What are the penalties for non-compliance with any applicable data protection laws?
Noncompliance with Data Privacy Laws and Data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
When a corporate entity in India is negligent in implementing security practices and procedures and it results in a wrongful loss/gain to a person, then the corporation is required to pay damages to the affected individual(s). There is no prescribed cap on damages. Punishment can include imprisonment of up to three years and/or a fine of up to 500,000 rupees. In addition, there are penalties for failing to provide and maintain information and documents required under the Information Technology Act (IT Act):
- Failure to file a return or provide books or other documents within the required timeframe could result in a liability of up to INR 5,000 for each day it’s delayed.
- Failure to maintain books or records creates a liability of up to INR 10,000 for each day the failure continues.
Criminal punishment may result when a service provider discloses personal information without consent in the course of performing a contract or, in breach of a contract with the intention to cause, or knowing it’s likely to cause, wrongful/loss or gain (IT Act, Sec. 72A).
Noncompliance with India’s Data Protection Rules, which doesn’t fall into one of these categories, may still result in penalties under the IT Act with the corporate entity liable for paying compensation of up to INR 25,000. Failure to respond to information requests or direction from the Indian Computer Emergency Response Team (CERT-In) can result in imprisonment for up to one year or a fine of up to INR 100,000.
HR Best Practices: When processing personal data, ensure everyone is following the security and consent measures outlined in the Information Technology Act. In the event of a possible data breach, reach out to CERT-In as soon as possible and follow their instructions.