The Centre will grab the penalties it collects from physical and online companies and platforms that misuse personal data.
The Digital Personal Data Protection (DPDP) Bill said “all sums realised by way of penalties imposed by the Data Protection Board under this Act, shall be credited to the Consolidated Fund of India”.
Analysts said this clearly indicates the person whose data has been breached would not get any compensation.
While the Data Protection Board can impose a penalty of up to Rs 250 crore on an entity for a personal data breach, none of this goes to the user, who is the victim of the data breach.
Additionally, the bill removes section 43A of the IT Act, 2000, which provides such compensation.
On the other hand, the DPDP Bill allows the Data Protection Board to levy a penalty of up to Rs 10,000 if users fail to perform their duties as listed in the bill.
One of the duties, for example, is that users should not register false or frivolous grievances or complaints with a Data Fiduciary or the Data Protection Board.
Analysts said, “This provision could deter users from filing complaints in the first place in fear of a fine. A bill that’s about protecting the right to privacy of users should not be levying any penalties on users.”
Cyberspace advocate N.S. Nappinai said: “Absence of processes for compensation to data principals is an obvious miss. Section 43A IT Act provides for compensation to the data principal who may be victimised.”
“Naturally Section 43A IT Act is being deleted pursuant to the DPDP Act but no provision for compensation is provided and the simple remedy of approaching an authority would also stand deleted without alternatives being provided in the DPDP,” he said.
“Section 43A of the IT Act provides for damages payable by compensation to the affected person. However, the DPDP Bill has not touched on compensation payable to the affected person. This approach taken under the DPDP Bill is a deviation from several data protection legislations across the world,” Supratim Chakraborty, partner at Khaitan and Co, said.
He said the EU provides a specific right to the affected person in the form of seeking compensation for the damage suffered. However, others have welcomed the bill because it drops all criminal penalties for non-compliance under the DPDP Bill.
“The DPDP Bill only imposes monetary liabilities for any contraventions, in line with India’s moves towards de-criminalisation of economic offences. The DPDP Bill also allows entities to provide voluntary undertakings to the Data Protection Board for undertaking specific actions. This is a positive step in accordance with prevailing global best practices,” said Shardul Amarchand Mangaldas & Co in a statement.
The Digital Personal Data Protection Bill, 2023 aims to “provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes,” according to the ministry of information technology.
Companies and institutions can be penalised for non-compliance, and for failing to take reasonable measures to prevent data breaches.
With inputs from Reuters