Can Directors Face Criminal Liability under India's New Data Protection Law?

Can a Director in a Company be criminally prosecuted under the Digital Personal Data Protection Act 2023 for any significant data breach?

An interesting aspect of the DPDPA is that, for the first time, a substantial law in India does not provide for any criminal liability. Sec. 33(1) of the DPDPA provides that the Board is empowered to impose penalties ranging from Rs 10,000 in case of breach of duties by a Data Principal up to Rs 250 crore if a Data Fiduciary fails to take reasonable security safeguards to prevent a personal data breach (the nature of safeguards will be provided under the Rules).

Shri Rajeev Chandrasekhar, Hon. Minister of State - Ministry of Electronics and Information Technology, said in a recent interview that the DPDPA is a modern law that does away with criminal liability and imposes 'punitive civil penalties' in case of DPDPA violation.

If the experience of the last decade is any indicator, we are well aware of how hastily the Company Law was drafted, to the extent that it provided for criminal liability even in case of minor offenses. Subsequently, the government decriminalized many minor violations, focusing instead on imposing penalties. That was a significant step indeed. Similarly, the law governing LLPs and other similar laws were also decriminalized.

One can argue that for sensitive topics like data protection, strong deterrents assume significant importance, and hence, imposing criminal liability on directors or board personnel for violations of a Data Protection Law must be an option and may be a last resort.

But one must not forget that severe violations of one's privacy through impersonation, cheating, forgery, hacking, using personal information, voyeurism, etc., are offenses punishable with imprisonment (in some cases) under the Indian Penal Code and other substantive laws.

In addition, some of the other arguments that can be made in having only civil penalties are as follows:

  1. Criminal liability is generally limited to actions that significantly affect society. In the case of the DPDPA, not all violations may warrant such severe punishment. Many breaches may be unintentional or a result of organizational complexities rather than an individual's malicious intent. As such, subjecting directors or board members to criminal liability for such violations may be disproportionate to the harm caused (I hope this becomes the norm under the Company law also one day).
  2. India aims to become a digital tech powerhouse. The Startup ecosystem, despite the recent hiccups, is booming slowly. As such, a balance between data protection and innovation is necessary, and if directors or board members are subjected to criminal liability for every data protection infringement, it can discourage them, thereby stifling technological advancements and economic growth.
  3. A somewhat less persuasive argument is that if a majority of offenses are made criminal, directors' and Board members' attention may veer away from proactive measures. Concealment for fear of punishment may become the norm, and rather than focusing on implementing robust data protection practices, companies could prioritize protecting individuals from criminal charges. Ultimately, this will hinder the overall effectiveness of data protection efforts. As has been the case with Independent Directors and the criminal charges they faced or are facing under corporate laws, criminal liability under the DPDPA may discourage qualified persons from taking up leadership roles. Lastly, companies are anyway being held accountable for data protection breaches through fines, regulatory actions, and reputational damages. Hence, criminal liability assumes a (relatively) lesser relevance.

As far as I know, the GDPR also provides only for civil penalties (punitive). Comparatively, some articles suggest that the UK's data protection law has some criminal liabilities in case of serious offenses.

Similar to the decriminalization trend, future governments may introduce criminal penalties based on experiences gained in the first three or five years of fully implementing the law.

It will be a wait-and-watch situation for all till then.

Read previous articles in the series:

  1. Cookies and Data Protection Law
  2. Difference between Data Protection and Data Privacy Law
  3. Why do we need a Data Privacy Law?

Venkat Ramanujam Sankar Ram

CEO - adityaaenergy.com | Certified Environment Social Framework Specialist - World Bank Group | Certified Independent Director - IICA, MCA, Govt. of India | Member - AIMA | Distinction holder

1 yr

In-depth analysis

Shekhar R Singh

Company Secretary & Compliance Officer

1 yr

Well articulated. Thanks.
