|
Section No
|
IX. PENALTIES ,
COMPENSATION AND ADJUDICATION (Amended vide
ITAA-2006/8) |
|
|
|
|
43 |
|
Penalty
and Compensation for damage to computer, computer system, etc
(Amended vide ITAA-2008)
If any person
without permission of the owner or any other person who is in
charge of a computer, computer system or computer network -
(a)
accesses or secures access to such computer, computer system
or computer network or computer resource (ITAA2008)
(b)
downloads, copies or extracts any data, computer data base
or information from such computer, computer system or
computer network including information or data held or
stored in any removable storage medium;
(c)
introduces or causes to be introduced any computer
contaminant or computer virus into any computer, computer
system or computer network;
(d)
damages or causes to be damaged any computer, computer
system or computer network, data, computer data base or any
other programmes residing in such computer, computer system
or computer network;
(e)
disrupts or causes disruption of any computer, computer
system or computer network;
(f)
denies or causes the denial of access to any person
authorised to access any computer, computer system or
computer network by any means;
(g)
provides any assistance to any person to facilitate access
to a computer, computer system or computer network in
contravention of the provisions of this Act, rules or
regulations made thereunder,
(h)
charges the services availed of by a person to the account
of another person by tampering with or manipulating any
computer, computer system, or computer network,
(i)
destroys, deletes or alters any information residing in a
computer resource or diminishes its value or utility or
affects it injuriously by any means (Inserted vide
ITAA-2008)
(j)
Steals, conceals, destroys or alters or causes any person to
steal, conceal, destroy or alter any computer source code
used for a computer resource with an intention to cause
damage, (Inserted vide ITAA 2008)
he shall be
liable to pay damages by way of compensation not
exceeding one crore rupees to the person so affected.
(change vide ITAA 2008)
Explanation - for the purposes of this section -
(i)
"Computer Contaminant" means any set of computer
instructions that are designed -
(a)
to modify, destroy, record, transmit data or programme
residing within a computer, computer system or computer
network; or
(b)
by any means to usurp the normal operation of the
computer, computer system, or computer network;
(ii)
"Computer Database" means a representation of information,
knowledge, facts, concepts or instructions in text, image,
audio, video that are being prepared or have been prepared
in a formalised manner or have been produced by a
computer, computer system or computer network and are
intended for use in a computer, computer system or
computer network;
(iii)
"Computer Virus" means any computer instruction,
information, data or programme that destroys, damages,
degrades or adversely affects the performance of a computer
resource or attaches itself to another computer resource
and operates when a programme, data or instruction is
executed or some other event takes place in that computer
resource;
(iv)
"Damage" means to destroy, alter, delete, add, modify or
re-arrange any computer resource by any means.
(v)
"Computer Source code" means the listing of programmes,
computer commands, design and layout and programme analysis
of computer resource in any form (Inserted vide ITAA 2008)
|
|
| |
43 A |
|
|
Compensation for failure to protect data (Inserted
vide ITAA 2006)
Where a body corporate,
possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or
operates, is negligent in implementing and maintaining
reasonable security practices and procedures and thereby causes
wrongful loss or wrongful gain to any person, such body
corporate shall be liable to pay damages by way of
compensation, not exceeding five crore rupees,
to the person so affected. (Change vide ITAA 2008)
Explanation: For
the purposes of this section
(i) "body
corporate" means any company and includes a firm, sole
proprietorship or other association of individuals engaged
in commercial or professional activities
(ii) "reasonable
security practices and procedures" means security practices
and procedures designed to protect such information from
unauthorised access, damage, use, modification, disclosure
or impairment, as may be specified in an agreement between
the parties or as may be specified in any law for the time
being in force and in the absence of such agreement or any
law, such reasonable security practices and procedures, as
may be prescribed by the Central Government in consultation
with such professional bodies or associations as it may deem
fit.
(iii) "sensitive
personal data or information" means such personal
information as may be prescribed by the Central Government
in consultation with such professional bodies or
associations as it may deem fit.
Deleted vide
passage of DPDPA 2023 on 11th August 2023
|
|
|
|
44 |
|
|
Penalty for failure
to furnish information, return, etc |
|
|
|
|
|
|
If any person who is
required under this Act or any rules or regulations made
thereunder to -
|
(a) |
furnish any
document, return or report to the Controller or the
Certifying Authority, fails to furnish the same, he
shall be liable to a penalty not exceeding
one lakh and
fifty thousand fifteen
lakh (substituted
vide Janviswas Act 2022)
rupees for each such failure; |
|
(b) |
file any
return or furnish any information, books or other
documents within the time specified therefor in the
regulations, fails to file return or furnish the same
within the time specified therefore in the regulations,
he shall be liable to a penalty not exceeding
five
thousand fifty
thousand rupees for every day during which such failure
continues: (substituted
vide Janviswas Act 2022) |
|
(c) |
maintain books
of account or records, fails to maintain the same, he
shall be liable to a penalty not exceeding
ten thousand one
lakh rupees for every day during which the failure
continues. (substituted
vide Janviswas Act 2022) |
|
|
|
|
45 |
|
|
Residuary Penalty |
|
|
|
|
|
|
Whoever contravenes any
rules or regulations made under this Act, for the contravention
of which no penalty has been separately provided, shall be
liable to pay a compensation not exceeding twenty-five thousand
rupees to the person affected by such contravention or a penalty
not exceeding twenty-five thousand rupees. penalty
not exceeding one lakh rupees, in addition to compensation to
the person affected by such contravention not exceeding—
(a) ten lakh rupees, by an
intermediary, company or body corporate; or
(b) one lakh rupees, by any other
person.".
(substituted
vide Janviswas Act 2022)
|
|
|
|
46 |
|
|
Power to Adjudicate |
|
|
|
|
(1) |
|
For the purpose of
adjudging under this Chapter
Act (substituted
vide Janviswas Act 2022) whether any person has committed a
contravention of any of the provisions of this Act or of any
rule, regulation, direction or order made thereunder which
renders him liable to pay penalty or compensation,
the Central Government shall, subject to the provisions of
sub-section(3), appoint any officer not below the rank of a
Director to the Government of India or an equivalent officer of
a State Government to be an adjudicating officer for holding an
inquiry in the manner prescribed by the Central Government. (
amended vide ITAA 2008) |
|
| |
|
(1A) |
|
The
adjudicating officer appointed under sub-section (1) shall
exercise jurisdiction to adjudicate matters in which the claim
for injury or damage does not exceed rupees five crore
Provided that the
jurisdiction in respect of claim for injury or damage exceeding
rupees five croore shall vest with the competent court.
(Inserted Vide ITAA 2008) |
|
|
|
|
(2) |
|
The adjudicating
officer shall, after giving the person referred to in
sub-section (1) a reasonable opportunity for making
representation in the matter and if, on such inquiry, he is
satisfied that the person has committed the contravention, he
may impose such penalty as he thinks fit in accordance with the
provisions of that section. |
|
|
|
|
(3) |
|
No person shall be
appointed as an adjudicating officer unless he possesses such
experience in the field of Information Technology and Legal or
Judicial experience as may be prescribed by the Central
Government. |
|
|
|
|
(4) |
|
Where more than one
adjudicating officers are appointed, the Central Government
shall specify by order the matters and places with respect to
which such officers shall exercise their jurisdiction. |
|
|
|
|
(5) |
|
Every adjudicating
officer shall have the powers of a civil court which are
conferred on the Cyber Appellate Tribunal under sub-section (2)
of section 58, and -
|
(a) |
all proceedings
before it shall be deemed to be judicial proceedings
within the meaning of sections 193 and 228 of the Indian
Penal Code; |
|
(b) |
shall be deemed
to be a civil court for the purposes of sections 345
and 346 of the Code of Criminal Procedure, 1973. |
| (c) |
shall be deemed to be a Civil
Court for purposes of order XXI of the Civil Procedure
Code, 1908 (Inserted vide ITAA 2008) |
|
|
|
|
47 |
|
|
Factors to be taken
into account by the adjudicating officer |
|
|
|
|
|
|
While adjudging the
quantum of compensation under this Chapter the adjudicating
officer shall have due regard to the following factors, namely
-
|
(a) |
the amount of
gain of unfair advantage, wherever quantifiable, made as
a result of the default; |
|
(b) |
the amount of
loss caused to any person as a result of the default; |
|
(c) |
the repetitive
nature of the default |
|
|
|