One of the first things Companies look for in the Data Protection Bill is what is the cost of non compliance. It appears that the Government has been a little generous to the industry in this respect.
The first observation that we can make is that there is no “Criminal Punishment” specified in this Act. Earlier there was one section on “De-Anonymization” of anonymized information which had a criminal penalty. But any criminal penalty for contravention of DPDPA is well covered under ITA 2000 and hence there was no need to indicate the criminal punishment in this Act.
The purpose of this Act was to replace Section 43A and define “Reasonable Security Practices” more elaborately for the purpose of improving the compliance to nudge the industry to take pro-active measures to protect Personal Data. Even Protection of Non Personal Data under this Act was redundant as it stepped on the ITA 2000 provisions.
Hence it was a good move to restrict the penalties to the Civil liabilities and tag it only to contraventions of this Act related to personal data.
The schedule of penalties are as given below:
It may be observed that the schedule avoids the “Percentage of Turnover” method which when applied would have been one additional ground for dispute.
Also penalty has been separately prescribed for not following the Reasonable Security Practice which causes a data breach from not notifying the data breach to the regulator and affected data principals or additional obligations of a Significant data fiduciary such as not appointing a DPO, Not Appointing a Data Auditor, Not conducting Data Protection Impact assessment.
The non compliance not leading to a data breach may be fined upto Rs 250 crores while a data breach may add another Rs 200 crores to the fine taking it to Rs 450 crores (maximum). In case of Significant Data Fiduciaries failing to implement additional measures, an additional Rs 150 crores may be imposed as penalty.
All Data Fiduciaries or Data Processors not fulfilling the additional obligations regarding minors may also face an additional Rs 200 crores as penalty.
Thus the maximum cumulative penalty per instance of an investigation of a data breach/non compliance could have added upto Rs 800 crores. But section 25 puts a cap of Rs 500 crores.
The penalty for Data Fiduciary and Data Processor for non compliance are both similar and there is no concession to the Data Processor.
In comparison, if we look at the top 5 GDPR fines upto date they range from a maximum of Rs 6375 crores down to Rs 233 crores. By capping the penalty at Rs 500 crores, the Government has been extremely fair and considerate and perhaps generous to the Tech industry.
The Data Protection Board will however have the discretion to apply other yardsticks to reduce the penalty. It is expected that initially the penalties may be lower and may be increased gradually as the compliance becomes more mature.
In extreme cases, the Data Protection Board may apply the Maximum penalty limit of Rs 500 crores “per instance” by recognizing multiple instances of failure which may be in time or type of failures etc.
One way by which “Instances” can be segregated and considered as “Multiple instances” could be when there was an opportunity for the organization to correct a breach incident and by lethargy or otherwise the organization procrastinated and a repetitive breach occurred. The immediate remedial action can assist the organization in containing the breach to a single instance.
It is time for CFOs to make provision of upto Rs 500 crores or cover it by Cyber Insurance so that at least the next breach risk is covered.