IT Act 2000

Section 72

Breach of Confidentiality and Privacy

THE STATUTE

Original Text

Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Simplified

Section 72 creates a criminal check on government overreach — it penalises officials who use their IT Act access powers and then improperly disclose the information they obtain. The provision applies to anyone who has 'secured access' under IT Act powers: tax authorities accessing business records, CERT-In officials reviewing security logs, Adjudicating Officers examining dispute evidence, or government agencies conducting lawful interception under Section 69. If any such person then discloses that information to an unauthorised person, they commit a criminal offence under Section 72. This is the IT Act's built-in confidentiality protection on the state side. However, the provision has limitations: it is non-cognizable (police cannot arrest without a magistrate's order) and bailable — making it a relatively weak deterrent compared to the intrusive powers it is meant to check. Section 72A (added by 2008 Amendment) extends this concept to contractual relationships: service providers who disclose user data in breach of a lawful contract also face punishment.

Common Queries

Section 72 applies to any person who has secured access to information using powers conferred under the IT Act — including Adjudicating Officers, government-authorised investigators, CAs auditing subscriber information, and interception agency officials.

No. Section 72 protects against disclosure by government officials. Section 72A protects against disclosure by private service providers in breach of contract. The DPDP Act 2023 creates additional data protection obligations.

Imprisonment up to 2 years and/or fine up to ₹1 lakh. The offence is bailable and non-cognizable.

Legal Evolution

Section 72 was in the original IT Act 2000 as a counterbalance to the broad access powers given to government authorities. The 2008 Amendment added Section 72A to extend the principle to private sector data breaches where information is disclosed in violation of a service contract — an important step toward data protection for users of private digital services.

Key Amendments

Section 72A added by 2008 Amendment covering breach of contractual data confidentiality by service providers.

DPDP Act 2023 creates more comprehensive data breach obligations that may progressively supersede 72A.

Cyber Protocol Info

Section Type: ORIGINAL

OffenceDisclosing information obtained during lawful access/interception without the person's consent

CognizableNon-Cognizable

Trial AuthorityAny Magistrate

Cross-References

72A : Punishment for Disclosure in Breach of Lawful Contract 69 : Interception and Monitoring Powers 43A : Compensation for Data Protection Failure