Personal Data Protection Bill: Companies to face penalty for violation

On December 4, the Union Cabinet cleared the Personal Data Protection Bill (PDPB), which is due to be placed in Parliament. It is likely to be introduced for discussion before the ongoing winter session of Parliament.

The bill defines three types of personal data: sensitive data, consisting of passwords, financial data, official identifiers, sexual orientation, and religious or caste data; critical data, which will be characterized by the government from time to time and must be stored and handled only in India; and general data, which is non-critical and non-sensitive.

The bill, when implemented, will require many private entities, including Indian IT companies, to review their policies regarding data protection and processing. The proposed bill applies to both the government and private firms established in India as well as abroad. Non-compliance with the regulation may lead to financial penalties of up to ₹15 crore or 4% of their global annual turnover in case of major violations.

However, the government is likely to give companies up to two years to comply with the regulations in the Data Protection Bill 2019 after it becomes law.

The draft Bill was submitted to the government by a committee led by a retired Supreme Court judge in July 2018. Aruna Sundararajan, one of the members of the Bill’s drafting panel, says, “Once the Bill is passed and notified, it will be implemented in a calibrated manner. The companies will get a lead time, but they will have to get their act together quickly as there is enough precedent set with GDPR.”

However, private companies and start-ups may have to completely renew their systems to meet the proposed regulations. The Bill seeks to put control of the data in the hands of the people. This means organisations will have to seek the individual’s consent before taking any personal data and will have to notify them about the purpose of its use.

Within a year of GDPR's inception, over 200,000 GDPR cases were reported, and a total of 55 million fines were issued, according to the European Data Protection Board (EDPB). Overall, penalties of around 38.7 crores were doled out.

The principal focus would be on balancing the need to improve technological progress. This will not only build individuals’ trust in such enterprises, but will also help India gain and establish better trust in the larger global trade landscape.

