Tech This Week | The Personal Data Protection Bill in the context of the Twitter hack
If you have not been following the news, earlier this week Twitter was the main topic of an extremely public breach. A whole lot of high-profile accounts were hacked, including those of Elon Musk, Barack Obama, and Apple. There is of course wider context to it. The hack itself is an indicator of malicious behaviour on Twitter and of the platform's historically lax responses to it. If you want to know more about this, Casey Newton's newsletter 'The Interface' is a fantastic place to start.
The short of the matter is that hacks are relatively common on the platform, as is spying. Twitter has a chequered history with cybersecurity. There have been several bitcoin-related scams, as well as the espionage carried out on behalf of the Kingdom of Saudi Arabia. I wish I could say that Twitter is the only company that goes through these trials, but sadly that is not the truth. Cybersecurity incidents are fairly common, and they do not make the news as often as they should.
Whenever such incidents happen, most of the tech policy circles in India (and abroad) follow an identical cycle. First there is the shock, then the memes, closely followed by the line "this is why we need a data protection/privacy law".
As somebody who has himself been part of this reaction cycle a fair number of times, I want to use this crisis as an opportunity to look at how things might have been different for the individual user had the current data protection bill been in place. In case you do not want to read ahead, the short answer is that when it comes to breaches, the bill does not do nearly enough to put power back in the hands of users.
Let us consider the case of Twitter. Here, the bill would classify the incident as a personal data breach because it is 'unauthorised sharing of personal data'. Once the breach clause is triggered, a chain of events is set in motion. Firstly, Twitter would need to issue a notice as soon as possible to the (yet to exist) Data Protection Authority (DPA).
The notice should include the following things:
1. Nature of personal data which may be the subject-matter of the breach;
2. Number of data principals influenced by the breach;
3. Possible consequences of the breach; and
4. Action being taken by the data fiduciary to remedy the breach.
Bear in mind that this was an extremely public breach: Twitter is a very visible platform (compared with, say, a bank) and has been fairly transparent about the whole incident. But the Personal Data Protection Bill itself does not require this notice to be visible to the general public. Instead, once the breach is reported to the Authority, it is the Authority's call whether the users should be informed about the breach at all.
There are a host of problems with the structure outlined above. The way I understand this law, it has three major stakeholders to manage: the government, users, and the firms it is supposed to regulate. Part of managing that is to give some power back to the users, who currently have next to no control over their privacy.
Being the subject of a breach is probably one of the worst things that can happen to your data. Once an unauthorised entity has access to it, they can share it far and wide at hardly any cost, and that can come back to haunt you, particularly if it is something as sensitive as your address or your bank details.
Hence it makes sense that you should know whenever your data has been subject to a breach. But under the current scope of the law, there is a great deal of opacity in the whole process. Firstly, companies are not required to make their breaches public, so it may be impossible to know when your personal data has been compromised.
Secondly, there is no set of defined rules that the DPA must follow to decide which breaches should and should not be made public. Thirdly, data in India, and of Indians, is subject to a lot of breaches. This means two things. One, it is likely to be hard to track when companies do not go to the DPA about breaches. Two, when they do, it will be a fairly transaction-intensive process for the DPA to consider whether each breach is worth informing the individual about.
All this is highly problematic. When we hear about attacks like the one that happened to Twitter, our first impulse is to reach for a world where data protection is taken more seriously. But the important thing is that even having a law in place will not be as effective as we make it out to be. When it comes to breaches, the bill in its current form does not do much to put power back in the hands of the user, and that is a sad reality.
To fix this, there are two things we can look at. Firstly, defining a set of standards in the bill that mandate the DPA to compel fiduciaries to share information about the breach with the data principal. Doing so would limit the amount of discretion that exists in the system, while still making sure that information is not shared with users when there is a national security consideration in the mix.
Secondly, and this is more radical, compelling data fiduciaries to share information about breaches of sensitive personal data and critical personal data with the users directly. If information such as bank account details or health records is being leaked to bad actors, people should have a right to know.
I would argue that both of these solutions are an improvement on the one we have in the bill today. The need of the hour is to put more power back in the hands of users, and that begins with fiduciaries being more transparent about personal data.