CHAPTER XI

PENALTIES AND REMEDIES

69. Penalties.—

(1) Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable—

(a) obligation to take prompt and appropriate action in response to a data security breach under section 32 of this Act;

(b) obligation to undertake a data protection impact assessment by a significant data fiduciary under section 33 of this Act;

(c) obligation to conduct a data audit by a significant data fiduciary under section 35 of this Act;

(d) appointment of a data protection officer by a significant data fiduciary under section 36 of this Act;

(e) failure to register with the Authority under sub-section (2) of section 38.

(2) Where a data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable—

(a) processing of personal data in violation of the provisions of Chapter II;

(b) processing of personal data in violation of the provisions of Chapter III;

(c) processing of sensitive personal data in violation of the provisions of Chapter IV of this Act;

(d) processing of personal data of children in violation of the provisions of Chapter V;

(e) failure to adhere to security safeguards as per section 31 of this Act;

(f) transfer of personal data outside India in violation of section 41 of this Act.

Explanation I. For the purposes of this section, “total worldwide turnover” means the gross amount of revenue recognised in the profit and loss account or any other equivalent statement, as applicable, from the sale, supply or distribution of goods or services or on account of services rendered, or both, and where such revenue is generated within India and outside India.

Explanation II. For the purposes of this section, it is hereby clarified that total worldwide turnover in relation to a data fiduciary is the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors, including—

(i) the alignment of the overall economic interests of the data fiduciary and the group entity;

(ii) the relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary; and

(iii) the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be.


70. Penalty for failure to comply with data principal requests under Chapter VI.—

Where, any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter VI of this Act, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.


71. Penalty for failure to furnish report, returns, information, etc.—

If any data fiduciary, who is required under this Act, or rules prescribed or regulations specified thereunder, to furnish any report, return or information to the Authority, fails to furnish the same, then such data fiduciary shall be liable to penalty which shall be ten thousand rupees for each day during which such default continues, subject to a maximum of twenty lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.


72. Penalty for failure to comply with direction or order issued by the Authority.—

If any data fiduciary or data processor fails to comply with any direction issued by the Authority under section 62 or order issued by the Authority under section 65, as applicable, such data fiduciary or data processor shall be liable to a penalty which, in case of a data fiduciary may extend to twenty thousand rupees for each day during which such default continues, subject to a maximum of two crore rupees, and in case of a data processor may extend to five thousand rupees for each day during which such default continues, subject to a maximum of fifty lakh rupees.


73. Penalty for contravention where no separate penalty has been provided.—

Where any person fails to comply with any provision of this Act, or rules prescribed or regulations specified thereunder as applicable to such person, for which no separate penalty has been provided, then such person shall be liable to a penalty subject to a maximum of one crore rupees in case of significant data fiduciaries, and a maximum of twenty five lakh rupees in all other cases.


74. Adjudication by Adjudicating Officer.—

(1) No penalty shall be imposed under this Chapter except after conducting an inquiry in such manner as may be prescribed, and the data fiduciary or data processor or any person, as the case may be, has been given a reasonable opportunity of being heard.

(2) While holding an inquiry, the Adjudicating Officer shall have the power to summon and enforce the attendance of any person acquainted with the facts and circumstances of the case to give evidence or to produce any document which, in the opinion of the Adjudicating Officer, may be useful for or relevant to the subject matter of the inquiry.

(3) If, on the conclusion of such inquiry, the Adjudicating Officer is satisfied that the person has failed to comply with the provisions of this Act or has caused harm to any data principal as a result of any violation of the provisions of this Act, which a penalty may be imposed under section 69 to section 73, the Adjudicating Officer may impose a penalty in accordance with the provisions of the appropriate section.

(4) While deciding whether to impose a penalty under sub-section (3) of this section and in determining the quantum of penalty under section 69 to section 73, the Adjudicating Officer shall have due regard to the following factors, as may be applicable—

(a) nature, gravity and duration of violation taking into account the nature, scope and purpose of processing concerned;

(b) number of data principals affected, and the level of harm suffered by them;

(c) intentional or negligent character of the violation;

(d) nature of personal data impacted by the violation;

(e) repetitive nature of the default;

(f) transparency and accountability measures implemented by the data fiduciary or data processor including adherence to any relevant code of practice relating to security safeguards;

(g) action taken by the data fiduciary or data processor to mitigate the harm suffered by data principals; and

(h) any other aggravating or mitigating factors relevant to the circumstances of the case, such as, the amount of disproportionate gain or unfair advantage, wherever quantifiable, made as a result of the default.

(5) Any person aggrieved by an order under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.


75. Compensation.—

(1) Any data principal who has suffered harm as a result of any violation of any provision under this Act, or rules prescribed or regulations specified hereunder, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor, as the case may be.

Explanation.- For the removal of doubts, it is hereby clarified that a data processor shall be liable only where it has acted outside or contrary to the instructions of the data fiduciary pursuant to section 37, or where the data processor is found to have acted in a negligent manner, or where the data processor has not incorporated adequate security safeguards under section 31, or where it has violated any provisions of this Act expressly applicable to it.

(2) The data principal may seek compensation under this section pursuant to a complaint instituted in such form and manner as may be prescribed before an Adjudicating Officer.

(3) Where there are one or more data principals or any identifiable class of data principals who have suffered harm as a result of any violation by the same data fiduciary or data processor, one complaint may be instituted on behalf of all such principals seeking compensation for the harm suffered.

(4) While deciding whether to award compensation and the amount of compensation under this section, the Adjudicating Officer shall have due regard to the following factors, namely—

(a) nature, duration and extent of violation of the provisions of the Act, rules prescribed, or regulations specified thereunder;

(b) nature and extent of harm suffered by the data principal;

(c) intentional or negligent character of the violation;

(d) transparency and accountability measures implemented by the data fiduciary or the data processor, as the case may be, including adherence to any relevant code of practice relating to security safeguards;

(e) action taken by the data fiduciary or the data processor, as the case may be, to mitigate the damage suffered by the data principal;

(f) previous history of any, or such, violation by the data fiduciary or the data processor, as the case may be;

(g) whether the arrangement between the data fiduciary and data processor contains adequate transparency and accountability measures to safeguard the personal data being processed by the data processor on behalf of the data fiduciary;

(h) any other aggravating or mitigating factor relevant to the circumstances of the case, such as, the amount of disproportionate gain or unfair advantage, wherever quantifiable, made as a result of the default.

(5) Where more than one data fiduciary or data processor, or both a data fiduciary and a data processor are involved in the same processing activity and are found to have caused harm to the data principal as per this section, then each data fiduciary or data processor may be ordered to pay the entire compensation for the harm in order to ensure effective and speedy compensation to the data principal.

(6) Where a data fiduciary or a data processor has, in accordance with sub-section (5), paid the entire amount of compensation for the harm suffered by the data principal, such data fiduciary or data processor shall be entitled to claim from the other data fiduciaries or data processors, as the case may be, that amount of compensation corresponding to their part of responsibility for the harm caused.

(7) Any person aggrieved by an order made under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.

(8) The Central Government may prescribe the procedure for hearing of a complaint under this section.


76. Compensation or penalties not to interfere with other punishment.—

No compensation awarded, or penalty imposed, under this Act shall prevent the award of compensation or imposition of any other penalty or punishment under any other law for the time being in force.


77. Data Protection Funds.—

(1) There shall be constituted a fund to be called the Data Protection Authority Fund to which the following shall be credited—

(a) all Government grants, fees and charges received by the Authority under this Act; and

(b) all sums received by the Authority from such other source as may be decided upon by the Central Government, but which shall not include the sums mentioned in sub-section (3).

(c) The Data Protection Authority Fund shall be applied for meeting—

(i) the salaries, allowances and other remuneration of the chairperson, members, officers, employees, consultants and experts appointed by the Authority; and

(ii) the other expenses of the Authority in connection with the discharge of its functions and for the purposes of this Act.

(2) Without prejudice to the foregoing, there shall also be constituted a fund to be called the Data Protection Awareness Fund to which all sums realised by way of penalties by the Authority under this Act shall be credited.

(3) The Data Protection Awareness Fund shall be applied solely for the purpose of generating awareness regarding data protection including for the purposes set out in clauses (m), (o) and (p) of sub-section (2) of section 61 and for no other purpose whatsoever.


78. Recovery of Amounts.—

(1) The Authority shall, by an order in writing, appoint at least one officer or employee as a Recovery Officer for the purpose of this Act.

(2) Where any person fails to comply with—

(a) an order of the Adjudicating Officer imposing a penalty under the provisions of this Act; or

(b) an order of the Adjudicating Officer directing payment of compensation under the provisions of this Act,

the Recovery Officer may recover from such person the aforesaid amount in any of the following ways, in descending order of priority, namely—

(i) attachment and sale of the person's movable property;

(ii) attachment of the person's bank accounts;

(iii) attachment and sale of the person's immovable property;

(iv) arrest and detention of the person in prison;

(v) appointing a receiver for the management of the person's movable and immovable properties.

(3) For the purpose of such recovery, the provisions of section 220 to section 227, and sections 228A, 229 and 232, the Second and Third Schedules of the Income Tax Act, 1961 (43 of 1961) and the Income Tax (Certificate Proceedings) Rules, 1962, as in force from time to time, in so far as may be, shall apply with necessary modifications as if the said provisions and rules—

(a) were the provisions of this Act; and

(b) referred to the amount due under this Act instead of to income tax under the Income Tax Act, 1961 (43 of 1961).

(4) In this section, the movable or immovable property or monies held in a bank account shall include property or monies which meet all the following conditions—

(a) property or monies transferred by the person without adequate consideration;

(b) such transfer is made:

(i) on or after the date on which the amount in the certificate drawn up under section 222 of the Income Tax Act, 1961 (43 of 1961) had become due; and

(ii) to the person's spouse, minor child, son's wife or son's minor child

(c) such property or monies are held by, or stand in the name of, any of the persons referred to in sub-clause (b), including where they are so held or stand in the name of such persons after they have attained the age of majority.

(5) The Recovery Officer shall be empowered to seek the assistance of the local district administration while exercising the powers under this section.