Introduction

The Personal Data Protection Bill, 2018 ("New DP Act") proposes to carry out a drastic upgrade to India's current data privacy regime, namely the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("DP Rules 2011"), framed under the Information Technology Act, 2000 ("IT Act 2000"). From prescribing data localisation, to creating a fiduciary relationship between data subjects and data controllers, to providing for data portability, the New DP Act seeks to put in place for India one of the most stringent data privacy regimes in the world. One of the interesting contrasts between the DP Rules 2011 and the New DP Act is in the punishments and penalties prescribed for any breach of the respective data privacy regimes.

The punishments and penalties in both the DP Rules 2011 (read with the IT Act 2000) and the New DP Act can be classified into 3 (three) categories, namely: (i) penalties in the form of fines; (ii) imprisonment; and (iii) the right to claim compensation.

Offences leading to the imposition of fines

Chapter XI of the New DP Act prescribes harsh fines for certain specified violations of the New DP Act. Section 69(1) of the New DP Act states that for violations such as: (a) a breach by a data fiduciary of its obligation to take prompt and appropriate action in response to a data security breach; or (b) the failure by a significant data fiduciary to (i) undertake a data protection impact assessment, or (ii) conduct a data audit, or (iii) appoint a data protection officer, or (iv) register with the Data Protection Authority of India ("Authority"); the data fiduciary will be liable to pay a fine of up to Rs. 5,00,00,000 (Rupees five crore) or 2% (two percent) of total worldwide turnover of the preceding financial year, whichever is higher.

Section 69(2) of the New DP Act states that in the event a data fiduciary processes personal data or sensitive personal data or personal data of children in breach of Chapters II, III, IV or V of the New DP Act, or in the event a data fiduciary fails to adhere to the security safeguards prescribed by section 31 of the New DP Act or transfers personal data outside India in violation of section 41 of the New DP Act, the data fiduciary shall be liable to pay a fine of up to Rs. 15,00,00,000 (Rupees fifteen crore) or 4% (four percent) of its total worldwide turnover for the preceding financial year, whichever is higher.

It needs to be pointed out that the two-tiered system of administrative fines that has been proposed by the New DP Act has been copied from the European Union's General Data Protection Regulation (better known by its acronym, GDPR), which uses the phrase 'annual global turnover' instead of 'total worldwide turnover'. Section 69 of the New DP Act also has an explanation to the effect that the total worldwide turnover of a data fiduciary would include the turnover of any group entity if such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors, including: (i) the alignment of the overall economic interests of the data fiduciary and the group entity; (ii) the relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary; and (iii) the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be.

A data fiduciary's failure, without any reasonable explanation, to comply with any request made by a data principal under Chapter VI of the New DP Act (such as a request for a summary of the personal data relating to the data principal that is being processed or has been processed by the data fiduciary, a request to update the personal data that is being stored, or a request for the transfer of personal data held by a data fiduciary to another data fiduciary), shall result[i] in a penalty of Rs. 5,000 (Rupees five thousand) for each day during which such default continues, subject to a maximum of Rs. 10,00,000 (Rupees ten lac) in case of significant data fiduciaries and Rs. 5,00,000 (Rupees five lac) in other cases.

In the event any data fiduciary, who is required to furnish any report, return or information to the Authority, fails to furnish the same, then such data fiduciary shall be liable[i] to a penalty which shall be Rs. 10,000 (Rupees ten thousand) for each day during which such default continues, subject to a maximum of Rs. 20,00,000 (Rupees twenty lac) in case of significant data fiduciaries and Rs. 5,00,000 (Rupees five lac) in other cases.

Any failure by a data fiduciary or a data processor to comply with any direction issued by the Authority under: (a) section 62 of the New DP Act[ii]; or (b) section 65[iii] of the New DP Act will lead to a penalty[iv]. In case of a data fiduciary, the penalty may extend to Rs. 20,000 (Rupees twenty thousand) for each day during which such default continues, subject to a maximum of Rs. 2,00,00,000 (Rupees two crore). In case of a data processor, the prescribed penalty is one fourth of that applicable to data fiduciaries, that is, the penalty may extend to Rs. 5,000 (Rupees five thousand) for each day during which such default continues, subject to a maximum of Rs. 50,00,000 (Rupees fifty lac).

An interesting aspect of the above penalties prescribed by Chapter XI of the New DP Act is that the penalties do not strictly require any data principal to incur a loss on account of the relevant breach or violation. To attract a penalty, it is sufficient if the data fiduciary or the data processor has committed a breach of the relevant provisions of the New DP Act. However, section 74 of the New DP Act sets out a number of factors to be taken into account before any penalty is imposed. These include: (i) the nature, gravity and duration of the violation, taking into account the nature, scope and purpose of processing concerned; (ii) the number of data principals affected, and the level of harm suffered by them; (iii) whether the breach or violation was intentional or negligent; (iv) the nature of personal data impacted by the violation; (v) whether the default is repetitive in nature; (vi) transparency and accountability measures including adherence to any code of practice relating to security safeguards implemented by the person in breach; (vii) steps taken by the person in breach to mitigate the damage suffered by the data principal, etc.

In contrast, neither the IT Act 2000 nor the DP Rules 2011 have provisions comparable to Chapter XI of the New DP Act. Section 45 of the IT Act 2000 has a residuary clause that provides that whoever contravenes any rules or regulations made under the IT Act 2000, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding Rs. 25,000 (Rupees twenty five thousand) to the person affected by such contravention or a penalty not exceeding Rs. 25,000 (Rupees twenty five thousand). Other than section 43A of the IT Act 2000 and section 72A of the IT Act 2000 (both discussed below), no other provision of the IT Act 2000 or the rules and regulations framed thereunder deal with offences relating to data privacy or the breach thereof.

The New DP Act also has a residuary penalty clause in section 73 which states that where any person fails to comply with any provision of the New DP Act, or rules prescribed or regulations specified thereunder as applicable to such person, for which no separate penalty has been provided, such person shall be liable to a penalty subject to a maximum of Rs. 1,00,00,000 (Rupees one crore) in case of significant data fiduciaries, and a maximum of Rs. 25,00,000 (Rupees twenty five lac) in all other cases. Thus, any breach of the data localisation requirements contained in Chapter VIII of the New DP Act will be covered by this residuary clause since no specific penalty has been prescribed for such violation. However, since the New DP Act contains comprehensive provisions for penalising various offences, this residuary clause will have limited applicability.

In our view, the harsh fines mentioned above are a step in the right direction. However, if for any reason, after the New DP Act comes into effect, the enforcement machinery is not staffed with competent professionals who are able to cope with the expected deluge of complaints and allegations, there could be widespread misuse and harassment of businesses.

Offences punishable with imprisonment

Section 90 of the New DP Act provides that if any person knowingly, intentionally or recklessly obtains or discloses or transfers or sells 'personal data' to another person in contravention of the New DP Act, and it results in 'significant harm' to a data principal, then such person shall be punishable with imprisonment for a term not exceeding 3 (three) years and/or shall be liable to a fine which may extend up to Rs. 2,00,000 (Rupees two lac). If the data happens to be 'sensitive personal data', then section 91 of the New DP Act ups the ante such that, if mere 'harm' is caused to a data principal, the punishment could be imprisonment for a term not exceeding 5 (five) years and/or a fine which may extend up to Rs. 3,00,000 (Rupees three lac).

Unlike in the case of violations penalised under Chapter XI of the New DP Act, for the offences under sections 90 and 91 of the New DP Act mentioned above, the offender need not be a data fiduciary. Further, the offender should have acted knowingly or intentionally or recklessly.

Re-identification and processing of personal data that has been de-identified by a data fiduciary or a data processor, without the consent of the relevant data fiduciary or data processor, can also lead to imprisonment for a term not exceeding 3 (three) years and/or result in a fine of up to Rs. 2,00,000 (Rupees two lac).[i] For this offence as well, the offender should have acted knowingly or intentionally or recklessly.

Section 72A of the IT Act 2000, which was inserted in the IT Act 2000 by the Information Technology (Amendment) Act, 2008, with effect from October 27, 2009, prescribes criminal punishment for the disclosure of information in breach of any lawful contract. This section states that any person who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to 3 (three) years and/or with a fine which may extend to Rs. 5,00,000 (Rupees five lac). Other than section 72A, the IT Act 2000 does not have any provision which punishes a breach of data privacy with imprisonment.

The main difference between section 72A of the IT Act 2000 and sections 90 and 92 of the New DP Act is that in the former, the offender has to be a person who legitimately secured access to personal information before making a wrongful disclosure. Under the New DP Act, any person who makes a wrongful disclosure of personal data, howsoever such personal data may have come into the possession of the discloser, may be punished.

Offences to be cognizable and non-bailable

As per section 93 of the New DP Act, all offences punishable under the New DP Act are cognizable and non-bailable, irrespective of the provisions of the Code of Criminal Procedure, 1973. The New DP Act does not define an 'offence'. However, since the aforesaid section 93 falls under Chapter XIII of the New DP Act, which is titled 'Offences', it may be presumed that only those violations punishable under Chapter XIII of the New DP Act (and not those punishable with fines under Chapter XI of the New DP Act) will be 'offences'.

Under the IT Act 2000, only offences punishable with imprisonment of 3 (three) years and above are cognizable and all offences punishable with imprisonment of 3 (three) years are bailable. Since the maximum punishment under section 72A of the IT Act 2000 for offences relating to data privacy is 3 (three) years, all such offences are bailable, unlike under the New DP Act.

Claiming Compensation

Section 75 of the New DP Act provides that in the event any data principal has suffered harm as a result of any violation of any provision under the New DP Act, or rules prescribed or regulations specified thereunder, by a data fiduciary or a data processor, such data principal shall have the right to seek compensation from the data fiduciary or the data processor, as the case may be.

Section 43A of the IT Act 2000 also provides individuals with a statutory right to claim compensation. However, section 43A of the IT Act 2000 is more restrictive than section 75 of the New DP Act. To begin with, section 43A of the IT Act 2000 applies only in the event the sensitive personal data or information that is being processed, dealt with or handled is in a computer resource. Further, the compensation claim can only be made against a body corporate which owns, controls or operates the computer resource in which the sensitive personal data or information is stored. A 'body corporate' has been defined to mean any company and to include a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. Therefore, the test for the applicability of section 43A of the IT Act 2000 to an entity other than a company is whether such entity is engaged in commercial or professional activities.

Section 43A of the IT Act 2000 applies only in the event there is negligence in implementing and maintaining reasonable security practices and procedures and such negligence results in wrongful loss or wrongful gain to any person. Section 43A defines 'reasonable security practices and procedures' to mean security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. Since the DP Rules 2011 are reasonable security practices and procedures prescribed by the Central Government, a view may be taken that any failure to comply with any of the obligations imposed by the DP Rules 2011 would amount to a failure to implement and maintain reasonable security practices and procedures and would give rise to a claim for compensation.

Unlike section 43A of the IT Act 2000, section 75 of the New DP Act does not require that the sensitive personal data or information that has been breached should be in a computer resource. Also, section 75 of the New DP Act sets out several more parameters that the adjudicating officer shall have to consider while awarding compensation than were prescribed under the IT Act 2000. The IT Act 2000 merely requires the adjudicating authority to consider factors such as: (a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (b) the amount of loss caused to any person as a result of the default; and (c) the repetitive nature of the default, while awarding compensation. Section 75 of the New DP Act has additional parameters such as, inter alia: (i) the intentional or negligent character of the violation; (ii) transparency and accountability measures including adherence to any code of practice relating to security safeguards implemented by the person in breach; and (iii) steps taken by the person in breach to mitigate the damage suffered by the data principal.

Offences by companies: Presumption of guilt

Section 95 of the New DP Act states that where an offence under the New DP Act has been committed by a company, every person who, at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly. Any person who is so deemed to be guilty may escape punishment if she proves that the offence was committed without her knowledge or that she had exercised all due diligence to prevent the commission of such offence.

Section 95 of the New DP Act is almost identical to section 85 of the IT Act 2000 which deals with offences by companies under the IT Act 2000. Further, a number of statutory provisions which deal with offences by companies, such as section 141 of the Negotiable Instruments Act, 1881, section 278B of the Income Tax Act, 1961, section 22C of Minimum Wages Act, 1948, section 86A of the Employees State Insurance Act, 1948, section 14A of Employees Provident Fund and Miscellaneous Provisions Act, 1952, section 29 of Payment of Bonus Act, 1965, section 40 of the Air (Prevention and Control of Pollution) Act, 1981, section 47 of Water (Prevention and Control of Pollution) Act, 1974 and section 17 of the Prevention of Food Adulteration Act, 1954, have very similar language.

In the case of Nikhil P. Gandhi v. State of Gujarat[i], the Gujarat High Court ruled that a person who can be made vicariously liable under sub-section (1) of section 141 of the Negotiable Instruments Act, 1881, is a person who is responsible to the company for the conduct of the business of the company and in addition is also in charge of the business of the company. The honourable court pointed out that none of the aforementioned enactments (dealing with corporate liability) give any indication as to who are the persons responsible to the company for the conduct of the business of the company. Therefore, the honourable court was of the view that one had to fall back upon the provisions of the Companies Act, 1956, which (then) was the law relating to and regulating companies, to identify the persons responsible to the company for the conduct of the business of the company. The honourable Gujarat High Court relied on the meaning of the phrase 'officer in default' given in section 5 of the Companies Act, 1956 and ruled that the individuals mentioned therein (such as, inter alia, the managing director, whole-time director, the manager, the secretary, persons in accordance with whose directions or instructions the board of directors of the company is accustomed to act and persons charged by the board with the responsibility of complying with specific provisions) could be considered to be the persons who are responsible to the company for the conduct of the business of the company.

In order to determine the 'person in charge of the business of the company', the Gujarat High Court relied on the Supreme Court's ruling in Girdhari Lal Gupta v. D.N. Mehta[ii], which has been followed by the Supreme Court in the cases of State of Karnataka v. Pratap Chand[iii] and Katta Sujatha v. Fertiliser & Chemicals Travancore Limited.[iv] The Supreme Court had held that the words 'person in charge of the business of the company' refer to a person who is in overall control of the day to day business of the company. According to the Gujarat High Court, determination of the 'person in charge of the business of the company' has to be based on facts, whilst identification of 'the persons responsible to the company, for the conduct of the business of the company' would be based on law, as applicable to companies.

In our view, the principles laid out in Nikhil P. Gandhi v. State of Gujarat[v] can be used to interpret section 95 of the New DP Act. Any individual who is both 'in charge of the business of the company' and is 'responsible to the company, for the conduct of the business of the company' will be presumed to be guilty if any offence under the New DP Act is committed by the company. It may be noted that this presumption can be rebutted only if the person presumed to be guilty can prove that the offence was committed without his/her knowledge or that he/she had exercised all due diligence to prevent the commission of such offence.

If a person presumed to be guilty under section 95 of the New DP Act demonstrates that the company had adequate safeguards in place to prevent the commission of an offence, would such person be exonerated? Let's assume that a company has violated section 91 of the New DP Act on account of a junior employee recklessly disclosing a customer's sensitive personal data and causing loss to such customer, as a result of which the managing director of that company would also be presumed to be guilty of the same offence, assuming that such managing director is in charge of, and is responsible to, the company for the conduct of the business of the company. The managing director would have to prove that the offence was committed without his/her knowledge or that he/she had exercised all due diligence to prevent the commission of such offence. If it is shown that the offence was committed by the junior employee despite the company having adequate safeguards in place, would such a finding equate to showing that the offence was committed without the managing director's knowledge or that the managing director had exercised all due diligence to prevent the commission of such offence? In our view, if the managing director can show that adequate safeguards were in place and the offence was committed despite the same, it can be said that the managing director had exercised all due diligence to prevent the commission of such offence.

It may also be noted that sub-section 3 of section 95 of the New DP Act provides that where an offence under the New DP Act is committed by a company and it is proved that the offence was committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly under the New DP Act. In other words, if a director, manager, secretary or other officer of a company is proved to have consented to or connived in the commission of an offence under the New DP Act by such company, or it is proved that the corporate offence would not have occurred had it not been for the neglect by such director, manager, secretary or other officer, then such director, manager, secretary or other officer shall face punishment for such offence, even if such director, manager, secretary or other officer is not responsible to the company for the conduct of the business of the company and is also not in charge of the business of the company. Unlike in the case of sub-section 1 of section 95 of the New DP Act, there can be no punishment under sub-section 3 of section 95 of the New DP Act unless it is actually proved that the director, manager, secretary or other officer has either consented to, connived in or neglected his/her duties.

One is now forced to ask, in the context of corporate offences, whether it is necessary for the New DP Act to deem guilty every person who, at the time an offence is committed by a company, is in charge of, and is responsible to, the company for the conduct of the business of the company. Before any individual is punished with imprisonment, shouldn't the prosecution show beyond reasonable doubt that such individual has committed an act or omission which resulted in an offence by a company under the New DP Act?

In our view, the deeming provision in sub-section 1 of section 95 of the New DP Act is unwarranted, especially in light of sub-section 3 of section 95 which provides that where an offence under the New DP Act is committed by a company and it is proved that the offence was committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the offence. Further, the New DP Act has specific provisions[i] requiring all data fiduciaries to have adequate safeguards in place for the proper processing of personal data and any breach of these provisions will lead to a severe penalty under Chapter XI of the New DP Act.

Footnotes

(Footnote markers restart within each section of the article; the notes below are listed in the order in which the markers appear in the text.)

[i] Under section 70 of the New DP Act.

[i] Under section 71 of the New DP Act.

[ii] This could be any direction as the Authority may consider necessary for the discharge of its functions.

[iii] This would be a direction pursuant to an inquiry.

[iv] Under section 72 of the New DP Act.

[i] As per section 92 of the New DP Act.

[i] 2016 197 CompCas 50 (Guj).

[ii] 1971 (3) SCC 189.

[iii] 1981 (2) SCC 335.

[iv] 2002 (7) SCC 655.

[v] 2016 197 CompCas 50 (Guj).

[i] In Chapter VII of the New DP Act – Transparency and Accountability Measures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.