The news is by your side.

The Data Protection Bill Includes a Penalty of Up to Rs 200 Crore for Firms Without Protections

Instead of the Data Protection Authority, the new draught proposes the establishment of an appellate body known as the Data Protection Board, as first reported by HT in August.

Companies that handle consumer personal data and fail to take adequate precautions to avoid data breaches might face fines of up to Rs 200 crore under the revised Data Protection Bill. The Data Protection Board, an adjudicating body proposed to implement Bill’s provisions, is expected to be empowered to impose the amount after hearing from the corporations.

Penalties are expected to vary depending on the degree of noncompliance by data fiduciaries businesses that handle and process persons’ personal data. Companies that fail to notify consumers affected by a data breach might face a Rs 150 crore fine, while those that fail to protect children’s personal data could face a Rs 100 crore penalty.

In the previous version of the Bill, which was withdrawn earlier this year, the penalty for a corporation breaking the legislation was Rs 15 crore or 4% of its annual revenue, whichever was greater.

The government is expected to release a final draught version of the modified Bill, internally referred to as the ‘Digital Personal Data Protection Bill,’ this week. The new Bill will solely address personal data security and is said to exclude non-personal data from its scope. Non-personal data is defined as any information that does not reveal an individual’s identity.

Fines for data misuse were not considered an effective deterrent in the prior version of the Bill. The increased penalties recommended now would encourage entities to put in place adequate safeguards to protect data and impose fiduciary discipline.

“There will also be a strict or purpose limitation of data collected by companies and the time till which they can store it under the new Bill,” said a senior government official who did not want to be identified. It has been learned that data fiduciaries will be compelled to stop retaining personal data and destroy previously gathered data if the original reason for which it was collected has been met.

The revised version of the Bill is expected to be presented alongside an explanatory summary, similar to the recently published draught Indian Telecommunication Bill, 2022. The Bill will be subjected to wide comment before being submitted in Parliament during the Budget session next year.

Comments are closed, but trackbacks and pingbacks are open.