white_paper_on_data_protection_in_india_171127_final_v2
and non-patrimonial loss suffered by the data subject, aggravated damages, interest and cost of suit on such scale as may be determined by the court. 877 4.7 Provisional Views 1. An individual may be given the right to seek compensation from a data controller in case she has suffered any loss or damage due to a violation of the data controller‘s obligations under a data protection legal framework. 2. A claim for compensation may be filed in accordance with the provisions set out in the previous chapter on ‗Adjudication Process‘ (Part IV, Chapter 3 of the White Paper). 3. It may be considered whether an obligation should be cast upon a data controller to grant compensation on its own to an individual upon detection of significant harm caused to such individual due to violation of data protection rules by such data controller (without the individual taking recourse to the adjudicatory mechanism). 4.8 Questions 1. What is the nature, type and extent of loss or damage suffered by an individual in relation to which she may seek compensation under a data protection legal regime? 2. What are the factors and guidelines that may be considered while calculating compensation for breach of data protection obligations? 3. What are the mitigating circumstances (in relation to the defaulting party) that may be considered while calculating compensation for breach of data protection obligations? 4. Should there be an obligation cast upon a data controller to grant compensation on its own to an individual upon detection of significant harm caused to such individual due to data protection breach by such data controller (without the individual taking recourse to the adjudicatory mechanism)? What should constitute significant harm? 5. Are there any alternative views other than the ones mentioned above? 877 Section 99, POPI Act. 200
C. OFFENCES There are certain types of breaches of data protection obligations, which, by their very nature and the impact they create, are extremely serious and may cause significant harm to individuals. In these instances, it may be imperative to prescribe criminal sanctions in the form of punishment and severe fines on the data controller. 4.9 Issues The IT Act deals extensively with several types of offences or cybercrimes and prescribes penalty in the form of fines or imprisonment or both. 878 Specifically in the context of data protection, Sections 72 879 and 72A 880 of the IT Act offer some redress. Section 72 of the IT Act is limited in scope as it prescribes a penalty only against those persons who have been given the power under the IT Act or the rules and regulations made thereunder to access any electronic resource. As such, it may be limited to functionaries who have been granted specific powers under the provisions of the IT Act. 881 Section 72A of the IT Act is broader in scope as it imposes a penalty on any person, whether a private or public entity, for the disclosure of personal information without the consent of the person concerned. However, Section 72A of the IT Act is triggered only in those instances where the person (who has disclosed the personal information) has secured access to such personal information while providing services under the terms of a lawful contract. Rapid growth of technological advancements which may be utilised towards processing of personal information increases the risk of data protection violations. Consequently, provisions in a data protection legal framework may be required to carefully set out criminal liability in cases of data protection violation. Moreover, criminal sanction in the form of imprisonment and fines may be prescribed to ensure that it adversely affects the data controller financially and reputationally thereby serving some deterrent value. 878 This includes Section 65 (tampering with computer source documents), Section 66 (computer related offences), Section 66B (punishment for dishonestly receiving stolen computer resource or communication device), Section 66C (punishment for identity theft), Section 66D (punishment for cheating by personation by using computer resource), Section 66E (punishment for violation of privacy), Section 66F (punishment for cyber terrorism) and Section 67 (punishment for publishing or transmitting obscene material in electronic form). 879 Section 72, IT Act provides as follows: ―Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.‖ 880 Section 72A, IT Act provides as follows: ―Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.‖ 881 Apar Gupta, Commentary on Information Technology Act, 269 (Lexis Nexis, 2013). 201
- Page 159 and 160: have been taken or that the data su
- Page 161 and 162: The EU GDPR focuses on a ―risk ba
- Page 163 and 164: person who processes personal infor
- Page 165 and 166: with developing certain baseline ac
- Page 167 and 168: ENFORCEMENT TOOLS 2.6 Introduction
- Page 169 and 170: Australia The Privacy Act makes ext
- Page 171 and 172: B. PERSONAL DATA BREACH NOTIFICATIO
- Page 173 and 174: eputation, and loss of confidential
- Page 175 and 176: There is a need to put in place a n
- Page 177 and 178: C. CATEGORISATION OF DATA CONTROLLE
- Page 179 and 180: The Treasury Board of Canada Secret
- Page 181 and 182: Under the EU GDPR, only certain dat
- Page 183 and 184: 5. What range of additional obligat
- Page 185 and 186: D. DATA PROTECTION AUTHORITY 2.18 I
- Page 187 and 188: and approval of the appointment by
- Page 189 and 190: The supervisory authority shall pro
- Page 191 and 192: . Advisory The functions of the OAI
- Page 193 and 194: standards be set by different entit
- Page 195 and 196: maintain reasonable security practi
- Page 197 and 198: notices‘ 827 and ‗information n
- Page 199 and 200: 5. Given that the Appellate Tribuna
- Page 201 and 202: CHAPTER 4: REMEDIES A. PENALTIES In
- Page 203 and 204: sector, size, financial and other r
- Page 205 and 206: to an overly adverse impact on smal
- Page 207 and 208: B. COMPENSATION Awarding of compens
- Page 209: United Kingdom As per the guidance
- Page 213 and 214: 4.11 Provisional Views 1. The law m
- Page 215 and 216: SCOPE AND EXEMPTIONS 1. Territorial
- Page 217 and 218: 6. Are there any other views relati
- Page 219 and 220: 2. Should the definition of process
- Page 221 and 222: 1. What are your views on including
- Page 223 and 224: 9. Data Localisation Data localisat
- Page 225 and 226: 2. Child’s Consent It is estimate
- Page 227 and 228: Alternatives: a. Assigning a ‗dat
- Page 229 and 230: If ‗sensitive personal data‘ is
- Page 231 and 232: 2. Should there be a restriction on
- Page 233 and 234: 3. Does a right to be forgotten add
- Page 235 and 236: 1. What are your views on the use o
- Page 237 and 238: oth for principled and practical re
- Page 239 and 240: Questions 1. What are your views on
- Page 241 and 242: 12. In cases where compensation cla
- Page 243: 3. What are the mitigating circumst
and n<strong>on</strong>-patrim<strong>on</strong>ial loss suffered by the <strong>data</strong> subject, aggravated damages, <strong>in</strong>terest and cost<br />
of suit <strong>on</strong> such scale as may be determ<strong>in</strong>ed by the court. 877<br />
4.7 Provisi<strong>on</strong>al Views<br />
1. An <strong>in</strong>dividual may be given the right to seek compensati<strong>on</strong> from a <strong>data</strong> c<strong>on</strong>troller <strong>in</strong><br />
case she has suffered any loss or damage due to a violati<strong>on</strong> of the <strong>data</strong> c<strong>on</strong>troller‘s<br />
obligati<strong>on</strong>s under a <strong>data</strong> protecti<strong>on</strong> legal framework.<br />
2. A claim for compensati<strong>on</strong> may be filed <strong>in</strong> accordance with the provisi<strong>on</strong>s set out <strong>in</strong> the<br />
previous chapter <strong>on</strong> ‗Adjudicati<strong>on</strong> Process‘ (Part IV, Chapter 3 of the White Paper).<br />
3. It may be c<strong>on</strong>sidered whether an obligati<strong>on</strong> should be cast up<strong>on</strong> a <strong>data</strong> c<strong>on</strong>troller to<br />
grant compensati<strong>on</strong> <strong>on</strong> its own to an <strong>in</strong>dividual up<strong>on</strong> detecti<strong>on</strong> of significant harm<br />
caused to such <strong>in</strong>dividual due to violati<strong>on</strong> of <strong>data</strong> protecti<strong>on</strong> rules by such <strong>data</strong><br />
c<strong>on</strong>troller (without the <strong>in</strong>dividual tak<strong>in</strong>g recourse to the adjudicatory mechanism).<br />
4.8 Questi<strong>on</strong>s<br />
1. What is the nature, type and extent of loss or damage suffered by an <strong>in</strong>dividual <strong>in</strong><br />
relati<strong>on</strong> to which she may seek compensati<strong>on</strong> under a <strong>data</strong> protecti<strong>on</strong> legal regime?<br />
2. What are the factors and guidel<strong>in</strong>es that may be c<strong>on</strong>sidered while calculat<strong>in</strong>g<br />
compensati<strong>on</strong> for breach of <strong>data</strong> protecti<strong>on</strong> obligati<strong>on</strong>s?<br />
3. What are the mitigat<strong>in</strong>g circumstances (<strong>in</strong> relati<strong>on</strong> to the default<strong>in</strong>g party) that may be<br />
c<strong>on</strong>sidered while calculat<strong>in</strong>g compensati<strong>on</strong> for breach of <strong>data</strong> protecti<strong>on</strong> obligati<strong>on</strong>s?<br />
4. Should there be an obligati<strong>on</strong> cast up<strong>on</strong> a <strong>data</strong> c<strong>on</strong>troller to grant compensati<strong>on</strong> <strong>on</strong> its<br />
own to an <strong>in</strong>dividual up<strong>on</strong> detecti<strong>on</strong> of significant harm caused to such <strong>in</strong>dividual due<br />
to <strong>data</strong> protecti<strong>on</strong> breach by such <strong>data</strong> c<strong>on</strong>troller (without the <strong>in</strong>dividual tak<strong>in</strong>g recourse<br />
to the adjudicatory mechanism)? What should c<strong>on</strong>stitute significant harm?<br />
5. Are there any alternative views other than the <strong>on</strong>es menti<strong>on</strong>ed above?<br />
877 Secti<strong>on</strong> 99, POPI Act.<br />
200