That said, there are two areas, data breaches and the obligations of significant data fiduciaries, where I believe the government has exceeded its brief. In the process it has greatly increased the burden on data fiduciaries.
Rule 6 provides a definition of the term "reasonable security measures" mentioned in Section 8 of the DPDP Act. As a result, data fiduciaries now have to put in place at least seven distinct types of measures to safeguard against data breaches.
While I have no argument with as many measures as are necessary to protect data, why all data fiduciaries must implement these seven measures is beyond me. Section 8 only required data fiduciaries to take reasonable security safeguards.
The government should have left well alone and allowed individual data fiduciaries to determine what is reasonable in their own context. By insisting that everyone has to put in place all these measures, it is disproportionately increasing the burden on small data fiduciaries.
Also of concern is the manner in which the rules have extended the data breach notification obligations. While the Act requires data fiduciaries to give notice "in the event of" a personal breach, the rules state that intimation must be made "as soon as the Data Fiduciary becomes aware of it."
As anyone who has been involved in a breach incident will tell you, information accumulates incrementally during such situations, and while it is easy to establish that something is going wrong, it is often hard to tell whether this is because a hacker has broken into the system or on account of some other malfunction. Even after it is clear that it is a breach, it is hard to say with certainty exactly which data principals have been affected.
If data fiduciaries have to notify a breach as soon as they become aware of it, most of them will over-report rather than risk being found non-compliant. This sort of reporting could cause panic among data principals who will have been told their data was compromised, even though it was not.
The more this happens, the less likely they are to pay heed, as they may assume after a point that all notifications are false alarms. What is worse is that the Data Protection Board will be so inundated with breach notifications that it will simply not be able to take action where required.
The government had an opportunity to reframe how a data breach could be handled. Not only has it squandered that opportunity, it has placed such a burden on data fiduciaries and the board that it has made things worse.
This brings us to Rule 12(4) and the sneaky way in which it is bringing data localization back into consideration. Ever since Justice Srikrishna first included the concept in the 2018 draft of India's data protection law, I have argued against this insistence on the physical storage of data in India.
Thankfully, each subsequent draft of the law has diluted this concept, and the DPDP Act all but did away with it. With Rule 12(4) suggesting that significant data fiduciaries may have to localize certain categories of personal data, it seems like the government is sneaking in a provision that we all believed we had seen the back of.
We tend to conflate location with access, assuming that if data is physically located in the territory of India, it will be easier to access. This is not the case, just as it is wrong to assume that merely because data happens to reside in a foreign jurisdiction, Indian law enforcement authorities will never be able to access it.
Rather than requiring businesses to incur the considerable cost of building domestic data centres, the government would be well advised to negotiate treaties with as many jurisdictions as it can to secure faster and easier data access. After all, no matter what laws we put in place, it is likely that some data we really need will be lying somewhere outside our grasp.
Despite these concerns, the rules have shone a light on many aspects of the DPDP Act. There was confusion over what consent managers were expected to do. They had been defined in the law, but details were scant. The rules now make it clear that this term has been introduced to align with the country's data empowerment and protection architecture, and consent managers must be treated as such.
Similarly, we now have much-needed clarity on age-gating and how the obligations under the law can be met. Regular readers know that I have been making a case for age tokens. If coupled with privacy-preserving techniques (such as zero-knowledge proofs), this will allow data fiduciaries to comply with the requirements under Section 9 of the Act without having to process personal information.
Rule 10 has provided a legal basis for just such a framework, and I am glad to see that data fiduciaries can now reference digital tokens mapped to identity and age.
All we need is for some entity (like the Unique Identification Authority of India) to issue age tokens, and data fiduciaries will be able to use these to ensure they only process the personal data of a child with parental consent. This is one of the most advanced concepts proposed in the rules. If implemented, this could become the age-gating example for the rest of the world to adopt.
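As an added example, not code from the article, the DPDP Rules, UIDAI or any real issuer, here is one way such a minimal-disclosure age token could work end to end: the issuer sees the full identity record, derives only an age band and a parental-consent flag, and signs those; the data fiduciary verifies the signature and expiry and refuses any token that carries identifying fields, so it never receives a name or date of birth at all. The token format, the claim names and the Schnorr-style signature over a toy group (p = 2^127 - 1, far too weak for real use) are all assumptions constructed here for illustration; a production issuer would use a vetted scheme such as Ed25519. A zero-knowledge construction, which the article mentions, would go further by letting the holder prove the age band without a token the issuer could link back to them; that is not shown.

```python
"""Minimal-disclosure age token: issuer signs an age band, fiduciary verifies.

Constructed example. The claim names, token layout and toy signature
parameters below are assumptions made for illustration only.
"""
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Toy group: p = 2^127 - 1 is prime, but this group is far too weak for
# real deployments (assumption: illustration only; use Ed25519 in practice).
P = (1 << 127) - 1
G = 3
ORDER = P - 1  # exponents are reduced modulo the order of the group

# The only claims an age token may carry (constructed names). Anything else,
# such as a name or date of birth, is rejected by the verifier so the
# fiduciary never processes identifying data.
ALLOWED_CLAIMS = {"age_band", "parental_consent", "iat", "exp", "nonce"}
AGE_BANDS = {"under_18", "18_or_over"}


def keygen():
    """Issuer keypair: private exponent x, public key y = g^x mod p."""
    x = secrets.randbelow(ORDER - 2) + 1
    return x, pow(G, x, P)


def _challenge(commitment, public_key, message):
    """Fiat-Shamir challenge binding commitment, key and message."""
    h = hashlib.sha256()
    for part in (commitment.to_bytes(16, "big"), public_key.to_bytes(16, "big"), message):
        h.update(part)
    return int.from_bytes(h.digest(), "big") % ORDER


def sign(private_key, message):
    """Schnorr-style signature (e, s): s = k - e*x mod order."""
    public_key = pow(G, private_key, P)
    k = secrets.randbelow(ORDER - 2) + 1
    e = _challenge(pow(G, k, P), public_key, message)
    return e, (k - e * private_key) % ORDER


def verify_signature(public_key, message, sig):
    """Recompute g^s * y^e, which equals g^k for a genuine signature."""
    e, s = sig
    if not (0 <= e < ORDER and 0 <= s < ORDER):
        return False
    commitment = (pow(G, s, P) * pow(public_key, e, P)) % P
    return _challenge(commitment, public_key, message) == e


def _canonical(claims):
    """Deterministic byte encoding so signer and verifier hash the same thing."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_claims(private_key, claims):
    return {"claims": claims, "sig": list(sign(private_key, _canonical(claims)))}


def issue_age_token(private_key, identity, now, ttl_seconds=600):
    """Issuer side: sees the full record, emits only an age band and a flag."""
    dob = datetime.fromisoformat(identity["dob"]).date()
    today = now.date()
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    iat = int(now.timestamp())
    claims = {
        "age_band": "18_or_over" if age >= 18 else "under_18",
        "parental_consent": bool(identity.get("parental_consent", False)),
        "iat": iat,
        "exp": iat + ttl_seconds,
        "nonce": secrets.token_hex(8),  # makes each token unique
    }
    return sign_claims(private_key, claims)


def verify_age_token(public_key, token, now_ts):
    """Fiduciary side: returns a decision string without seeing identity."""
    claims, sig = token["claims"], tuple(token["sig"])
    if set(claims) - ALLOWED_CLAIMS:
        return "reject:unexpected_claims"  # refuse tokens that would leak identity
    if set(claims) != ALLOWED_CLAIMS:
        return "reject:missing_claims"
    if not verify_signature(public_key, _canonical(claims), sig):
        return "reject:bad_signature"
    if not claims["iat"] <= now_ts < claims["exp"]:
        return "reject:expired"
    if claims["age_band"] not in AGE_BANDS:
        return "reject:bad_claim"
    if claims["age_band"] == "18_or_over":
        return "allow:adult"
    return "allow:child_with_consent" if claims["parental_consent"] else "deny:child_without_consent"


if __name__ == "__main__":
    priv, pub = keygen()
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    child = {"name": "Constructed Child", "dob": "2015-06-01", "parental_consent": True}
    token = issue_age_token(priv, child, now)
    print(json.dumps(token["claims"]))  # no name, no date of birth
    print(verify_age_token(pub, token, int(now.timestamp())))
```

The verifier checks the claim allowlist before anything else, so a token that is perfectly signed but carries a name or date of birth is still refused; that check is what turns "reference a token mapped to identity and age" into "never process the identity itself".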