In Part 10 of the #DataProtectionTop10 series, we discuss the need to protect whistleblowers, digital security researchers, and vulnerability testers. Under Clause 25 of the Personal Data Protection Bill, 2019, only data fiduciaries can report data breaches to the Data Protection Authority; whistleblowers cannot. If Clause 25 becomes law in its current form, people will be dissuaded from whistleblowing. Further, although the Bill provides protection to researchers under Clause 38, it provides no clear protections for skilled cyber security researchers who conduct vulnerability testing. We therefore recommend that the Bill be amended to include clear provisions detailing the procedure for security researchers, vulnerability testers and whistleblowers. Section 43 of the Information Technology Act, 2000 must also be amended to prevent vexatious legal claims and proceedings against vulnerability testers and cyber security experts.
This is a companion discussion topic for the original entry at https://internetfreedom.in/dataprotectiontop10-protecting-whistleblowers-digital-security-researchers-and-vulnerability-testers/