Harsh penalties tip scales for producers of personal data, but leave startups vulnerable
The committee, which recently released the draft of the Personal Data Protection Bill, has been advocating a penalty scheme.
To this end, the panel appears to have largely borrowed from the European Union’s General Data Protection Regulation (GDPR).
The draft Bill prescribes a range of penalties that can go up to Rs 15 crore or 4% of the worldwide revenue of the data fiduciary (controller), including any group entity -- whichever is higher. Without a doubt, the amount in question is significant. The draft Bill also proposes certain grounds for levying penalties each day in case of continued default.
Undoubtedly, the fear of these penalties will compel entities to comply with the norms. However, it is worth examining whether such a strong deterrent is necessary. In today’s day and age, perhaps the most valuable asset of an enterprise is its goodwill. Companies strive to ensure that their reputation is not dented. For instance, after the Cambridge Analytica news broke earlier this year, the public backlash forced the authorities as well as the party in question to take notice. The stock prices of Cambridge Analytica plummeted.
Therefore, the larger data controllers will in any case be wary of repercussions. The monetary penalty will only be a meagre percentage of their global revenue, but the damage to their reputation will have a far bigger impact.
The heat will be felt most by smaller companies and start-ups, which are struggling to get their footing in an already competitive market.
Interestingly, while examining the UK Data Protection Act, the draft Bill committee noted it is important that the sector, size, financials and other resources of the data controller are considered before imposing the financial penalty. The idea is “not to impose undue financial hardship on an otherwise responsible entity”, the committee remarked in the white paper.
It is pertinent to mention that similar criticism was made with respect to GDPR. Notably, GDPR has been in force for over three months now, but no case of a fine being imposed has come to light. This can only mean two things: either the deterrent is extremely effective, or there are no effective means of enforcing GDPR.
Like GDPR, the draft Bill allows a data principal (owner of personal data) to claim compensation from the data controller for any harm suffered.
The situation becomes complicated with the definition of ‘harm’ under the Bill, which comprises not only elements such as bodily or mental injury, financial loss or loss of property, and loss of reputation, but also loss of employment, discriminatory treatment and denial of any service. To add to this, the burden of proof always lies with the data controller to establish that the violation had not taken place.
Perhaps a system of checks and balances could have been introduced to ease the situation. For example, the Consumer Protection Act discourages the filing of vexatious complaints by imposing a cost on such a litigant. A similar approach has been adopted by the Supreme Court of India in the context of frivolous public interest litigations. This will help ensure only genuine claims for compensation are made.
The draft Bill states consequences for intentional and reckless violations such as imprisonment up to three years, a fine up to Rs 2 lakh, or both. This finds precedent in the Information Technology (IT) Act, but that law covers aspects other than data protection, such as cyber terrorism, computer-related offences, and cheating by impersonation.
More importantly, an offence under the Bill is non-bailable and cognisable, which is not only extremely harsh, but also neglectful of the Code of Criminal Procedure and at variance with the IT Act.
It does not end here. The data-protection authority can suspend the business of an entity, restrict cross-border flow of data, conduct search and seizure, and more.
A raw deal for the industry
From the above, one cannot help but notice that the scales are tipped in favour of one stakeholder, the owner of personal data. In a bid to empower the data owner, it appears the draft Bill has unintentionally put the industry in a vulnerable position. In our view, it is essential to bring suitable changes to the draft Bill to ensure that the industry is not beaten down at a time when the world is entering one of the most dynamic phases of technology and entrepreneurship.
This is the last of a five-part series that analyses the draft Personal Data Protection Bill.
Harsh Walia is an associate partner at law firm Khaitan & Co. based in Delhi. Views are his own.