When it comes to data breaches, the bill does not do nearly enough to put power back in the hands of the users.
In case you have not been following the news, earlier this week, Twitter was the subject of a very public data breach. A lot of very high profile accounts were hacked, including Elon Musk, Barack Obama, and Apple. There is of course wider context to it. The hack itself is a symptom of malicious user behaviour on Twitter and historically lax responses to it. In case you want to know more about this, Casey Newton’s newsletter ‘The Interface’ is a great place to start.
The short of the matter is that hacks are relatively common on the platform, as is spying. Twitter has a chequered history with cybersecurity. There have been several bitcoin-related scams as well as spying missions that were carried out on behalf of the Kingdom of Saudi Arabia. I wish I could say that Twitter is the only company that undergoes these trials, but sadly that is not the truth. Cybersecurity incidents are fairly common and do not make the news as often as they should.
Any time such incidents happen, a lot of the tech policy circles in India (and abroad) follow a similar cycle. First there is the shock, then the memes, and finally, closely following, the line “this is why we need a data protection/privacy law”.
As someone who has himself been part of this reaction cycle a fair number of times, I want to use this crisis as an opportunity to look at how things might have been different for the user had the current data protection bill been in place. In case you do not want to read ahead, the short answer is that when it comes to breaches, the bill does not do nearly enough to put power back in the hands of the users.
Let us look at the case of Twitter. Here, the bill would classify the incident as a personal data breach since it is ‘unauthorised sharing of personal data’. Once the breach clause is triggered, a chain of events is set in motion. Firstly, Twitter would have to issue a notice as soon as possible to the (yet to exist) Data Protection Authority (DPA).
The notice should include the following things:
1. Nature of personal data which is the subject-matter of the breach;
2. Number of data principals affected by the breach;
3. Possible consequences of the breach; and
4. Action being taken by the data fiduciary to remedy the breach.
Keep in mind that this was a very public breach: Twitter is very visible as a platform (as compared to, say, a bank) and has been fairly transparent about the whole incident. But the personal data protection bill itself does not require this notice to be visible to the public. Instead, once the breach is reported to the Authority, it is the latter’s call whether the users should be informed about the breach at all.
There are actually a host of problems with the structure outlined above. The way I look at this law is that it has three major stakeholders to manage: the government, users, and the companies it is supposed to regulate. Part of managing that is to give some power back to the users, who have next to no control over their privacy.
Being subject to a breach is likely one of the worst things that could happen to your data, especially since once an unauthorised entity has access to it, they can share it far and wide for very little cost, and that can come back to haunt you, particularly if it is something as sensitive as your address or your bank details.
Hence it makes sense for you to know when your data has been subject to a breach. But under the current scope of the law, there is so much opacity in the whole process. Firstly, companies are not required to make their breaches public, so it might be impossible to know when your personal data has been compromised.
Secondly, there is no set of defined rules that the DPA has to follow to decide which breaches should and should not be made public. Thirdly, data in India, and of Indians, is subject to a lot of breaches. This means two things. One, it is going to be hard to track when companies do not go to the DPA regarding breaches. Two, when they do, it is going to be a fairly transaction-intensive process for the DPA to consider whether each breach is worth informing the user about.
All of this is highly problematic, because when we hear about attacks like the one that happened to Twitter, our first impulse is to reach for a world where data protection is taken more seriously. But the bottom line is that even having a law in place is not going to be as effective as we make it out to be. When it comes to breaches, the bill in its current form does not do a lot to put power back in the hands of the user, and that is a sad reality.
To fix this, there are two things we can look at. The first is to define a set of standards in the bill that mandate the DPA to compel the fiduciaries to share information regarding the breach with the data principal. Doing so would limit the amount of discretion that exists in the system while making sure that the information is not shared with users if there is a national security consideration in the mix.
The second, and this is radical, is to compel data fiduciaries to share information regarding breaches of sensitive personal data and critical personal data with the users themselves. If information such as bank account details or health records is being leaked to bad actors, people should have a right to know.
I would argue that both of these solutions are a better scenario compared to the one we have in the bill today. The need of the hour is to put more power back in the hands of the users, and that begins with fiduciaries being more transparent with personal data.