IT Act 2000 (Amended 2008)

Section 72A

Punishment for Disclosure of Information in Breach of Lawful Contract

THE STATUTE

Original Text

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

Simplified

Section 72A is the IT Act's private-sector data breach criminal provision, extending the concept of Section 72 (which targets government officials) to service providers and intermediaries in contractual relationships. The provision has four essential elements that must all be established: (1) the accused was providing services under a lawful contract; (2) they accessed personal information in the course of those services; (3) they disclosed that information without the data subject's consent or in breach of the contract; and (4) the disclosure was made with intent to cause wrongful gain or loss (or with knowledge that wrongful gain or loss was likely).

The intent requirement ('with intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain') is significant: it excludes inadvertent or negligent data breaches from criminal liability under Section 72A. Accidental data leaks are addressed through the civil liability framework under Section 43A (compensation for failure to protect sensitive personal data).

Section 72A applies in practice to: employees of IT and BPO companies who sell customer data to competitors or fraudsters; healthcare providers who disclose patient records in violation of service agreements; fintech companies that share user financial data beyond the contractual scope; and call centre agents who misuse customer information for identity fraud.

The DPDP Act 2023 creates a parallel framework for data breach penalties, though that Act's provisions are yet to be fully operationalised, and Section 72A continues to apply.

Common Queries

No. Section 72A requires intent to cause wrongful gain or loss, or knowledge that wrongful gain or loss is likely. Accidental or negligent data breaches are addressed through the civil liability framework under Section 43A — not Section 72A.
The DPDP Act 2023 creates a parallel civil penalty framework for data breaches (up to ₹250 crore). Section 72A continues to govern criminal liability for intentional contractual data breaches. Both can apply simultaneously to the same incident.
Yes. Section 72A applies to 'any person' providing services under a lawful contract — which includes employees who access customer data in the course of employment and then intentionally disclose it.

Legal Evolution

Section 72A was inserted by the IT (Amendment) Act 2008. Its creation was partly driven by the high-profile cases of Indian BPO employees selling customer data of multinational companies' clients — a pattern that emerged in the mid-2000s and threatened India's reputation as a data processing destination. The provision addressed a gap: Section 72 only covered government officials, leaving private sector data handlers outside the criminal framework.

Key Amendments

Inserted by IT (Amendment) Act 2008 — no equivalent in original IT Act 2000.

DPDP Act 2023 creates additional civil penalty framework for data breaches — Section 72A continues to govern criminal liability.

Fine ceiling of ₹5 lakh is higher than Section 72's ₹1 lakh — reflecting greater commercial scale of private sector breaches.