India’s Information Technology Act,
2000 or IT Act contains some of the
most stringent privacy requirements
in the world and has the unfortunate
impact of holding intermediaries
liable for illegal content.
If you operate from/in India, you need
to understand the IT Act in order to
avoid potential penalties.
The IT Act 2000 applies to companies
that do business in India. This includes
entities registered in India, outsource
there, and maintain servers within the
If your only connection with India is
having customers there, you are not
held to the IT Act.
The only way that can occur is if you
run a service or sell a product and also
maintain servers there.
For example, Instagram (1) is popular (2)
in India with many people participating in
that social media app.
However, Instagram is a U.S. company
and does not need policies complying
with the IT Act.
(1) Link to https://www.instagram.com/?hl=en
(2) Link to http://www.alexa.com/siteinfo/instagram.com
(3) Link to https://www.snapdeal.com/
(4) Link to https://www.snapdeal.com/page/terms
However, Snapdeal (3), an online shopping
source in India, is an Indian company that
conducts transactions in India.
It is held to the stipulations in the IT Act 2
- and that is addressed in its Privacy
Policy page (4):
If your company is located in India and
registered there, there is no doubt that
you must comply with the act.
If you hired a consultant or other
company to handle your outsourcing
or IT needs, ask them where they
keep the servers.
Determine if your servers are located in
Many offenses listed in in the IT Act 2000
arise from security breaches.
Follow the Privacy by Design guidelines:
Have good IT security policies
(5) Link to https://termsfeed.com/blog/privacy-by-design/
Limit access to your servers
Create unique login credentials
Develop ways to track use on your servers
so if any illegal activity arises, you can link
it to an individual rather than make it
appear your entire company is culpable.
* * *
If your website or mobile app allows of
user-generated content to be created
and post, develop screening so you can
control the user-generated content
before it posts.
Discovering slanderous content after the
fact can still result in legal liability so you
want to be as proactive as possible.
Addressing user-generated content in
your Terms and Conditions (6) is also
This is important because not only do
you need to monitor client use of your
servers but you also need the authority
to do so.
(6) Link to https://termsfeed.com/blog/4-clauses-host-user-generated-content/
Companies operating in and/or from India
concerned about complying with the IT Act
2000 would do well to:
Start with Privacy by Design approaches
Writing simple language into their Privacy