Companies may have to pay a penalty of up to Rs 15 crore or four per cent of global turnover if found violating norms under the Personal Data Protection Bill approved by the Cabinet, according to official sources. Besides, the company’s executive in-charge of conduct of the data business can also face jail term of up to three years if found guilty of knowingly “re-identifying de-identified data” of individuals in the country or processing them in violation of the norms laid in the Bill, a source said.
The Bill is expected to be tabled in Parliament during the ongoing Winter Session for final approval.
All internet companies will have to mandatorily store critical data of individuals within the country, however, they can transfer sensitive data overseas after explicit consent of the data owner to process it only for purposes permissible under law once the Bill is approved by Parliament, the source said.
“Critical data will be defined by the government from time to time. Data related to health, religious or political orientation, biometrics, genetic, sexual orientation, health, financial etc has been identified as sensitive data. Penalty of up to Rs 15 crore or four per cent of an entity’s global revenue will be imposed on entity found guilty of major violation under the Bill,” the source said.
For minor violations, the Bill proposes a penalty of Rs 5 crore or two per cent of the global turnover. It also has provision of jail term for officers of entity that is found breaching provisions under the Bill. Social media companies will be required to come up with a mechanism to identify users on their platform who are willing to be identified on voluntary basis.
“Under the provision, a social media fiduciary will have to give users on its platform an option to get verified. It will be voluntary for individuals if they want to get verified or not,” the source said. The Bill has provisions to grant right to be forgotten to data owners as well as right to erase, correct and porting of data.
“The Bill will encourage entities to start processing data in India and with high level of data consumption, the country is expected to become one of the world’s biggest centre of data refinery. The Bill allows processing of data for lawful purpose only,” the source said.
The Bill exempts processing of personal data in case of national security issues, court order etc.
“Any data which can identify an individual has been defined as personal data. While all entities will need to obtain explicit consent of the data owner, in some cases like security of the state, providing relief in case of a medical emergency, detection of unlawful activity, whistleblow etc an explicit consent may not be required,” the source said.
The Bill mandates entities in the business of data processing to register with the government as data fiduciary for the purpose of data processing.
“The government will have the right to direct data fiduciary to share anonymised or non-personal data for better targeting of service, policy making, relief work, etc,” the source said.