New India Data Protection Laws

In April 2022, India announced that it will be enacting changes to its rules surrounding data protection.
So What Is Changing?
Currently, parties affected by data breaches are obliged to inform the authorities within a reasonable period after the event occurs or after they become aware of it. The headline figure from India's new announcement is the legal obligation placed upon affected parties to notify the authorities of any concerning events involving cyber security within a time frame of 6 hours. Time starts to run from when the relevant person is either informed that such a breach has taken place or is made aware by another party that it has occurred.
Who Will Be Obliged To Notify?
The published guidance expressly applies to a broad range of parties such as:
- government bodies
- corporations
- centres handling personal information
- those running services and
- parties acting as middlemen.
Why Are The Proposed Changes Being Introduced?
The announcement entered the public domain by way of guidance issued by the Indian government and will apply to numerous aspects of data protection including (but not limited to):
- data protection security measures and processes
- reaction to a potential breach; and
- notification of data breaches.
Does India Have An Information Commissioner?
In stark contrast to the England and Wales jurisdiction, India does not have an Information Commissioner. So, who then is responsible for enforcing Indian Data Protection laws? The answer to the question is the Computer Emergency Response Team (a.k.a. CERT-In).
Significant Development?
The need to report data incidents to a regulator is a universal requirement, but with some jurisdictional variations. Those classified as responsible for controlling personal information will be obliged to communicate promptly, openly, and honestly that such an incident has occurred. The new 6-hour time limit for notifying the authorities demonstrates a very progressive approach from India. Once enacted, it will arguably place India ahead of other jurisdictions on data protection reporting obligations, including the UK, the Member States of the European Union, and a proportion of U.S. States. By way of illustration for comparative purposes, section 67 of the Data Protection Act 2018 and Article 33 of the General Data Protection Regulation 2016 both oblige personal data controllers to inform the Information Commissioner in the jurisdiction of England and Wales within 72 hours. In India, by contrast, affected parties will need to be over 90% more efficient, reporting such events to the authorities inside the relevant 6-hour time frame set out in the guidance.
When Are The Changes Likely To Enter Into Force?
The guidance made clear the ambition for India to bring the new obligations into force from around the 27th of June 2022, which is, incidentally, around 60 days from when the announcement was made.
What Should Lawyers Be Advising Their Clients?
When this new legislation enters into force, lawyers will need to warn their clients with a presence on the Indian sub-continent of their legal obligations to:
- notify the Computer Emergency Response Team (CERT-In)
- comply with the 6-hour time frame; and
- do so from the time they either:
  - became aware of the data incident or
  - were notified by a relevant third party.
Lawyers should be advising affected clients to consider the limited time they have available to report under the newly restricted notification time limits. In practice, clients are likely to be pushed for time when deciding whether to report to the Computer Emergency Response Team.

The Article Was Written Using The Following Sources
[1] Hunton Andrews Kurth, "India to Require Cybersecurity Incident Reporting Within Six Hours", Privacy & Information Security Law Blog (huntonprivacyblog.com), 2nd May 2022
[2] Government of India, No.2(3)/2022-CERT-In, 28 April 2022, CERT-In_Directions_70B_28.04.2022-2.pdf (huntonwilliamsblogs.com)
[3] Section 70B(6) Information Technology Act 2000
[4] Section 67 of the Data Protection Act 2018
[5] Article 33 of the General Data Protection Regulation 2016