The bill has set up checks and balances for companies to ensure compliance
Companies are required to conduct data audits and undertake data protection impact assessment among other things
Bill permits companies to transfer personal data outside India with explicit user consent
The revised version of the personal data protection bill has proposed various penalties for companies contravening the bill’s guidelines. The highest penalty proposed is INR 15 Cr or 4% of the company’s global turnover in the last financial year, whichever amount is higher, for violating the bill’s provisions for personal data processing and transfer.
The PDP bill has asked companies to take explicit user consent before processing or transferring sensitive personal user data outside India.
The bill defines sensitive personal user data as financial data, health data, biometric data, sexual orientation, transgender status, genetic data, caste or tribe, religious or political belief and more.
Another layer of penalty is proposed for companies failing to take appropriate action in response to a data breach, failing to undertake a data protection impact assessment, failing to conduct a data audit, or not appointing a data protection officer. In these cases, the bill proposes a penalty of INR 5 Cr or 2% of the company’s global turnover in the previous fiscal year.
It remains to be seen whether the parliamentary committee, which is likely to debate the points of the bill before it is passed, makes any changes to these stipulated penalties.
To put it in perspective, tech giants such as Facebook and Google earn billions in turnover every year. For the fiscal year 2018 ending December 31, 2018, Google posted revenue of $136.8 billion. At that rate, it would have to pay at least $2.7 Bn in fines for violating the law about data breach response.
Government On Data Privacy Regulations
The Supreme Court of India had made the right to privacy a fundamental right in the landmark KS Puttaswamy Vs Union of India judgement of 2018. This judgement was followed by a lot of debate about ownership and protection of citizen data.
India’s commerce minister Piyush Goyal opined that countries must have the sovereign right to use citizens’ data, including personal, community, and public data, for the welfare of people. The minister was speaking at the G20 Trade Ministers’ meeting held in June 2019.
IT Minister Ravi Shankar Prasad also said earlier that the government will not let the country’s data sovereignty be compromised. He also pointed out that there should be a balance between data availability, utility, innovation and data privacy.
The first draft of the personal data protection bill was published in 2018, after the submission of the Justice Srikrishna committee report. Later in August 2019, Justice Srikrishna said at a right to privacy event, “A data protection bill is the need of the hour. We have to go beyond the stated intent of data collection to understand the motives and eventual uses to which it can be put.”