The penalty of ₹500 crore in the recently released draft Digital Personal Data Protection (DPDP) Bill, 2022, is not set in stone. A highly placed source at the Ministry of Electronics and Information Technology (MeitY) said the table of penalties will be modified and the penalty may go up to even ₹10,000 crore.

Under the draft DPDP Bill 2022, the government has raised the penalty amount to up to ₹500 crore, from the earlier proposed ₹15 crore or 4 per cent of the global turnover of the entity, apart from setting up a Data Protection Board of India.

The draft has proposed a graded penalty system for data fiduciaries, which will process the personal data of owners only in accordance with the provisions of the Act. The draft proposes a penalty of up to ₹250 crore if the data fiduciary or data processor fails to protect data in its possession from breaches.

As part of the non-compliance provisions, failure to notify the board and affected data principals in the event of a personal data breach, and non-fulfilment of additional obligations in relation to children, will also attract a penalty of up to ₹200 crore, the draft noted.

“This financial table will keep changing... this is not a cast in stone. If somebody has an imagination that ‘I made a benefit of ₹1,000 crore by data breach and will pay a fine of ₹500 crore’, there will be a shock for them... this table will be modified for the rules at that time and penalty may go up to even ₹10,000 crore,” the source said. It is a signal that this is absolutely clear about imposing punitive financial penalties on those who violate the rights of consumers, the source added.

“So, ₹500 crore is what we start with... there is nothing in the language that says ₹500 crore is for the entire breach. If there were 1,000 people affected by a breach and there are 1,000 complainants, so 500 to 1,000 is a nice number that would make anybody behave better,” the source added.

The provisions deal with informing an individual about the purpose of data collection, collection of children’s data, risk assessment around public order, and appointment of a data auditor, among others. The draft is open for public comments till December 17.