The joint parliamentary committee on personal data protection has re-introduced a recommendation of heavy penalties for serious data violations in its final report with fines up to Rs 15 crore ― or 4% of global turnover ― while lesser violations will have a limit of Rs 5 crore (or 2% turnover). If the provision becomes a law, it will pose a strong deterrent for social media giants and top tech companies such as Facebook, Instagram, Google, Amazon, and Apple.
The final report, submitted in the parliament yesterday, brought back penalties ― the provision had been left to the government in the draft report ― quite in line with the original provisions in the 2019 Data Protection Bill, as well as the European Union’s General Data Protection Regulation (GDPR).
The joint parliamentary committee had witnessed heated discussions on the proposal to drop the clauses. Committee chair and senior BJP leader PP Chaudhary had agreed that the penalties need to be restored with a cap on the terms of the quantum of fines after opposition MPs registered their objections.
The turnaround by the committee follows the dropping of the provision in the draft report, where the committee had left the matter of penalty quantification in the hands of the central government. “In the committee’s view, such quantification may not be feasible as there are no clear mechanisms to quantify the ‘world-wide turnover’ of the company and that too along with its group entities. Also keeping in view the rapidly changing dynamics of the evolving digital technologies, the committee feels that it would be prudent to enable the government to quantify the penalties,” the panel had said in its draft report of November.
The panel members include Jairam Ramesh, Manish Tewari, Vivek Tankha, and Gaurav Gogoi (from the Congress), Derek O’Brien and Mahua Moitra (from the Trinamool Congress), and Amar Patnaik and Bhartruhari Mahtab (from the Biju Janata Dal) who had voiced their objections to the specific formulation on penalties being done away with. The lack of specificity would have spelt relief for internet giants, especially since many of them have been under regulatory scanner across the globe over massive user-info violations, data breach, unlawful processing and lax oversight.
In the final report, the committee brought back also the penalty clause of the higher of Rs 5 crore, or 2% of global turnover, for certain provisions, including failure to take prompt and appropriate action in response to a data security breach; failure to register with the proposed data protection authority; failure to undertake a data protection impact assessment or conduct a data audit; and failure to appoint a data protection officer.
The highest penalty of the higher of Rs 15 crore, or 4% of global turnover, would be for violations in processing of personal data of users and children; failure to adhere to security safeguards; and violations in transfer of personal data outside India.
The re-introduction of the penalties will be a worrying fact for companies such as Facebook and Instagram, which have been under the scanner in the country over various violations, including a CBI inquiry over the Cambridge Analytica episode. The difficulties for companies have only been compounded after revelations by former Facebook employee and whistleblower Frances Haugen, who had highlighted the ineptness of the social media giant in content moderation across the world as well as in India, accusing the group of prioritising profits over safety.
There have been allegations also of data violations against Amazon and its handling of data in India.
The panel report says in case of violations by a state, the penalties will be capped at Rs 15 crore for serious breach and Rs 5 crore for those of a lesser nature.