Editor’s note: The Data Protection Bill series carefully examines the various sections of the draft Personal Data Protection Bill, 2018 as laid down by the Justice Srikrishna Commission and submitted to MEITY for approval. This is Part X of the series.
In a significant improvement over the limited privacy related offences under the Information Technology Act, 2000, the proposed penalties imposed under the Personal Data Protection Bill, 2018 are on par with the General Data Protection Regulations (GDPR). The steep penalties under the GDPR combined with the vast extra-territorial jurisdiction prescribed triggered compliance with privacy laws at a large scale in companies across the globe.
The Personal Data Protection Bill having both these features — steep fines combined with extraterritorial jurisdiction — will certainly trigger the same reaction in companies in India and around the world. The enforcement mechanisms under the Bill, discussed in the previous part of this series, are thus supported through the penalties and offences prescribed under Chapters XI and XIII respectively.
Two levels of penalties and criminal offences
Under Section 69 of the Bill, two levels of penalties are prescribed — the first level is of up to Rs 5 crores or 2 percent of the total worldwide turnover, and the second is of up to Rs 15 crores or 4 percent of the worldwide turnover. These are prescribed for violations of the data protection law and are to be awarded by the Adjudicatory Officers, or the adjudicating wing of the Data Protection Authority. The actual penalties applicable will vary based on the violation.
In some cases, where criminal intent can be detected, i.e., the violation was committed intentionally, knowingly, or recklessly, then the persons behind the violation will also be punishable for criminal offences by criminal courts. Punishment for these can go up to 5 years of imprisonment or a fine of Rs 3 lakhs.
The Bill also allows compensation to be sought by a data principal.
Failure to adhere to data protection principles
A data fiduciary who fails to adhere to the data protection principles, such as the requirement for notice, or who takes inadequate consent, or who doesn’t provide the data principal with the option of withdrawing his consent, will be punishable with the higher level of penalty. For instance, the sharing of data collected for assessing a person’s health condition with an insurance company for advertising its services to that person will violate the requirement of consent as well as purpose limitation principle.
Processing without a lawful basis of processing
Processing of data without adhering to one of the lawful bases of processing, such as consent for a private company or in accordance with a law for the State will also be punishable with the higher level of penalty. The same will apply for illegal processing of sensitive personal data or children’s data. For instance, if a child’s data is processed without parental consent, this provision will be applicable.
Data localisation and cross-border transfer requirements
For failure to adhere to cross-border transfer requirements, i.e., to transfer data to another country without ensuring that standard contractual clauses or an approval of the Government is in place will attract the higher penalty.
For data localisation requirements, the two levels of penalty will not apply. Instead, this will be punishable under the category for residual violations for which no specific penalty is prescribed. This is a penalty under Section 73 of up to Rs 1 crore for significant data fiduciaries, and Rs 25 lakhs for all other cases, including normal data fiduciaries and data processors.
Penalty in relation to security safeguards and data breach notifications
Under current privacy rules, viz., Section 43A of the IT Act and the IT (Sensitive Personal Data) Rules, 2011, companies in India are required to maintain reasonable security practices. However, not having such practices amounted to a violation only if it resulted in a wrongful loss or gain to anyone. Under the new rules, not maintaining the reasonable security practices in itself, regardless of the ‘harm’ caused, will be punishable.
Failure to maintain security safeguards under Section 31, by data fiduciary or a data processor, will be punishable with the second, higher level of penalty. Significant data fiduciaries who fail to carry on a Data Protection Impact Assessment or a data audit will be punishable with a lower level of penalty.
It is unclear if a single failure on the part of the company in relation to security, such as a failure to update a single feature of their security practices, will also be punishable as a failure to maintain security safeguards. This is important in the current era where new flaws in security systems are found by the minute. For instance, it was the failure to implement a single security update which resulted in the Equifax breach of 2017, affecting the personal data of 143 million Americans. This breach would, however, still be punishable under other sections of the law.
Failure to act against a security breach, including the obligation of notifying the Data Protection Authority, will also attract the lower level of penalty.
Higher penalties for significant data fiduciaries
Significant data fiduciaries are subject to higher penalties. Apart from the specific penalties for failure to conduct a DPIA or audit as discussed above, the same lower level of penalty also applies if it fails to register as a significant data fiduciary with the DPA. Additionally, separate penalties prescribed under the law, apart from the two levels of penalties under Section 69, prescribe double the fine for a significant data fiduciary. These are discussed below.
Failure to uphold data subject rights
A failure to uphold data subject rights, such as a request for information on the personal data with the data fiduciary, or of a request to be ‘forgotten’, is punishable with a different penalty under Section 70. This is punishable with Rs 5,000 per day of the default subject to a maximum of Rs 10 lakhs for significant data fiduciaries and Rs 5 lakhs for others.
For failure to furnish reports, information, etc., under Section 71, the penalty goes up to Rs 10,000 per day up to Rs 20 lakhs for a significant data fiduciary, and Rs 10 lakhs for others.
For failure to comply with a DPA direction or order, under Section 72, the penalty goes up still higher to Rs 20,000 per day up to Rs 2 crores for all data fiduciaries. For a data processor, this can go up to Rs 25 lakhs.
For all remaining violations of the law, under Section 73, the penalty will be a maximum of Rs 1 crore for significant data fiduciaries, and Rs 25 lakhs for all other cases, including normal data fiduciaries and data processors.
Requirement of harm being caused
A good improvement over Section 43A is that the new penalties do not require ‘harm’ to have been done. The Bill allows a data principal to file a complaint not only for harm caused but also for the likelihood of harm being caused (Section 39). An adjudicating officer, further, can award penalties under the Bill not only when harm is caused, but also for a failure to comply with the provisions of the law, irrespective of whether harm was actually caused (Section 74).
These are good additions since often, the actual effects of a data breach are often felt much later. For instance, data that is disclosed may find its way to the dark web, where it can be accessed by any criminals for any criminal purpose. When a crime actually occurs, say phishing or the hacking of a bank account, it is often unknown where the data used for the crime was sourced from.
In determining the quantum of penalty, further, the Adjudicating Officer will need to take several factors into account, including the nature and gravity of the processing in question, the number of data principals affected, the level of harm suffered, the transparency measures and security safeguards put in place by the data fiduciary, the repetitive nature of the offence, etc.
Compensation under the Bill
Another important aspect of the Bill is that it allows the data principal to seek compensation under Section 75 if he suffers harm due to the violation of the law. This may be sought from a data fiduciary or from a data processor.
Criminal offences under the Bill
Chapter XIII of the Bill also prescribes a list of offence. The penalties discussed so far are civil penalties, awarded by the Adjudicatory Officer. The offences are criminal in nature, which can be awarded by a criminal court. The fact that these offences have been made cognizable and non-bailable, meaning that a warrant is not required for arresting a person under this law, and that bail will be awarded, has been criticized from many quarters for being too stringent in a data protection law. The very presence of the offences has been criticized as well.
However, while the GDPR does not list criminal offences, these can be found in other jurisdictions, such as under Singapore’s Personal Data Protection Act, or Hong Kong’s Personal Data (Privacy) Ordinance. Thus, while the presence of offences in a data protection law is not unusual, making them cognizable and non-bailable is too stringent.
Criminal offences prescribed under the Bill punish the following knowing, intentional or reckless acts. The first is obtaining, transferring or selling data, in violation of the law and which results in significant harm. This will be punishable under Section 90 and 91 with a fine of upto Rs 3 lakhs, imprisonment of upto 5 years or both.
The second is for the re-identification of data which was de-identified, without the consent of the data fiduciary or data processor. This offence will be a particular restriction for data used for research purposes, but on the other hand, will ensure that consent will have to be in place before the data is so used. This is punishable with 3 years or a fine of Rs 2 lakhs or both.
Application of penalties and offences to the State
The Bill clarifies how the offences are to apply to Central and State government departments or any authority of the State under Section 96. Here, the head of the department or authority shall be deemed to be guilty, unless he can prove that the offence was committed without his knowledge, or despite proper due diligence on his part.
However, the same clarity has not been provided with respect to how penalties will apply to State actors. For instance, if you consider the many websites that leaked Aadhaar related databases, these involved websites of governmental departments. These will not have a ‘turnover’. How the fines are to be imposed on such entities has not been clarified under the law.
Thus, the broad-ranging penalties prescribed under the Bill are welcome and are likely to serve as a deterrent to privacy violations. It is hoped that more clarity will be provided as to how the State and State actors are to be penalized for a violation of the law. Offences as cognizable and non-bailable is another issue that needs to be addressed.
The next part is the concluding part of the series and will discuss remaining issues including transitional implementation, retrospective application of the law and Aadhaar.
The author is a lawyer specializing in technology, privacy and cyber laws. She is also a certified information privacy professional.