Srikrishna Panel proposals: Privacy breaches to attract monetary penalties

While submitting its recommendations for a data protection law to the Centre on Friday, the panel led by Justice B N Srikrishna has proposed hefty penalties on corporates who fail to uphold the country’s data privacy laws.

The committee has recommended that misuse of data by any private entity should attract a fine of a fixed amount set by law or a certain percentage of that company’s worldwide turnover.

Experts are of the opinion that this provision is very similar to what the European Union has done through its General Data Protection Regulation (GDPR).

In situations where a company fails to take prompt and appropriate action to curb the effects of a data breach, the panel has suggested a fine of up to Rs 50 million or two per cent of that entity’s worldwide turnover in the preceding financial year, whichever is higher.

It proposes that the authorities increase the penalties significantly in the case of a breach or misuse of personal data, sensitive data or the personal information of children, with a fine of up to Rs 150 million or 4 per cent of that company’s global turnover, whichever is higher.

“I felt that the committee was going down the GDPR route when it came to penalties. The penalties and the whole structure is very much geared towards regulating corporations. This will not apply to the government. While there are some provisions for penalising the government, I’m still concerned about it targeting only corporations,” said Rahul Matthan, Partner at Trilegal.

The recommendations come in the backdrop of the Cambridge Analytica scandal which saw data of over 80 million Facebook users being wrongly used to sway public perception during the US presidential elections last year. The scandal has shaken up governments across the world, which are currently investigating the role of the company in facilitating such a breach. 

On Thursday, Ravi Shankar Prasad, Minister of Electronics & Information Technology, said that the Centre had ordered a CBI probe into the Cambridge Analytica case to determine if the company had got access to data of Indian users.

Overall, experts say that the Srikrishna committee proposals have taken an aggressive slant towards protecting the data and privacy of users, while asking for entities collecting data to do so in a strictly prescribed manner. This could hurt India’s allure as a massive upcoming market, especially for large global technology companies and in some cases for local startups as well.

The report submitted to the central government on Friday even mandates that sensitive personal data should only be processed within the bounds of the country. There is even a provision for the ‘Right to be Forgotten’ which is very much in line with the European data privacy laws.