NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

Information Technology Act

type
Regulation
Jurisdiction
Full Name
Information Technology Act (Information Technology Act, 2000)
Official Name
Information Technology Act, 2000

Description

Description
Source

Information Technology Act (IT Act), 2000 Overview

The Information Technology Act of India is a landmark legislation that provides the legal framework for electronic commerce, digital signatures, cybersecurity, and data protection in India. Enacted in 2000 and significantly amended in 2008, this law aims to facilitate e-commerce while protecting digital transactions and personal data.

The Act is particularly notable for introducing the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules (SPDI Rules) in 2011, which established India's first comprehensive data protection framework.

Key Objectives and Scope

  • Legal recognition of electronic transactions
  • Establishment of cybersecurity frameworks
  • Protection of sensitive personal data
  • Regulation of digital signatures and electronic authentication
  • Cybercrime prevention and enforcement

Key Requirements and Obligations

  1. Data Protection Requirements:

    • Implementation of reasonable security practices
    • Protection of sensitive personal data
    • Mandatory compensation for data breaches causing losses
  2. Corporate Obligations:

    "Where a body corporate, possessing, dealing or handling any sensitive personal data or information [...] is negligent in implementing and maintaining reasonable security practices and procedures [...] shall be liable to pay damages"

Technical and Operational Requirements

  • Electronic signature implementation standards
  • Security procedures and practices under section 16
  • Information security practices for protected systems
  • Encryption methods and standards

Compliance Mechanisms

  1. Regulatory Oversight:

    • Central Government authorized to make rules
    • Appointment of adjudicating officers
    • Establishment of appellate mechanisms
  2. Security Practices:

    • Must follow prescribed security procedures
    • Implementation of data protection measures
    • Regular security audits and assessments

Implementation Framework

Key Authorities:

  • Controller of Certifying Authorities
  • Adjudicating Officers
  • Appellate Tribunal

Territorial Scope

  • Applies throughout India
  • Covers all electronic transactions within Indian jurisdiction
  • Applies to both Indian and foreign entities handling Indian data

Enforcement Provisions

  1. Penalties and Compensation:

    • Compensation for failure to protect data
    • Civil and criminal penalties for violations
    • Powers to investigate cybersecurity incidents
  2. Regulatory Powers:

    • Section 43A: Compensation for data protection failures
    • Section 87: Rule-making powers of Central Government
    • Section 70: Protected systems and critical infrastructure

Projects Following this Regulation

Project
Website
Source

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page