The first thing one noticed in GDPR when it came into force in 2018 was the fear it induced in Data Controllers about the “Penalty”, which can go up to 4% of global annual turnover or Euro 20 million, whichever is higher. Since then there have been hundreds of penalties, and a number of them have exceeded Euro 20 million because they were calculated on the basis of turnover.
The biggest GDPR fine so far is Euro 746 million, imposed by the Luxembourg authority on Amazon, followed by Euro 405 million imposed on Meta by the Irish authority and Euro 225 million imposed on WhatsApp. There are at least 9 more penalties above Euro 20 million on organizations including Marriott International, British Airways, Enel Energia, TIM, the H&M online shop and Google.
Not all these fines were for actual data breaches that caused loss to the public. Many relate to non-compliance on other grounds, such as violation of the general data processing principles or an insufficient legal basis for processing.
These fines have left a bitter taste in the mouth of the organizations concerned and have made them distrust all such regulations, including the earlier Indian proposals.
There is no doubt that this “Fear” induced some awareness of the law, but it also created the impression that many supervisory authorities were raising revenue through penalties to fund their own existence rather than enabling the community to comply better.
We must appreciate that the Indian DPDPB 2022 (the Digital Personal Data Protection Bill, 2022) has taken a different approach.
Firstly, it has capped the penalty at Rs 500 crore per instance. At the same time it has provided a “Voluntary Undertaking” system: if the Board accepts the undertaking, that acceptance bars further penalty proceedings on the matters it covers.
The Data Protection Board (DPB) may also direct the parties to attempt mediation to resolve the complaint before it proceeds to impose a penalty.
It has also mandated that, in the course of an inquiry, the Board shall not prevent access to any premises or take into custody any equipment or other item in a way that would adversely affect the day-to-day functioning of a person.
To cap it all Section 25 of DPDPB 2022 states that while determining the penalty, the Board will take into account the likely impact of the imposition of the financial penalty on the person.
This is the most humane feature one can expect in any penalty system. It means that SMEs and MSMEs need not fear being forced to shut shop over a single instance of data breach, since the penalty would be proportionate to the capacity of the organization to bear it. The GDPR approach, on the other hand, would shut down most SMEs and MSMEs and leave only Big Tech companies able to bear the brunt of data breach fines.
Let us appreciate this approach, which recognizes that if the Data Fiduciaries cease to exist there will be no data business at all, and hence that compliance cannot be driven by the threat of eliminating them.
Maybe this soft attitude could dent the business of many of us who are professionals advising on “Compliance” and providing “Consultancy” and “Audit” services. But ultimately we should all support a fair system that does not try to drive compliance by fear. Persuasion and an appreciation of the benefit to society should be the guiding factors for imposing penalties, and perhaps that suggestion is available in the draft Bill.