India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee comprising members of both Houses of the Parliament (“Committee”).
On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.
Part 9 of this series discusses “Penalties” under the PDPB Bill.
PENALTIES
The Bill prescribes varying penalties.
| Nature of Offence | Maximum Penalties |
| --- | --- |
| A data fiduciary’s failure to comply with its security and transparency obligations | The government has the right to prescribe penalties, but such penalties cannot exceed the higher of INR 150,000,000 or 4% of a data fiduciary’s worldwide turnover in the preceding year (or the higher of INR 50,000,000 or 2% of a data fiduciary’s worldwide turnover in the preceding year, depending on the nature of the offence). |
| A failure to comply with data principals’ requests in respect of data principals’ rights | Significant data fiduciaries: INR 1,000,000; Data fiduciaries: INR 500,000 |
| Failure to furnish reports and information to the Authority | Significant data fiduciaries: INR 2,000,000; Data fiduciaries: INR 500,000 |
| Failure to comply with orders or directions of the Authority | Data fiduciaries: INR 20,000,000; Data processors: INR 5,000,000 |
| Reidentification and processing of de-identified personal data without the consent of a data fiduciary or data processor | Both imprisonment of up to 3 years and a fine which may extend to INR 200,000 |
| Offences for which specific penalties have not been provided | Significant data fiduciaries: INR 10,000,000; Data fiduciaries and data processors: INR 2,500,000 |