DPDP Act 2023 Falls Short on Addressing 'Harm'

NOVEMBER 28, 2023

By Mr M G Kodandaram, IRS, Assistant Director (Retd), Advocate & Consultant

Principal and Personal Data Breach

THE recently enacted Digital Personal Data Protection Act, 2023 (DPDP Act) aims to establish a framework for processing 'digital personal data', emphasizing individual rights and lawful data processing by data fiduciaries. Despite addressing various aspects of personal data handling, the Act falls short in providing adequate protection for individuals who suffer 'harm' from personal data breaches.

The Act defines "digital personal data" as personal data in digital form and broadly defines "personal data" as any information about an identifiable individual (Section 3(n) and (t) of the DPDP Act). Introducing the concept of a "personal data breach," the Act covers unauthorized processing and inadvertent actions that compromise the confidentiality, integrity, or availability of personal data (Section 3(u)). In such breaches, the affected individual, termed the Principal, becomes the victim of the harm. While the Act recognizes the need to protect principals from harm caused by fiduciary negligence, it adopts a regressive stance in terms of individual rights and privacy protection. Unfortunately, the legislation contains no provision mandating a remedy for claiming damages for the harm caused by breaches, leaving affected individuals without legal recourse. This absence of redress provisions exacerbates the vulnerability of victims, denying them the legal means to address the consequences of a breach and seek compensation for the harm endured. Both victims and citizens find themselves lacking sufficient protection against infringements of fundamental rights, particularly when harm arises from breaches committed by fiduciaries, which happens every day on a large scale.

As discussed in my earlier writings (please read Inadequacies in the Digital Personal Data Protection Act, 2023, AUGUST 21, 2023, and India's Privacy Journey - Two Steps Forward, Three Steps Back, TIOL, OCTOBER 25, 2023), both the victim and the citizen lack sufficient, if not satisfactory, protection against the infringement of fundamental rights. Additionally, it is alarming to observe that when harm arises from breaches committed by fiduciaries, the affected individual (known as the principal) is compelled to endure the consequences without any remedy explicitly provided in the Act. In the subsequent part of this article, we delve deeper into the legal implications of this stance and its impact on individuals facing the repercussions of personal data breaches.

Personal Data Protection Under IT Act 2000

Before the enactment of the DPDP Act as the dedicated legislation to safeguard personal data, Section 43A of the Information Technology Act, 2000 (IT Act), in conjunction with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the SPDI Rules), played a pivotal role in the protection of 'personal information' in digital form. In the SPDI Rules, "personal information" was defined as any data related to a natural person that, either directly or indirectly, in combination with other information available or likely to be available with a corporate body, could identify such an individual (Rule 3(i)). Rule 3 ibid further specified the "sensitive personal data or information" of a person to include details such as (i) password; (ii) financial information like bank account, credit card, debit card, or other payment instrument details; (iii) physical, physiological, and mental health conditions; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any details related to the aforementioned clauses provided to a corporate body for service provision; and (viii) any information received under the mentioned clauses by a corporate body for processing, storage, or lawful contract fulfilment. These measures collectively aimed to guarantee that corporate entities (fiduciaries) responsibly handle and protect the sensitive personal data of the individual. In the event of a breach causing harm to the Individual / Principal, the stated provisions allowed the principal to claim damages for the harm incurred. The current DPDP Act contains neither a comprehensive definition of this kind nor a stipulation of compensation as a remedy, both of which are available under the law as it stands today.

Section 43A of the IT Act, 2000, stipulated that if a corporate body engaged in possessing, dealing with, or handling any 'sensitive personal data' (now called a 'Fiduciary' in the DPDP Act) negligently failed to implement and maintain reasonable security practices and procedures, leading to wrongful loss or gain for any person, the said body corporate would be liable to pay damages as compensation to the affected individual (called a 'Principal' in the DPDP Act). However, the existing DPDP Act, despite claiming to be comprehensive and protective of the rights of victims and citizens, falls short in acknowledging available remedies. Specifically, it fails to include compensation for damages resulting from data breaches caused by the fiduciary.

Compensation Recommended by the Srikrishna Commission

Citizens were optimistic that the new legislation would enhance confidence for both principals and citizens, ensuring the protection of fundamental rights as established by the highest court in its decision in Justice K.S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors. (2017-TIOL-311-SC-MISC-CB), affirming the Constitutional right to privacy. The Personal Data Protection Bill, 2019 (PDPB), stemming from the recommendations of the Srikrishna Commission, included provisions to shield citizens from the harms resulting from the illegal processing of personal data by fiduciaries.

In the section on Compensation to the principal, as outlined in the report titled "Free and Fair Digital Economy: Protecting Privacy, Empowering Indians" by the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, the following observations were made: "There needs to be certainty in the ascription of liability so that the data principals are not made to run from pillar to post in search of finding the relevant fiduciary or processor in the link who was responsible for the damage caused. Therefore, joint and several liability to pay compensation would be attached to the data fiduciary and its processors with penalty being imposed so long as an infringement has been proven. Therefore, at the first instance, the aggrieved data principal will receive the compensation amount due to her. Thereafter, the division of liabilities of paying compensation will become a second order question.

A remedy needs to be provided under the law to compensate data principals for the harm caused to them due to infringements under the data protection law. The factors for deciding on the quantum of compensation being awarded could be largely similar to the factors set out under the penalties section."

After careful consideration of the challenges faced by the affected principal, the recommendations included: "Penalties may be imposed on data fiduciaries and compensation may be awarded to data principals for violations of the data protection law. The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher. Offences created under the law should be limited to any intentional or reckless behaviour, or to damage caused with knowledge to the data principals in question. [Sections 69, 70, 71, 72, 73, 75 and Chapter XIII of the Bill]". (Refer to Chapter 9: Enforcement - C. Penalties, Compensation and Offences, page 167 of the report.)

Personal Data Protection Under PDP Bill, 2019

The PDPB placed before Parliament included crucial provisions to protect the rights of victims, as highlighted in the discussion that follows. It is regrettable that this eagerly anticipated bill, subjected to thorough and resource-intensive parliamentary deliberation, was withdrawn. The core elements of the bill aimed at safeguarding citizens from harm, discussed below, have also been omitted from the current legislation.

The PDP Bill's definition of "harm" encompassed a range of consequences, including bodily or mental injury; loss, distortion, or theft of identity; financial loss; loss of property; loss of reputation or humiliation; loss of employment; discriminatory treatment; subjection to blackmail or extortion; denial or withdrawal of a service, benefit, or good resulting from an evaluative decision about the data principal; restriction on speech, movement, or any other action arising from a fear of observation or surveillance; and observation or surveillance not reasonably expected by the data principal. Additionally, "significant harm" was defined as harm with an aggravated effect, considering the nature of the personal data being processed and the impact, continuity, persistence, or irreversibility of the harm (Section 3(20) and Section 3(38) of the PDP Bill, 2019). It may be noted that neither term finds a place in the current provisions.

The PDP Bill mandated that every data fiduciary notify the Authority of any breach likely to cause harm to a data principal. The Authority, upon receiving such notice, had the responsibility to determine whether the breach should be reported to the data principal, considering the severity of the potential harm or whether action by the data principal was necessary to mitigate the harm (clause 25). Further, under clause 64 of the Bill, any data principal suffering harm due to a violation of the Act, its rules, or regulations by a data fiduciary or data processor had the right to seek compensation. However, the current law denies citizens and victims these essential rights, as they have been left out of the current statute.

The Way Forward

The DPDP Act has not been brought into force yet. This non-enforcement allows victims to seek damages for harm caused by fiduciaries under the existing rules and the IT Act. However, once the DPDP Act comes into effect, this recourse will no longer be available to victims, representing a backward step in safeguarding their rights. Such a measure cannot be built into the proposed Rules now being drafted, as the substantive law does not contain the relevant provisions. The principal is thus made to run from pillar to post in search of the relevant fiduciary or processor in the chain who was responsible for the damage caused. Further, the legislation contains no provision under which the principal can claim compensation for such harm. In such a situation, is it proper to state that this law provides the necessary protection against digital personal data breaches?

To address this issue, it is imperative to introduce an amendment or insertion in the existing legislation before it is actually brought into force. Failure to do so would leave individuals, principals, and citizens without a remedy for the violation of their fundamental rights by fiduciaries. It is hoped that lawmakers will pay attention to the concerns raised by citizens and take corrective measures to rectify this issue.

[The views expressed are strictly personal.]

(DISCLAIMER : The views expressed are strictly of the author and Taxindiaonline.com doesn't necessarily subscribe to the same. Taxindiaonline.com Pvt. Ltd. is not responsible or liable for any loss or damage caused to anyone due to any interpretation, error, omission in the articles being hosted on the site)
