The Data Protection Bill, 2019 is back in public discourse, with the 30-member Joint Parliamentary Committee (JPC) tabling its recommendations after 78 sittings and almost six extensions of the submission deadline. The Bill, which was originally tabled in the Parliament on 11 December 2019 by the then electronics and information technology minister Ravi Shankar Prasad, seeks to secure the domestic cyberspace, estimated to have approximately 825 million users.
The Committee has recommended a slew of measures in its report tabled on December 16. Some of the key recommendations are: treating social media platforms as publishers and making them liable for content; inclusion of non-personal data under the ambit of the Bill; a transition period of 24 months from the date of notification of the Act; and developing an indigenous international payments system, as instances of data breach have come to the fore in the SWIFT system of global financial transactions.
Hefty penalties
The key takeaway, though, is the penalty structure, which will require companies to cough up 2% of global turnover as penalty for minor offences and 5% for major contraventions of the provisions. For the transfer of personal data outside India, in violation of the provisions of the Bill, the data fiduciary will be liable to pay a penalty not exceeding ₹15 crore, or 4% of its total worldwide turnover of the preceding financial year, whichever is higher.
Offences like lack of “prompt and appropriate action” in response to a data security breach, failure to register with the proposed Authority under the Bill, contravention of obligation to undertake a data protection impact assessment, failure to conduct data audit, will invite penalty not exceeding ₹5 crore, or 2% of its total worldwide turnover in the preceding financial year, whichever is higher.
Both the provisions were in the original Bill and have been kept unchanged by the panel. Going forward, the ministry of electronics and information technology may formulate rules, taking into consideration the recommendations of the committee and table the amended Bill again in the Parliament. For the global tech behemoths like Facebook, Google, Netflix and Amazon, the penalty clause may be a cause of concern.
The committee, however, has said that more flexibility is needed on penalties to benefit the start-up ecosystem. “Digital technology is rapidly evolving and the quantum of penalty needed to be imposed would need to be decided taking into account these factors. Startups and smaller data fiduciaries engaged in innovation and research and development activities, etc. may also need to be considered separately.”
Global practice
The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws. Under the law, the data protection authorities can impose fines up to Euro 20 million (₹171 crore).
Ever since its rollout in May 2018, over 800 fines have been issued by the authorities under GDPR in the UK and the European Union. In the ongoing quarter of Oct–December, the total data breach fines imposed under the GDPR have reportedly touched Euro 1 billion (₹8,550 crore), which is 20 times more than the fines collected in the April–September period.
Ring-fencing government dept heads
The committee has also expressed concerns regarding the capacity of government departments to protect the large volume of data that they collect. The government will also be a significant data fiduciary, as per the provisions of the Bill. It has suggested that the ministries and departments establish Standard Operating Procedures to protect the data that is collected.
Under the Act, any offence will be said to be committed by a department, authority or body of state. “In view of the Committee, actually the offence should be said to be committed by any particular government data fiduciary and not by any department, authority or body of state.”
While the responsibility of any offence is placed on the head of the department concerned as per the Bill provisions, the committee has recommended ring-fencing the government department as this may impede the decision-making process. “The Committee feels that if the responsibility for any offence with respect to the provisions of this Act, is placed on the head of the department, it may impede decision making process in the department. In case of any offence under the provisions of this Act, the head of the department concerned should first conduct an in-house inquiry to determine the person or officer responsible for the particular offence and subsequently the liability may be decided,” it said.
Single window for complaints
The committee has also called for a single window system for deciding the penalties as well as compensation cases. “There is a provision of filing complaint to the data fiduciary by the data principal under Clause 32 and there is a provision of seeking compensation under Clause 64 by filing a complaint with the Adjudicating Officer,” said the committee, stressing the need for the Act to clearly lay down the procedure to be followed in both situations.