals another issue — that many businesses will tend to avoid the disclosure of data breaches altogether. Laws must consider even more stringent penalties in such situations, since paying off the hackers is hardly a solution for protecting the victims.
Some jurisdictions permit companies to inform the people once the situation is under control, in order to prevent the spread of panic. This is a factor that needs to be considered carefully before it is adopted in India since it should not result in the encouragement of delayed disclosures, as seen with Uber or even the Equifax breach. The GDPR also allows an exemption when factors like encryption or pseudonymisation are applied to the data, ensuring that even if the data was accessed, it is secure.
Key questions raised in the White Paper
In view of these issues, the White Paper has presently sought comments on the following key questions with respect to offences, penalties and compensation under the new law:
- What are the types of acts in relation to data protection which should be considered to be offences?
- What penalties should be imposed on the data controller as well as the recipient of the data? What should their quantum be?
- Who will investigate the offences?
- For what violations should penalties be prescribed? How should penalties be determined or calculated? What factors should the authority take into consideration?
- Should the penalty be linked to a percentage of worldwide turnover or should there be a fixed upper limit?
- Should the amount of penalty vary for different categories of data controllers?
- Should there be a provision for blocking market access of a defaulting data controller in case of non-payment of penalty?
- What is the nature, type and extent of loss or damage suffered by an individual in relation to which he can claim compensation? What factors must be taken into account while calculating compensation? What are mitigating circumstances?
- Should there be an obligation on controllers to grant compensation on their own?
- How should a data breach be defined? When should authorities/people be notified?
- What details should the individual be informed of?
- Any other views?
Part I of the series explores the definitions of personal data and sensitive personal data, Part II of the series examines the jurisdiction and territorial scope of data protection laws, Part III of the series explores cross-border data flows and data localisation, Part IV deals with exemptions to data protection law, Part V deals with notice and consent, Part VI deals with the big data challenge to privacy principles, Part VII deals with processing of sensitive personal data, Part VIII deals with ensuring data quality, Part IX deals with new rights against discriminatory AI decisions, marketing, etc., and Part X deals with adopting a co-regulatory approach.
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.