New Delhi: The Union government will pocket the penalties it collects from physical and online companies and platforms that misuse personal data, the Telegraph reported.The Digital Personal Data Bill (DPDP) said “all sums realised by way of penalties imposed by the Data Protection Board under this Act, shall be credited to the Consolidated Fund of India”.According to analysts, this clearly indicates that the person whose data has been breached would not get any compensation.While the Data Protection Board has the authority to impose a penalty of up to Rs 250 crore on an entity for a personal data breach, none of this compensation goes to the user, who is the victim of the data breach.Additionally, the Bill removes section 43A of the IT Act, 2000, which provides such compensation, the report noted.The DPDP Bill allows the Data Protection Board to levy a penalty of up to Rs 10,000 if users fail to perform their duties as listed in the Bill.One of the duties, for example, is that users should not register false or frivolous grievances or complaints with a Data Fiduciary or the Data Protection Board.Commenting on this provision, analysts told the daily that it could “deter users from filing complaints in the first place in fear of a fine. A Bill that’s about protecting the right to privacy of users should not be levying any penalties on users.”Also read: Why the Personal Data Protection Bill Won’t Stop Data Proliferation in Digital IndiaSection 43A of the IT ActThis provision, as mentioned earlier, provides for compensation for failure to protect data. However, in the absence of it, “the simple remedy of approaching an authority would also stand deleted without alternatives being provided in the DPDP,” analysts told the newspaper.“Section 43A of the IT Act provides for damages payable by compensation to the affected person. However, the DPDP Bill has not touched on compensation payable to the affected person. This approach taken under the DPDP Bill is a deviation from several data protection legislations across the world,” Supratim Chakraborty, partner at Khaitan and Co, told the Telegraph.On the other hand, Shardul Amarchand Mangaldas & Co., in a statement, said that the DPDP Bill only “imposes monetary liabilities for any contraventions, in line with India’s moves towards de-criminalisation of economic offences. The DPDP Bill also allows entities to provide voluntary undertakings to the Data Protection Board for undertaking specific actions.”It hailed it as a “positive step in accordance with prevailing global best practices.”According to the ministry of information technology, the Digital Personal Data Protection Bill, 2023 aims to “provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.”The Bill was tabled in the Lok Sabha on August 3 even as opposition members demanded that the Bill be sent to a parliamentary committee.Opposition members, including Congress MP Adhir Ranjan Chowdhury and Nationalist Congress Party MP Supriya Sule, had raised concerns about the lack of compensation for victims of data theft in the Bill.Apart from that, concerns were raised about the aggressive amendments being made to the Right to Information (RTI) Act, which several experts and opposition members believe will lead to corruption.
