This article is written by Aarushi Chopra, pursuing a Diploma in International Data Protection and Privacy Laws. It discusses, in an analytical manner, whether Section 43A of the IT Act, 2000 is within the parameters of the IT Act, 2000 or not.
This article has been published by Sneha Mahawar.
Enacted in 2000 and amended in 2008, the Information Technology Act, 2000 (“IT Act”) was primarily intended to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce. It was also enacted to facilitate the electronic filing of documents with Government agencies and to amend the Indian Penal Code, 1860; the Indian Evidence Act, 1872; the Banker’s Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934, and for matters connected therewith or incidental thereto.
Section 43A of the IT Act, 2000 deals with “Compensation for failure to protect data” and, since its introduction, it has fuelled a debate about its scope within the Act.
Section 43A of the IT Act, 2000
The Information Technology (Amendment) Act, 2008 (“2008 Amendment”) came into force on 27th October, 2009. It sought to address concerns that the original IT Act of 2000 did not cover, and to account for later developments in IT and the security issues that accompany them. This led to the insertion of Section 43A, which provides for compensation to be paid by a body corporate for its failure to protect data. The section can be read in two parts, wherein –
- A body corporate, possessing, dealing or handling sensitive personal data or information in a computer resource that it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures, and
- thereby causes wrongful loss or wrongful gain to any person,
then such body corporate is liable to pay damages by way of compensation to the person so affected.
Although the 2008 Amendment did not itself define ‘personal data’ or ‘sensitive personal data’, the Explanation to Section 43A provided that ‘sensitive personal data or information’ would mean such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
SPDI Rules, 2011
Further, in 2011, the Central Government notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) under Section 43A of the Act. ‘Sensitive Personal Data or Information’ (“SPDI”) was properly introduced and defined by these Rules, which state that SPDI of a person means such personal information which consists of information relating to –
- Password;
- Financial information (bank account, credit card/debit card, or details of other payment instruments);
- Physical, physiological and mental health conditions;
- Sexual orientation;
- Medical records and history;
- Biometric information.
Any detail relating to the above is also covered by Rule 3 of the SPDI Rules if it is provided to a body corporate for providing a service, or is received by it for processing or storage under a lawful contract or otherwise. This is subject to the exception that information which is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, is not regarded as sensitive personal data or information.
It is important to note that the term ‘sensitive personal data or information’ is made up of two distinct terms, i.e. ‘sensitive personal data’ and ‘sensitive personal information’, and the two should therefore be read separately.
These Rules further define Personal Information (“PI”) as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
Analysis of the question
The question that arises, however, is whether Section 43A and the SPDI Rules made under it fall outside the purview of the IT Act. The following points should be taken into account before answering it:
- The IT Act is principally concerned with electronic records and electronic communication, and rules made under it cannot, in general, be applied to matters outside its purview. Section 43A applies only to SPDI held in a computer resource; it does not reach data stored physically, so its applicability is limited to data stored electronically. The SPDI Rules were framed by the Central Government under Section 87(2)(ob), read with Section 43A of the IT Act, which empowers the Central Government to make rules for the reasonable security practices and procedures and sensitive personal data or information under Section 43A.
It can therefore be argued that the SPDI Rules apply only to PI in electronic form or in a computer resource, and not to PI kept in non-electronic form (such as physical registers or hard-copy documents).
- A press note issued by the Ministry of Communications and Information Technology (MCIT) on August 24, 2011 clarified that the SPDI Rules pertain to SPDI and apply to any body corporate or person located within India. The press note also clarified that a body corporate providing services relating to the collection, storage, dealing or handling of SPDI under a contractual obligation with a legal entity located within or outside India (for example, an Indian outsourcing firm serving a foreign company) is not subject to the collection and disclosure provisions (Rules 5 and 6) of the SPDI Rules.
Section 43A brings only SPDI within its ambit, but the SPDI Rules do not deal with SPDI alone. The phrase ‘personal information or sensitive personal data or information’ is also used in various places. Under Rule 5 of the SPDI Rules, for example, the terms ‘information’, ‘personal information’ and ‘SPDI’, which have different definitions and implications, are used in different sub-rules. This shows an inconsistency between the SPDI Rules and Section 43A.
- What determines the applicability of Section 43A is the location in India of the computer resource in which the SPDI is held, since the SPDI Rules apply irrespective of the nationality of the provider of the information. As a result, information provided by nationals of other countries that is stored, handled or dealt with in a computer resource by a body corporate in India would also be subject to Section 43A.
- It can also be said that the SPDI Rules apply where the body corporate is based in India, regardless of whether the computer resource is located in India or abroad and regardless of the residency status of the individuals concerned. It can further be said that even where the body corporate is abroad but uses an Indian computer resource to handle the data of individuals located in India, the SPDI Rules will apply. Section 1(2) of the IT Act, moreover, extends the Act to “any offence or contravention thereunder committed outside India by any person”.
- The SPDI Rules impose additional compliance requirements over and above setting out reasonable security practices and procedures. Most of these additional compliances fall outside the purview of Section 43A, and it can accordingly be argued that the penalty for non-compliance under Section 43A should not be enforced in respect of them.
- It should also be noted that the operative part of Section 43A is triggered by a negligent failure that results in wrongful loss or wrongful gain to any person. Compensation under Section 43A would therefore not be attracted unless a wrongful loss or gain has actually occurred.
- For the purposes of Section 43A, ‘body corporate’ means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The SPDI Rules, however, do not require that the body corporate collect personal data as part of its regular commercial or professional operations for the Rules to apply; a body corporate is subject to the SPDI Rules so long as it engages in any kind of professional or commercial activity. Conversely, a person or entity not engaged in commercial or professional activity would not be covered by the SPDI Rules.
After analysing the points above, it can be said that the scope and applicability of the SPDI Rules are not in accordance with Section 43A of the IT Act. It can further be said that the SPDI Rules are outside the scope of the IT Act, whereas Section 43A itself is not. With almost 12 years having passed since the SPDI Rules came into force, these inconsistencies have still not been resolved, making it easier to find loopholes in the law and take undue advantage of them.
Accordingly, the Digital India Act, 2023 is proposed to be released by the Ministry of Electronics and Information Technology to replace the Information Technology Act, 2000 and the rules made under it. The Digital Personal Data Protection Bill, 2022, a draft of which was released for public consultation in November 2022, and the Digital India Act are intended to be enacted by Parliament and to operate concurrently. The legislation’s primary goal is to create a comprehensive, central framework to deal with data protection, intermediary regulation and cybercrime.
On 9th March 2023, at the Digital India Dialogues held in Bengaluru, the proposed Digital India Act was presented and its objectives and proposed provisions were laid out. With the IT Act being a 22-year-old law, introduced at the beginning of the internet era and unable to keep up with new technologies, the Digital India Act is a much-awaited step. Only time will tell what the bill’s initial draft will look like.
References
- Information Technology Act, 2000.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.