Extensive amendments to India’s Information Technology Act 2000 deal principally with cyber-security, and were enacted to some extent in response to the attacks in Mumbai in November 2008. They also include the most significant provisions to date in Indian statutes affecting data protection and privacy, though how extensive these turn out to be will depend to some extent on implementing regulations. Most Indian commentators have concentrated on the cyber-security aspects of the legislation, often very critically. This article focuses only on the Act’s data protection and privacy implications. The Information Technology (Amendment) Act 2008 was passed on the last day of the legislative sitting in 2008.