What is the news?
A report of the Joint Committee of Parliament on the Personal Data Protection Bill has been tabled in Lok Sabha and Rajya Sabha.
The committee has recommended the formation of a Data Protection Authority (DPA).
What will be the purpose of the Data Protection Authority (DPA)?
The Data Protection Authority (DPA) will deal with privacy and personal data as well as non-personal data.
Composition of DPA
The Chairperson and the members of the DPA shall be appointed by the Union government based on the recommendation of a selection committee chaired by the Cabinet Secretary.
Other members of the committee would be the Attorney General of India and the IT and law secretaries.
Nominated members: An independent expert and a director each from the IIT and the IIM will be nominated by the Centre.
How will the DPA work?
In case of a data leak, the DPA should be notified within 72 hours of the company becoming aware of the breach.
The DPA shall then take into account the personal data breach and the severity of harm that may be caused to the persons whose data has been leaked. Accordingly, it will ask the company to report it and take appropriate remedial measures.
What penalties and punishments have been recommended in the report?
If the company fails to take prompt and appropriate action following a breach, does not conduct a data audit or does not appoint a data protection officer,
– it should attract a penalty of up to Rs 5 crore or 2% of the total worldwide turnover of the preceding financial year, whichever is higher.
Further, if a company violates the provisions of processing personal data or data of children, or transfers data outside India against the prescribed rules,
– it shall be fined up to Rs 15 crore or 4% of its total worldwide turnover of the preceding financial year, whichever is higher.
For government departments, the liability in case of a data breach will not be placed directly on the head of the department.
– The head of the government department will first conduct an in-house probe to determine the officer responsible for the violation, and only then will the liability be decided.
A person who intentionally, and without the consent of the data fiduciary or data processor, re-identifies personal data that has been de-identified will face
– a jail term of up to 3 years or a fine of up to Rs 2 lakh or both.
Source: This post is based on the article “Data breach to be reported in 72 hours: House joint panel” published in Indian Express on 17th Dec 2021.