The quantum of penalties for data breach under the draft personal data protection Bill will be calculated based on the number of people affected, government sources said Saturday. “There is nothing in the language that says that `500 crore is for the entire data breach. The data protection board can take a view that if a thousand people are affected and there are a thousand complainants, the penalty would be calculated by multiplying Rs 500 crore with 1,000,” a source said.
The draft digital personal data protection Bill, which was released on Friday, proposes to penalise companies a maximum of Rs 500 crore in case of breach of provisions such as failure to take reasonable security measures to prevent data breach, not notifying the board about breach, and unauthorised collection or use of data, etc, as decided by the board.
“If somebody thinks that they have got benefits worth Rs 1,000 crore through data breach and paid only Rs 500 crore as penalty, they will get a rude shock as this won’t be the case,” the source said. “The Bill is under public consultation and based on that we will take a call (to amend the clause),” the source said, adding that Rs 500 crore is a signal to companies that if they violate the rights of consumers, he penalty table would be modified from time to time.
Also Read: New Data Protection Bill drops 4 contentious clauses
In the older version, the provision was for levying penalties 2-4% of total worldwide turnover of the firms concerned. This was opposed by global firms on the ground that revenue generated by data fiduciaries outside India may not have a link with processing activities in the country.
To deal with the compliance framework of the Bill, the government has proposed to invite a data protection board that will manage the receipt of complaints, compute and impose penalties, take decisions on matters, etc. When asked about the independence and regulatory powers of the board, the source said, “The board is not a regulator as the Bill is not about data economy. This is aBill that has to do with digital personal data protection and deals with the rights of data principal, the obligation of data fiduciary and creates an entity that will adjudicate disputes arising out of violations of the obligations by data fiduciary.”
It is a purely adjudicating mechanism and the appeals from that will lie with the high court, the sources added.
Further, the provision of the Bill will also be applicable to the government, which will make it liable in case of data breach just like any other entity dealing with data. “If there is a breach, the citizen can take the government to the data protection board. The government can be held accountable in case of a data breach as it also has the obligation to protect the data,” the source said.
Among key highlights of the Bill, the companies can transfer personal data to other countries or territories, which will be notified by the government after assessment. The data owners will also have the right to withdraw their consent on use of personal information by a data fiduciary, once the Bill becomes an Act.
