The new data protection law, likely to be introduced for discussion during the monsoon session of parliament that begins from July 20, will add penal provisions for entities that flout “voluntary undertaking” commitments, officials aware of the matter have said.

The punishments are meant to give teeth to a provision in the law that will potentially allow companies to proactively inform the future data protection board about privacy breaches and undertake remedial measures, which could help them avoid otherwise hefty fines.

“The voluntary undertaking may include an undertaking to take specified action (such as reporting a data breach) within a specified time, an undertaking to refrain from taking specified action, and an undertaking to publicize the voluntary undertaking, the new draft states,” one of these persons said.

Fines under the data protection law, if a company is found to have violated its provisions, can otherwise extend up to ₹500 crore, according to the draft.

The law, as per a draft in the public domain, will set up a Data Protection Board that will become the de facto regulator, with the power to monitor incidents and lay down penalties. “The acceptance of the voluntary undertaking by the Board shall constitute a bar on proceedings under the provisions of this act as regards to the contents of the voluntary undertaking,” this person said, implying that once a voluntary undertaking is accepted, other proceedings may not be initiated.

But breaching these commitments itself may lead to a fine, this person said, adding that this is a new provision being baked into the draft law.

The previous version of the Act also underlined the need for voluntary undertakings but did not specify a fine for the same or what would happen if these were violated.

The data protection law has been long overdue and the government has had to go back to the drawing board more than once after previous attempts were seen to have failed to strike a balance between privacy and ease of compliance. The latest draft too has been criticised for several lapses. But focussing on voluntary undertaking avenues, and making them enforceable, is a welcome step since cybersecurity experts have warned that privacy laws must not become so cumbersome that they dissuade companies from coming clean – the sooner a breach is mitigated, the better the outcomes are.

The proposed law has been criticised for giving the government excessive leeway in framing rules and protocols outside of the parent legislation. The independence of the regulator too has been a matter of some debate.

The voluntary undertaking mechanism has precedent in other data privacy laws. Singapore in 2020 amended its data protection laws to create similar avenues, and such steps have been considered by the UK.