
Notification and Process of Reporting:

A data breach can be broadly defined as a security incident that affects the confidentiality,
integrity or availability of personal data.

The threshold for what security incidents are considered data breaches varies per jurisdiction.
In general, there will be a personal data breach whenever: any personal data is lost, destroyed,
corrupted or disclosed, if someone accesses the data or passes it on without proper
authorization, or if the data is made unavailable, for example, when it has been encrypted by
ransomware, or accidentally lost or destroyed.

This includes breaches that are the result of both accidental and deliberate causes. Examples of
personal data breaches may include:

- access to personal data by an unauthorized third party;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.

Under Articles 33 and 34 of the GDPR:

Article 33: “Notification of a personal data breach to the supervisory authority”

1. In the case of a personal data breach, the controller shall without undue delay and, where
feasible, not later than 72 hours after having become aware of it, notify the personal data breach
to the supervisory authority competent in accordance with Article 55, unless the personal data
breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the
notification to the supervisory authority is not made within 72 hours, it shall be accompanied
by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a
personal data breach.

3. The notification referred to in paragraph 1 shall at least:

a) describe the nature of the personal data breach including where possible, the categories
and approximate number of data subjects concerned and the categories and approximate
number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact
point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its possible
adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the
information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to
the personal data breach, its effects and the remedial action taken. That documentation shall
enable the supervisory authority to verify compliance with this Article.

Article 34: “Communication of a personal data breach to the data subject”

1. When the personal data breach is likely to result in a high risk to the rights and freedoms
of natural persons, the controller shall communicate the personal data breach to the data
subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall
describe in clear and plain language the nature of the personal data breach and contain
at least the information and measures referred to in points (b), (c) and (d) of Article
33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required
if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational
protection measures, and those measures were applied to the personal data
affected by the personal data breach, in particular those that render the personal
data unintelligible to any person who is not authorised to access it, such as
encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to
the rights and freedoms of data subjects referred to in paragraph 1 is no longer
likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a
public communication or similar measure whereby the data subjects are
informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data
subject, the supervisory authority, having considered the likelihood of the personal data
breach resulting in a high risk, may require it to do so or may decide that any of the
conditions referred to in paragraph 3 are met.

GDPR penalties and fines

Now the Brexit transition period has ended, there are two versions of the GDPR (General Data
Protection Regulation) that UK organisations might need to comply with: 

- The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the
processing of UK residents’ personal data; and
- The EU GDPR, which continues to apply to the processing of EU residents’
personal data.

The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global
turnover – whichever is greater – for infringements. The EU GDPR sets a maximum fine of
€20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for
infringements.

However, not all GDPR infringements lead to data protection fines. Supervisory authorities
such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions,
including:

- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.

Case law in India:

Modern Indian case laws on data protection and privacy emanate from the decision by the
Supreme Court of India ('the Supreme Court') in Justice K S Puttaswamy and Anr v. Union of
India and Ors [Writ Petition (Civil) No. 494 of 2012] ('Puttaswamy'). In Puttaswamy, the
Supreme Court unanimously held that the right to privacy was an intrinsic element of the
promise of the right to life and personal liberty protected under Article 21 of the Constitution,
and that it included, at its core, a negative obligation to not violate the right to privacy and a
positive right to take all actions necessary to protect the right to privacy. Puttaswamy changed
the contours of Indian privacy law, the interpretation of the existing privacy rules, and raised
the spectre of a robust common law tort of violation of privacy, independent of statutory rules.

The Supreme Court went on to clarify that any law that encroached upon the right to privacy
would be subject to constitutional scrutiny, and would have to meet the three-fold requirement
for:

- Legality;
- Necessity; and
- Proportionality.

Furthermore, the Supreme Court crafted a positive obligation on the Government to enact
legislation that adequately protects the right to privacy. Presently, various High Courts are
dealing with data protection issues from a post-Puttaswamy perspective. While a clear judicial
trend cannot be identified, it is evident that data collection and processing efforts in India must
evaluate and anticipate the impact of Puttaswamy on Indian data law.

Other decisions of impact from the Supreme Court include:

- R Rajagopal and Ors v. State of Tamil Nadu [Writ Petition (Civil) No. 422 of 1994],
which recognised tortious remedies for breach of privacy and the ability to seek
damages for invasions of privacy; and
- Mr X v. Hospital Z [Civil Appeal No. 4641 of 1998], which dealt with privacy-related
implications of disclosures of health data. The Court held that in a conflict between the
right to privacy and public interest, public interest would override an individual's right
to privacy.
- In the post-Puttaswamy landscape, different High Courts have been grappling with the
exercise of various dimensions of privacy rights. Notably, Subhranshu Rout Gugul v.
State of Odisha [BLAPL No. 4592 of 2020], Sri Vasunathan v. the Registrar General,
High Court of Karnataka and Ors [General Writ Petition No. 62038 of 2016], and
Dharamraj Bhanushankar Dave v. State of Gujarat and Ors [SCA No. 1854 of 2015]
are recent decisions by different High Courts on the contours of the right to erasure and
the right to be forgotten. Varying stances were adopted by each of these courts, and it
is safe to assume that until the Bill comes into effect, the scope and impact of these
rights will continue to be judicially debated.
- In addition, the Competition Commission of India, the country's anti-trust regulator, is
presently hearing multiple complaints that involve the misuse of data in connection
with arguments on both abuses of dominance and anti-competitive practices among
certain companies.

https://www.dataguidance.com/notes/india-data-protection-overview

India does not have a stand-alone personal data protection law to protect personal data and
information shared or received in verbal, written or electronic form. Though protections are
available, they are contained in a mix of statutes, rules and guidelines.

The most prominent provisions are contained in the Information Technology Act, 2000 (as
amended by the Information Technology Amendment Act, 2008) read with the Information
Technology [Reasonable Security Practices And Procedures And Sensitive Personal Data Or
Information] Rules, 2011 (SPDI Rules). It is the primary law in India dealing with cybercrime
and electronic commerce. SPDI Rules, as the name suggests, only cover data and information
which is exchanged in an electronic form and not those received through non-electronic
communication form.

When the IT Act, 2000 came into force on October 17, 2000, the laws and procedures under
the Act lacked the provisions required to protect one’s sensitive personal information provided
electronically. This eventually led to the introduction of the Information Technology Bill, 2006
in the Indian Parliament, which in turn led to the Information Technology (Amendment) Act,
2008, whose provisions came into force on October 27, 2009. It inserted Section 43A into the
Information Technology Act, according to which, if:

a corporate body possesses or deals with any sensitive personal data or information, and is
negligent in maintaining reasonable security to protect such data or information, which thereby
causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable
to pay damages to the person(s) so affected.

It also inserted Section 72A, according to which:

any person who discloses information in breach of a lawful contract may be punished with
imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh
rupees, or with both.

A related penalty is set out in Section 72 of the IT Act, which provides that:

any person who, in pursuance of any of the powers conferred under the IT Act Rules or
Regulations made thereunder, has secured access to any electronic record, book, register,
correspondence, information, document or other material without the consent of the person
concerned, discloses such electronic record, book, register, correspondence, information,
document or other material to any other person, shall be punishable with imprisonment for a
term which may extend to two years, or with fine which may extend to Rs 1,00,000, (approx.
US$ 3,000) or with both.

Section 75 mandates that provisions of this Act shall also apply to an offence/contravention
committed outside India by any person if the conduct constituting an offence involves a
computer/computer network located in India.

However, the scope and coverage of the IT Act and Rules are limited. The majority of the
provisions only apply to ‘sensitive personal data and information’ collected through a ‘computer
resource’. The provisions are restricted to corporate entities undertaking the automated
processing of data, and consumers are only able to take enforcement action in relation to a small
subset of the provisions. There is no provision on data localisation, which was the major concern
and reason for the ban of the Chinese apps in India.

In order to address these limitations, India needed a comprehensive data privacy law.

EU AND LANDMARK JUDGEMENT:

The Court of Justice of the European Union (CJEU) issued its judgment in the Schrems II case
C-311/18 (the Judgment), which invalidated the EU-US Privacy Shield (a framework for
regulating exchanges of personal data for commercial purposes between the European Union
(EU) and the United States) and called into question the extent to which data exporters that fall
within the scope of the EU General Data Protection Regulation (GDPR) can rely on the
European Commission's Standard Contractual Clauses for international data transfers (SCCs).

We explain below the effect of the Judgment on cross-border data transfers and what
companies outside Europe and the US, whether acting as data exporters (if their data processing
operations are caught by the GDPR) or importers of data from the EU, should consider when
entering into SCCs.

Relevance outside Europe (and the US)

The rapid rise in technological developments, digital networks and global inter-connectivity
has spurred an immense reliance on data. In our digital economy, data is more valuable than
ever. For businesses operating on a global scale, international transfers of data are an essential
element of daily business operations.

Companies located outside Europe may, for example, store personal data on cloud servers
hosted in the EU, share employee data with a parent or subsidiary of their group based in the
EU, or receive customer data from affiliated entities or business partners in the EU. All of these
data flows potentially involve a regulated transfer of personal data that would be caught by the
GDPR.

As a result of the continuous growth in the volumes and use of data and the introduction of the
GDPR in 2018 – now considered as the "gold standard" of data protection laws across the globe
– there has been an increase in global regulation in this area, and public and media awareness
of data sharing and ownership. Sanctions for failure to comply with these rules can be severe
and the reputational damage may be even more significant.

International data transfers and the GDPR

Under the GDPR, cross-border data transfers outside the EU may take place if the country to
which data is exported is deemed to ensure an adequate level of data protection, as assessed by
the European Commission. The few countries that have been approved to date include
Argentina, Canada, Japan, New Zealand and Switzerland, but the list does not include major
markets such as Brazil, India, China, Australia and most of the APAC region, the Middle East
and Africa.

Personal data can be transferred from the EU to "non-adequate" third countries if the controller
(i.e. the entity that determines how and why personal data is processed) or processor (which
processes personal data on behalf of a controller) implements appropriate safeguards. The most
commonly-adopted safeguards are the SCCs, which are a number of template forms of
agreement approved by the European Commission. The SCCs are entered into between the data
exporter and data importer with the aim of protecting personal data leaving the European
Economic Area and ensuring that the individual data subjects have a right of redress. The SCCs
have been the predominant foundation of cross-border personal data transfers from the EU for
many years.

KEY IMPLICATIONS OF THE JUDGMENT

The Judgment raises uncertainties as to the use of SCCs for the cross-border transfer of personal
data. The Judgment requires many organisations to reassess their processing of personal data
that are caught under the GDPR and make immediate changes in how they transfer such data
to third countries that are not included on the European Commission's adequacy list at this
stage.
The European Commission, however, has confirmed that it is working on alternative
instruments for international transfer of personal data, including a review of the existing SCCs.

It is likely that the European Commission views the position created by the Judgment as
somewhat invidious for data controllers. After all, the European Commission itself has
historically recognised that it is appropriate for assessments as to the adequacy of a third
country's legal framework to be carried out by the Commission and not by individual
companies. Without an objective regulatory standard being applied to a third country, the
prospect is open for controllers to take differing views as to whether or not the SCCs represent
adequate safeguards on a case-by-case basis, which from a regulatory perspective seems to fall
short of the fundamental aim of the GDPR: to ensure consistent protection of individuals'
privacy rights.

It is not practical for businesses to cease data flows immediately and there is a pressing need
for the European Commission, the European Data Protection Board and the various European
data protection authorities to issue clear guidance or further regulation as to the approach that
should be taken by controllers.

IMPACT ON BUSINESSES OUTSIDE THE EU AND THE US

The majority of non-EU businesses will not be directly subject to the GDPR; however it does
potentially have extraterritorial effect that means this cannot be completely discounted,
particularly where entities operate as part of a global business or sell to consumers in Europe.
In the absence of timely further guidance from regulators, companies that fall under the scope
of the GDPR should consider:

- assessing their data transfer flows which are subject to the GDPR and identifying the
countries to which they transfer such personal data. For countries that are not on the
adequacy list, they will have to determine suitable methods to transfer the personal data
to those countries: for example, using BCRs for intra-group transfers instead of SCCs,
if available;
- developing a due diligence procedure and updating compliance programs that allow for
the monitoring of relevant aspects of the legal system and practices of third countries
to which personal data is transferred;
- considering additional provisions that may need to be included in the SCCs, generally
and on a case-by-case basis; and
- monitoring further guidance from the European Commission, the European Data
Protection Board (an EU body in charge of the application of the GDPR) and European
supervisory authorities.

The above measures represent a significant burden on companies and we would be surprised if
there is an immediate rush by businesses to respond to the Judgment but, as it stands, the impact
of the Judgment suggests that these steps will be necessary.

Non-EU businesses that import data under SCCs may need to:

- put in place mechanisms to assess whether their country's data protection laws and
practices allow them to comply sufficiently with the SCCs;
- if part of a group with operations in Europe, consider at group level whether to seek to
have BCRs approved by a data protection authority;
- consider how to reassure business partners in Europe and be prepared to receive specific
questions from data exporters and to provide evidence regarding practices and
procedures that are in place to protect personal data, including the type of security
measures that are used; and
- consider the terms of any particularly significant data importing agreements; many
commercial agreements, for example, contain force majeure provisions or change-in-law
provisions which may be applicable when there is a change in interpretation of
applicable law. The Judgment may therefore allow for contractual rights to be exercised
that would enable the exporting party to terminate or suspend the agreement, or revisit
commercial terms to deal with the costs of compliance. If the possibility of losing a
material contract exists, then the business may want to consider how it will respond and
whether it is possible to have any practical workarounds available to conduct the data
processing activity in question in an approved adequate jurisdiction.

https://blog.ipleaders.in/judicial-interpretation-of-data-protection-and-privacy-in-india/
