Tougher Indian Data Protection Rules Expected This YearData Protection Bill for India With Stronger Enforcement Due by End of August
In the past week, two new developments happened in the Indian data regulation space. On Monday, the country's IT minister announced a timeline for the approval of the long-overdue Data Protection Bill, and a state IT minister said that the government is working to put an end to companies skirting data breach disclosure laws.
Data Protection Bill
India’s Data Protection Bill, which seeks to establish strong data privacy rules and protect citizens' data, is expected to be approved by Parliament by the end of the monsoon session in August, according to local publication The Economic Times, citing an interview with Ashwini Vaishnaw, union minister of railways, communications and electronics and information technology, by news agency PTI.
The first draft of the bill was prepared by a committee headed by Justice B.N. Srikrishna in 2018. Over the last four years, multiple iterations of the bill have been presented in the assembly by a 30-member parliamentary committee, only to be sent back to the drawing board. The upcoming draft of the Data Protection Bill will not be significantly different from the current draft.
There is currently "no plan to scrap the draft data protection legislation that has undergone detailed consultation and parliamentary panel deliberations," Vaishnaw reportedly says.
The Data Protection Authority is the entity charged with protection and regulation of personal data in India. It will be a more effective regulator than the Computer Emergency Response Team in India, says Na. Vijayashankar, executive chairman at the Foundation of Data Protection Professionals in India.
"The DPA will be a larger body with more members and independent of the ministry," says Vijayashankar, who is also the founder and director of the Cyber Law College.
He says the rollout of data protection norms may not be easy for companies to comply with, since they have operated with virtually no regulation so far.
"Private companies today are powerful enough to ask the IT Ministry to issue statements that favor its purposes. The industry has its own reservation regarding data breach reporting as it could damage their reputation," he says.
Vijayashankar says companies must view data breach reporting as a measure to help data regulatory authorities prevent similar incidents from recurring.
Data Breach Reporting
The Information Technology Act 2000 makes data breach reporting for companies mandatory. According to the act, a company that does not report a breach to CERT-In would be liable for a maximum penalty of 100,000 rupees ($1,324).
In 2017, CERT-In published a notification reiterating that any corporate entity that suffers a cybersecurity breach is mandated to report the incident. Non-reporting is a criminal offence.
But social media giants Twitter and Meta claimed statutory exemption for content on their platforms under the pretext of being intermediaries, aka platforms that only host content and are not the original creator of content.
In February 2021, the government released a new rule that brought these social media companies within the scope of the law.
Rule 7 of the IT Rules 2021 says: "Where an intermediary fails to observe these rules, the provisions of sub-section (1) of section 79 of the Act shall not be applicable to such intermediary and the intermediary shall be liable for punishment under any law for the time being in force including the provisions of the Act and the Indian Penal Code."
If an intermediary fails to comply with the IT regulations, it will lose its status as an intermediary.
Twitter is an example of this, says Pavan Duggal, an Indian Supreme Court advocate and founder and chairman of the International Commission on Cyber Security Law.
"After the minimum statutory requirement period for compliance with IT Rules 2021 expired, it was found that Twitter had failed to comply. Therefore, Twitter's exemption from legal liability was turned down, and the company found itself facing four different first information reports, or FIRs, from four different states in India," he says.
An FIR is a written document made by the police when they first receive information about a crime having been committed.
Twitter has not been penalized so far and has requested a ruling in the four states in which FIRs were filed.
Where CERT-In Fails
CERT-In has quasi-judicial powers, which means that in addition to issuing advisories, it has regulatory powers.
But Vijayashankar says that beyond notifying companies that haven't reported data breach incidents, CERT-In has not used its judicial powers due to lack of will.
Ratan Jyoti, chief information security officer at Indian financing firm Ujjivan Finance, tells ISMG that while CERT-In has identified the types of cybersecurity incidents to be reported, the categories provided are quite broad and the exact definition of such incidents is not included.
For example, he says compromise of critical systems and information, targeted scanning or probing of critical networks and systems are currently undefined.
While the rules to regulate entities exist, the lack of enforcement, according to Vijayashankar, stems from companies "manipulating CERT-In into not taking corrective measures."
"If there's a ransomware attack that uses a certain malware or method of encryption, CERT-In can save another company from becoming a victim by sharing information about the attack," he says.
Duggal echoes Vijayakumar's sentiments, saying that having a "paper tiger provision" is different from effective enforcement.
"There have been instances in which there has been a complete lack of enforcement of the existing frameworks of data protection. The enforcement is entirely driven by political will. Unless the government decides to make a test case out of an erring company, people will be under the impression that they have the ability to maneuver," he says.
Jyoti's says the rules for reporting and the impact level should both be well defined and reports should be made to a single agency. Currently, he says, banks are reporting to the Reserve Bank of India, CERT-In and the National Critical Information Infrastructure Protection Center," he says.
At a recent event in Bengaluru, Rajeev Chandrasekhar, the union minister of state for electronics and IT, said the government is likely to take a tougher stand on companies, "announcing laws that will put an end to companies not disclosing data breach incidents," The Economic Times reports.
Duggal says the development is a step in the right direction. "We are links in the cybersecurity chain, and the chain is as strong as the weakest link. Until companies report security incidents, the ecosystem cannot be developed to make it more secure," he says.
"The law should be made stringent," Jyoti says, and organizations should take the law in good spirit, considering that the reporting would help other organizations as well the country as a whole."