On February 5, 2009, the President of India signed into law the Information Technology (Amendment) Act, 2008 (the “ITAA”)3, a robust amendment to the country’s Information Technology Act, 2000 (the “IT Act”).

For companies doing business in India or with Indian entities, Section 43A of the ITAA is of particular importance. Section 43A is a new provision designed to hold companies accountable for the protection of personal data. It provides:

“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”

Perhaps one of the more important consequences of the ITAA is that it introduces the concept of personal data into Indian law. The original IT Act punished unauthorized extraction of or damage to data, but it did not explicitly target personal data. The ITAA, however, requires companies to maintain the security of “sensitive personal data,” thus recognizing that certain data deserves a higher level of protection.

The ITAA, however, limits the protections afforded to “sensitive” personal data, which is defined in the act as “such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.” The Central Government of India has not yet prescribed what constitutes “sensitive personal data,” but the DSCI, at the government’s behest, has recommended that personal information be defined consistently with the EU Data Directive,8 as information that can identify an individual through one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Sensitive personal information, however, would be defined more narrowly to include health and financial data (but not embracing the broader EU concept of data regarding racial, ethnic, political and religious beliefs, which the DSCI has noted is often publicly known in India).

Taken from Technology Law Section, State Bar of Georgia.