NOVEMBER 28, 2021
NEW DELHI: Independent directors and non-executive directors on the board of a top social media, internet or electronics hardware company should also face legal and criminal proceedings for wilful offences around data violations and in cases of complicity or negligence, the parliamentary panel on personal data protection (PDP) has said.
The committee, which examined the various provisions of the Personal Data Protection Bill, 2019, threadbare, advocated the inclusion of non-executive directors in cases of offences committed by companies. “… the committee desires that a proviso… may be inserted to cover these two categories of directors,” it said, while making the key recommendation.
However, the joint parliamentary committee (JPC) — headed by senior BJP leader and former minister P P Chaudhary — said they should be held liable “only if it is shown that the acts of omission or commission by the company had occurred with his/her knowledge or with his/her consent attributable to him/her or where he/she had not acted diligently.”
The original PDP Bill had said that apart from action against the company for the violations, those facing action for complicity or negligence would be the executive directors, manager, secretary or other officers of the company.
The JPC report, while widening the scope of the officials who will face action, however, requested leniency when a person was successful in proving his or her innocence. “… the person shall be free from ‘proceedings’ and ‘punishment’ once he/she proves innocence… (and) the offence was committed without his/her knowledge or that he/she had exercised all due diligence to prevent the commission of such offence.”
The recommendations of the panel — which also has members such as Jairam Ramesh, Manish Tewari, Vivek Tankha, and Gaurav Gogoi (from Congress), Derek O’Brien and Mahua Moitra (from Trinamool Congress), and Amar Patnaik (from Biju Janata Dal) — have also gone into the issue of companies mandatorily reporting any data breaches to the proposed Data Protection Authority (DPA) within a period of 72 hours.
The original bill had not made any mention of a specific timeline within which companies had to report data breaches to the authorities, even as evolved laws such as Europe’s GDPR mandate 72 hours for such notifications. Saying that the present provisions are open-ended and do not mention any specific timeline, the Committee said “there should be a realistic and finite time frame” to report a data breach to the Authority. “The Committee, therefore, recommends… a time period of 72 hours for reporting of data breach.”