The provisions for penalties in India's proposed data protection law fall far short of other data protection legislation around the world, such as the European Union's General Data Protection Regulation or similar laws in China, legal experts said.
In the proposed Digital Protection Data Bill (DPDB) 2022, data fiduciaries are subject to fines of up to Rs 500 crore for non-compliance. Other than that, the bill includes a laundry list of penalties: up to Rs 250 crore for failing to take adequate precautions against data breaches; Rs 200 crore for failing to notify of a breach or complying with provisions related to children; Rs 10 crore for violating data localisation norms; Rs 150 crore when a significant data fiduciary fails to carry out their additional obligations under the proposed law.
Penalty provisions in the GDPR or in China, on the other hand, are much stricter.
"A key ingredient in those laws is the power to impose fines/penalties up to a particular amount as prescribed for offences (similar to the DPDB) or as a percentage of total worldwide turnover, whichever is higher," Avimukt Dar, Partner, IndusLaw told Moneycontrol.
"This ensures that bigger companies processing huge volumes of personal data, whose turnovers are massive also feel the pinch of non-compliance, instead of simply paying a statutory fine/penalty, which may be more significant for smaller players," Dar added.
However, he added that robust implementation of the bill's provisions would more effectively ensure adequate data protection than introducing stricter penalties.
"A prompt implementation approach by the Data Protection Board is crucial to reduce the frequency of data breaches, and at the same time further encourage lawful processing of data by ensuring that businesses take adequate steps to ensure compliance with the relevant data protection obligations," he said.
GDPR vs DPDB
According to Abhinay Sharma, Managing Partner at ASL Partners, the fine under GDPR can be up to 10 million euros, or if it involves an organisation, up to 2 percent of the company's total global revenue for the prior fiscal year, whichever is higher.
The GDPR fined Meta $275 million for a data leak discovered last year that resulted in the personal information of over 500 million Facebook users being published online.
"Moreover, the Data Processing Agreement between the parties can provide for injunctive penalties, including restrictions regarding international transfers, deletion of personal data, etc," Sharma said.
In the case of the draft DPDB, the monetary penalty is only for breaches and non-compliances that the Data Protection Board, an adjudicating body to be established under the proposed Bill, deems significant.
The Data Processing Agreement may also impose injunctive penalties similar to those provided under GDPR, and data subjects may seek compensation through administrative hearings and legal appeals, Sharma added.
However, Dar of IndusLaw notes that the lower penalty under DPDB can be attributed to the smaller size of India's economy compared to that of the EU, as well as the government's goal to accelerate 'ease of doing business' and 'Make in India.'
"I think these two factors are much more relevant than simply saying India is not as serious about data breach as say the EU when comparing penalty sizes," he said.
Similarly, Rishi Anand, Partner at DSK Legal said, "Given that the DPDP Bill will be the first substantial step by India towards a data protection framework, it appears that the Government intends to take a balanced yet cautious approach while keeping the interests of both the Digital Nagriks (i.e., the data principals) as well as the data fiduciaries in consideration while imposing penalties."
Removal of criminal liability
In addition to the penalties proposed for data breaches and other violations, the Personal Data Protection Bill 2019 included a provision for criminal liability. However, that provision has been removed in DPDB 2022.
Anand of DSK Legal notes that while some international jurisdictions (such as the EU, Japan, and Turkey) prescribe penalties in the form of fines, imprisonment, and sanctions, the global trend has been to only impose monetary penalties for data protection violations.
"In view of this, retention of only monetary penalties as the preferred deterrent for non-compliance under the proposed Digital personal data protection bill appears to be in line with the global practices from a practical standpoint," Anand said.
"The removal of such criminal liabilities can be said to be in the right direction as this will promote innovations by startups and SMEs, without fear of being imprisoned," Sharma of ASL Partners said.
Dar from IndusLaw opined that the removal of criminal liability under the DPDB was aligned (and followed the same pattern) with other laws such as the Competition Act and the Foreign Exchange Management Act.
"There is a general regulatory consensus that placing business leaders at risk of personal liberty for bad or risky behaviour has a significant cost to the economy as the overall risks taken by entrepreneurs in India are much higher than in advanced economies," Dar said.
There are also complexities in the Indian criminal justice system, according to Dar, which may lead to situations in which the prosecution struggles to prove intent or recklessness by key management of a large company, while small founders struggle to get pre-trial bail.
Dar notes, however, that since the draft bill states that everyone must comply with the bill's provisions and the Data Protection Board's orders, noncompliance may result in imprisonment.
"Non-compliance with orders of the Board or obstruction of its officers in carrying out their duties would lead to contempt proceedings before the relevant High Court and may result in imprisonment," he added.
Penalty on users
The proposed legislation also includes a set of provisions titled 'duties of data principal', which require a user to provide authentic information when claiming the right to erase or correct their data, not file a false or frivolous grievance or complaint with a data fiduciary or the board, and not provide false information or impersonate another person.
Non-compliance with the 'duties' would also result in penalties of up to Rs 10,000.
"Imposing penalty on an individual for submitting incorrect data appears to be too severe and strict. This ought to be relaxed and curtailed to a reasonable extent," Sharma of ASL Partners said.