IT Act 2000 (Amended 2008)

Section 43A

Compensation for Failure to Protect Data

THE STATUTE

Original Text

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Simplified

Section 43A, inserted by the 2008 Amendment, is India's first statutory data protection liability provision for corporations. It makes a 'body corporate' (a company, and also a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities) civilly liable when it handles 'sensitive personal data or information' (SPDI) negligently and thereby causes harm. The liability is negligence-based rather than strict: three elements must be proved: (1) the organisation possesses, deals with or handles SPDI in a computer resource it owns, controls or operates; (2) it was negligent in implementing and maintaining 'reasonable security practices and procedures'; (3) that negligence caused wrongful loss or wrongful gain to a person. The provision enabled the Central Government to frame the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, which define SPDI as passwords, financial information (bank account, card and other payment instrument details), physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. The Rules require a body corporate to publish a privacy policy, obtain consent before collecting SPDI, and allow individuals to withdraw that consent. Section 43A sets no statutory cap on compensation; the ₹1 crore ceiling in the original 2000 text of Section 43 was itself removed by the same 2008 Amendment, and under Section 46(1A) an Adjudicating Officer hears claims up to ₹5 crore while larger claims go to the competent civil court, leaving the officer considerable discretion within that limit. Critically, Section 43A remained the primary data protection provision until the DPDP Act 2023; Section 44(2) of the DPDP Act provides for Section 43A to be omitted, and until that omission takes effect Section 43A and the SPDI Rules continue to apply.

Common Queries

The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 define sensitive personal data to include passwords, financial information, health data, sexual orientation, biometric data, and similar categories.
A 'body corporate', per the Explanation to Section 43A, means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities; in practice this covers essentially any business entity that handles personal data.
Rule 8 of the 2011 Rules names IS/ISO/IEC 27001 as one standard that qualifies as reasonable security practices; an approved industry code of practice notified by the Central Government may also qualify. A body corporate that implements such a standard and has its compliance certified or audited by an independent auditor at least once a year is treated as having met the requirement; adopting the standard without audited implementation is not enough.

Legal Evolution

Section 43A was enacted in response to a wave of call centre data theft scandals in 2005-2007, where employees of BPO companies were selling customer data from UK and US banks. It was also influenced by the UK Data Protection Act 1998 and the EU Directive 95/46/EC. The SPDI Rules 2011 under Section 43A became India's primary data protection regulation for over a decade until the DPDP Act 2023, making 43A historically the most consequential data privacy provision in Indian corporate law.

Key Amendments

Inserted by IT (Amendment) Act 2008 as India's first corporate data protection liability norm.

Enabled the IT (SPDI) Rules 2011 which defined sensitive personal data categories.

No upper limit on compensation. The ₹1 crore cap in the original Section 43 was removed by the same 2008 Amendment, and Section 46(1A) routes claims above ₹5 crore from the Adjudicating Officer to the competent civil court.

Section 44(2) of the DPDP Act 2023 provides for Section 43A to be omitted from the IT Act; the omission takes effect when that provision is brought into force, and Section 43A continues to apply until then.

Landmark Precedents

In re: PNB Data Breach (2018)

Adjudicating Officer Proceedings
RELEVANCE

Adjudicating officers across states have handled Section 43A complaints involving banking data breaches, applying the SPDI Rules as the benchmark for 'reasonable security practices'.