JPC report on data protection: Rs 15 crore penalty for data violations
New Delhi, Dec 17: The Joint Parliamentary Panel has submitted its final report on personal data protection. In the report it has reintroduced the recommendation of heavy penalties for serious data violations, suggesting fines of up to Rs 15 crore or 4 per cent of global turnover.
The panel also said that lesser violations will carry a limit of Rs 5 crore or 2 per cent of turnover. If these recommendations become law, they would be a strong deterrent for social media companies and the top tech giants.
P P Chaudhary, the head of the panel, had agreed that the penalties needed to be restored, with a cap on the quantum of fines. The penalty provision had been dropped from the draft report, where the committee had left the matter to the Centre.
In November, the panel had said in its draft report: "in the Committee's view, such quantification may not be feasible as there are no clear mechanisms to quantify the 'world-wide turnover' of the company and that too along with its group entities. Also keeping in view the rapidly changing dynamics of the evolving digital technologies, the committee feels that it would be prudent to enable the government to quantify the penalties."
The panel further said that for violations by a state, penalties will be capped at Rs 15 crore for a serious breach and at Rs 5 crore for a breach of a lesser nature.
With the report tabled in the Lok Sabha, it will now be sent to the Ministry of Electronics and Information Technology (MeitY) for further examination. The recommendations in the report may be accepted or rejected when the bill is redrafted. MeitY will then place the bill before the Cabinet, which takes the final call on the draft. Once approved, it will be brought before Parliament. It is speculated that the Personal Data Protection Bill will be tabled during the Budget Session 2022.
The Bill deals with various kinds of data, and it is impossible to distinguish between personal and non-personal data. The Committee therefore opined that, as privacy is the concern, non-personal data must also be dealt with in the Bill. A single administrative and regulatory body is essential: all data must be dealt with by one Data Protection Authority (DPA).
The Committee has recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers, and be held accountable for the content they host.
The Committee has recommended that the Government establish a mechanism for the formal certification of all digital and IoT devices, to ensure the integrity of such devices with respect to data security. A new sub-clause may be inserted to enable the DPA to frame regulations governing hardware manufacturers and related entities. The Committee has stressed that the Government should set up a dedicated lab or testing facility to certify the integrity and security of all digital devices.
The Committee has recommended that the Central Government take concrete steps to ensure that a mirror copy of the sensitive and critical personal data in the possession of foreign entities is mandatorily brought to India in a time-bound manner. It has further recommended that the Central Government prepare and announce an extensive policy on data localisation for the safe storage of data of Indians.
The Committee has recommended that a realistic time frame of 72 hours be given to the data fiduciary for reporting a data breach.
The panel has favoured keeping the penalty provisions for 'data fiduciaries' (those who determine the purpose and means of processing personal data) flexible. Small data fiduciaries engaged in innovation, research and development may be considered separately.
Recommendations Impacting Compliance
- Where the data principal has suffered material or immaterial harm owing to a delay in the reporting of a personal data breach by the data fiduciary, the burden of proof regarding that delay will lie on the data fiduciary. The Committee has recommended that the DPA require data fiduciaries to maintain a log of all data breaches (both personal and non-personal), to be reviewed periodically, irrespective of the likelihood of harm to the data principal.
- The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed, and shall delete the personal data at the end of that period.
- There should be an equilibrium between the employer's processing of employee data and the employee's protection against misuse of that data by the employer. The employee must also be given the opportunity to ensure that his or her personal data is not being processed for unreasonable purposes. The Committee has therefore recommended that such processing may take place only where it is necessary or can reasonably be expected by the data principal.
- The Data Protection Officer plays a vital role under the provisions of this Bill; he or she should hold a key position in the management of the company or other entity and must have adequate technical knowledge in the field.
Other Recommendations of Significance
- An alternative to the SWIFT payment system may be developed in India. The Committee has recommended that an alternative indigenous financial system be developed along the lines of similar systems elsewhere, such as Ripple (USA) and INSTEX (EU), which would not only ensure privacy but also give a boost to the digital economy.
- In the Committee's view, existing media regulators such as the Press Council of India are not appropriately equipped to regulate journalism that uses modern methods of communication such as social media platforms or the internet at large. The Committee has therefore recommended the establishment of a statutory body for media regulation.