Section 43A and SPDI Rules – India’s First Attempt at Data Protection

  • Writer: Crypticroots
  • Mar 18

Before India had a comprehensive data protection law, privacy protection existed only in fragments: reactive, limited, and often overlooked. Yet within this fragmented framework lay the first serious attempt to regulate personal data, quietly embedded in cyber law.


What Are Section 43A and the SPDI Rules?

India’s earliest structured framework for data protection emerged through:

  • Section 43A of the Information Technology Act, 2000

  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Here, Sensitive Personal Data or Information (SPDI) refers to specific categories of personal data requiring higher protection.

Together, they formed India’s first legal attempt at regulating the handling of personal data by private entities.


Section 43A – Legal Provision Explained

What Does Section 43A Provide?

On 27 October 2009, Parliament inserted Section 43A into the IT Act to address data security and privacy. Section 43A states:

  • A body corporate handling Sensitive Personal Data or Information (SPDI)

  • Must implement reasonable security practices and procedures

If it fails to do so and thereby causes:

  • Wrongful loss, or

  • Wrongful gain

It is liable to pay compensation to the affected individuals.


Who Is a “Body Corporate”?

The term includes:

  • Companies

  • Firms

  • Sole proprietorships

  • Associations engaged in commercial activities

Government entities were largely excluded, which was a key limitation.


SPDI Rules, 2011 – Operational Framework

The Sensitive Personal Data or Information (SPDI) Rules, 2011 were introduced to provide practical guidelines for implementing Section 43A.

They regulate:

  • Collection

  • Storage

  • Processing

  • Disclosure of sensitive personal data


Key Components of the SPDI Rules

1. What Is Sensitive Personal Data or Information (SPDI)?

Not all data was protected — only what was considered “sensitive.”

SPDI includes:

  • Passwords

  • Financial information (bank details, credit cards)

  • Health data

  • Sexual orientation

  • Medical records

  • Biometric information

General personal data was not covered, creating a major gap.


2. Consent Requirement

An early version of consent — present, but not powerful.

  • Consent must be obtained before collecting SPDI

  • Must be:

    • In writing, or

    • In electronic form

However, it lacked the sophistication of modern consent standards.


3. Privacy Policy Requirement

Organizations must:

  • Publish a privacy policy

  • Clearly disclose:

    • Type of data collected

    • Purpose of collection

    • Usage and disclosure practices


4. Reasonable Security Practices

Organizations must implement:

  • Security measures such as:

    • ISO/IEC 27001 standards, or

    • Equivalent safeguards

Failure → liability under Section 43A


5. Data Transfer Restrictions

SPDI can be transferred only if:

  • The recipient ensures the same level of data protection, and

  • Transfer is:

    • Necessary for contract performance, or

    • Consent-based


Practical & Compliance Perspective

At the time, organizations were expected to:

  • Implement basic data security measures

  • Draft and publish privacy policies

  • Obtain consent for handling SPDI

However, in reality:

  • Compliance was often minimal and formalistic

  • Many companies treated it as a checkbox requirement

  • Awareness and enforcement remained limited


Key Limitations of Section 43A & SPDI Rules

1. Narrow Scope

Protection existed, but only for a select category of data.

  • Covered only SPDI

  • Ignored vast amounts of personal data


2. Limited Applicability

Not all actors were regulated.

  • Applied only to body corporates

  • Government largely outside its scope


3. Weak Enforcement Mechanism

No central authority to enforce compliance.

  • No dedicated regulator

  • Reliance on adjudication for compensation


4. Absence of Data Principal Rights

Individuals had little to no control.

  • No right to:

    • Access

    • Correction

    • Erasure


5. Outdated Framework

Designed for a simpler digital world.

  • Could not address:

    • Big data analytics

    • AI-driven profiling

    • Platform-based ecosystems


Real-World Context

Consider a company before the Digital Personal Data Protection Act (DPDP Act), 2023:

  • It collects payment data → regulated under SPDI

  • It tracks browsing behavior → not regulated

This created a massive regulatory gap, leaving most personal data unprotected.


Key Takeaways

  • Section 43A and SPDI Rules were India’s first data protection framework

  • They focused only on Sensitive Personal Data or Information (SPDI)

  • Enforcement and scope were limited

  • No comprehensive rights were granted to individuals

  • These limitations highlighted the need for a modern law like the DPDP Act

