KNC501/KNC601 Constitution of India, Law and Engineering
Chapter 15: Regulation to Information
Information Technology Act, 2000
The IT Act of 2000 was passed in a budget session of parliament and signed by President K.R. Narayanan in 2000. It was then finalized by India’s Minister of Information Technology, Pramod Mahajan.
The original act addressed electronic documents, e-signatures, and authentication of those records. It also enacted penalties for security breach offenses including damaging computer systems or committing cyber terrorism. Regulating authorities received power to monitor these situations and draft rules as situations arose.
The IT Act underwent changes as Internet technology grew. In 2008, additions expanded the definition of “communication device” to include mobile devices and made owners of given IP addresses responsible for distributed and accessed content.
Privacy was addressed in 2011 when stringent requirements for collecting personal information came into effect.
The most controversial change in this act involves section 66A. It makes “offensive messages” illegal and holds the owners of servers responsible for the content.
That means if an IP address with pornographic images is traced to your servers, you can be held liable for it even if you did not authorize its access.
Penalties range from imprisonment of three years to life, and fines. Offenses that occur in a corporate setting can result in further administrative penalties and bureaucratic monitoring that can prove burdensome to doing business.
Requirements of IT Act 2000:
The IT Act 2000 applies to companies that do business in India. This includes entities that are registered in India, that outsource there, and that maintain servers within the country’s borders.
The act covers all activity involving online exchanges and electronic documents.
If your only connection with India is having customers there, you are not held to the IT Act. The only way you become subject to it is if you run a service or sell a product and also maintain servers there.
For example, Instagram is popular in India with many people participating in that social media app. However, Instagram is a U.S. company and does not need policies complying with the IT Act.
Compliance checklist for IT Act 2000:
Complying with the IT Act and the privacy requirements that follow will be a large effort.
In the end, you will have a more secure system that consumers can use in confidence. These steps will help you meet the requirements of the law in the most efficient way possible.
Know the location of your servers:
India’s IT Act can be a difficult law to follow. It is also one of the few Internet protection and privacy laws that puts responsibility for content on intermediaries, meaning the companies that own the servers.
If your company is located in India and registered there, there is no doubt that you must comply with the act. The same is true if your company is a foreign entity that outsourced to India or maintains servers in India.
Multiple layers of outsourcing can lead to unknown server locations. If you hired a consultant or other company to handle your outsourcing or IT needs, ask them where they keep the servers.
Even if your company is not technically an Indian company, you can still fall under this law if your servers are in India – even if you did not know that was the case.
Follow Privacy by Design:
Many offenses listed in this act arise from security breaches.
Limit access to your servers and create unique login credentials. Also, develop ways to track use on your servers so that if any illegal activity arises, you can link it to an individual rather than have it appear that your entire company is culpable.
It also offers a security explanation to show customers how payments are protected. As you can see, it describes its own Privacy by Design approach in detail with links to relevant sections:
New privacy protection additions passed in 2011 require written permission from users before a company can use personal information. These have been considered burdensome by many companies, although there is also an argument that they provide assurance.
It appears that most companies build automatic acceptance of privacy rules into their Privacy Policies.