    Intimation of Personal Data Breach under the Draft Digital Personal Data Protection Rules, 2025.

    • 01.01.2025
    • By Jasman Dhanoa & Sanchit Shrivastava
    Saikrishna & Associates

    Introduction:

    • On 3rd January 2025, the Ministry of Electronics and Information Technology (“MeitY”) issued the Draft Digital Personal Data Protection Rules, 2025 (“Draft DPDP Rules”) for public consultation until 18th February 2025.
    • The Draft DPDP Rules have proposed the requirements for providing breach notification and reporting by a Data Fiduciary, registration and obligations of a consent manager, reasonable security safeguards, verifiable parental consent, etc.
    • Specifically, Section 8(6) of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) requires a Data Fiduciary to give intimation of a personal data breach to the Data Protection Board of India (“DPB”), which is yet to be established, and each affected Data Principal in the prescribed form and manner.
    • Rule 7 of the Draft DPDP Rules has proposed the requirements for a Data Fiduciary to report a personal data breach to the DPB and each affected Data Principal.

    Proposed requirements for intimation to the affected Data Principal:

    • Timeline: A Data Fiduciary has to intimate each affected Data Principal about any breach of personal data on “becoming aware of any personal data breach” in a concise, clear and plain manner and “without delay”. The term “without delay” has not been defined.
    • Manner of reporting: A Data Fiduciary has to intimate the affected Data Principal via his/her user account registered with the Data Fiduciary or any other mode registered with the Data Fiduciary.
    • Details to be intimated to the affected Data Principal:
      • a description of the breach including its nature, extent, timing & location of occurrence,
      • consequences arising from the breach that are relevant to the Data Principal,
      • measures undertaken by Data Fiduciary to mitigate risk,
      • safety measures that can be undertaken by the Data Principal to protect her interests, and
      • business contact information of the Data Fiduciary’s person who can respond to the Data Principal’s queries.

    Proposed requirements for intimation to the DPB:

    • Timeline: The Draft DPDP Rules have proposed two timelines for reporting personal data breaches to the DPB –
      • Intimation “without delay”: A description of the personal data breach including nature, extent, timing, location of occurrence and its likely impact must be notified to the DPB ‘without delay’ on becoming aware of any personal data breach. The term “without delay” has not been defined.
      • Intimation within 72 hours (extendable by the DPB upon request): Within 72 hours of becoming aware of any personal data breach the Data Fiduciary will have to report to the DPB with the following information –
        • updated and detailed information on the description of such a breach,
        • facts related to the events, circumstances, and reasons leading to the breach,
        • measures taken/proposed to be taken to mitigate risk,
        • findings on the person causing the breach,
        • remedial measures taken to prevent recurrence of the breach, and
        • report regarding intimations given to the affected Data Principals.
    • Manner of reporting: The Draft DPDP Rules are silent on the method or manner of reporting such personal data breach to the DPB.

    Other Sectoral Requirements for breach reporting

    • The reporting requirements on personal data breaches are in addition to similar other sectoral requirements under the CERT-In Directions, 2022 and Telecom Cyber Security Rules, 2024.
    • Reporting of Cybersecurity incidents: The CERT-In Directions require reporting of any cyber security incident listed in Annexure-I of the CERT-In Directions, which includes Data Leaks and Data Breaches, within 6 hours. CERT-In later clarified that the 6-hour timeline (with information to the extent available) applies to incidents meeting the following criteria, counted from the time of noticing the incident or being brought to notice of it:
      • Cyber or cyber security incidents of severe nature on any part of the public information infrastructure
      • Data Breaches/Leaks
      • Large-scale or most frequent incidents such as intrusion into computer resource, websites etc
      • cyber incidents impacting safety of human beings
    • Reporting of Telecom Cybersecurity incidents: The Telecom Cyber Security Rules mandate telecom entities to report ‘security incidents’ affecting their telecom network/telecom service to the Central Government within 6 hours of becoming aware of them. The telecom entity has to provide relevant details of the affected system, including a description of the incident, and within 24 hours provide additional information on the number of affected users, duration, geographical area affected, extent to which functioning of the telecom network/service is affected, and remedial measures taken/proposed to be taken.

    Breach reporting in other Jurisdictions

    Europe – General Data Protection Regulation, 2016

    • Threshold: A personal data breach must be notified to the Supervisory Authority in all cases, and to the Data Subject only if such a breach is likely to result in a high risk to the rights and freedoms of natural persons.

    Notifying the Supervisory Authority:

    • Timeline: The GDPR has prescribed two timelines for reporting personal data breaches to the Supervisory Authority –
      • Intimation without delay/ 72 hours (if feasible)
      • Intimation after 72 hours (with reasons for delay)
    • Details to be intimated:
      • Description of the nature of the personal data breach including categories
      • Number of affected Data Subjects & categories and number of personal data records, where possible
      • Name and contact details of the Data Protection Officer (“DPO”)
      • Description of the likely consequences of the personal data breach
      • Measures taken/proposed to be taken to mitigate possible adverse effects
    • Documentation Requirement: The Data Controller must document personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, to enable the Supervisory Authority to verify compliance.

    Notifying the Data Subject (if required):

    • Timeline: The Data Controller/Fiduciary must communicate, without delay, the personal data breach to the Data Subject/Principal.
    • Manner of reporting: No specific method or manner of reporting personal data breach to the concerned Data Subject/Principal has been prescribed.
    • Details to be intimated:
      • Description of the nature of the personal data breach.
      • Name and contact details of the DPO.
      • Description of the likely consequences of the personal data breach.
      • Measures taken/proposed to be taken to mitigate possible adverse effects.
    • There is an exemption from notifying the Data Subject in case the Data Controller has:
      • implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person not authorised to access it;
      • undertaken subsequent measures which ensure that the high risk to the rights and freedoms of the Data Subject/Principal is no longer likely to materialise; or
      • would have to make disproportionate efforts to notify each Data Subject individually, in which case it can instead choose a public communication or similar measure to inform data subjects.
    • Direction by the Supervisory Authority: The Supervisory Authority can require the Data Controller to report the personal data breach to the Data Subject, in case it has not already done so, if it thinks that such a breach would result in a high risk.

    Singapore- Personal Data Protection Act, 2012:

    • Threshold: A personal data breach is notifiable by the organisation to the Personal Data Protection Commission (PDPC), and to each affected individual, only if, after an assessment, such personal data breach:
      • results in or is likely to cause significant harm to an affected individual (e.g., the personal data breach relates to the individual’s full name, identification number, etc.), or
      • is, or is likely to be, of a significant scale (i.e. the number of affected individuals is at least 500).

    Notifying the PDPC

    • Timeline:
      • Within 3 days.
      • More than 3 days accompanied with specific reasons and supporting evidence.
    • Information to be provided:
      • Date and circumstances of the organisation becoming aware of the breach.
      • Details of actions leading to the determination of a notifiable breach.
      • Description of the occurrence of the personal data breach
      • Number of affected individuals
      • Details of affected data such as types or classes of personal data involved.
      • The impact on affected individuals.
      • Remedial actions taken or planned to mitigate harm to individuals and measures to address causes or failures that facilitated the breach.
      • Intentions regarding informing affected individuals or the public and any guidance to mitigate harm.
      • Business contact details of an authorised representative.

    Notifying the affected Individual

    • Manner of reporting:
      • The organisation must notify each affected individual, after notifying the PDPC, in any manner as may be reasonable in such circumstances.
      • In case the organisation does not intend to give information to affected individuals, its notification to the PDPC must additionally indicate the grounds for not notifying the affected individuals.
    • Details to be intimated:
      • How and when the personal data breach was discovered.
      • Details of affected data such as the personal data or types of data relating to the individual.
      • The impact of the personal data breach on the individual.
      • Remedial actions taken or planned to mitigate harm to the individual & actions to address the causes or enabling factors of the breach.
      • Guidance to the affected individual on mitigating harm, such as preventing misuse of personal data.
      • Business contact details of an authorised representative.
    • Exemption from notifying affected Individual/Data Principal:
      • Personal data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data only within the organisation.
      • The concerned organisation, after assessing that the data breach is a notifiable data breach, takes any action, or had implemented any technological measure prior to the occurrence of such breach, that renders it unlikely that the personal data breach will result in significant harm to the affected individual.
      • Instruction/directions issued by a law enforcement agency/PDPC.
      • Waiver by the PDPC based on a written application by the organisation.

    Our Take

    The personal data breach reporting requirements under the Draft DPDP Rules have not incorporated regulatory best practices from laws governing personal data in other jurisdictions such as the EU and Singapore. These laws provide a threshold for reporting personal data breaches to the affected individual. For example, reporting the personal data breach to affected individuals is required only if the breach results in a high risk to the rights and freedoms of Data Principals, is likely to cause significant harm to the Data Principal, or has occurred on a significant scale. No such threshold has been proposed under the Draft DPDP Rules, which require reporting of every personal data breach irrespective of its effect, scale or severity. This would lead to overreporting by Data Fiduciaries of even minor personal data breaches which may not have a significant impact on the Data Principals.

    The MeitY should ideally undertake a whole-of-government approach and align the personal data breach reporting requirements mandated by various departments/ministries, regulators, etc., so as to provide a single-window portal for such reporting. It will be important to align the personal data breach reporting requirements under the DPDP Act with similar requirements under various regulations such as the CERT-In Directions, the Telecom Cyber Security Rules, SEBI requirements, etc.

    The Draft DPDP Rules propose that Data Fiduciaries report personal data breaches to the Data Principal “without delay”. MeitY should clearly define the meaning of ‘without delay’ so that Data Fiduciaries have regulatory clarity regarding the timeline for reporting personal data breaches to Data Principals. Additionally, MeitY should also give the Data Fiduciary the option to provide information regarding the personal data breach to the DPB and the Data Principal in phases where it is not feasible to provide all the information at the same time.

    Links

    Draft Digital Personal Data Protection Rules, 2025 –  https://www.meity.gov.in/writereaddata/files/259889.pdf

    Digital Personal Data Protection Act, 2023 – https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

    CERT-In Directions, 2022 – https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

    Telecom Cybersecurity Rules, 2024 – https://dot.gov.in/sites/default/files/Telecommunications%20%28Telecom%20Cyber%20Security%29%20Rules%2C%202024.pdf?download=1

    EU General Data Protection Regulation, 2016 – https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

    Singapore’s Personal Data Protection Act, 2012 – https://sso.agc.gov.sg/Act/PDPA2012?ProvIds=P11-#top

    Singapore’s Personal Data Protection (Notification of Data Breaches) Regulations, 2021 – https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?DocDate=20241014

    This article was originally published by Saikrishna & Associates