New Delhi: Any entity, including the state, company or individual, may be penalised up to Rs 15 crore or four per cent of their turnover for violating norms proposed under the draft Personal Data Protection bill.
The bill, submitted by the Justice Srikrishna Committee to the information and technology ministry, has proposed a jail term of up to three years for individuals found violating data protection rules under the bill in the works.
“Where a data fiduciary contravenes any of the following provisions, it shall be liable to a penalty that may extend up to Rs 15 crore or four per cent of its total worldwide turnover of the preceding financial year,” according to the draft bill.
The bill applies to all entities, including the state, a company, any juristic entity or any individual, that are involved in the processing of personal data.
The data protection framework in the works requires data fiduciaries to report data breaches, get their data audited, obtain the requisite permission before processing data, and appoint a data protection officer who will check various kinds of compliance, among other things.
The bill has proposed imprisonment of up to three years, a fine of Rs 2 lakh, or both if a person obtains, discloses, transfers or sells personal data in a way that harms the affected person.
In the case of sensitive data, the violator can be punished with a jail term of up to five years, a fine of Rs 3 lakh, or both.
The bill proposes a jail term of up to three years, a fine of Rs 2 lakh, or both if a person is found to have knowingly, intentionally or recklessly re-identified personal data which has been de-identified by a data fiduciary or a data processor without their consent.
Under the new framework, a violator can be penalised up to Rs 1 crore for a significant breach and up to Rs 25 lakh in all other cases where no separate penalty has been provided.
The bill has proposed the creation of a Data Protection Authority, which will have the power to investigate contraventions of the framework in the works. The authorised officer will have the power to search any premises, books, documents and records where data is kept, and to seize any computer, device or records required for investigation or as evidence.