CHAPTER X
PENALTIES AND COMPENSATION
57. Penalties for contravening certain provisions of the Act.
(1) Where the data fiduciary contravenes any of the following provisions,—
(a) obligation to take prompt and appropriate action in response to a data security breach under section 25;
(b) failure to register with the Authority under sub-section (2) of section 26;
(c) obligation to undertake a data protection impact assessment by a significant data fiduciary under section 27;
(d) obligation to conduct a data audit by a significant data fiduciary under section 29;
(e) appointment of a data protection officer by a significant data fiduciary under section 30,
it shall be liable to a penalty which may extend to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
(2) Where a data fiduciary contravenes any of the following provisions,—
(a) processing of personal data in violation of the provisions of Chapter II or Chapter III;
(b) processing of personal data of children in violation of the provisions of Chapter IV;
(c) failure to adhere to security safeguards as per section 24; or
(d) transfer of personal data outside India in violation of the provisions of Chapter VII,
it shall be liable to a penalty which may extend to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
(3) For the purposes of this section,—
(a) the expression "total worldwide turnover" means the gross amount of revenue recognised in the profit and loss account or any other equivalent statement, as applicable, from the sale, supply or distribution of goods or services or on account of services rendered, or both, and where such revenue is generated within India and outside India;
(b) it is hereby clarified that total worldwide turnover in relation to a data fiduciary is the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors, including—
(i) the alignment of the overall economic interests of the data fiduciary and the group entity;
(ii) the relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary; and
(iii) the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be;
(c) where any of the provisions referred to in this section has been contravened by the State, the maximum penalty shall not exceed five crore rupees under sub-section (1), and fifteen crore rupees under sub-section (2), respectively.
58. Penalty for failure to comply with data principal requests under Chapter V.
Where any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter V, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
59. Penalty for failure to furnish report, returns, information, etc.
If any data fiduciary, who is required under this Act, or the rules or regulations made thereunder, to furnish any report, return or information to the Authority, fails to furnish the same, then such data fiduciary shall be liable to a penalty which shall be ten thousand rupees for each day during which such default continues, subject to a maximum of twenty lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
60. Penalty for failure to comply with direction or order issued by Authority.
If any data fiduciary or data processor fails to comply with any direction issued by the Authority under section 51 or order issued by the Authority under section 54, such data fiduciary or data processor shall be liable to a penalty which may extend to twenty thousand rupees for each day during which such default continues, subject to a maximum of two crore rupees; in the case of a data processor, it may extend to five thousand rupees for each day during which such default continues, subject to a maximum of fifty lakh rupees.
61. Penalty for contravention where no separate penalty has been provided.
Where any person fails to comply with any provision of this Act or the rules or regulations made thereunder applicable to such person, for which no separate penalty has been provided, then, such person shall be liable to a penalty which may extend to a maximum of one crore rupees in case of significant data fiduciaries, and a maximum of twenty five lakh rupees in other cases.
62. Appointment of Adjudicating Officer.
(1) For the purpose of adjudging the penalties under sections 57 to 61 or awarding compensation under section 64, the Authority shall appoint such Adjudicating Officer as may be prescribed.
(2) The Central Government shall, having regard to the need to ensure the operational segregation, independence, and neutrality of the adjudication under this Act, prescribe—
(a) number of Adjudicating Officers to be appointed under sub-section (1);
(b) manner and terms of appointment of Adjudicating Officers ensuring independence of such officers;
(c) jurisdiction of Adjudicating Officers;
(d) other such requirements as the Central Government may deem fit.
(3) The Adjudicating Officers shall be persons of ability, integrity and standing, and must have specialised knowledge of, and not less than seven years professional experience in the fields of law, cyber and internet laws, information technology law and policy, data protection and related subjects.
63. Procedure for adjudication by Adjudicating Officer.
(1) No penalty shall be imposed under this Chapter, except after an inquiry made in such manner as may be prescribed, and the data fiduciary or data processor or any person, as the case may be, has been given a reasonable opportunity of being heard:
Provided that no inquiry under this section shall be initiated except by a complaint made by the Authority.
(2) While holding an inquiry, the Adjudicating Officer shall have the power to summon and enforce the attendance of any person acquainted with the facts and circumstances of the case to give evidence or to produce any document which, in the opinion of the Adjudicating Officer, may be useful for or relevant to the subject matter of the inquiry.
(3) If, on the conclusion of such inquiry, the Adjudicating Officer is satisfied that the person has failed to comply with the provisions of this Act or has caused harm to any data principal as a result of any contravention of the provisions of this Act, the Adjudicating Officer may impose such penalty as is specified under the relevant section.
(4) While deciding whether to impose a penalty under sub-section (3) and in determining the quantum of penalty under sections 57 to 61, the Adjudicating Officer shall have due regard to the following factors, namely:—
(a) nature, gravity and duration of violation taking into account the nature, scope and purpose of processing concerned;
(b) number of data principals affected, and the level of harm suffered by them;
(c) intentional or negligent character of the violation;
(d) nature of personal data impacted by the violation;
(e) repetitive nature of the default;
(f) transparency and accountability measures implemented by the data fiduciary or data processor including adherence to any relevant code of practice relating to security safeguards;
(g) action taken by the data fiduciary or data processor to mitigate the harm suffered by data principals; and
(h) any other aggravating or mitigating factors relevant to the circumstances of the case, such as, the amount of disproportionate gain or unfair advantage, wherever quantifiable, made as a result of the default.
(5) Any person aggrieved by an order under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.
64. Compensation.
(1) Any data principal who has suffered harm as a result of any violation of any provision under this Act or the rules or regulations made thereunder, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor, as the case may be.
Explanation.—For the removal of doubts, it is hereby clarified that a data processor shall be liable only where it has acted outside or contrary to the instructions of the data fiduciary pursuant to section 31, or where the data processor is found to have acted in a negligent manner, or where the data processor has not incorporated adequate security safeguards under section 24, or where it has violated any provisions of this Act expressly applicable to it.
(2) The data principal may seek compensation under this section by making a complaint to the Adjudicating Officer in such form and manner as may be prescribed.
(3) Where there are one or more data principals or any identifiable class of data principals who have suffered harm as a result of any contravention by the same data fiduciary or data processor, one complaint may be instituted on behalf of all such data principals seeking compensation for the harm suffered.
(4) While deciding to award compensation and the amount of compensation under this section, the Adjudicating Officer shall have regard to the following factors, namely:—
(a) nature, duration and extent of violation of the provisions of the Act, rules prescribed, or regulations specified thereunder;
(b) nature and extent of harm suffered by the data principal;
(c) intentional or negligent character of the violation;
(d) transparency and accountability measures implemented by the data fiduciary or the data processor, as the case may be, including adherence to any relevant code of practice relating to security safeguards;
(e) action taken by the data fiduciary or the data processor, as the case may be, to mitigate the damage suffered by the data principal;
(f) previous history of any, or such, violation by the data fiduciary or the data processor, as the case may be;
(g) whether the arrangement between the data fiduciary and data processor contains adequate transparency and accountability measures to safeguard the personal data being processed by the data processor on behalf of the data fiduciary;
(h) any other aggravating or mitigating factor relevant to the circumstances of the case, such as, the amount of disproportionate gain or unfair advantage, wherever quantifiable, made as a result of the default.
(5) Where more than one data fiduciary or data processor, or both a data fiduciary and a data processor, are involved in the same processing activity and are found to have caused harm to the data principal, then, each data fiduciary or data processor may be ordered to pay the entire compensation for the harm to ensure effective and speedy compensation to the data principal.
(6) Where a data fiduciary or a data processor has, in accordance with sub-section (5), paid the entire amount of compensation for the harm suffered by the data principal, such data fiduciary or data processor shall be entitled to claim from the other data fiduciaries or data processors, as the case may be, that amount of compensation corresponding to their part of responsibility for the harm caused.
(7) Any person aggrieved by an order made under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.
(8) The Central Government may prescribe the procedure for hearing of a complaint under this section.
65. Compensation or penalties not to interfere with other punishment.
No compensation awarded, or penalty imposed, under this Act shall prevent the award of compensation or imposition of any other penalty or punishment under this Act or any other law for the time being in force.
66. Recovery of amounts.
(1) The amount of any penalty imposed or compensation awarded under this Act, if not paid, may be recovered as if it were an arrear of land revenue.
(2) All sums realised by way of penalties under this Act shall be credited to the Consolidated Fund of India.