Section 43A IT Act — Definition & Legal Meaning in India

Also known as: Section 43A · Compensation for Data Breach · Body Corporate Liability IT Act

Statute: Information Technology Act, 2000, Section 43A
New Law: Digital Personal Data Protection Act, 2023, Section 33 (Data Protection Board penalties) and Section 44(2) (omission of Section 43A of the IT Act once brought into force)
Landmark Case: We the Citizens v. Union of India (Writ Petition (C) No. 607/2021)

Section 43A of the IT Act is the statutory provision that makes a body corporate liable to compensate a person who suffers wrongful loss because the body corporate was negligent in implementing and maintaining reasonable security practices and procedures for sensitive personal data or information that it possesses, deals with or handles in a computer resource it owns, controls or operates. Inserted by the Information Technology (Amendment) Act, 2008 (in force from 27 October 2009), it is the IT Act's civil-liability provision for data breaches. Under Section 46(1A), claims for injury or damage up to Rs 5 crore are adjudicated by the Adjudicating Officer; claims above that threshold go to the competent civil court. The Digital Personal Data Protection Act, 2023 provides in Section 44(2) for Section 43A to be omitted, so the provision is transitional: it remains operative only until that omission is brought into force.

Section 43A of the Information Technology Act, 2000 provides:

Section 43A — Compensation for failure to protect data: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

The key elements of liability under Section 43A are:

  1. Body corporate: Defined in the Explanation to Section 43A as any company, and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
  2. Sensitive personal data or information: As prescribed in Rule 3 of the SPDI Rules, 2011: passwords; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; and related details supplied to or processed by the body corporate under a lawful contract. Information freely available in the public domain or furnished under the Right to Information Act, 2005 is excluded
  3. Negligence: The body corporate must have been negligent in implementing and maintaining reasonable security practices and procedures (which, under the Explanation, may be fixed by agreement between the parties, by any law in force, or, failing both, by the Central Government's prescription in the SPDI Rules)
  4. Wrongful loss or wrongful gain: The negligence must have caused wrongful loss or wrongful gain to a person; compensation is payable to the person so affected. Mere non-compliance without resulting loss does not complete the cause of action

The operative rules are the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), notified on 11 April 2011, which prescribe the categories of sensitive personal data or information (Rule 3) and the security standards a body corporate must implement (Rule 8), alongside requirements on privacy policy, consent, disclosure and transfer of such data (Rules 4 to 7).

How courts have interpreted this term

Shreya Singhal v. Union of India [(2015) 5 SCC 1]

This case concerned Sections 66A, 69A and 79 of the IT Act. The Supreme Court struck down Section 66A as an unconstitutional restriction on free speech under Article 19(1)(a), upheld Section 69A and its blocking rules, and read down the intermediary safe harbour in Section 79. The judgment does not construe Section 43A itself. Its relevance to Section 43A is indirect: the Court's insistence that liability under the IT Act rest on clear, objectively determinable standards rather than vague expectations is consistent with reading "negligence" in Section 43A against the concrete standards prescribed by the SPDI Rules.

Sabu Mathew George v. Union of India [(2018) 3 SCC 229]

This case did not concern Section 43A or data protection: it dealt with search engines displaying advertisements for pre-natal sex determination contrary to the Pre-conception and Pre-natal Diagnostic Techniques Act, 1994, and the Court directed the intermediaries to auto-block such content. The Supreme Court decision that frames data protection in India is Justice K.S. Puttaswamy (Retd.) v. Union of India [(2017) 10 SCC 1], which held that privacy, including informational privacy, is a fundamental right under Article 21 and called on the Union to enact a comprehensive data protection law. The process that followed led to the DPDP Act, 2023, which is the statute that now provides for Section 43A's omission.

Adjudicating Officer, IT Act — Various State Orders (2018-2023)

Adjudicating Officers appointed under Section 46 (in practice, the Secretaries of the State and Union Territory departments of information technology) have adjudicated Section 43A claims involving unauthorised access to banking information, leakage of personal data by service providers, and negligent handling of sensitive health data. The typical inquiry involves: (1) whether the data constituted "sensitive personal data or information" under Rule 3; (2) whether the body corporate had implemented reasonable security practices under Rule 8, that is, IS/ISO/IEC 27001 or an approved code of best practice, backed by a documented information security programme and the required audit; and (3) whether the negligence caused quantifiable wrongful loss to the complainant.

Why this matters

Section 43A remains the operative civil-liability provision for data breaches until it is omitted under Section 44(2) of the Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP Act replaces rather than supplements it: once in force, it establishes a comprehensive framework for personal data protection enforced by the Data Protection Board, and the DPDP Rules supersede the SPDI Rules. During the transition, Section 43A continues to apply to failures to protect sensitive personal data or information as defined under the SPDI Rules.

For businesses handling sensitive personal data or information, Section 43A creates a clear financial liability for security failures. The threshold question is whether the body corporate has implemented "reasonable security practices and procedures". Rule 8 of the SPDI Rules treats IS/ISO/IEC 27001, or a code of best practice approved and notified by the Central Government, as meeting that standard, provided the body corporate also maintains a comprehensive documented information security programme with managerial, technical, operational and physical controls commensurate with the information assets protected, and has the practices audited at least once a year (and after any significant upgrade) by an auditor approved by the Central Government. The safe harbour is therefore evidentiary, not automatic: after a breach the body corporate must be able to demonstrate, when called upon, that the controls in its documented programme were actually implemented. Conversely, the absence of a 27001 certificate does not by itself establish negligence; reasonable practices can also be fixed by contract or by other applicable law under the Explanation to Section 43A.

For individuals whose data has been compromised, Section 43A provides a direct cause of action against the body corporate. The claim must be filed before the Adjudicating Officer (for claims up to Rs 5 crore) or a competent civil court (for claims exceeding Rs 5 crore). The claimant must prove negligence, causation, and actual harm.

A practical challenge is that Section 43A is a compensation remedy without any fixed tariff: the claimant must prove individual wrongful loss, which is hard to quantify where the harm from a breach is diffuse and delayed. The DPDP Act takes the opposite approach. Its penalties, up to Rs 250 crore for failing to take reasonable security safeguards to prevent a personal data breach, are imposed by the Data Protection Board and credited to the Consolidated Fund of India; the Act contains no provision for compensating the affected individual. Once Section 43A is omitted, a data principal's statutory route to compensation for a breach falls away, leaving only general remedies in contract and tort.


Frequently asked questions

Does Section 43A still apply after the DPDP Act, 2023?

Yes, for the time being. Section 44(2) of the DPDP Act provides that Section 43A of the IT Act shall be omitted, but that omission takes effect only on the date the Central Government notifies for it. Until then Section 43A, read with the SPDI Rules, 2011, remains the basis for compensation claims arising from negligent handling of sensitive personal data or information. The two regimes are not designed to operate in parallel indefinitely: the DPDP Act and its Rules are intended to replace the SPDI framework.

What is the maximum compensation under Section 43A?

Section 43A as enacted does not prescribe an upper limit on compensation. The Rs 5 crore figure is a jurisdictional threshold under Section 46(1A): claims up to Rs 5 crore are adjudicated by the Adjudicating Officer, and claims exceeding Rs 5 crore must be filed before the competent civil court. The compensation awarded is based on the wrongful loss or wrongful gain proved by the claimant.

What qualifies as "reasonable security practices"?

Under Rule 8 of the SPDI Rules, 2011, a body corporate is considered to have implemented reasonable security practices if it follows IS/ISO/IEC 27001 or a code of best practice approved and notified by the Central Government, maintains a comprehensive documented information security programme and policies, and has the practices audited at least once a year by a Central Government-approved auditor. A body corporate that meets these conditions and can show, after a breach, that the documented controls were actually in place has a strong defence against Section 43A liability; the Rule does not excuse a body corporate that holds a certificate but cannot demonstrate implementation.

Who can file a complaint under Section 43A?

Any person who has suffered wrongful loss because of a body corporate's negligence in protecting their sensitive personal data or information can file a complaint. Claims up to Rs 5 crore are filed before the Adjudicating Officer appointed by the Central Government under Section 46 of the IT Act; claims above that amount are filed before the competent civil court.


This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.

Last updated: 2026-03-27. Veritect provides this content for informational purposes and does not constitute legal advice.

Written by
Veritect. AI
Deep Research Agent