Firms stealing your data? Their executives may be jailed for up to 5 years

Worried that the big fish at big companies that misuse your personal data might escape the long arm of the law? Rest easy. Executives and heads of companies that are caught knowingly or "recklessly" engaging in data theft and the illegal processing of your sensitive personal information could be jailed for up to five years if the recommendations of a recently submitted draft Bill on data protection are accepted by the government.

While submitting its recommendations for a data protection law to the Centre on Friday, the panel led by Justice B N Srikrishna has proposed that such executives should face criminal proceedings, reported the Times of India on Sunday. Further, the report said that not all members of the committee were in agreement with this proposal.  

The national daily has detailed the proposals made by the panel.  

Here's what the B N Srikrishna committee's draft Bill proposes:

  • Treat violations of the data protection law as a cognisable and non-bailable offence 
  • Investigations into the matter should be conducted by an officer not below an inspector's rank
  • Those guilty of leaking sensitive personal information of individuals should be jailed for five years and/or be fined Rs 300,000
  • Sensitive information includes passwords, caste, religion, sexual preferences, Aadhaar, and tax details 
  • Those guilty of tampering with and sale of individuals' personal data (different from sensitive personal data) should get, at maximum, a punishment of three years in jail and/or a penalty of Rs 200,000

The Srikrishna committee's recommendation that data related to Aadhaar, Right to Information and health care should be included under the data protection framework would mean amendments in 70-odd Acts.

Here are some other recommendations made by the panel:

  • Explicit consent must be taken for processing sensitive personal data like biometrics, sexual orientation, and religious or political belief
  • At least a copy of such personal data should be stored in India
  • Stringent penalties in case of any violation or misuse of personal data by public or private entities
  • If a company fails to take prompt and appropriate action to curb the effects of a data breach, it should be fined up to Rs 50 million or two per cent of its worldwide turnover in the preceding financial year, whichever is higher
  • In case of a breach or misuse of personal data, sensitive data or the personal information of children, the company should be fined up to Rs 150 million or 4 per cent of its global turnover, whichever is higher 
  • Sensitive personal data should only be processed within India
  • Aadhaar Act should be amended "significantly" to bolster privacy safeguards
  • Only public authorities discharging public functions approved by the UIDAI or entities mandated by law should be given the right to request identity authentication
  • People should have the 'Right to be Forgotten' -- which allows a person to demand that links to online information about them be removed from search engine results if the data are outdated or irrelevant  

What is the panel and what was it formed to do?

The government had constituted the 10-member committee in July 2017 to recommend a framework for securing personal data in the increasingly digitised economy and also to address privacy concerns and build safeguards against data breaches.

Headed by Justice B N Srikrishna, the panel handed the report to Electronics and Information Technology Minister Ravi Shankar Prasad on Friday, wrapping up nearly one year of deliberations that touched upon sensitive and controversial issues.   
