File photo for representation

NEW DELHI: Executives of companies found to have engaged - knowingly or "recklessly" - in data theft and illegal processing of 'sensitive personal' information could face criminal proceedings and be jailed up to five years.

This is one of the proposals of the draft bill on data protection submitted by the BN Srikrishna committee to the Centre on Friday.

The committee has proposed that violations of the data protection law should be treated as a cognisable and non-bailable offence, and the investigation should be conducted by an officer not below the rank of an inspector.

Questions sent to spokespersons for Google, Facebook and Twitter on the implications of the proposal remained unanswered on Saturday. Social media and internet giants access and process large amounts of user data.

All members of Srikrishna committee were not in agreement with the proposal. "The inclusion of criminal offences along with the fines and compensation is excessive and would impact the enforcement mechanism greatly," Rama Vedashree, CEO of Data Security Council of India and a member of Srikrishna committee, said.

The draft says that any individual found guilty of leaking sensitive personal information of an individual will attract a jail term of five years and/or a fine of Rs 3 lakh.

The sensitive information includes an individual's passwords, sexual preferences, caste, religion, aadhaar and tax details. Nikhil Pahwa, an independent expert who runs Medianama, said that clause seems to be excessive. "This is certainly harsh," he said.

In case of tampering and sale of personal data of individuals (as different from sensitive personal data), the maximum punishment recommended is 3-year jail terms and/or a penalty of Rs 2 lakh.

The bill covers offences by the central or state governments. It says "where the offence of the Act has been committed by any government department, the head of the department or authority shall be deemed to be guilty of the offence and shall be liable to be punished." The panel has also recommended civil penalties for companies that are found to have breached the personal and sensitive data of individuals. This may extend up to Rs 15 crore, or 4% of global turnover of the preceding financial year, whichever is higher.

