Data protection Bill revised: Penalty up to Rs 200 crore if firms don’t have safeguards
COMPANIES dealing in personal data of consumers that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs 200 crore under the revamped version of the Data Protection Bill, The Indian Express has learnt. The Data Protection Board, an adjudicating body proposed to enforce the provisions of the Bill, is likely to be empowered to impose the fine after giving the companies an opportunity of being heard.
Penalties are expected to vary on the basis of the nature of non-compliance data fiduciaries — entities that handle and process personal data of individuals. Companies failing to notify people impacted a data breach could be fined around Rs 150 crore, and those failing to safeguard children’s personal data could be fined close to Rs 100 crore. In the previous version of the Bill, withdrawn earlier this year, the penalty proposed on a company for violation of the law was Rs 15 crore or 4 per cent of its annual turnover, whichever is higher.
The government is understood to be close to finalising the revamped Bill, internally being referred to as the ‘Digital Personal Data Protection Bill’, and come out with a final draft version this week. The new Bill will only deal with safeguards around personal data and is learnt to have excluded non-personal data from its ambit. Non-personal data essentially means any data which cannot reveal the identity of an individual.
ExplainedAllaying fears of consumersFines for data misuse prescribed in the previous version of the Bill were not seen as an effective deterrent. The higher penalties being proposed now will prompt entities to build strong safeguards to protect data and enforce fiduciary discipline.
In August, the government withdrew the earlier Personal Data Protection Bill from Parliament after putting in nearly four years and having gone through multiple iterations including deliberations a Joint Committee of Parliament. It said the government would soon finalise a “comprehensive legal framework” for the online ecosystem. The withdrawal came despite Union IT Miner Ashwini Vaishnaw stating in February 2022 that he hoped to get the Parliament’s nod on the Bill in the monsoon session.
In an interview with The Indian Express in September, Miner of State for Electronics and IT Rajeev Chandrasekhar had said companies would face punitive actions in the nature of financial penalties in the event of misuse of data and data breaches. In a tweet Tuesday, he reiterated this, stating that the upcoming data protection Bill will put an end to misuse of customer data with companies facing financial consequences.
“There will also be a strict or purpose limitation of data collected companies and the time till which they can store it under the new Bill,” said a senior government official who did not wish to be named. It is learnt data fiduciaries will be required to stop retaining personal data and delete previously collected data after the initial purpose for which it was collected was fulfilled.
The revamped version of the Bill is likely to be released along with an explainer and summary, on the lines of the recently published draft Indian Telecommunication Bill, 2022. The Bill will undergo extensive consultation and will likely be introduced in the Budget session of Parliament next year.