One of the criticisms of the Indian Constitution is that it’s a lawyer’s paradise, which is a result of the presence of a large number of lawyers in the Constituent Assembly that was tasked with the drafting of the Constitution. Most of the clauses of the Constitution read simple and logical, but, when enforced, lead to much litigation, necessitating the Supreme Court’s intervention for a final interpretation. Therefore, the prime task of the government while coming out with any new legislation should be to ensure clarity and simplicity, so that implementation does not lead to major litigation.
Does the Personal Data Protection Bill, approved last week by the Union Cabinet, pass the test? It doesn’t seem so. While the provisions of the Bill are certainly an improvement over the one drafted by the Justice BN Srikrishna Committee in 2018 that was finally junked, it does not seem that the protection of citizens’ personal data, as well as ensuring that breaches are punished by law, will be free of litigation battles.
On the face of it, the objective of the Bill and its provisions, which are in the public domain (the changes made by the government post-public consultation will be known only when it’s presented in Parliament during the Monsoon session, which begins on July 20), are very simple to implement. Simply put, it is supposed to work something like this: Citizens will decide which of their data is to be shared and in what manner. For instance, if an individual has provided certain personal data for opening a bank account, the bank needs to seek the consent of the individual for the purposes it is to be used for. If the individual directs that the data concerned is strictly for the purposes of opening a savings account and should not be shared with anyone for any other purpose, the bank’s insurance selling or loan selling division also cannot use it to make calls to the individual to sell their products. If any breach happens, the individual can complain to the Data Protection Board and the bank will be penalised with a fine that can range between Rs 250-500 crore.
But there’s a lot of consumer data which is already with banks, online food aggregators, e-commerce platforms, and several other agencies that predate the cut-off date from which the Bill will become a law and come into force. What happens if data collected before the cut-off date gets breached after the Bill becomes a law? To surmount these kinds of legal challenges, the Bill empowers citizens to intimate all digital platforms to delete their past data. These firms will need to collect data afresh from users and spell out clearly its purpose and usage. They will be booked for data breach if they depart from the purpose for which it was collected. Further, the onus of data breach as a result of theft by employees will lie with the company concerned. So, for instance, if a citizen’s data is suspected to have leaked from a bank after the Bill becomes a law, the bank concerned cannot take refuge by saying that it was stolen by one of its employees in the past.
On the face of it, this sounds simple and easy to implement without any legal complications. But is it so? Not really, if one tests it against the recent instance of leakage of data relating to Covid vaccination details of certain citizens. It was alleged that the breach was from the CoWIN platform, which the government denied. What came out in the public domain was that the data was allegedly stolen by the sons of a health worker in Bihar and the mobile numbers of citizens were fed to a bot to fish out other details.
Going by the provisions of the Bill, the hospital or health centre for which the health worker worked should be penalised because the responsibility of protecting the data lay with it.
The problem, however, will still arise, as such stolen data will continue to exist in cyberspace and can surface from time to time. For instance, there have been several instances of Aadhaar data leaking in the past. Even though the responsibility for them may have been fixed, the fact is that the data continues to be with the hackers and may continue to be fed to relevant software to fish out details which may float around again. In the first instance, the one with primary responsibility can be penalised, but what happens in subsequent instances? Obviously, the same agency cannot be penalised every time.
The same scenario can be visualised with all platforms which are sitting on huge amounts of consumer data. It’s highly possible that with every data breach, the party which is primarily responsible for maintaining it will seek legal recourse. The Data Protection Board, which will function like a civil court, will be the prime body to deal with issues of data breaches, fixing responsibility and levying penalties. But it is certain that the parties concerned will challenge its rulings in higher courts of law.
This will be the biggest challenge in the implementation of the Data Protection Bill, as all breaches in the future are likely to be traced to the past and the legal machinery will thus get saddled with arbitrating huge numbers of disputes, which may be time-consuming.
rishi.raj@expressindia.com