NEW DELHI: In what may spell relief for global technology giants such as Facebook, Instagram, Google, Amazon and Apple, the joint Parliamentary panel on personal data protection bill has recommended against imposing hefty penalties on internet behemoths even in case of serious data breaches and violations, and has left the matter in the hands of the government. Penalties were fixed at Rs 15 crore or 4% of global turnover (whichever is higher) in the original Data Protection Bill of 2019.
The Joint Parliamentary Committee (JPC) on Personal Data Protection Bill, headed by BJP's P P Chaudhary, who is also a former minister in the Narendra Modi government, has said that it will be challenging to work out global turnover of companies, especially when the digital landscape is changing rapidly.
"In the committee's view, such quantification may not be feasible as there are no clear mechanisms to quantify the 'world-wide turnover' of a company and that too along with its group entities. Also, keeping in view the rapidly changing dynamics of evolving digital technologies, the committee feels that it would be prudent to enable the government to quantify the penalties," the panel has recommended. The recommendations of the panel - which also has members such as Jairam Ramesh, Manish Tewari, Vivek Tankha, and Gaurav Gogoi (from Congress), Derek O'Brien and Mahua Moitra (from Trinamool Congress), and Amar Patnaik (from Biju Janata Dal) - will be a big relief to the internet giants, especially as many of them have been under regulatory scanner across the globe over user-info violations, data breaches, unlawful processing, and lax oversight.
Companies such as Facebook and Instagram have been under probe in India over various violations, including a CBI inquiry over the Cambridge Analytica episode, while many allegations have been made against Amazon and its handling of data. The revelations by whistleblower Frances Haugen has only highlighted ineptness of the FB group in content moderation across the world as also in India, as the company was accused of prioritising profits over safety.
The JPC recommendations said of specifying penalties "may be modified". The original bill had described the 'total worldwide turnover' as the "the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary". According to the original bill, the top penalty was mandated for serious violations that include violations in processing of personal data of users and that of children, failure to adhere to security safeguards, and violations in transfer of personal data outside India.
The JPC also did away with the penalty of Rs 5 crore or 2% of worldwide turnover for violations such as failure to take prompt and appropriate action in response to a data security breach, failure to register with the proposed data protection authority, failure to undertake a data protection impact assessment or conduct a data audit, and failure to appoint a data protection officer.