21 December 2020
India's Information Technology Act, 2000 or IT Act, is a subject of contention and controversy. As it is amended, it contains some of the most stringent privacy requirements in the world and has the unfortunate impact of holding intermediaries liable for illegal content.
You can read the contents of the law act here.
If you operate from/in India, you need to understand the IT Act in order to avoid potential penalties.
This overview will discuss the provisions and requirements set forth in the IT Act and a compliance checklist so your privacy and data protection strategies are planned correctly with the context of this law.
The IT Act of 2000 passed in a budget session of parliament and signed by President K.R. Narayanan in 2000. It underwent further finalization by India's Minister of Information Technology, Pramod Mahajan.
The original act addressed electronic documents, e-signatures, and authentication of those records. It also enacted penalties for security breach offenses including damaging computer systems or committing cyber terrorism. Regulating authorities received power to monitor these situations and draft rules as situations arose.
The IT Act underwent changes as Internet technology grew. In 2008, additions expanded the definition of "communication device" to include mobile devices and placed owners of given IP addresses responsible for distributed and accessed content.
Privacy was addressed in 2011 when stringent requirements for collecting personal information came into effect.
The most controversial change in this act involves section 66A. It makes "offensive messages" illegal and holds the owners of servers responsible for the content.
That means if an IP address with pornographic images is traced to your servers, you can be held liable for it even if you did not authorize its access.
Penalties arrange from imprisonment of three years to life and fines. Offenses that occur in a corporate setting can result in further administrative penalties and bureaucratic monitoring that can prove burdensome to doing business.
The IT Act 2000 applies to companies that do business in India. This includes entities registered in India, outsource there, and maintain servers within the country's borders.
The act covers all activity involving online exchanges and electronic documents.
If your only connection with India is having customers there, you are not held to the IT Act. The only way that can occur is if you run a service or sell a product and also maintain servers there.
Complying with the IT Act and the privacy requirements that follow will be a large effort.
In the end, you will have a more secure system that consumers can use in confidence. These steps will help you meet the requirements of the law in the most efficient way possible.
India's IT Act can be a difficult law to follow. It is also one of the few Internet protection and privacy laws that puts responsibility for content on intermediaries, meaning the companies that own the server.
If your company is located in India and registered there, there is no doubt that you must comply with the act. The same is true if your company is a foreign entity that outsourced to India or maintains servers in India.
Multiple layers of outsourcing can lead to unknown server locations. If you hired a consultant or other company to handle your outsourcing or IT needs, ask them where they keep the servers.
Even if your company is not technically an Indian company, you can still fall under this law if your servers are in India - even if you did not know that was the case.
Many offenses listed in this act arise from security breaches.
Limit access to your servers and create unique login credentials. Also, develop ways to track use on your servers so if any illegal activity arises, you can link it to an individual rather than make it appear your entire company is culpable.
It also offers a security explanation to show customers how payments are protected. As you can see, it describes its own Privacy by Design approach in detail with links to relevant sections:
New privacy protection additions passed in 2011 require written permission from users before a company can use personal information. These have been considered burdensome by many companies, although there is also an argument that they provide assurance.
It appears that most companies work in automatic acceptance of privacy rules in their Privacy Policies.
India Times adds a privacy consent in its agreement that is not much different than in other parts of the world:
Check out our free tools for website owners:
Then, support good Privacy by Design processes so at least your customer's data is secure and you do not face complaints. If you feel better developing written permission processes, take those steps with clickwrap methods perhaps.
If your online service or app involves exchanging material, develop screening so you can control user-generated content before it posts.
Discovering slanderous content after the fact can still result in legal liability so you want to be as proactive as possible.
Just as avoiding security breaches can keep you in line with privacy and IT protection laws, taking the same approach to possibly illegal content will also help you. You will likely have to implement extensive moderation procedures to control content. Also, your security precautions can prevent hacks and other illegal activity that places disruptive items on your server.
Addressing user-generated content in your Terms and Conditions is also helpful.
BillDesk contains provisions about monitoring client behavior:
This is important because not only do you need to monitor client use of your servers but you also need the authority to do so.
Placing terms like this in your legal agreements grants that expectation and in some cases, may serve as a deterrent to people who wish to stir up trouble using your systems.
India's IT Act 200 is a stringent yet evolving piece of legislature.
Stringent user conduct standards and monitoring use of your systems is also necessary.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.