The Broadband India Forum (BIF), which represents big technology companies, on Thursday said the severe penalties proposed by the government under the data protection Bill are not appropriate. The penalty caps, however, should be raised in a phase-wise manner in line with the development of the country’s compliance and enforcement landscape, it added.
The comments from the representatives of companies like Google, Amazon and Meta comes amid an ongoing public consultation process on the draft digital personal data protection Bill that lays the rights and duties of the citizen and obligations for data fiduciaries to use collected personal data lawfully.
Currently, the quantum of maximum penalty on a data fiduciary in case of breach of the provisions under the Bill is proposed at `500 crore. Besides, the government has time and again said the data protection board will decide the penalties based on the extent of data breach and the fine of `500 crore might get multiplied by the number of persons affected by the breach.
“Since this is India’s first attempt at a comprehensive data protection law, severe penalties would not be appropriate. The draft Bill should further identify a more graded penalty structure which is commensurate with the degree of harm that a violation or non-compliance may invite,” BIF said in a statement.
In comparison to countries like Malaysia and Thailand, which are also in process of implementing a data protection law, the magnitude of financial penalties in India is greater, it added.
Among other things, the forum has urged the government to provide a sufficient time to comply with the provisions of the law after its implementation. Some provisions such as cross-border data flow, consent seeking, language options to data principals etc would require the companies to make changes to their business processes.
In a meeting with stakeholders on the Bill, minister of state for IT and electronics Rajeev Chandrasekhar had said that the government will give enough transition time to companies to comply with the new legislation.
BIF has also raised concerns over the definition of personal data in the Bill and asked for its simplification so that data fiduciary can give an itemised notice to the data principal containing a description of personal data sought to be collected and the purpose of processing of such data.
Further, the forum has also raised the issue about the minimum age of children for use of personal data and framework for withdrawal of consent in case the personal data is shared by a data fiduciary with another data fiduciary.
According to the provisions of the Bill, the companies will have to take verifiable parental consent before processing the data of children below 18 years of age. The companies are also barred from tracking or monitoring the behaviour of children or targeting advertisements at them, according to the Bill.