Should Data Protection Bill 2022 re-evaluate its penalties?
Imposing financial penalty slabs based on market share or a portion of a company's annual revenue could be a positive step. Additionally, it would be appropriate for the Data Protection Board's assessment of penalties to consider the impact of the organisation's violation.
Today, India has the world’s second-largest number of internet users, with more than 837 million active users. India observed an internet boom when Jio entered the telecom industry in 2016 and revolutionised how we interact with the digital world by providing free internet. Such a disruptive event made it possible for millions of Indians from all economic brackets to enter the internet age.
This shift towards the digital space eventually resulted in a massive surge in the internet economy, with over 50% growth in 2022, contributing more than 16% to the country’s GDP.
Now that we are so accustomed to using mobile apps for navigation, banking, and document storage, we need to realise how much information we are sharing online. This rapid increase in online activity exposes personal data to high-risk cybersecurity threats. For instance, a seemingly innocuous piece of data may serve as a primary resource for profiling individuals, targeting ads, predicting consumer trends, and much more. And as India continues to be the breeding ground for social media giants, these companies are interested in the data treasure trove of the country.
Businesses today frequently run the risk of unknowingly breaking data privacy laws since their security procedures aren’t keeping up with the constantly changing cyber risk environment. Organisations are increasingly susceptible to a wide range of cyber assault techniques from hackers and cybercriminals. Such attacks are not just a threat to the organisation’s business data but also to the extensive repository of employees’ and clients’ personal information.
When discussing online data, we must consider the magnitude of the impact that each organisation can have based on its access to personal information.
Considering India's recent hike in online activity, the country is in dire need of data protection regulations. A data protection regulation ensures the security of personal information and governs its collection, use, transfer, and disclosure. Furthermore, its role includes access to the data of individuals and accountability measures for businesses that process personal data, complemented by the remedies for unauthorised and harmful data processing.
As user-generated data grows and the individual value of data increases exponentially, government bodies are becoming more and more responsible for protecting citizens' data rights. Thus, the Digital Personal Data Protection Bill 2022 was released by the Indian Ministry of Electronics and Information Technology (MeitY) in November 2022. This Bill has allowed a more sophisticated vision of personal data protection that balances individual and public interest rights.
One of the most notable aspects of the Bill is its provision of the penalty imposed on an organisation in case of infringement.
According to the 2022 Bill, penalties for noncompliance can amount to as much as Rs 500 crore, depending on the nature of the violation. Several factors may be considered when determining the quantum of penalties, including the nature, gravity, and duration of noncompliance, the type of personal data affected, or the repetitive nature of noncompliance.
The figures in the Bill represent the maximum penalty. We hope the regulations grade them in proportion to the offence and the company's size, so they are not onerous.
Consider that Meta's profit in 2021 was over Rs 3 lakh crore, Google's profit was over Rs 6 lakh crore, and Apple's profit was over Rs 7 lakh crore. As a result, the penalty for companies like Meta, Amazon, Apple, Netflix, and Google will be less than 0.05% of their profits. On the other hand, such a penalty would be crippling for most Indian IT startups or businesses in the digital sector. Even well-established Indian companies that own big data and are vulnerable to data breaches (like banks) are subject to stringent penal provisions.
Furthermore, startups are put on an uneven footing with larger organisations when penalties for non-compliance are calculated without considering the business's market share. Therefore, imposing financial penalty slabs based on market share or a portion of annual revenue could be a positive step. Additionally, it would be appropriate if the Data Protection Board's assessment of penalties considers the impact of the violation done by the organisation.
Data is essential to every country and industry, and India's recognition of this is a positive sign. It opens the door for businesses and the government to collaborate to strengthen the law regarding privacy and innovation further.
Sanjay Jain is a Partner at Bharat Innovation Fund and Chief Innovation Officer at CIIE.co. He is also a volunteer with iSPIRT, the software product industry think-tank of India.
Edited by Megha Reddy
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)