140th Day Of Lockdown

Maharashtra53560136843518306 Tamil Nadu3086492506805159 Andhra Pradesh2445491547492203 Karnataka1886111055993398 Delhi1461341316574131 Uttar Pradesh126722767212120 West Bengal98459671202059 Bihar8274154139450 Telangana8075157586637 Gujarat71064542382652 Assam5883842326145 Rajasthan5249738235789 Odisha4592731785321 Haryana4163534781483 Madhya Pradesh3902529020996 Kerala3433121832109 Jammu and Kashmir2489717003472 Punjab2390315319586 Jharkhand185168998177 Chhatisgarh12148880996 Uttarakhand96326134125 Goa871259575 Tripura6161417641 Puducherry5382320187 Manipur3752204411 Himachal Pradesh3371218114 Nagaland30119738 Arunachal Pradesh223115923 Chandigarh1595100425 Meghalaya11154986 Sikkim9105101 Mizoram6203230
Technology Other News 18 Jul 2020 Tech This Week | The ...
The writer is a policy analyst at the technology and policy programme of The Takshashila Institution. The views expressed here are personal.

Tech This Week | The Personal Data Protection Bill in the context of the Twitter hack

Published Jul 18, 2020, 6:50 pm IST
Updated Jul 18, 2020, 6:50 pm IST
When it comes to data breaches, the bill does not do nearly enough to put power back in the hands of the users.
The need of the hour is to put more power back in the hands of the users, and that begins with fiduciaries being more transparent with personal data.
 The need of the hour is to put more power back in the hands of the users, and that begins with fiduciaries being more transparent with personal data.

In case you have not been following the news, earlier this week, Twitter was the subject of a very public data breach. A lot of very high profile accounts were hacked, including Elon Musk, Barack Obama, and Apple. There is of course wider context to it. The hack itself is a symptom of malicious user behaviour on Twitter and historically lax responses to it. In case you want to know more about this, Casey Newton’s newsletter ‘The Interface’ is a great place to start. 

The short of the matter is that hacks are relatively common on the platform, as is spying. Twitter has a chequered history with cybersecurity. There have been several bitcoin related scams as well as spying missions that were carried out on behalf of the Kingdom of Saudi Arabia. I wish I could say that Twitter is the only company that undergoes these trials, but sadly that is not the truth. Cybersecurity incidents are fairly common and do not make the news as often as they should. 


Anytime such incidents happen, a lot of the tech policy circles in India (and abroad) follow a similar cycle. First there is the shock, then the memes, finally closely followed by the line “this is why we need a data protection/privacy law”. 

As someone who himself has been a part of following this reaction cycle a fair number of times. I want to use this crisis as an opportunity to look at how things might have been different for the user had the current data protection bill been in place. In case you do not want to read ahead, the short answer is that when it comes to breaches, the bill does not do nearly enough to put power back in the hands of the users. 


Let us look at the case of Twitter. Here, the bill would classify the incident as a personal data breach since it is ‘unauthorised sharing of personal data’. Once the breach clause is triggered, a chain of events is set in motion. Firstly, Twitter would have to issue a notice as soon as possible to the (yet to exist) Data Protection Authority (DPA). 

The notice should include the following things: 
1.    Nature of personal data which is the subject-matter of the breach;
2.    Number of data principals affected by the breach;
3.    Possible consequences of the breach; and
4.    Action being taken by the data fiduciary to remedy the breach.


Keep in mind that this was a very public breach, Twitter is very visible as a platform (as compared to say, a bank) and has been fairly transparent about the whole incident. But the personal data protection bill itself does not require this notice to be visible to the public. Instead, once the breach is reported to the Authority, it is the latter’s call regarding whether the users should be informed about the breach at all. 

There are actually a host of problems with the structure outlined above. The way I look at this law, is that it has three major stakeholders to manage, the government, users, and the companies it is supposed to regulate. Part of managing that is to provide some power back to the users, who have next to no control over their privacy. 


Being subject to a breach is likely one of the worst things that could happen to your data. Especially since once an unauthorised entity has access to it, they can share it far and wide for very little cost, and that can come back to haunt you, especially if it is something as sensitive as your address or your bank details. 

Hence it makes sense for you to know when your data has been subject to a breach. But under the current scope of the law, there is so much opacity in the whole process. Firstly, companies are not required to make their breaches public, so it might be impossible to know when your personal data has been compromised.


Secondly, there is no set of defined rules that the DPA has to follow to decide which breaches should and should not be made public. Thirdly, data in India, and of Indians, is subject to a lot of breaches. This means two things. One, that it is going to be hard to track when companies do not go to the DPA regarding breaches. Two, when they do, it is going to be a fairly transaction intense process for the DPA to consider whether each breach is worth informing to the user about.

All of this is highly problematic. Because when we hear about attacks like the one that happened to Twitter, our first impulse is to reach out for a world where data protection is taken more seriously. But the bottom line is that even having a law in place is not going to be as effective as we make out to be. Instead, when it comes to breaches, the bill in its current form does not do a lot to put power back in the hands of the user, and that is a sad reality. 


To fix this, there are two things we can look at. Firstly, defining a set of standards in the bill that mandate the DPA to compel the fiduciaries to share information regarding the breach to the data principal. Doing so would limit the amount of discretion that exists in the system while making sure that the information is not shared with users if there is a national security consideration in the mix. 

Secondly, and this is radical, is to compel data fiduciaries to share information regarding breaches of personal sensitive data and critical personal data with the users. Especially since if information such as bank account details or health records are being leaked to bad actors, people should have a right to know. 


I would argue that both of these solutions are a better scenario compared to the one we have in the bill today. The need of the hour is to put more power back in the hands of the users, and that begins with fiduciaries being more transparent with personal data.  

Click on Deccan Chronicle Technology and Science for the latest news and reviews. Follow us on Facebook, Twitter