The India Privacy Act: Ensuring Data Security and Accountability by Dr. Pavan Duggal, Dr. Prashant Mali, Puneet Bhasin & Bikash Barai

The India Privacy Act represents a significant step towards robust data protection and privacy standards in the country. During a recent panel discussion on the CISO Platform, experts in cyber law, Advocate Dr. Pavan Duggal, Advocate Dr. Prashant Mali and Advocate Puneet Bhasin, explored the Act's key provisions and their implications for businesses. Moderated by Bikash Barai, the session emphasized the importance of data security, the role of intent in data breaches, and the responsibilities of data fiduciaries and processors. This blog distills the discussion into actionable insights for organizations navigating the new regulatory landscape.

Here is the transcribed discussion:

...you could say rang a bell with me the moment I saw the Act was with respect to intent. So if you see the concept of personal data breach under this particular Act, it is talking about unauthorized sharing of data; it even talks of unauthorized data breaches that may happen, let's say, with or without intention. So it could even happen, let's say, that you have not intentionally done the act; you may not be a hacker who is attacking a particular system, but unintentionally this entire activity has happened, let's say from your employee at your end [who failed] to secure your systems. So the concept of mens rea is what we see very importantly: whether or not you are guilty of intentionally doing this act of a data breach doesn't come in. So when you are going to be, let's say, pulled up by the Board, the question "I never meant it", the entire argument "I never meant it, I never thought of it, it was not in my knowledge", these kinds of arguments are never going to work. And primarily, with or without your knowledge, the fact that this act has occurred, a breach has occurred, you will have to demonstrate justifiably what steps were taken by you prior, how you were reasonably secure, whatever assessments and data audits you had undertaken, what kind of security you have, and obviously, after the breach, what steps you have taken thereafter to notify the victims of the breach and what steps you have taken to secure them. So it's going to be a lot of responsibility upon organizations which are going to be data fiduciaries collecting data, and data processors, unlike the kind of regime that we have today. Unfortunately, in India today we don't really have that kind of a mindset in organizations; organizations are collecting data and selling data left, right and center...

...the large enterprises, how does it impact the startups? So you can combine both of them together. Yeah, over to you, Puneet. We'll go to everybody with this question: what are the top things that you see it's going to impact, both the enterprises as well as the startups? I think you are on mute.

...That's like the methodology of business today in India, so a lot of it is going to undergo a sea change. And one of the most important highlights that I would like to put forth is about the concept of a personal data breach, wherein it is not "with intent" or "without intent"; that's not something that's even going to be considered by the Board. And in line with the personal data breach concept, I would like to highlight the meaning of personal data. So unlike the previous laws that bifurcated sensitive personal data and personally identifiable data, this particular Act is a merger of both. So anything that is going to identify you as you, whether it may be your name, your health data, your email ID, your IP address; so the bifurcation that this is an aggravated offense in case, let's say, it is your medical health data and not your other identifiable information, the definition of personal data does not have this kind of a bifurcation. So this is one of the points, one of the highlights, and I would leave it to the rest.

Highlights:

Role and Responsibility of Data Fiduciaries and Processors

  • Data Fiduciary: Responsible for determining the purpose and means of processing personal data.
  • Data Processor: Handles data on behalf of the data fiduciary, ensuring adherence to compliance measures.

Intent and Accountability

  • The Act emphasizes that both intentional and unintentional data breaches are subject to penalties.
  • Organizations must demonstrate due diligence and reasonable security measures to mitigate liability.

Broad Definition of Personal Data

  • Merges previous categories of sensitive personal data and personally identifiable information.
  • Encompasses any information that can identify an individual, including names, health data, email IDs, and IP addresses.
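One concrete consequence of this definition for security engineering: e-mail addresses and IP addresses in application and authentication logs are personal data, so a log pipeline that stores them raw is itself a store of personal data and falls under the same security and breach obligations as the primary database. The following is an added example, not code from the panel, from CISO Platform or from the Act: it pseudonymises those two identifiers in log lines with a keyed HMAC so that events can still be correlated (same address, same token on every line) without retaining the raw values, and it checks that nothing survives. The key, the user and the log lines are constructed for the example; IPv6 addresses, names and other identifier types named on the page are out of scope here and would need their own patterns.

```python
import hashlib
import hmac
import re

# Constructed for this example only; a real deployment loads the key from a
# secrets manager and restricts who can read it, since anyone holding the key
# can re-derive tokens and so re-identify people.
EXAMPLE_KEY = b"example-only-pseudonymisation-key"

# The two identifiers from the panel's list that most often land in logs.
# re.ASCII keeps \d and \b to ASCII so the octet check below cannot see
# non-ASCII digits that int() would reject.
_EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b", re.ASCII)
_DOTTED_QUAD_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", re.ASCII)


def is_ipv4(candidate):
    """True only for four octets in 0..255; rejects version-like strings such as 999.1.2.3."""
    parts = candidate.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def pseudonymise_value(value, key=EXAMPLE_KEY, prefix="pid"):
    """Keyed HMAC-SHA256 token for one identifier.

    Deterministic, so the same address yields the same token on every line and
    analysts can still correlate events; not reversible without the key, so the
    log no longer stores the raw identifier. The prefix records what kind of
    identifier was replaced.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}:{digest[:16]}"


def pseudonymise_log_line(line, key=EXAMPLE_KEY):
    """Replace every e-mail address and valid IPv4 address in a log line with a token."""

    def _sub_email(match):
        # Case-fold so Asha.Rao@ and asha.rao@ collapse to one token.
        return pseudonymise_value(match.group(0).lower(), key, "email")

    def _sub_ip(match):
        text = match.group(0)
        return pseudonymise_value(text, key, "ip") if is_ipv4(text) else text

    line = _EMAIL_RE.sub(_sub_email, line)
    return _DOTTED_QUAD_RE.sub(_sub_ip, line)


def contains_raw_identifiers(line):
    """Post-condition check: does any e-mail or valid IPv4 address survive in the line?"""
    if _EMAIL_RE.search(line):
        return True
    return any(is_ipv4(m.group(0)) for m in _DOTTED_QUAD_RE.finditer(line))


# Constructed sample log lines (RFC 5737 documentation addresses, invented user).
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z auth login ok user=asha.rao@example.com src=203.0.113.7",
    "2024-05-01T10:00:09Z auth login fail user=Asha.Rao@example.com src=203.0.113.7 reason=bad_otp",
    "2024-05-01T10:01:00Z api GET /v1/records agent=\"client/2.0 build 999.1.2.3\" src=198.51.100.24",
]


def pseudonymise_all(lines=SAMPLE_LINES, key=EXAMPLE_KEY):
    """Pseudonymise a batch of lines and refuse to emit any line that still leaks."""
    out = []
    for line in lines:
        cleaned = pseudonymise_log_line(line, key)
        if contains_raw_identifiers(cleaned):
            raise ValueError(f"identifier survived pseudonymisation: {cleaned!r}")
        out.append(cleaned)
    return out


if __name__ == "__main__":
    for line in pseudonymise_all():
        print(line)
```

Two points about the design. First, this is pseudonymisation, not anonymisation: whoever holds the key can recompute a token for a suspected address and confirm a match, so the key is itself sensitive and its custody (and the audit trail of who used it) is part of the "reasonable security" an organization would be asked to demonstrate. Second, rotating the key breaks correlation across the rotation boundary; pick a rotation period that matches how long analysts need to join events. The third sample line shows the octet check at work: `999.1.2.3` is a build string, not an address, and is left alone.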

Breach Notification and Remedial Actions

  • Mandatory breach notifications to the Data Protection Board and affected individuals.
  • Post-breach responsibilities include notifying victims and taking steps to secure their data.

Penalties for Non-Compliance

  • Significant fines up to ₹250 crore per violation.
  • Criminal liability for severe breaches, emphasizing the importance of stringent data protection measures.

The India Privacy Act demands significant adjustments from organizations, both large and small. By understanding its key provisions and preparing adequately, businesses can navigate this new regulatory environment effectively. The CISO Platform remains dedicated to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.

Speakers:

Dr. Pavan Duggal is the Founder & Chairman of the International Commission on Cyber Security Law and President of Cyberlaws.Net. He heads the Artificial Intelligence Law Hub and Blockchain Law Epicentre, and is the Founder of Cyberlaw University. Dr. Duggal is the Chief Evangelist of Metaverse Law Nucleus and has directed numerous international conferences on cyber law. He has spoken at over 3000 events and authored 194 books on various legal topics.

https://x.com/pavanduggal
https://in.linkedin.com/in/pavanduggal

Prashant Mali is an acclaimed international cybersecurity and cyber law expert, practicing as a lawyer at the Bombay High Court with 25 years of experience. He holds advanced degrees in computer science and law, and has authored 8 books and 16 research papers on cyber law and data protection. Mali frequently appears on TV and at international conferences, offering expert legal opinions on a wide range of technology-related issues. His landmark legal work includes numerous acquittals and influential policy contributions.

https://x.com/AdvPrashantMali
https://in.linkedin.com/in/prashantmali

Advocate Puneet Bhasin is a pioneer in cyber law in India. She is an advisor to Rajya Sabha committees on internet laws and the recipient of 13 national awards for her contribution to cyber law, one of them being "Best Cyber Lawyer in India".

https://x.com/cyberlawpuneet
https://in.linkedin.com/in/advpuneetbhasincyberlawyer

Bikash Barai is credited with several innovations in network security and anti-spam technologies and holds multiple patents granted by the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at forums such as TiE, RSA Conference USA and TEDx. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital (now part of Synopsys). iViZ was the first company in the world to take ethical hacking (penetration testing) to the cloud.

https://twitter.com/bikashbarai1
https://www.linkedin.com/in/bikashbarai/