Introduction: Companies Liable for Data Breaches Under Section 43A
The Information Technology (IT) Act, 2000 governs digital activities in India. It provides legal recognition to electronic records and digital signatures. It also sets rules for cybercrime, data protection, and electronic governance.
Under Section 43A of the IT Act, 2000, companies must protect sensitive personal data. If they fail to follow reasonable security practices, they can face legal action. Victims of data breaches can sue for compensation if negligence is proven.
The law thus holds companies accountable for weak data protection measures.
What Is Section 43A Of The Information Technology Act, 2000?
According to Section 43A of the IT Act, if a company owns, controls, or operates a system that handles sensitive personal data, it must follow strong security practices.
When a company fails to do so due to negligence, it can cause harm. This includes wrongful loss or gain to individuals.
In such cases, the company must compensate the affected person. The law holds the company responsible for not protecting data properly.
Who Is a Body Corporate Under Section 43A of the IT Act?
Section 43A of the IT Act, 2000 defines “body corporate” broadly. It includes companies, firms, sole proprietorships, and associations of individuals.
These entities must be involved in commercial or professional activities. This definition matters because Section 43A applies only to them.
They are responsible for protecting sensitive personal data in any computer system they own, control, or operate. Failure to secure such data can lead to compensation claims.
What Are The SPDI Rules Under The IT Act?
The SPDI (Sensitive Personal Data or Information) Rules fall under the IT Act, 2000. They were notified in 2011 under Section 87(2) read with Section 43A. These rules apply to all companies and individuals in India.
SPDI includes passwords, bank details and card information, health records, sexual orientation, and biometric data.
Companies must get written consent before collecting SPDI.
Users can withdraw consent or update their data at any time.
SPDI can be shared with third parties only if the user consents or the sharing is required by law.
Data transfers are allowed if the recipient ensures equal protection and if the transfer is necessary for a contract or done with consent.
Firms must follow reasonable security practices.
Standards like IS/ISO/IEC 27001 are recommended for compliance.
SPDI should not be stored longer than needed.
Delete the data once the purpose is fulfilled.
Every company must appoint a grievance officer. Complaints must be resolved within 30 days.
Analysis
The SPDI Rules provide extra compliance guidelines.
They cover how companies should collect, store, and share sensitive personal data.
Experts debate whether Section 43A and the SPDI Rules fully align with the IT Act.
The IT Act mainly covers digital communication and electronic records.
A company is liable only if negligence causes wrongful gain or loss. Without proven harm, compensation under Section 43A does not apply.
Conclusion
In conclusion, a company must follow proper data protection practices.
If it fails to do so and causes wrongful loss or gain, it must pay compensation. This applies when negligence leads to harm due to poor data security. Further, Section 43A applies only to data processed or stored electronically. It does not cover data stored only in physical form unless that data is used via electronic systems.