white_paper_on_data_protection_in_india_171127_final_v2
(i) Per day basis A data protection law may stipulate that for a violation of a data protection obligation, a civil penalty of a specific amount may be imposed on the data controller for each day such violation continues, which may or may not be subject to an upper limit. 860 An upper limit may be a fixed amount or may be linked to a variable parameter, such as, a percentage of the annual turnover of the defaulting data controller. (ii) Discretion of adjudicating body subject to a fixed upper limit A data protection law may stipulate that for a violation of a data protection obligation, an adjudicating authority may decide the quantum of civil penalty leviable subject always to a fixed upper limit as prescribed under applicable law. This model of penalty determination is common to the Indian context 861 and appears to be so from an international perspective as well. (iii) Discretion of adjudicating body subject to an upper limit linked to a variable parameter A data protection law may stipulate that for a violation of a data protection obligation, an adjudicating authority may decide the quantum of civil penalty leviable subject always to an upper limit which is linked to a variable parameter. There are instances in Indian law where such a standard has been adopted. 862 In the context of a data protection law, the EU GDPR adopts a similar standard and sets the upper limit of a civil penalty that may be imposed on a defaulting data controller as a percentage of the total worldwide turnover of the preceding financial year of the defaulting data controller. 2. In relation to the penalty models set out above, it may be relevant to note that while civil penalty leviable on a daily basis (i.e., model (i)) may act as a deterrent, it may lead 860 In the Indian context, typically, per day civil penalty that may be leviable is capped to an upper limit. For instance, Section 91(2), Companies Act, 2013 provides that civil penalty for closure of register of members or debenture holders without prescribed notice is Rs. 5,000 for every day of such violation subject to a maximum of Rs. 1 lakh. Similarly, per Section 15C, SEBI Act, if any listed company or any registered intermediary fails to redress grievances of investors within the prescribed time, then such company or intermediary shall be liable to penalty which not be less than Rs. 1 lakh but which may extend to Rs. 1 lakh for each day during which such failure continues subject to a maximum of Rs. 1 crore. However, there are instances in the IT Act, such as, Section 44(b) (as cited above) which prescribes a per day civil penalty of Rs. 5,000 which is not capped. 861 For instance, per Section 105, Insurance Act, 1938, if any director, managing director, manager or other officer or employee of an insurer wrongfully obtains possession of any property or wrongfully applies to any purposes of the said Act, then such person shall be liable to a penalty not exceeding Rs. 1 crore. Further, per Section 50, Food Safety and Standards Act, 2006, any person who sells to the purchaser‘s prejudice any food which is not in compliance with the provisions of the FSSA or of the nature, substance or quality demanded by the purchaser shall be liable to a penalty not exceeding Rs. 5 lakhs. 862 For instance, per Section 15G, SEBI Act, the penalty for insider trading is provided as a minimum of Rs. 10 lakhs which may extend to Rs. 25 crores or three times the amounts of profit made out of insider trading, whichever is higher. Similarly, under Section 27, Competition Act, 2002, where after any enquiry, it is found that any agreement or action of an enterprise in a dominant position is in contravention of Sections 3 or 4, as the case may be, a penalty may be imposed which shall not be more than 10% of the average of the turnover for the last three preceding financial years upon each of such person or enterprise which are parties to such agreement or abuse. 194
to an overly adverse impact on small data controllers/ start-up entities who are in the process of setting up businesses or may be in their teething period. In such a case, a per day civil penalty may not be feasible and the quantum of penalty that may be imposed may be left to the discretion of an adjudicating body subject to an upper limit, where such an upper limit may be a fixed amount or may be linked to a variable parameter, such as, a percentage of the annual turnover of the defaulting data controller 3. Where models (ii) or (iii) are proposed to be adopted, it may leave sufficient room for discretion on the part of the adjudicating authority. Consequently, it may be necessary to set out the factors that an adjudicating authority may consider while determining the appropriate quantum of civil penalty that may be imposed. This may include, nature and extent of violation of the data protection obligation, nature of personal information involved, number of individuals affected, whether infringement was intentional or negligent, measures taken by data controller to mitigate the damage suffered and previous track record of the data controller in this regard. 4. To ensure that civil penalty imposed constitutes adequate deterrence, any of the above models or a combination thereof may be adopted. An upper limit of civil penalty which may be linked to the total worldwide turnover of the defaulting party, as is the case under the EU GDPR, brings within its ambit those data controllers which handle large volumes of personal data, or who have a high turnover due to their data processing operations, or whose operations involve the use of new technology for processing and therefore may have a higher likelihood of causing harms to individuals. 5. Consequently, the highest form of deterrence in relation to civil penalties may be where a per day civil penalty is imposed subject to a fixed upper limit or a percentage of the total worldwide turnover of the defaulting data controller of the previous financial year, whichever is higher. 4.4 Questions 1. What are your views on the above? 2. What are the different types of data protection violations for which a civil penalty may be prescribed? 3. Should the standard adopted by an adjudicating authority while determining liability of a data controller for a data protection breach be strict liability? Should strict liability of a data controller instead be stipulated only where data protection breach occurs while processing sensitive personal data? 4. In view of the above models, how should civil penalties be determined or calculated for a data protection framework? 195
- Page 153 and 154: PART IV REGULATION AND ENFORCEMENT
- Page 155 and 156: they form core, substantive element
- Page 157 and 158: CHAPTER 2: ACCOUNTABILITY AND ENFOR
- Page 159 and 160: have been taken or that the data su
- Page 161 and 162: The EU GDPR focuses on a ―risk ba
- Page 163 and 164: person who processes personal infor
- Page 165 and 166: with developing certain baseline ac
- Page 167 and 168: ENFORCEMENT TOOLS 2.6 Introduction
- Page 169 and 170: Australia The Privacy Act makes ext
- Page 171 and 172: B. PERSONAL DATA BREACH NOTIFICATIO
- Page 173 and 174: eputation, and loss of confidential
- Page 175 and 176: There is a need to put in place a n
- Page 177 and 178: C. CATEGORISATION OF DATA CONTROLLE
- Page 179 and 180: The Treasury Board of Canada Secret
- Page 181 and 182: Under the EU GDPR, only certain dat
- Page 183 and 184: 5. What range of additional obligat
- Page 185 and 186: D. DATA PROTECTION AUTHORITY 2.18 I
- Page 187 and 188: and approval of the appointment by
- Page 189 and 190: The supervisory authority shall pro
- Page 191 and 192: . Advisory The functions of the OAI
- Page 193 and 194: standards be set by different entit
- Page 195 and 196: maintain reasonable security practi
- Page 197 and 198: notices‘ 827 and ‗information n
- Page 199 and 200: 5. Given that the Appellate Tribuna
- Page 201 and 202: CHAPTER 4: REMEDIES A. PENALTIES In
- Page 203: sector, size, financial and other r
- Page 207 and 208: B. COMPENSATION Awarding of compens
- Page 209 and 210: United Kingdom As per the guidance
- Page 211 and 212: C. OFFENCES There are certain types
- Page 213 and 214: 4.11 Provisional Views 1. The law m
- Page 215 and 216: SCOPE AND EXEMPTIONS 1. Territorial
- Page 217 and 218: 6. Are there any other views relati
- Page 219 and 220: 2. Should the definition of process
- Page 221 and 222: 1. What are your views on including
- Page 223 and 224: 9. Data Localisation Data localisat
- Page 225 and 226: 2. Child’s Consent It is estimate
- Page 227 and 228: Alternatives: a. Assigning a ‗dat
- Page 229 and 230: If ‗sensitive personal data‘ is
- Page 231 and 232: 2. Should there be a restriction on
- Page 233 and 234: 3. Does a right to be forgotten add
- Page 235 and 236: 1. What are your views on the use o
- Page 237 and 238: oth for principled and practical re
- Page 239 and 240: Questions 1. What are your views on
- Page 241 and 242: 12. In cases where compensation cla
- Page 243: 3. What are the mitigating circumst
to an overly adverse impact <strong>on</strong> small <strong>data</strong> c<strong>on</strong>trollers/ start-up entities who are <strong>in</strong> the<br />
process of sett<strong>in</strong>g up bus<strong>in</strong>esses or may be <strong>in</strong> their teeth<strong>in</strong>g period. In such a case, a per<br />
day civil penalty may not be feasible and the quantum of penalty that may be imposed<br />
may be left to the discreti<strong>on</strong> of an adjudicat<strong>in</strong>g body subject to an upper limit, where<br />
such an upper limit may be a fixed amount or may be l<strong>in</strong>ked to a variable parameter,<br />
such as, a percentage of the annual turnover of the default<strong>in</strong>g <strong>data</strong> c<strong>on</strong>troller<br />
3. Where models (ii) or (iii) are proposed to be adopted, it may leave sufficient room for<br />
discreti<strong>on</strong> <strong>on</strong> the part of the adjudicat<strong>in</strong>g authority. C<strong>on</strong>sequently, it may be necessary<br />
to set out the factors that an adjudicat<strong>in</strong>g authority may c<strong>on</strong>sider while determ<strong>in</strong><strong>in</strong>g the<br />
appropriate quantum of civil penalty that may be imposed. This may <strong>in</strong>clude, nature and<br />
extent of violati<strong>on</strong> of the <strong>data</strong> protecti<strong>on</strong> obligati<strong>on</strong>, nature of pers<strong>on</strong>al <strong>in</strong>formati<strong>on</strong><br />
<strong>in</strong>volved, number of <strong>in</strong>dividuals affected, whether <strong>in</strong>fr<strong>in</strong>gement was <strong>in</strong>tenti<strong>on</strong>al or<br />
negligent, measures taken by <strong>data</strong> c<strong>on</strong>troller to mitigate the damage suffered and<br />
previous track record of the <strong>data</strong> c<strong>on</strong>troller <strong>in</strong> this regard.<br />
4. To ensure that civil penalty imposed c<strong>on</strong>stitutes adequate deterrence, any of the above<br />
models or a comb<strong>in</strong>ati<strong>on</strong> thereof may be adopted. An upper limit of civil penalty which<br />
may be l<strong>in</strong>ked to the total worldwide turnover of the default<strong>in</strong>g party, as is the case<br />
under the EU GDPR, br<strong>in</strong>gs with<strong>in</strong> its ambit those <strong>data</strong> c<strong>on</strong>trollers which handle large<br />
volumes of pers<strong>on</strong>al <strong>data</strong>, or who have a high turnover due to their <strong>data</strong> process<strong>in</strong>g<br />
operati<strong>on</strong>s, or whose operati<strong>on</strong>s <strong>in</strong>volve the use of new technology for process<strong>in</strong>g and<br />
therefore may have a higher likelihood of caus<strong>in</strong>g harms to <strong>in</strong>dividuals.<br />
5. C<strong>on</strong>sequently, the highest form of deterrence <strong>in</strong> relati<strong>on</strong> to civil penalties may be where<br />
a per day civil penalty is imposed subject to a fixed upper limit or a percentage of the<br />
total worldwide turnover of the default<strong>in</strong>g <strong>data</strong> c<strong>on</strong>troller of the previous f<strong>in</strong>ancial year,<br />
whichever is higher.<br />
4.4 Questi<strong>on</strong>s<br />
1. What are your views <strong>on</strong> the above?<br />
2. What are the different types of <strong>data</strong> protecti<strong>on</strong> violati<strong>on</strong>s for which a civil penalty may<br />
be prescribed?<br />
3. Should the standard adopted by an adjudicat<strong>in</strong>g authority while determ<strong>in</strong><strong>in</strong>g liability of<br />
a <strong>data</strong> c<strong>on</strong>troller for a <strong>data</strong> protecti<strong>on</strong> breach be strict liability? Should strict liability of<br />
a <strong>data</strong> c<strong>on</strong>troller <strong>in</strong>stead be stipulated <strong>on</strong>ly where <strong>data</strong> protecti<strong>on</strong> breach occurs while<br />
process<strong>in</strong>g sensitive pers<strong>on</strong>al <strong>data</strong>?<br />
4. In view of the above models, how should civil penalties be determ<strong>in</strong>ed or calculated for<br />
a <strong>data</strong> protecti<strong>on</strong> framework?<br />
195