The government released the much-anticipated draft Digital Personal Data Protection Bill 2022, requiring entities that manage data to exercise greater caution in handling users’ data. A penalty of up to INR 500 Cr may be imposed for non-compliance with the provisions of the Bill.
The Bill states that the government will form the Data Protection Board of India (Board) to determine non-compliance with the provisions of the act and impose penalties.
“If the Board determines on conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crores in each instance,” the government said.
In the event of a personal data breach, the Board may direct the Data Fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals.
Penalties To Be Decided By The Indian Data Protection Board
The Board requires that all entities handling data comply with its orders. However, an appeal against any order of the Board can be made before the High Court within 60 days of the date of the order being contested.
If the Board is of the opinion that any complaint may more appropriately be resolved by mediation or another process of dispute resolution, it may direct the concerned parties to attempt resolution of the dispute through mediation by a body or group of persons.
According to the draft, while determining the amount of a financial penalty to be imposed, the Board will focus on various aspects such as the nature, gravity and duration of the non-compliance; the type and nature of the personal data affected by the non-compliance; the repetitive nature of the non-compliance; and whether the person, as a result of the non-compliance, has realised a gain or avoided any loss.
The Board will also consider whether the person took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action.
The Board will also look into whether the financial penalty to be imposed is proportionate and effective, and the likely impact of the imposition of the financial penalty on the person.
It must be noted that the government withdrew the Personal Data Protection Bill, 2021 in August after 81 amendments were proposed by a joint parliamentary committee (JPC).