Countries with low state capacity need to think strategically when new regulatory functions are entrusted to the government. Any new task given to a government body requires a careful assessment of how to make the best use of available resources.
India’s proposed data protection law would, if passed, require a similar assessment. The law would establish the Data Protection Authority of India (DPA)—an independent regulatory agency entrusted with the task of regulating the use of personal data across all sectors in the Indian economy. Indian regulators have been historically plagued by capacity constraints, so the DPA would need to build its capacity strategically so its resources are not disproportionately drained.
The Challenges Posed by Data Breaches
The proposed DPA’s obligation to handle data breach notifications provides one example of how the DPA would need to think strategically about accomplishing its tasks.
The Personal Data Protection (PDP) bill defines a personal data breach as “any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal.”
This definition clearly states that any sort of unauthorized or accidental disclosure of data is a personal data breach. It covers all sorts of attacks on databases containing personal data, accidental data leaks, and any other way data might be compromised. The involvement of the DPA when a data breach occurs is covered under Section 25 of the PDP bill.
Each time it received a report of a data breach, the DPA would perform many different activities according to this section. All of these would require significant organizational capacity. Once a data breach is reported, the DPA would have to decide the following:
- whether the company that suffered the breach must report the data breach to the consumers whose data was leaked,
- remedial measures to be undertaken by the company,
- whether to post details of the data breach on the DPA’s website, and
- whether the company that suffered the data breach must post the details of the breach on its website.
As a necessary corollary to these decisions, in certain cases the DPA would have to monitor the actions taken by businesses based on the DPA’s directions. It would also have to handle any grievances consumers may have as a result of this process.
Comparison With Other Countries
In order to assess the scale of data breach notifications, it might be helpful to look at data from the countries governed by the EU’s General Data Protection Regulation (GDPR). A survey conducted by a law firm in the EU finds that there have been more than 281,000 data breach notifications in the EU since the GDPR came into force. In addition, this is the second year where the aggregate of daily data breach notifications in the EU has experienced a double-digit growth rate. It also shows that data breach notifications are up 19 percent since January 2020. Individual data protection authorities have also published statistics, such as the Irish Data Protection Commission, whose 2020 annual report found that data breach notifications were up 10 percent from 2019.
The situation is similar in India. The Indian Computer Emergency Response Team (CERT-In)—India’s nodal agency for responding to and tracking cybersecurity incidents—reports a steadily increasing number of data breaches in its annual report. While CERT-In reported close to 50,000 incidents in 2015, the incidents rose to a number close to 400,000 in 2019. Other recent reports comparing data breaches in different countries also show that India is a large center for data breaches.
Since other data protection authorities are grappling with the issue of data breach notifications, it might be safe to assume India will face a similar scenario. The number of data breaches in the EU has been increasing since the GDPR has come into force, suggesting that India might face a similar surge in the number of notifications as soon as the obligations under the PDP bill became law. This would require a large investment in organizational capacity for the Indian DPA.
However, India is also a country with constrained resources, and it might be much more difficult for the Indian DPA to develop this capacity compared with European data protection bodies working under the GDPR. This necessitates a smarter way of thinking about how to develop more regulatory capacity.
To manage the issue of data breach notifications in a smart way, the DPA should regulate this issue strategically. For example, Section 25 allows that the DPA may require a business who has suffered a data breach to notify consumers in certain cases. It mentions that in making this decision, the DPA must take into account “the severity of the harm” to consumers. The DPA can also require the data fiduciary to take remedial measures and post the details of the breach on its website, based on its determination of the likelihood of harm. The DPA’s workload will therefore depend on how it defines what constitutes severe harm and how many cases meet this criterion.
It is important that the DPA think carefully about this criterion. A low threshold for harm would mean that many data breach notifications will be reported to the data principals. The DPA would consequently have to direct a larger number of data fiduciaries to undertake remedial measures, which would in turn lead to more DPA resources being diverted toward monitoring these remedial measures. It would also require more resources for handling any subsequent complaints against these remedial measures. Conversely, a high threshold will result in excluding many legitimate cases. The way the DPA interprets the term “severity of harm” will therefore affect how well the DPA is able to deploy resources to cope with its obligations under this section. Further, once a criterion is determined, the DPA can also use various technological means to filter through data breach notifications that require greater intervention.
The DPA should seek expert advice on how to define this threshold from existing agencies that perform similar functions. The DPA could then strategically direct its resources to sensitive sectors where there is no existing expertise. These sectors could be those that are not very well regulated, handle sensitive or critical personal data, have a higher likelihood of significant harm (aggravated harm) in case of a breach, or where a breach could harm vulnerable populations.
Since data breaches notifications are only going to increase with time, the DPA must ensure it builds capacity on a continual basis. It is also essential that the DPA is not seen playing catch-up with issues in the area of personal data protection. In order to achieve this, it is necessary that the DPA invest some capacity in strategically regulating key issues like data breach notifications. Strategic decisions like these become critical when low-state-capacity countries like India seek to develop new regulators with large mandates.
Carnegie India is doing a research project on building state capacity for the upcoming Data Protection Authority.