#DataProtectionTop10: Protecting whistleblowers, digital security researchers, and vulnerability testers
In Part 10 of the #DataProtectionTop10 series, we discuss the need for protection of whistleblowers, digital security researchers, and vulnerability testers. As per Clause 25 of the Personal Data Protection Bill, 2019, only the data fiduciaries can report data breaches to the Data Protection Authority, not the whistleblowers. If Clause 25 in its current form becomes the law, then people will be dissuaded from whistleblowing. Further, though the Bill provides protection to researchers under Clause 38, there are no clear protections provided for skilled cyber security researchers who conduct vulnerability testing. Therefore, we recommend that the Bill be amended to provide clear provisions detailing the procedure for security researchers, vulnerability testers and whistleblowers. Section 43 of the Information Technology Act, 2000 must also be amended to prevent vexatious legal claims and proceedings against vulnerability testers and cyber security experts.
This is the last post in the #DataProtectionTop10 series. In these past 4 weeks, through 9 posts, we discussed the issues with the Personal Data Protection Bill, 2019.
Here is a quick recap: We started off the series by discussing the issues with the preamble of the Bill; namely, the lack of clarity on the objectives of the Bill (part 1). Then we saw in part 2 how certain provisions in the Bill (particularly the provisions for Governmental access to non-personal data and the provision for sandboxes) are a tool for giving preference to the private sector and the fiscal interests of the State over the informational privacy of the users. Next, we looked at the consent provisions under the Bill (part 3). The provisions under the Bill that allow the processing of personal data without the consent of the users grant the State undue access to personal data, and the exception given to employers has the potential to encourage workplace surveillance.
In part 4, we analysed the issues with the rights guaranteed to the users under the Bill and we found that though the Bill grants certain rights, the exercise of those rights has been made difficult, and hence there is a need to strengthen the rights of users. In part 5, we looked at the issue of voluntary verification of social media accounts, and saw how this ‘voluntary verification’ may lead to a mandatory verification situation as well as advanced targeting and profiling of users.
In part 6, we discussed the issues with the data localisation policy of India. The Bill mandates the storage and processing of ‘critical data’ only in India, without defining what ‘critical personal data’ is. The Central Government has been given the discretion to notify critical personal data. Further, this policy also disrupts the free and open nature of the internet. Then, in part 7, we looked at the very important issue of surveillance reforms. The exemptions granted to the State from the obligations under the Bill are very wide and enable the State to conduct surveillance of the people.
In part 8, we saw the issues with the regulatory architecture envisaged under the Bill: the Data Protection Authority. The various provisions under the Bill, such as the constitution of the Selection Committee and the Central Government’s power to issue orders to the DPA, impede the independence and accountability of the DPA. Lastly, this week in part 9, we discussed certain other issues with the Bill, such as the lack of provisions in the Bill to facilitate transition into the new regime and the overriding effect of the Bill over the Right to Information Act, 2005.
In today’s post, we discuss the ramifications of not providing protection to whistleblowers, digital security researchers, and vulnerability testers. India has witnessed an epidemic of data breaches in recent times, including the high profile cases of Mobikwik, Air India, and Dominos. The data losses in these breaches are huge, with potentially millions of users affected. The economic impact of data breaches is also tremendous. An IBM study reported that the average data breach in India cost Rs 14 crore, an increase of 9.4% from 2014. The per unit data cost increased by 10% to Rs 5,522. The report also noted that the average time to detect a breach went up from 221 days to 230 days, and the average time to contain a breach went up from 77 to 83 days. This further indicates a significant amount of information and data loss for users. The need for improved security standards is clear, and this can only be achieved if security research and penetration testing are undertaken on an increased scale.
Clause 25 of the Bill, relating to the Data Protection Authority (DPA), states that the users should be informed about a breach of their personal data only after the DPA considers the severity of harm and decides whether the data fiduciary should inform the affected users. There are two issues with this provision: firstly, as we had discussed in Part 4, the discretion to inform the affected users is left to the DPA and the users are not informed directly, stifling the exercise of the rights of users under the Bill; secondly, the Bill casts the duty of reporting a breach of data to the DPA on the data fiduciary alone.
The mandate under Clause 25, that only a data fiduciary can report the breaches to the DPA, creates problems for whistleblowers within a data fiduciary. Often, the users are unaware of the breach of data protection obligations by the data fiduciary, particularly in relation to the breach of the purpose limitation obligation, unauthorised sharing, or non-notification of a security event. This information asymmetry prevents the users from enforcing their rights. Now, if any personnel working with the data fiduciary come to know about the data breach or other breach of obligations under the data protection law, they cannot inform the users, as it is for the data fiduciary to report such breaches and lapses to the DPA rather than whistleblowers. If Clause 25 in its current form becomes the law, then people will be dissuaded from whistleblowing.
Digital security researchers and vulnerability testers are another class of people who are important players in the cybersecurity arena. With our increased dependence on technology, data breaches have become the order of the day. We often come to know about these data breaches not from the data fiduciaries but from independent researchers. For example, the Mobikwik data breach and the Facebook data breach that were reported recently were brought to light not by the companies themselves but by independent researchers. Given the key role played by digital security researchers and vulnerability testers in exposing data breaches, it is unfortunate to note that they are not protected under the Bill.
Though the Bill provides protection to researchers under Clause 38, there are no clear protections provided for skilled cyber security researchers who conduct vulnerability testing. Even under the current laws, such persons are not protected and are often threatened with vexatious legal claims and proceedings. Section 43 of the Information Technology Act, 2000, which penalises hacking, does not distinguish between malicious hackers and ethical security researchers. Even when the researchers have acted in good faith, that is no defence under the section. Data fiduciaries exploit this leeway in the provision to press charges against cybersecurity researchers who expose data breaches in their companies. For instance, in one of our earlier posts, we discussed how a security researcher called Dissent Doe, who had exposed the data breach that happened at 1to1Help, was sued before the High Court of Karnataka for the disclosure of this data. In light of this incident, we had also highlighted the need to change the National Cyber Security Policy and build legislative protections within the framework of the Personal Data Protection law.
It is important to provide in the Bill protections for personnel of the respective data fiduciary who disclose the breach of obligations under the data protection law by data fiduciaries. Therefore, the Bill should include a streamlined mechanism to encourage personnel of the respective data fiduciary to report such data breaches without any fear of retaliation or retribution.
Digital security researchers and vulnerability testers play a key role in keeping the users safe and informing them about data breaches. Informing users promptly about breaches of their data is very important to mitigate the damage caused by such data breaches and to take corrective actions. In addition to the direct breach notification to users that we recommended in part 4 of this series, the Bill must be revised to provide clear provisions detailing the procedure for security researchers, vulnerability testers, data breach reporting and whistleblowers. It is also important to amend S. 43 of the Information Technology Act, 2000 to prevent the data fiduciaries from bringing vexatious legal claims and proceedings against vulnerability testers and cyber security experts. We also recommend that the Schedule to the Bill be amended to include narrowly tailored good faith exceptions for vulnerability testers and cyber security experts.
The decision of the Supreme Court in Justice K.S. Puttaswamy v. The Union of India (2019) 1 SCC 1, which declared the right to privacy a fundamental right and recognised informational privacy as a facet of the right to privacy, is certainly a win against the State and non-state actors who intrude into our privacy and exploit our data. However, in order for us to actually exert control over how our data is collected and used, we need a strong data protection law: a data protection law that puts the informational privacy of individuals before any other considerations, such as the growth of India’s digital economy. We would like to stress one important point: data is not a commodity that should be harnessed through data protection legislation; rather, it is what constitutes our identity.
Our data protection law needs to be cured of the issues that we have pointed out through this series. Provisions like Clause 35 severely weaken our data protection law and will not withstand the test of constitutionality. We do not want a data protection law that undermines our right to informational privacy by giving the State immense control over our data and preference to the private sector. We want a strong and user-centric data protection law that would empower the users against the exploitation of their data. A sound data protection law is the need of the hour: this is essential not only for safeguarding the informational privacy of individuals but is also integral to other issues, such as India’s trade relations with other countries.
Through this series, we have tried to draw out some of the fundamental problems with the impending Personal Data Protection Bill, 2019 and suggest solutions to strengthen the law. We fervently hope that we will soon get a data protection law that upholds the key tenets of data protection. Thus, we urge the Central Government to make the necessary amendments to the Bill, so as to provide users with a powerful tool against exploitative data fiduciaries, data processors, and state agencies in this data-driven world.
This is the final post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here, part 2 here, part 3 here, part 4 here, part 5 here, part 6 here, part 7 here, part 8 here and part 9 here.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)
This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF under the supervision of our staff.