How Indian Businesses Need to Protect Their Customer Data under the IT Act, 2008


Article Written by Vinamrata Yadav. Edited by Sugandha Nagariya.

We live in a smart world where we depend on sensors, apps and other connected tools that hold our vital data. The present era is often termed the "age of data", because using internet services, from social media to email to instant messaging platforms and many others, routinely involves sharing personal data.

Have you ever wondered what happens after you collect your customers' data and share it with advertisers, or when you use third-party cookies on your website?

Also, have you ever thought about what the laws for data protection in our country are, and whether you are playing it safe with regard to those laws?

Well, you'll find all those answers, as well as answers to many more queries that might arise out of data protection in business, below in this article.

Now, there are various laws laid down in legislation for the protection of an individual's personal data, such as:

  1. the Personal Data Protection Bill,
  2. the Indian Contract Act, 1872, and
  3. the Information Technology Act, 2008.

Various other statutes also contain provisions for data privacy in India.

Among these provisions, the personal data protection rules are best described in the Information Technology Act, 2008.

In this article, I will be decoding the IT Act, 2008 in detail for you, so that you can learn the implications and requirements for protecting your customers' data, as well as the penalties if you get it wrong.

A Little Background

The Information Technology Amendment Act, 2008 is an update to the IT Act that takes into account new technologies, increasing cyber crime, the growth of the business outsourcing industry in India and rising global concern about data privacy and security.

Prior to the amendment, the Act focused more on individual hacking than on systematic data protection.

The pre-amendment IT Act imposed liability on any "person". After the amendment, the Act recognizes the organizations, businesses and companies that handle customers' personal data, and gives them the responsibility to protect that data by imposing liabilities on organizations and businesses that misuse the personal information of their customers.

What is meant by Personal Data?

The Information Technology Amendment Act, 2008 introduced the concept of personal data.

"Personal data" has not been defined in the legislation.

However, the Information Technology Rules define the term "personal information" as any information that relates to a natural person which, either directly or indirectly, in combination with other information available with a body corporate or business, is capable of identifying that person.

Important Provisions for Personal Data Protection

There are various provisions in the Information Technology Amendment Act, 2008 that ensure the security of the vital or confidential data of companies' customers.

The sections of the ITAA 2008 that state such provisions are as follows:

Section 66, Sections 66A to 66F, Section 69, Section 69A, Section 79, Section 72 and other related sections.

Strict Fines and Penalties

The IT Act, 2008 also provides provisions for taking stringent action against defaulters. It contains both fines and penalties. Strict fines and penalties act as a deterrent and ensure that firms and businesses invest in quality cyber security mechanisms. The penalties, compensation and adjudication are described in Chapter 9 of the IT Act, 2008.

Application of Strict Data Privacy Rules in Business

The data privacy rules introduced under the Act in 2011 have been described as stringent by some Indian and US firms, which consider them a barrier to outsourcing. These rules require companies to obtain written permission from their customers before collecting and using their personal data.

  • These rules put US firms in a conundrum when sourcing data to Indian companies, because it was difficult for them to collect customer data while following such strict data privacy rules. They described these data privacy rules as too strict for US firms.
  • On the other hand, a few companies welcomed these strict rules, saying that they would remove outsourcing to Indian companies.
  • The rules under the Indian IT Act govern the collection and use of personal information, including banking and medical details. Banking details refers to bank account numbers, credit card numbers, etc.
  • The new measures were designed to ensure that all customer-related information collected by companies is secured. They obligate the persons, organizations or companies who control sensitive personal information, such as passwords, bank account details, credit card numbers, medical records and biometric data, to build the best technical management system and to operate information security practices along with a dispute resolution process.

Protection measures to be taken by Indian businesses to secure personal data

Indian businesses have seen an exponential rise in connectivity in the past few years. With the rise of Indian business, malicious practices have developed among hackers and other people who gain unauthorized access to the personal data of a company's customers.

Such criminal practices have increased gradually as more businesses use technical means to store customers' personal data.

The IT Amendment Act, 2008 is a significant step towards protecting people from cyber crime and identity theft. Indian businesses need to take the IT Act, 2008 into consideration to protect their customers' personal data.

Importance of Section 43A

Companies doing business in India, or India-based companies, have to give special importance to Section 43A of the IT Act.

This section provides that the company will be held accountable for a breach or loss of any personal data of its customers. Section 43A states:

“where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in maintaining and implementing reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”

Section 43A of the IT Act talks of reasonable security practices and procedures to be followed by a body corporate that possesses, deals with or handles personal data or information.

However, most government departments and agencies cannot be classified as a body corporate, and hence they are beyond the purview of Section 43A's compliance requirements.

While these laws restrict the free operation of data analytics and marketing businesses, it should be noted that this is done in the larger public interest.

Users should be informed about how much of their data has been used by the company. It is important for customers to know where their personal data is being used in the business.

Changes in Law on Data Protection throughout the World

The European Union General Data Protection Regulation (GDPR) has set 4% or 20 million euros, whichever is higher, as the limit on the fine for unlawfully using any personal data.

Italy's data protection authority has fined five companies in excess of 11 million euros for the unlawful processing of personal information. Strict fines and penalties like these help ensure cyber security.

Employee Monitoring

While businesses should try to maintain the anonymity of the data they collect, there is a growing need for employees to be monitored by a higher authority so that they do not misuse customers' data.


Relevant Cases to be Considered by Businesses in India


Courts have on several occasions interpreted "data protection" as falling within the ambit of the "right to privacy" implicit in Article 19 and Article 21 of the Constitution of India.

Many companies rely upon the Contract Act to protect this data.

Technology may get smarter, but the weakest chink in the armour is humans.

While there are several instances of data being leaked due to human error, there are also various cases of data theft in businesses.

  • In February 2017, M/s Voucha Gram India Pvt. Ltd., owner of a Delhi-based e-commerce portal, made a complaint to the Hauz Khas police under the IT Act against hackers from different cities. The company filed complaints for theft, cheating, misappropriation, criminal conspiracy, criminal breach of trust, and the cyber crimes of hacking, snooping and tampering. Four hackers were subsequently arrested by South Delhi police for digital shoplifting.
  • A 25-year-old technology dropout from Rajasthan leaked Reliance Jio's customer data on a website called magicapk. The Maharashtra government arrested the man from Rajasthan and action was taken against him. He was charged with data theft and unauthorized access.

From the above cases it is clear that businesses in India have to look into their cyber security more often. These cases serve as an example to other businesses to ensure better data security for the development of the business.

Relevant Sections of the IT Act 2008 to be Focused on by the Indian Businesses to Ensure Data Security

The IT Act, 2008 contains various provisions that need to be considered by companies in India. Some of the important sections are mentioned below:

  • Section 43A: This section deals with compensation for failure to protect data. The section states that:

"Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected."

By way of explanation: "body corporate" means Indian companies.

  • Section 66: This section deals with computer-related offences. The section states that:

If any person, dishonestly or fraudulently, does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Section 66 was applied in the Reliance Jio case, in which the man dishonestly used the data, which is considered an offence under the IT Act, 2008.

  • Sections 66A to 66F

These sections deal with the punishment for computer-related offences such as identity theft, sending offensive messages, dishonestly receiving stolen computer resources, violation of privacy, etc.

66A. Punishment for sending offensive messages through communication service, etc. – Any person who sends, by means of a computer resource or a communication device,

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation. – For the purposes of this section, the terms "electronic mail" and "electronic mail message" mean a message or information created or transmitted or received on a computer, computer system, computer resource or communication device, including attachments in text, image, audio, video and any other electronic record which may be transmitted with the message.

66D. Punishment for cheating by personation by using computer resource. – Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

66E. Punishment for violation of privacy. – Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation. – For the purposes of this section:

(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;

(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;

(c) "private area" means the naked or undergarment clad genitals, pubic area, buttocks or female breast;

(d) “publishes” means reproduction in the printed or electronic form and making it available for public;

(e) "under circumstances violating privacy" means circumstances in which a person can have a reasonable expectation that:

(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or

(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

You may think that this is highly irrelevant to your business, but with IoT devices like Google Home and Alexa filling almost every household, this is no longer a far cry.

In fact, Google Glass sparked fear among users because it could not be turned off, leading to fears of privacy violation.

Also, there have been instances of hackers getting into home CCTV cameras and live-streaming the footage to thousands of viewers.

As such, if you are in the business of IoT devices, you need to be very cautious about this section, as well as the rules and notifications made under it.

  • Section 67C: This section deals with the preservation and retention of information by intermediaries. The section states that:
  1. An intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe.
  2. Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine.

This section is usually applicable to platform-based services that connect buyers, sellers or businesses with each other.

  • Section 72A: Under this section, disclosure without consent exposes a person, including an "intermediary", to imprisonment of up to three years, a fine of up to five lakh rupees, or both.

This section uses the term "personal information" instead of "sensitive personal information" as used in Section 43A. Hence it could apply to any information obtained in order to deliver services, which in some ways broadens the definition of information.

This section may come into play when you use third-party cookies to track users' preferences. Therefore, if you are using third-party cookies, you always need to provide users with a link to your privacy policy on your web page.

Further, note that if you have a privacy policy page and are using cookies in accordance with it, and you want to change the terms and conditions for collecting user data, you need to first change your website's privacy policy, or else you might get sued.

These are some important provisions of the Information Technology Act, 2008 that you should look after if you do not want to get sued!

Wrapping the IT Act Up

Information technology management and security need to be looked at by all companies for various reasons, including customer assurance and compliance, customer regulation, protection of information assets, a better data protection framework, prevention of violations of customers' privacy and identity theft, indigenous cyber security solutions, etc.

Plus, customers are getting increasingly concerned about their privacy. In fact, a study found that telling customers beforehand that you are going to respect their personal data produced a huge boost in email list sign-ups.


Author Bio: Vinamrata Yadav is an LLB student at Delhi University and an intern at WinSavvy.

Editor Bio: Sugandha Nagariya is a law student at GLC, Mumbai and an intern at WinSavvy.com.
