The first sign was a credit card application the reader had never made. The next was a personal loan call from a bank she had never visited. By the third week, three different "investment opportunities" had spam-pinged her on WhatsApp from numbers she had never given out. Then, in a quiet moment between cups of tea, she remembered: six months ago she had filled out a long form on a startup's website to apply for an internship for her daughter. The form had asked for the daughter's PAN, address, college mark sheets and her own contact details. Two days later, the startup had gone quiet.
This is one of the most common online-privacy harms in India today. Companies collect more data than they need, store it carelessly, and sometimes sell or leak it. The victim does not always know that her data is the source of the spam, fraud calls, or identity-theft attempts. The reassuring part is that Indian law has, for more than fifteen years, contained a clean civil compensation route designed for exactly this situation. The trick is to use it correctly.
What This Article Will Answer
If you have just realised that a company has mishandled your personal data, here are the questions that need clear answers:
- Is what they did even illegal — or just sloppy?
- Can I claim compensation from the company?
- What law gives me that right, and where do I file?
- Should I also file a criminal complaint against the people involved?
- What evidence do I need to prove my case?
- How does the new DPDP Act 2023 fit in?
- What if the company is overseas or has shut down?
We will walk through these in order, ground every legal claim in the source material, and end with a ten-step checklist for the next two weeks.
What Counts as Misuse
Indian law uses the term "body corporate" — defined under Section 43A of the Information Technology Act, 2000 — to mean any company, firm, sole proprietorship or association engaged in commercial or professional activity. Schools, hospitals, online retailers, mobile apps, banks, insurers, edtech startups, and even smaller intermediaries all qualify. The core duty cast on a body corporate is to handle "sensitive personal data or information" with reasonable security practices.
"Misuse" can take several forms. The company has shared your sensitive personal data with a third party without consent. The company has stored it carelessly — on an open server, in an unencrypted spreadsheet, with default admin passwords — and a leak followed. The company has used the data for a purpose other than the one you consented to — for instance, marketing, after you signed up only for service. The company has refused to delete the data after you withdrew your consent. Each of these is actionable.
Two further preliminary points. First, the bare leak does not always require proof of intentional wrongdoing — Section 43A is built around the concept of negligence, not malice. Second, individual employees who deliberately disclosed your data may have committed a separate criminal offence under Section 72A — even where the company itself is also liable in damages under Section 43A.
Section 43A — Civil Compensation
This is the workhorse provision. Section 43A reads, in substance, that where a body corporate possessing, dealing with or handling sensitive personal data or information in a computer resource that it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices, and thereby causes wrongful loss or wrongful gain to any person, the body corporate is liable to pay damages by way of compensation to the affected person.
The section was inserted by the Information Technology (Amendment) Act, 2008, with effect from 27 October 2009. The cap on compensation was debated at length: the Bill as introduced proposed a ceiling of Rs 5 crore, a higher figure of Rs 25 crore was discussed in the Parliamentary Standing Committee, and the amendment as enacted dropped the ceiling altogether. As the source commentary records, "the damages by way of compensation are unlimited" under Section 43A. The section has four ingredients: a body corporate; sensitive personal data or information in a computer resource it owns, controls or operates; negligence in implementing and maintaining reasonable security practices; and wrongful loss or wrongful gain caused as a result.
"Reasonable security practices" is defined by the Explanation to the section. It means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, and the Explanation fixes them in three tiers: those specified in an agreement between the parties; failing that, those specified in any law in force; and failing both, those prescribed by the Central Government. The Central Government's prescription is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the SPDI Rules, whose Rule 8 names the IS/ISO/IEC 27001 standard as one acceptable benchmark and also allows codes of practice approved and notified by the Central Government. The complainant must show that the company was negligent in implementing or maintaining the standard it was bound by; the gap between what the company's own privacy policy or contract promised and what it actually did (an open server, an unencrypted spreadsheet, a default admin password) is what you document.
What Is Sensitive Personal Data
The term is defined in Rule 3 of the SPDI Rules 2011. Sensitive personal data or information includes passwords, financial information such as bank account, credit and debit card or other payment instrument details, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information, and any details relating to the above as provided to the body corporate for providing service or received by it for processing under a lawful contract. Information that is freely available in the public domain, or furnished under the Right to Information Act, 2005, is expressly excluded. Plain-vanilla name, email and address are personal data, but they are not sensitive personal data under the SPDI definition.
This matters in practice. If only your name and email leaked, Section 43A is not the right hammer — but if the leak included your PAN, bank details, health records, or biometric information, Section 43A is squarely attracted. Section 72A, discussed next, has a broader sweep that covers all "personal information" whether sensitive or not.
Section 72A — Criminal Track
Section 72A of the IT Act runs in parallel with Section 43A. The section punishes any person — including an intermediary — who, while providing services under the terms of a lawful contract, has secured access to material containing personal information about another person, and who discloses that material without the consent of the person concerned, or in breach of a lawful contract, with the intent to cause or with the knowledge that he is likely to cause wrongful loss or wrongful gain. Punishment is imprisonment up to three years, or fine up to five lakh rupees, or both.
Two important features. First, Section 72A is wider than Section 43A — it covers all personal information, not only sensitive personal data. Second, Section 72A requires a contractual relationship; the person disclosing must have secured access "while providing services under the terms of a lawful contract". This fits the typical fact pattern of a misuse case — the company collected the data under a service contract or terms of use, and then breached that contract by misusing the data.
Section 72 of the IT Act is a separate, narrower provision. It punishes a person who, having secured access to electronic records under powers conferred by the Act, discloses those records without consent. Section 72 mainly catches officials, certifying authorities, regulators, and government-appointed officers. Most commercial data-misuse matters are framed under 72A, not 72.
Going to the Adjudicating Officer
This is where the procedural piece sits. Section 46 of the IT Act sets up the Adjudicating Officer — typically the Secretary, Department of Information Technology, of the relevant State Government, or such other officer notified by the Central Government. Section 46(1A) provides that the Adjudicating Officer's jurisdiction is limited to matters where the claim for injury or damage does not exceed Rs 5 crore. Where the claim exceeds Rs 5 crore, jurisdiction vests in the competent civil court.
The proceedings are summary in nature. The body corporate has to be given a reasonable opportunity to make representation. The Adjudicating Officer, on being satisfied that the contravention has been committed, has the discretion to award such damages by way of compensation as is appropriate. Section 47 sets out the factors the officer must consider — the amount of gain or unfair advantage made by the body corporate, the amount of loss caused to the complainant, and the repetitive nature of the default.
One practical caution. Section 61 of the IT Act bars civil courts from entertaining any suit or proceeding in respect of a matter that the Adjudicating Officer is empowered to determine. So you cannot file a regular civil suit for the same relief that the Section 46 forum can grant; that forum is the right door. Appeals from the Adjudicating Officer go to the Appellate Tribunal (the former Cyber Appellate Tribunal, whose functions were transferred to the Telecom Disputes Settlement and Appellate Tribunal in 2017). Civil-court relief still has a place where the claim exceeds Rs 5 crore, or where the harm extends beyond what Section 43A covers, for instance a wider privacy claim that the Adjudicating Officer has no power to decide.
A Word on the DPDP Act 2023
The Digital Personal Data Protection Act 2023 introduces a more modern, consent-based regime. Companies — re-labelled as "Data Fiduciaries" — must obtain specific informed consent for each purpose, must publish a privacy notice, must enable withdrawal of consent, and must process the data only for the consented purpose. The Act sets up a Data Protection Board with the power to investigate breaches and impose substantial financial penalties on the company.
Two practical points. First, the Section 43A and Section 72A regime continues to operate alongside the DPDP Act for now. Note the sting in the tail: Section 44 of the DPDP Act omits Section 43A from the IT Act once that provision is brought into force, so the civil compensation route described above is available only until then, and the DPDP Act itself empowers the Board to penalise the company but does not award compensation to the individual. Second, the DPDP Act is still being operationalised; the rules, the Board and its procedures are settling in. For an immediate remedy in 2026, the IT Act 43A and 72A route remains the workhorse. Add the DPDP angle once the regulatory machinery firms up, especially for repeated or systemic violations.
What Should I Actually Do Now?
If you have just realised that your data has been misused, here is the action sequence — in order:
- Map the data trail. Write down which company collected the data, when, what consent you gave, and what fields they took.
- Save the original consent. The signup form, terms and conditions, privacy policy, KYC submission, loan or credit application — all of it. Email yourself a copy.
- Save proof of misuse. Spam calls, fraudulent credit pulls, phishing texts that quote your specific data, unauthorised transactions. Screenshot and timestamp.
- Send a written grievance to the company's grievance officer. Quote Section 43A and the SPDI Rules 2011. Demand confirmation of the breach, the corrective steps taken, and compensation.
- If the company is silent or dismissive, file a complaint before the Adjudicating Officer under Section 46 of the IT Act. Quantify your loss and back every piece of electronic evidence (screenshots, chat exports, emails, the original files) with the certificate that Section 65B of the Indian Evidence Act required and that Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 now requires.
- Where individual employees of the company knowingly disclosed the data, file an FIR under Section 72A of the IT Act at the cyber cell. The civil and criminal tracks can run in parallel.
- If the loss is above Rs 5 crore, file the suit in the competent civil court instead of the Adjudicating Officer.
- Update your bank and card-issuer. Ask for a freeze on credit pulls. Get a CIBIL alert set up.
- Withdraw consent for any further processing — and follow up in writing under the DPDP Act 2023 once the regime is fully operational in your case.
- Talk to a lawyer if the loss is significant. The success of a Section 43A claim depends on quality of evidence and clean quantification of loss.
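The steps on saving consent and proof of misuse come down to one discipline: keep the original files, and be able to show later that they have not been altered since you collected them. The script below is an added example and not part of the original article or of Pinaka Legal's practice; it records a SHA-256 hash, size and capture time for each evidence file in a manifest, and re-checks the files against that manifest later. The three file names and their contents are constructed for the demonstration; in practice you would read real screenshots, WhatsApp exports and .eml files from disk.

```python
"""Build and verify a hashed evidence manifest for electronic records.

Added example, not from the original article. The manifest gives the
person signing the Section 65B / BSA s.63 certificate a fixed hash per
file to quote, so any later edit to a screenshot or export is detectable.
All file names and contents below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence (name -> raw bytes). Real use: read files from disk.
SAMPLE_EVIDENCE = {
    "2026-01-14_internship_form_screenshot.png": b"\x89PNG constructed screenshot bytes",
    "2026-02-02_spam_whatsapp_export.txt": b"[02/02/26, 10:41] +91XXXXXXXXXX: investment opportunity...",
    "2026-02-20_grievance_email.eml": (
        b"From: reader@example.com\r\nTo: grievance@startup.example\r\n"
        b"Subject: Section 43A grievance\r\n\r\n..."
    ),
}


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict[str, bytes], collected_by: str,
                   captured_at: datetime | None = None) -> dict:
    """Create one manifest entry (name, size, sha256, capture time) per item.

    Entries are sorted by file name and the canonical JSON of the entry list
    is itself hashed, so the whole bundle can be quoted as a single value.
    """
    when = (captured_at or datetime.now(timezone.utc)).isoformat()
    entries = [
        {"file": name, "size_bytes": len(data),
         "sha256": sha256_hex(data), "captured_at_utc": when}
        for name, data in sorted(evidence.items())
    ]
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"collected_by": collected_by, "entries": entries,
            "manifest_sha256": sha256_hex(canonical)}


def verify_manifest(manifest: dict, evidence: dict[str, bytes]) -> list[str]:
    """Return a description of every file that is missing or whose hash changed.

    An empty list means every file still matches the manifest.
    """
    problems = []
    for entry in manifest["entries"]:
        data = evidence.get(entry["file"])
        if data is None:
            problems.append(f"missing: {entry['file']}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"altered: {entry['file']}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EVIDENCE, collected_by="complainant")
    print(json.dumps(manifest, indent=2))
    # Simulate a later edit to one export and show that verification catches it.
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["2026-02-02_spam_whatsapp_export.txt"] += b" (edited)"
    print(verify_manifest(manifest, tampered))
```

Print the manifest, keep it with the evidence, and quote the per-file hashes (or the single manifest hash) in the certificate; when the other side questions a screenshot months later, re-running verify_manifest over the same files shows whether anything changed.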
Talking to a Lawyer
Section 43A claims succeed on documentation. The signup form, the privacy policy, the consent record, the SPDI standard the company claims to follow, and the chain of misuse — all of these have to be assembled in a Section 65B-compliant package. The company will defend by showing that it implemented "reasonable security practices" — that is the battle on which the case turns. A lawyer who has handled adjudication matters before knows where companies typically slip and how to demonstrate negligence.
If you would prefer to have someone walk you through it, the team at Pinaka Legal handles privacy and data-misuse matters out of Delhi. The first conversation is confidential and free of cost; most of it is about identifying the strongest legal basis for your specific facts and the right forum to file in.
Frequently Asked Questions
My company shared my personal data without my consent — can I claim compensation?
Yes, where the data is sensitive personal data and the company has been negligent. Section 43A of the Information Technology Act, 2000 says that a body corporate which possesses, deals with or handles sensitive personal data and is negligent in implementing reasonable security practices, and thereby causes wrongful loss or wrongful gain to any person, is liable to pay damages by way of compensation. The original cap of Rs 5 crore as proposed has been removed in the final amended IT Act — section 43A is uncapped, with claims up to Rs 5 crore handled by the Adjudicating Officer under Section 46 and larger claims by the competent civil court.
What is the difference between an IT Act data-misuse complaint and a regular consumer complaint?
They are different forums. The IT Act remedy under Section 43A goes to the Adjudicating Officer under Section 46 — usually the Secretary, Department of IT, of the relevant State. The forum is summary, focused on whether the company implemented reasonable security practices. A consumer complaint goes to the District, State or National Consumer Commission and focuses on deficiency in service. For a pure data-misuse matter, the Adjudicating Officer route is usually faster and more closely tailored. For broader service-failure matters, the consumer route fits better.
What counts as sensitive personal data under the IT Act?
Sensitive personal data is defined by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — usually called the SPDI Rules. The list typically includes passwords, financial information such as bank account, credit and debit card details, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information, and any details relating to the above as provided to the body corporate for providing service. Plain-vanilla name, email and address are not sensitive personal data, though they are still personal data under the wider DPDP Act 2023.
What are reasonable security practices under Section 43A?
The Explanation to Section 43A defines reasonable security practices as security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law or, in the absence of either, such reasonable security practices as may be prescribed by the Central Government in consultation with such professional bodies. The SPDI Rules 2011 specify the IS/ISO/IEC 27001 standard as one acceptable benchmark. The complainant must show that the company was negligent in implementing or maintaining the standard.
What is Section 72A of the IT Act?
Section 72A is a separate criminal offence. It punishes any person — including an intermediary — who, while providing services under the terms of a lawful contract, has secured access to material containing personal information about another person, and discloses that material without consent or in breach of the contract, with the intent to cause or knowing that it will cause wrongful loss or wrongful gain. Punishment is imprisonment up to three years, or fine up to five lakh rupees, or both. Section 72A is wider than Section 43A because it covers all personal information, not only sensitive personal data.
What is Section 72 of the IT Act?
Section 72 punishes any person who, having secured access to any electronic record or information in pursuance of any of the powers conferred by the IT Act, discloses that record or information to any other person without the consent of the person concerned. Section 72 is narrower than 72A and is aimed primarily at officials and persons who get access through statutory powers. Practical data-misuse matters are usually framed under Section 72A, but where a regulator, certifying authority, or government-appointed officer is the discloser, Section 72 fits better.
How do I approach the Adjudicating Officer under Section 46?
By a written complaint, with documentary evidence of the data, the misuse, and the loss caused. Section 46 of the IT Act gives the Adjudicating Officer — the Secretary, Department of IT, of the State or such other officer notified by the Central Government — jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed Rs 5 crore. Where the claim exceeds Rs 5 crore, jurisdiction vests in the competent civil court. The proceedings are summary in nature and the body corporate has to be given a reasonable opportunity to make representation.
Should I also file a criminal complaint against the company?
Often yes. Section 43A is the civil compensation route. Section 72A is the parallel criminal route, where the disclosure was in breach of contract and made with intent to cause wrongful loss or wrongful gain. The two routes are not mutually exclusive — courts in India routinely allow civil and criminal proceedings to run simultaneously over the same facts. An FIR under Section 72A is registered at the cyber cell or police station of jurisdiction, and the Section 43A claim is filed before the Adjudicating Officer. A lawyer can pick the right combination on facts.
Does the DPDP Act 2023 give me extra remedies?
At a principle level, yes. The Digital Personal Data Protection Act 2023 introduces consent-based processing of personal data, the role of the Data Fiduciary, and the Data Protection Board with the power to investigate breaches and impose penalties on the company. The financial penalties under the DPDP Act are substantial, but they are penalties paid to the government rather than compensation paid to you, and Section 44 of the DPDP Act omits Section 43A from the IT Act once it is brought into force. The regime is still being operationalised; the rules, the Board and its procedures are still being put in place. For an immediate remedy in 2026, the IT Act 43A and 72A route remains the workhorse. Add the DPDP angle once the regulatory machinery firms up.
What evidence do I need to prove the company misused my data?
Documents that show three things: that you gave the data to the company, that the company allowed it to be misused, and that you suffered a loss. Save the original signup form, terms and conditions, privacy policy, KYC submission, credit card or loan application, and any consents. Save the misuse: fraudulent calls, unauthorised credit pulls, spam targeting your specific data, fraudulent transactions. Section 65B of the Indian Evidence Act, as confirmed in Anvar P V v P K Basheer (2015) and reaffirmed in Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal (2020), requires a certificate alongside electronic evidence; the same requirement now sits in Section 63 of the Bharatiya Sakshya Adhiniyam, 2023. Keep the original files rather than only screenshots of them, and save server-stamped emails of every communication.
What is the limit on compensation under Section 43A?
There is no statutory upper limit. The original Bill proposed a Rs 5 crore cap; the Parliamentary Standing Committee even pushed for Rs 25 crore; the final amended IT Act removed the cap altogether. Section 46(1A) provides that the Adjudicating Officer's jurisdiction is limited to matters where the claim does not exceed Rs 5 crore. Claims above Rs 5 crore go to the competent civil court. So the route depends on the size of your claim, but the law itself does not cap your damages — they depend on the loss you can prove.
How long does a Section 43A compensation matter usually take?
It depends on the State and on the forum. Adjudicating Officer proceedings under Section 46 are summary in nature and are meant to be quicker than a civil suit, but the time actually taken varies widely between States. Where the matter goes on appeal to the Appellate Tribunal (now the Telecom Disputes Settlement and Appellate Tribunal, which took over the Cyber Appellate Tribunal's work in 2017), the timeline extends. Civil suits for claims above Rs 5 crore take longer. The faster the complainant produces clean Section 65B-compliant evidence and a clear quantification of loss, the faster the case moves.
Written by the Pinaka Legal Editorial Team. For queries, call +91 8595704798 or email info@pinakalegal.com. For more articles on Indian law, visit the Pinaka Legal Blog.