India’s interest in data regulation and compliance has become serious in recent years. It has relied on the decades-old Information Technology Act, 2000 to supply the protection and penalty requirements for information handled digitally.
The data at issue may be Personally Identifiable Information (PII) and/or non-personal information. PII is information by which a person can be identified: name, date of birth, financial information, health records, biometrics, etc.; non-personal information covers everything else. For the longest time, sensitive information in India has been regulated through the Sensitive Personal Data or Information (SPDI) Regulations framed under the Information Technology Act, 2000. Protection of nationals’ data is still very rudimentary in developing countries, China being the exception that has taken drastic positions on protecting and controlling the data of its citizens.
India has recently had the Big Tech companies commit to investment goals; also being a market without deep e-commerce penetration, India is an ideal country to be recruited for AI and ML initiatives and for collecting information through data mining. The pandemic has forced legislators and regulators to evaluate data and its effects.
A data breach is, essentially, a leak of any data: giving an unauthorized person access to it, or the ability to modify or delete it.
CONSEQUENCES OF DATA BREACH FOR BUSINESSES AND THE NATION
- Revenue loss;
- Regulatory fines and penalties;
- Brand erosion;
- Loss of intellectual property;
- Operational downtime;
- Security threat and negative impact on the sovereignty of the nation.
Globally, the legislative background for data handling has become stricter and more protective. In 2018, the GDPR made a very robust entry into the data management space, followed by the position held by the US, which believes its data laws to be as stringent as the GDPR.
- The General Data Protection Regulation (GDPR) came into force, at the initiative of the European Parliament, in May 2018. It mandates that data breaches be reported to the Information Commissioner’s Office (ICO) within 72 hours of their discovery. Individuals placed at risk by a breach have to be informed.
GDPR penalties for less severe infringements can be up to €10 M or 2% of the company’s worldwide annual revenue, whichever is higher.
When infringements relate to principles associated with consent, the right to data privacy and the right to be forgotten, fines go up to €20 M or 4% of the previous financial year’s worldwide annual revenue, whichever is higher. A percentage of worldwide annual revenue is too high a threshold for large tech companies to ignore.
- The US does not provide any federal regulation, but has the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA), which protect the personal information of individuals. The HIPAA regulations are extremely stringent and pose enforcement challenges in developing countries.
- India’s Personal Data Protection Bill and the recent JPC Committee Report are influenced by the GDPR, and aim to continue with the protection of the personal data of individuals, establish a Data Protection Authority and impose impact assessment and data handling obligations on fiduciaries.
India has chosen a self-compliance, pre-emptive mechanism for managing its data challenges. It seems a more efficient way for a developing country like India to begin with the matter.
The penalty for failure to take prompt and appropriate action against a data security breach is not very high, at INR 50 M or 2% of the previous financial year’s worldwide turnover, whichever is higher.
- To deal with the complexities brought in by growing e-commerce transactions, India’s National e-Commerce Policy (e-Commerce Policy) aspires to regulate cross-border data flow with anonymised sharing of community data.
The world has seen high penalties on Amazon, WhatsApp and Google Ireland for data defaults. India is capable of going the same way, albeit only after it has enacted and tested its law.
- Amazon – €746 M (US $877 M)
Officials took on the case in Luxembourg, where Amazon’s main European base rests. It is a bigger fine than that imposed on Google (€50 M).
- WhatsApp – €225 M (US $255 M)
Ireland imposed a €225 M GDPR penalty for WhatsApp’s failure to explain its data processing practices in its privacy notice.
- Google Ireland – €90 M (US $102 M)
The French data protection authority (CNIL) imposed a €90 M (US $102 M) fine on January 6, 2022 for the way Google’s European arm implemented cookie consent procedures on YouTube.
PREVENTIVE FRAMEWORK
If India is relying more on self-regulation, the US National Institute of Standards and Technology (NIST) provides voluntary guidelines for mitigating organisational security risks, which can be used to build out the framework.
The biggest challenges for India will stem from the e-commerce space. Thus, the e-Commerce Policy (which is brought in under the Consumer Protection Act) is expected to offer the legal and technological framework for reining in the marketplace tech giants, covering cross-border data flow and data generated by users through e-commerce platforms, social media, search engines, etc. For platforms and social media formats, in early 2021 India rolled out the Intermediary Ethics Code, which introduced the concept of a Significant Social Media Intermediary, defined by user base, along with compliance and grievance processes. Between the Intermediary Ethics Code, the e-Commerce Policy and the Data Protection Bill, it appears that India is beginning to have its bases covered.
For e-Commerce companies collecting SPDI in India and storing it abroad, the Policy provides that they:
- cannot share the data with other business entities outside India, for any purpose, even with the customer’s consent;
- cannot share the data with any third party, for any purpose, even with the customer’s consent;
- cannot share the data with a foreign government without the prior permission of Indian authorities;
- must give Indian authorities access to all such data stored abroad immediately on request;
- face prescribed consequences (to be formulated by the Government) for violating any of these.
The exceptions are data collected and residing outside India, B2B data sent to India as part of a commercial contract, software and cloud computing services involving technology-related data flows, and MNCs moving data across the border.
It is not all doom: supported by legislation and technology, businesses have tools and practices which, once adopted, can prevent data breaches.
TECHNOLOGY TOOLS
- Data discovery and classification
- Data Encryption
- Dynamic data masking
- User and entity behaviour analytics
- Change management procedure and auditing
- Identity and access management
- Backup and recovery
BEST PRACTICES
- Patching and updating software as soon as upgrades are available;
- Privacy by design, specific to the business;
- High-grade encryption for SPDI;
- Upgrading devices with no manufacturer support;
- Enforcing Bring Your Own Device security policies, viz., all devices to use a business-grade VPN service and antivirus protection;
- Enforcing strong credentials and multi-factor authentication with single sign-on and use of a password manager;
- Data collection under the free consent of users.
This is for informational purposes only. Nothing contained herein is, purports to be, or is intended as legal advice, and you should seek legal advice before you act on any information or view expressed herein. We have endeavoured to reflect the subject matter of this alert accurately, without any representation or warranty, express or implied, in any manner whatsoever in connection with its contents. This is not an attempt to solicit business in any manner.