white_paper_on_data_protection_in_india_171127_final_v2
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
sector, size, f<strong>in</strong>ancial and other resources of a <strong>data</strong> c<strong>on</strong>troller as the purpose of a m<strong>on</strong>etary<br />
penalty is not to impose undue f<strong>in</strong>ancial hardship <strong>on</strong> an otherwise resp<strong>on</strong>sible entity. 856<br />
Australia<br />
As per the Privacy Act, the OAIC may apply to the prescribed court for an order that an entity<br />
which has <strong>in</strong>fr<strong>in</strong>ged any provisi<strong>on</strong>s of the Privacy Act shall be liable to pay a pecuniary<br />
penalty. 857 If the court is satisfied that the entity has c<strong>on</strong>travened certa<strong>in</strong> provisi<strong>on</strong>s of the<br />
Privacy Act, then it may order the entity to pay a pecuniary penalty as it determ<strong>in</strong>es. 858<br />
South Africa<br />
Under the POPI Act 859 , an adm<strong>in</strong>istrative f<strong>in</strong>e not exceed<strong>in</strong>g R10 milli<strong>on</strong> may be imposed <strong>on</strong><br />
the default<strong>in</strong>g organizati<strong>on</strong>. Moreover, while determ<strong>in</strong><strong>in</strong>g an appropriate f<strong>in</strong>e, the Informati<strong>on</strong><br />
Regulator may c<strong>on</strong>sider the follow<strong>in</strong>g factors:<br />
(i)<br />
(ii)<br />
nature of pers<strong>on</strong>al <strong>in</strong>formati<strong>on</strong> <strong>in</strong>volved;<br />
durati<strong>on</strong> and extent of c<strong>on</strong>traventi<strong>on</strong>;<br />
(iii) number of <strong>data</strong> subjects affected or potentially affected by such c<strong>on</strong>traventi<strong>on</strong>;<br />
(iv) likelihood of substantial distress or damage, <strong>in</strong>clud<strong>in</strong>g <strong>in</strong>jury to feel<strong>in</strong>gs or anxiety<br />
suffered by <strong>data</strong> subjects;<br />
(v)<br />
whether the resp<strong>on</strong>sible party could have prevented the c<strong>on</strong>traventi<strong>on</strong> from occurr<strong>in</strong>g;<br />
and<br />
(vi) failure to carry out risk assessment or a failure to operate good policies, procedures and<br />
practices to protect pers<strong>on</strong>al <strong>in</strong>formati<strong>on</strong>.<br />
4.3 Provisi<strong>on</strong>al Views<br />
1. Based <strong>on</strong> a review of the extant Indian legal and regulatory framework as well as the<br />
<strong>in</strong>ternati<strong>on</strong>al best practices set out above, the follow<strong>in</strong>g models for calculati<strong>on</strong> of civil<br />
penalties may be possible:<br />
856 ICO, ―Informati<strong>on</strong> Commissi<strong>on</strong>er‘s guidance about the issue of m<strong>on</strong>etary penalties prepared and issued under<br />
secti<strong>on</strong> 55C(1) of the Data Protecti<strong>on</strong> Act 1998‖, 3 (December 2015), available at: https://ico.org.uk/media/fororganisati<strong>on</strong>s/documents/1043720/ico-guidance-<strong>on</strong>-m<strong>on</strong>etary-penalties.pdf,<br />
(last accessed 20 October 2017).<br />
857 Secti<strong>on</strong> 80W, Part VIB, Privacy Act.<br />
858 From a read<strong>in</strong>g of Secti<strong>on</strong> 80W(5), Privacy Act, it appears that the pecuniary penalty is capped at five times<br />
the amount stipulated for violati<strong>on</strong> of a specific provisi<strong>on</strong> under the Privacy Act, <strong>in</strong> case of a body corporate and<br />
otherwise, it is the amount of pecuniary penalty c<strong>on</strong>templated for violati<strong>on</strong> of a specific provisi<strong>on</strong> under the<br />
Privacy Act.<br />
859 Secti<strong>on</strong> 109, POPI Act.<br />
193