India will soon join the ranks of data secure countries with the passage of the draft Personal Data Protection Bill (PDPB) into the Act by the Parliament. The Bill has been drafted by the Srikrishna Committee and released on Jul 27th, 2018 after almost a year of deliberations regarding the need for data privacy and the impact privacy laws have on technological innovation and the development of the digital economy.

The Bill addresses a number of significant issues around the protection of personal data and maintaining data privacy such as the grounds on which personal data can be used, the rights people have over their personal data, and the responsibilities of companies and other bodies when dealing with personal data.

In line with EU GDPR, India PDPB has also proposed hefty penalties on those companies in contravention of the proposed law. However, the Bill goes one step further because it also prescribes imprisonment as a possible result of violations. So what are these penalties, who has to pay for them, and how should you avoid them?


The Bill prescribes both financial penalties as well as imprisonment for contraventions of data privacy law based on the gravity of the violation. The maximum financial penalty under the Bill is Rs. 15 Crore or 4% of “total worldwide turnover”, whichever is higher for contraventions relating to unlawful or illegal processing among others. The lesser penalty of Rs. 5 Crore or 2% of “total worldwide turnover” (whichever is higher) is for contraventions such as not carrying out a privacy impact assessment or taking measures to contain data breaches. Other penalties ranging from Rs. 5000 per day to Rs. 50 lakh have also been prescribed for failures to comply with rights, orders of the commission, disclosure requirements, etc.

Criminal penalties in the form of imprisonment ranging from 3 to 5 years have been prescribed for obtaining, disclosing, selling or transferring personal data and sensitive personal data in contravention of the Bill’s provisions, as well as for re-identification of de-identified data without the consent of such data fiduciary or data processor.

Who imposes these penalties?

The Bill authorizes the Adjudicating Officer to determine when the penalties are to be imposed as well as the valuation of those penalties.

Where criminal liability is incurred, the criminal justice machinery will address the matter much like any other criminal complaint, with the police conducting an investigation and the trial courts subsequently, entertaining the case.

Who is liable?

The penalties have been imposed on ‘data fiduciaries’ which may be either public sector or private sector. The criminal liability has been imposed on any individual processing personal data in contravention of the Bill’s provisions either “knowingly, intentionally or recklessly”. Where the offences are committed by companies, the Bill holds directors liable for private sector corporate bodies and the Heads of Departments for public sector bodies.

What shall you do at macro level?

The liabilities – civil and criminal – under the Bill are enough to give anyone pause. They question, then becomes, what should you do to ensure you don’t incur such penalties. The recourse is surprisingly simply. Although the Bill is still in draft form and no-one can tell what it will finally look like, It is better to start preparing early. There are a series of steps any organization can take to ensure a minimum level of data privacy & protection, based on global best practices.

Ensure your organization has an internal data governance and data privacy policy based on which you process personal data. Based on this internal policy, conduct a data inventory to identify what data you have, where you have it, what you use it for, and how you have secured your data. This inventory becomes a roadmap for subsequent gap assessment, risk assessment, data protection impact assessment (for significant data fiduciaries) to determine the changes you need to make internally to ensure both data protection and privacy. Finally, implement such changes and build control mechanisms based on regular oversight and revisiting of your data governance systems including privacy by design.

If you have this data management infrastructure in place, complying with the final edition of the Personal Data Protection Bill, which will be passed by the Parliament, will entail comparative moderate customization and changes based on the new legal requirements otherwise significant efforts will be required to be compliant with the bill. Not surprisingly, most organizations will fall in later category.

Sandeep Arora

Co-founder & CEO, CyberImmersions Solutions

The ideas, view and opinions expressed above are those of the author and do not necessarily reflect the opinions or official position of any agency, organization, employer, or company. The views expressed are for informational purposes only. They are not intended to constitute legal advice.