U-Turn on Penalties Under India’s Data Protection Bill
Legal Experts Assess Impact of Parliamentary Committee Reintroducing Penalties
An Indian joint parliamentary committee drafting the country’s planned Data Protection Bill reversed its previous recommendation to drop clauses imposing set penalties for data violations, according to a report by The Economic Times.
The original draft of the 2019 Data Protection Bill penalized serious data violations with a maximum fine of 150 million rupees ($2 million) or 4% of the organization's global turnover, whichever is higher. A "serious data violation" refers to incidents in which an organization fails to safely process the personal data of users, fails to implement reasonable security measures, or violates extra-territorial data transfer procedures.
For less serious violations, such as failure to take appropriate breach response steps, failure to report an incident to the Computer Emergency Response Team, or CERT-In, or the National Critical Information Infrastructure Protection Center, failure to conduct an impact assessment or not appointing a data protection officer, the maximum penalty was either 50 million rupees ($650,000) or 2% of its global turnover, whichever is higher.
The parliamentary committee's revised version then dropped the flat penalties, citing complications in quantifying the actual global turnover of a company - owing to group entities and subsidiaries - and instead left it at the discretion of the government to decide the penalty sum.
This move faced heavy opposition from other parliamentary members in the joint committee. On Friday, according to The Economic Times, committee Chairman P.P. Chaudhary conceded to the opposition's demands and tabled the bill with the penalty caps reinstated.
Reasons for the U-Turn on Penalties
Explaining the reason for the reversal, cyber law educationist and e-business consultant Na. Vijayashankar tells Information Security Media Group that the original draft of the Personal Data Protection Bill 2019 that included the capped penalties had initially been scrapped due to the difficulty of calculating the actual global turnover owing to subsidiaries and global footprint.
Vijayashankar - who wrote "Cyber Laws For Every Netizen in India," the country's first book on cyber law - says that this led to some people believing that penalties had been scrapped altogether.
"But that wasn't the case. The initial draft said penalties imposed would be at the discretion of the government. They have now reintroduced the 4% and 2% clauses and reverted to the PDPB [Personal Data Protection Bill] 2019 draft to clear up the controversy," he says.
N.S. Nappinai, Supreme Court advocate and policy and investigation adviser to Maharashtra Cyber, backs the reintroduction of set penalties in the Data Protection Bill. She tells ISMG that the initial move to remove the mandated penalties of $2 million or 4% of annual turnover and leave the penalty amount for data violations to the discretion of the government was erroneous.
"The penalties should be included in the enactment and not be left to the government to decide or prescribe. There could be inconsistencies resulting from economic and political reasons. That which amounts to lawmaking cannot be delegated under the guise of rule-making," she says.
Questions remain as to whether heavier penalties can actually achieve the objective of seeing fewer data violations and whether Big Tech and social media heavyweights such as Facebook and Twitter will view data processing of Indian citizens with more caution.
Impact of Penalties on Data Violations
Inspector General of Police Brijesh Singh, who heads Maharashtra Cyber, tells ISMG that under the General Data Protection Regulation, heavy fines have worked, and the same could be applicable in India. "Heavy penalties may help nudge businesses to secure citizens' data and protect their privacy," he says.
Singh says that just because the upper limit of the penalty for serious data violations is capped at $2 million, it doesn't mean every company will face the highest penalty. "Similar to criminal law, the punishment is given in proportion to violations observed and steps taken," he says.
Vijayashankar shares that opinion. He says penalties would act as a deterrent, as there have been huge penalties imposed on large tech firms in the EU, leading to stronger cybersecurity vigilance and controls. An example is the $885 million fine that was imposed on Amazon in July for violating the GDPR's data protection norms.
Cyber law expert and Supreme Court advocate Karnika Seth also says that stringent laws will create a deterrent to companies committing data violations and make them more serious about practicing due diligence when it comes to processing people's data.
Will Penalties Act as a Deterrent?
Supreme Court advocate and founder and chairman of the International Commission on Cyber Security Law, Pavan Duggal, tells ISMG why he believes the rule for imposing higher penalties is a paper tiger and will not translate to fewer data violations.
"I don't think the $2 million penalty is going to act as a deterrent to India. This is because in our country, the law of torts is very poorly developed."
He says that regardless of the penalty amount the law imposes, the reality is that very few penalties are actually imposed and that penalization is a long, drawn-out process that involves high legal costs.
"If you're expecting a $2 million penalty being imposed, it is not going to happen. Establishing the violation, level of damage caused and the amount of money that needs to be awarded are going to be some of the challenges," Duggal says.
He says the only way to see effective deterrents in India is to focus on criminal liability. "Once an organization knows there's a Sword of Damocles hanging above, the chances of it complying with Indian law is going to be higher."
Nappinai agrees. She says that while higher penalties are meant to create deterrence, they don't necessarily amount to fewer violations. "Do we see fewer capital crimes just because there's a death penalty in place?" she asks.
She says the important question is whether the penalties could stifle businesses, especially startups, and hamper innovation.
"What can truly create deterrence is the enforcement of the law. EU has GDPR, but has that stopped data breach incidents or big tech from violating citizens' rights? It's important for people to be cognizant of their rights and the courts or tribunals to understand the seriousness of data protection," says Nappinai.
When people see the law actually being put to work, she says, fear would act as a deterrent.