The digital personal data protection draft bill has proposed a penalty of up to ₹250 crore for various matters of non-compliance. Though the upper band of ₹250 crore seems a big amount for ordinary citizens or even Indian tech start-ups, it is a negligible amount for global tech giants.
The draft bill seems heavily tilted in favour of global tech giants. By not insisting on data-processing within Indian jurisdiction, the bill has left the back-door open for countries like the US, where some of these tech giants are based, to invade Indians' data privacy. The bill also seems to make it easy for these giants to pay the penalties rather than comply with the law.
At an assumed rate of ₹80 per dollar, the profit booked by Meta in 2021 was ₹3.12 lakh crore, Google booked ₹6.08 lakh crore, and Apple made ₹7.52 lakh crore in profits. Thus the penalty to be paid by companies of the stature of Meta, Amazon, Apple, Netflix and Google will be less than 0.05% of their profits.
However, for Indian tech start-ups or companies in the digital domain, which are mostly loss-making, such a penalty would be back-breaking. Even established Indian companies that hold big data and are susceptible to data breaches (like banks) are at the receiving end of the penal provisions. A case in point is ICICI Bank, which recorded a PAT of ₹23,339 crore in FY22: the damage to profit from such a penalty would be approximately 20 times what it would be for the big five. Even for the biggest lender in the country, the State Bank of India (SBI), whose data has been hacked previously and whose FY22 PAT stands at ₹31,676 crore, the penalty would still be large in proportion to its profits.
Ironically, the penalty provisions in the current draft are quite different from those in earlier versions of the bill. In earlier drafts, the penal provisions for non-compliance were tied to the annual turnover of the data fiduciary. Linking the penalty to annual turnover was a feature lifted from Europe's General Data Protection Regulation (GDPR). It is still not clear under what pressure or circumstances the current draft bill has removed the monetary penalty linked to annual turnover and converted it into a penal provision of up to just ₹250 crore, a paltry amount for mega global tech companies.
GDPR fines have made non-compliance around data security a costly mistake, and they fall into two levels. Less severe infringements result in a fine of 10 million euros or 2% of the firm's annual revenue for the preceding financial year, whichever is higher. Serious violations can result in a fine of up to 20 million euros or 4% of the firm's annual revenue for the preceding year, whichever is higher.
GDPR is one of the toughest privacy and security laws globally, and global tech giants are taking all necessary steps to follow its rules. In the last calendar year, Amazon was handed a mammoth 746 million euro fine (₹6,341 crore, assuming ₹85 to the euro) while WhatsApp was given a massive 225 million euro fine (₹1,912 crore) for data privacy breaches.
In a hypothetical event where the Pentagon, empowered by the US Patriot Act, decides to rummage through the private data of Indian citizens stored on US soil, what kind of penalty does India hope to levy on data fiduciaries storing that data in the US? Moreover, the moot question is: would penalising non-compliance serve the purpose of data-privacy laws at all?