Indian Ministry of Electronics and Information technology (MeitY) is drafting the final data protection law and new rules under the IT Act imposing harsh penalties for not reporting a data breach, as reported by Economic Times.

The decision comes after massive data breaches reported in public statements of the companies. In particular, tech giants Google and Facebook have had multiple data breaches of significant magnitude in recent times. The former leaked data of about half a million Indian users and the latter about 50 million. Google had decided to shut down Google+ services after the massive breach.

On the breach, a Google spokesperson told ET that the company goes beyond legal requirements to apply several user-focused criteria to determine whether to provide notice, like the type of data involved, evidence of misuse, possible actions that could be taken by the developer etc. He added that the recent breach did not qualify any of these criteria.

Despite the IT Act 2008 introducing financial penalties for not reporting data breaches, companies have repeatedly failed to inform the government even after multiple attempts by latter to contact them. Officials feel that government penalties rarely exceed one lakh rupees, an amount too low to incentivise action.

Public policy lead Nehaa Chaudhari at Ikigai Law was quoted as saying, “increasing penalties to increase reporting of incidents is one way of looking at it. Regulators around the world, be it under GDPR or the data protection bill are resorting to fairly high penalties but it only goes so far, we also need a legal and regulatory framework to support them”. She added that there should be clarity in the law about what constitutes a data breach and how quickly the company has to report it.