SALIENT FEATURES OF PERSONAL DATA PROTECTION BILL, 2018 (INDIA) – PART 5

Full text of the proposed bill can be accessed here.

Penalties and Compensation

A data principal who has suffered harm due to any violation of this Bill (or its rules and regulations), by a data fiduciary or a data processor, has the right to seek compensation from the party at fault. The data processor is only liable where it has acted negligently, acted outside or contrary to the instructions of the data fiduciary, not incorporated adequate security safeguards, or violated specifically applicable provisions of the Bill.
In case of breach of the following obligations, the data fiduciary may be liable to a penalty of up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher:

  • Obligations in case of Personal data breach;
  • Obligation to undertake data protection impact assessment;
  • Obligation to conduct data audit;
  • Obligation to appoint data protection officer;
  • Obligation to register with the Authority (See Section 69).

In case of breach of the following obligations, the data fiduciary may be liable to a penalty of up to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher:

  • Data Protection Obligations, as defined in the Bill;
  • Obligation to process personal data in accordance with the Bill;
  • Obligation to process sensitive personal data in accordance with this Bill;
  • Obligation to undertake appropriate security safeguards in accordance with this Bill;
  • Obligation to transfer personal data in accordance with this Bill (See Section 69).

Other penalties include:

  • Five thousand rupees per day, for failure to comply with the request made by data principal regarding his/her rights (See Section 70).
  • Ten thousand rupees per day, for failure to submit any report or information to the Authority (See Section 71).
  • Twenty thousand rupees per day for failure to comply with directions or orders issued by the Authority (See Section 72).

The Bill also contains a provision for general penalty of up to one crore rupees, in case no specific penalty is provided, for failure to comply with any provision of this Bill, or with any rules made hereunder (See Section 73).

Offences

The intentional or reckless obtaining, disclosure, transfer or sale of personal data, which harms the data principal, is punishable with imprisonment of up to 3 years and/or a fine of up to two lakh rupees (See Section 90).
For similar actions involving sensitive personal data, the entity is punishable with imprisonment for a term not exceeding five years or shall be liable to a fine which may extend up to rupees three lakhs or both (See Section 91).
The re-identification and/or processing of de-identified personal data without consent is punishable with imprisonment of up to 3 years and/or a fine up to two lakh rupees (See Section 92).
An entity charged with re-identification will not be liable if it proves that:
(a) the personal data belongs to the person charged with the abovementioned offence; or
(b) the data principal whose personal data is in question has explicitly consented to such re-identification or processing as per the provisions of this Bill (See Section 92).
Offences punishable under the Bill are cognizable and non-bailable (See Section 93).
For offences committed by a company, every person who, at the time the offence was committed, was in charge of conducting the company’s business is deemed to be guilty of the offence and may be proceeded against and punished accordingly. Such person is not liable if he/she proves that the offence was committed without his/her knowledge or that he/she had exercised all due diligence to prevent the commission of such offence (See Section 95).
For offences committed by any department of the Central or State Government, or any authority of the State, the head of the department or authority is deemed to be guilty of the offence and may be proceeded against and punished accordingly. Such person is not liable if he/she proves that the offence was committed without his/her knowledge or that he/she had exercised all due diligence to prevent the commission of such offence (See Section 96).

Data Protection Authorities

The Bill empowers the Central Government to establish a Data Protection Authority of India (“Authority”), having a chairperson and six full-time members appointed by the committee consisting of the Chief Justice of India, the Cabinet Secretary, and one expert nominated by the Chief Justice of India (Refer to Sections 49 and 50 of the Bill).
The Authority is responsible for protecting the interests of data principals, preventing misuse of personal data, ensuring proper compliance with this Bill and promoting awareness about data protection. In addition to these general responsibilities, the Bill further provides specific functions of the Authority (Refer to Sections 60-67 of the Bill).
To dispose of matters related to penalties, the Authority is required to have a separate adjudicating wing, headed by the adjudicating officer. Adjudicating Officers shall be persons of ability, integrity and standing, and must have specialized knowledge of, and not less than seven years' professional experience in, the fields of constitutional law, cyber and internet laws, information technology law and policy, data protection and related subjects (Refer to Section 68 of the Bill).
This post is authored by Arjun Kansal and Ashwini Arun, Associates, BananaIP Counsels.
