|
The Data Protection Bill 2021
(This Bill has since been withdrawn and a new version is expected to
be presented.) |
Section |
CHAPTER X
PENALTIES AND COMPENSATION |
57 |
Penalties for contravening certain provisions of (***) Act.
(1) Where the data fiduciary contravenes any of the following
provisions, namely:-
(a) obligation to take prompt and appropriate action in
response to a data (***) breach under section 25;
(b) failure to register with the Authority under sub-section (2)
of section 26;
(c) obligation to undertake a data protection impact assessment
by a significant data fiduciary under section 27;
(d) obligation to conduct a data audit by a significant data
fiduciary under section 29; or
(e) appointment of a data protection officer by a significant
data fiduciary under section 30,
it shall be liable to (***) such penalty (***) as may be
prescribed (***), not exceeding five crore rupees or two percent
of its total worldwide turnover of the preceding financial year,
whichever is higher.
(2) Where a data fiduciary contravenes any of the following
provisions, namely:—
(a) processing of personal data in violation of the
provisions of Chapter II or Chapter III;
(b) processing of personal data of children in violation of the
provisions of Chapter IV;
(c) failure to adhere to security safeguards as per section
24; or
(d) transfer of personal data outside India in violation of the
provisions of Chapter VII,
it shall be liable to (***) such penalty (***) as may be
prescribed (***) not exceeding fifteen crore rupees or
four per cent. of its total worldwide turnover of the preceding
financial year, whichever is higher.
(3) For the purposes of this section, (***)
(a) the expression "total worldwide turnover" means the gross
amount of revenue recognised in the profit and loss account or any
other equivalent statement, as applicable, from the sale, supply or
distribution of goods or services or on account of services
rendered, or both, and where such revenue is generated within India
and outside India.
(b) it is hereby clarified that "total worldwide turnover" in
relation to a data fiduciary is the total worldwide turnover of the
data fiduciary and the total worldwide turnover of any group entity
of the data fiduciary where such turnover of a group entity arises
as a direct result of the processing activities of the data
fiduciary, having regard to factors, including
(i) the (***) activities of the data fiduciary and the group
entity are aligned in relation to the processing and use of data;
(ii) there exists a relationship between the data fiduciary and
the group entity specifically in relation to the processing activity
undertaken by the data fiduciary; and
(iii) the degree of control exercised by the group entity over
the data fiduciary or vice-versa, as the case may be.
(c) where any of the (***) provisions referred to in this section
has been contravened by the State, the maximum penalty shall not
exceed five crore rupees under sub-section (1), and fifteen crore
rupees under sub-section (2), respectively.
|
58 |
Penalty for failure to comply with data principal requests under
Chapter V.
Where, any data fiduciary, without any reasonable explanation,
fails to comply with any request made by a data principal under
Chapter V, such data fiduciary shall be liable to a penalty of five
thousand rupees for each day during which such default continues,
subject to a maximum of ten lakh rupees in case of significant data
fiduciaries and five lakh rupees in other cases.
|
59 |
Penalty for failure to furnish report, returns, information, etc.
If any data fiduciary, who is required under this Act or
the rules or regulations made thereunder, to furnish any report,
return or information to the Authority, fails to furnish the same,
then such data fiduciary shall be liable to a penalty which shall be
ten thousand rupees for each day during which such default
continues, subject to a maximum of twenty lakh rupees in case of
significant data fiduciaries and five lakh rupees in other cases.
|
60 |
Penalty for failure to comply with direction or order issued by
Authority.
If any data fiduciary or data processor fails to comply with any
directions issued by the Authority under section 51 or order issued
by the Authority under section 54,-
(i) such data fiduciary (***) shall be liable to a penalty which may
extend to twenty thousand rupees for each day during which such
default continues, subject to a maximum of two crore rupees(***); or
(ii) such data processor shall be liable to a penalty which (***)
may extend to five thousand rupees for each day during which such
default continues, subject to a maximum of fifty lakh rupees.
|
61 |
Penalty for contravention where no separate penalty has been
provided.
Where any person fails to comply with any provision of this Act
or the rules or regulations made thereunder applicable to such
person, for which no separate penalty has been provided, then, such
person shall be liable to a penalty which may extend to a maximum of
one crore rupees in case of significant data fiduciaries, and a
maximum of twenty-five lakh rupees in other cases.
|
62 |
Right to file complaint or application.
The aggrieved data principal referred to in section 32 may file a
complaint to the Authority within such period and in such manner as
may be specified by regulations.
(2) The data principal may seek compensation under section 65 by
filing an application to the Authority in such form, manner and
within such period as may be prescribed.
(3) The Authority may forward the complaint or application filed by
the data principal to the Adjudicating Officer for adjudging such
complaint or application, as the case may be.
|
63 |
Appointment of Adjudicating Officer.
(1) For the purpose of adjudging the penalties under sections 57
to 61 or awarding compensation under section 65, the Authority shall
appoint such Adjudicating Officers as may be (***) required.
(2) The Central Government shall, having regard to the need to
ensure the operational segregation, independence, and neutrality of
the adjudication under this Act, prescribe—
(a) the number of Adjudicating Officers to be appointed under
sub-section (1);
(b) the manner and terms of appointment of Adjudicating Officers
ensuring independence of such officers;
(c) the jurisdiction of Adjudicating Officers; and
(d) such other requirements as (***) may (***) be prescribed.
(3) The Adjudicating Officers shall be persons of ability, integrity
and standing, and (***) shall possess such qualifications,
specialized knowledge, (***) and (***) adequate (***) professional
experience, in the fields of law, cyber and internet laws,
information technology law and policy, data protection and related
subjects, as may be prescribed.
|
64 |
Procedure for adjudication by Adjudicating Officer.
(1) No penalty shall be imposed under this Chapter, except after an inquiry
made in such manner as may be prescribed, and the data fiduciary or data
processor or any person, as the case may be, has been given an
(***) opportunity of being heard:
Provided that no inquiry under this section shall be initiated except by
a complaint made by the Authority.
(2) While holding an inquiry, the Adjudicating Officer shall have the
power to summon and enforce the attendance of any person acquainted with
the facts and circumstances of the case to give evidence or to produce
any document which, in the opinion of the Adjudicating Officer, may be
useful for or relevant to the subject matter of the inquiry.
(3) If, on the conclusion of such inquiry, the Adjudicating Officer is
satisfied that the person has failed to comply with the provisions of
this Act or has caused harm to any data principal as a result of any
contravention of the provisions of this Act, the Adjudicating Officer
may impose such penalty as specified under relevant section.
(4) While deciding whether to impose a penalty under sub-section (3) and
in determining the quantum of penalty under sections 57 to 61, the
Adjudicating Officer shall have due regard to the guidelines as may be
specified by the Authority for determination and imposition of penalty
taking into account any of the following factors, namely:—
(a) nature, gravity and duration of violation taking into account
the nature, scope and purpose of processing concerned;
(b) number of data principals affected, and the level of harm
suffered by them;
(c) intentional or negligent character of the violation;
(d) nature of personal data impacted by the violation;
(e) repetitive nature of the default;
(f) transparency and accountability measures implemented by the data
fiduciary or data processor including adherence to any relevant code
of practice relating to security safeguards;
(g) action taken by the data fiduciary or data processor to mitigate
the harm suffered by data principals; (***) or
(h) any other aggravating or mitigating factors relevant to the
circumstances of the case, such as, the amount of disproportionate
gain or unfair advantage, wherever quantifiable, made as a result of
the default.
(5) Any person aggrieved by an order made under this section by the
Adjudicating Officer may prefer an appeal to the Appellate Tribunal
under section 73. |
65 |
Compensation.
(1) Any data principal who has suffered harm as a result of any
violation of any provision under this Act or the rules or
regulations made thereunder, by a data fiduciary or a data
processor, shall have the right to seek compensation from the data
fiduciary or the data processor, as the case may be.
Explanation.—For the removal of doubts, it is hereby clarified that
a data processor shall be liable only where it has acted outside or
contrary to the instructions of the data fiduciary pursuant to
section 31, or where the data processor is found to have acted in a
negligent manner, or where the data processor has not incorporated
adequate security safeguards under section 24, or where it has
violated any provisions of this Act. (***)
(2) (***)
(2) Where there are one or more data principals or any identifiable
class of data principals who have suffered harm as a result of any
contravention by the same data fiduciary or data processor, (***) a
representative application may be instituted on behalf of all such
data principals seeking compensation for the harm suffered.
(3) While deciding to award compensation and the amount of
compensation under this section, the Adjudicating Officer shall have
regard to any of the following factors, namely:—
(a) nature, duration and extent of violation of the
provisions of the Act, rules (***) or regulations (***) made
thereunder;
(b) nature and extent of harm suffered by the data principal;
(c) intentional or negligent character of the violation;
(d) transparency and accountability measures implemented by the
data fiduciary or the data processor, as the case may be,
including adherence to any relevant code of practice relating to
security safeguards;
(e) action taken by the data fiduciary or the data processor, as
the case may be, to mitigate the damage suffered by the data
principal;
(f) previous history of any, or such violation by the data
fiduciary or the data processor, as the case may be;
(g) whether the arrangement between the data fiduciary and data
processor contains adequate transparency and accountability
measures to safeguard the personal data being processed by the
data processor on behalf of the data fiduciary; or
(h) any other aggravating or mitigating factor relevant to the
circumstances of the case, such as, the amount of
disproportionate gain or unfair advantage, wherever
quantifiable, made as a result of the default.
(4) Where more than one data fiduciary or data processor, or both
a data fiduciary and a data processor are involved in the same
processing activity and are found to have caused harm to the data
principal, then, each data fiduciary or data processor may be
ordered to pay the entire compensation for the harm to ensure
effective and speedy compensation to the data principal.
(5) Where a data fiduciary or a data processor has, in accordance
with sub-section (4), paid the entire amount of compensation for the
harm suffered by the data principal, such data fiduciary or data
processor shall be entitled to claim from the other data fiduciaries
or data processors, as the case may be, that amount of compensation
corresponding to their part of responsibility for the harm caused.
(6) Any person aggrieved by an order made under this section by the
Adjudicating Officer may prefer an appeal to the Appellate Tribunal
under section 73.
(7) The (***) procedure for hearing of (***) an application under
this section shall be such as may be prescribed.
|
66 |
Compensation or penalties not to interfere with other
punishment.
No compensation awarded, or penalty imposed, under this Act shall
prevent the award of compensation or imposition of any other penalty
or punishment under this Act or any other law for the time being in
force.
|
67 |
Recovery of amounts.
(1) The amount of any penalty imposed or compensation awarded under
this Act, if not paid, may be recovered as if it were an arrear of
land revenue.
(2) All sums realised by way of penalties under this Act shall be
credited to the Consolidated Fund of India.
|