Index 

1. Introduction 
2. Overview Of The Information Technology Act Of 2000: A Detailed Breakdown
3. Jurisdiction And Exemptions under The Information Technology Act Of 2000
4. Safeguarding Electronic Transactions: Key Provisions Of The Information Technology Act
5. Key Features Of The Information Technology Act
6. Defining Electronic Records And Signatures: Insights From The Information Technology Act
7. Roles and Responsibilities Of Certifying Authorities And The Controller
8. Role and Responsibilities Of Certifying Authorities In Digital Signatures
9. Legal Framework for Intermediaries’ Liability in Information Technology
10. Penalties And Compensation Under The Information Technology Act
11. Appellate Tribunal And Powers Under The Information Technology Act
12. Amendments To The Information Technology Act: Sections 66A And 69A
13. 2018 Government Guidelines For Intermediaries
14. 2021 Rules For Intermediaries And Controversies
15. Shortcomings Of The Information Technology Act
16. Conclusion 

Introduction 

The Information Technology Act of 2000 plays a crucial role in addressing various cyber crimes related to data breaches and privacy violations. It sets forth penalties for such offences and regulates the activities of intermediaries, including social media platforms. As technology and e-commerce have advanced, cyber crimes have surged, prompting the need for tighter regulation to safeguard data integrity and national security. This article delves into the objectives, features, offences, and corresponding punishments outlined in the Act, highlighting its significance in combating cyber threats.

Overview Of The Information Technology Act Of 2000: A Detailed Breakdown

The Information Technology Act of 2000 is structured into 13 chapters, comprising 90 sections and 2 schedules. Each chapter delineates crucial aspects of digital governance and security.

Chapter 1 establishes the Act’s scope and defines key terms vital for understanding its provisions.

Chapters 2 and 3 focus on digital and electronic signatures, while Chapters 4 and 5 address electronic governance and records, respectively.

The Act’s emphasis on data security is highlighted in Chapter 6, which regulates certifying authorities and ensures the integrity of electronic transactions.

Chapter 7 outlines the necessary certificates for issuing electronic signatures, ensuring their authenticity and reliability.

Chapters 8 and 9 delineate the responsibilities of subscribers and detail penalties for non-compliance, reinforcing adherence to legal standards.

Chapter 10 establishes provisions related to the Appellate Tribunal, facilitating judicial oversight and resolution of disputes.

Chapter 11 specifically addresses offences related to data breaches, prescribing corresponding punishments to deter cyber crimes effectively.

Chapter 12 provides safeguards for intermediaries, outlining circumstances where they are not liable for data breaches or related offences.

Finally, Chapter 13 serves as a miscellaneous section, covering additional aspects and provisions essential for comprehensive legal coverage under the Act.

Schedule 1 within the Information Technology Act of 2000 enumerates specific documents and data to which the Act does not apply, delineating boundaries and exceptions within its regulatory framework.

On the other hand, Schedule 2 of the Act pertains to electronic signatures and authentication methods, outlining accepted practices and standards for digital verification and validation processes.

Jurisdiction And Exemptions under The Information Technology Act Of 2000

The Information Technology Act of 2000 holds jurisdiction over the entire country. Its reach extends to extra-territorial boundaries, allowing for prosecution of individuals committing offences outside India if the source of the offence, such as a computer, is within the country’s borders, regardless of the perpetrator’s nationality.

However, certain exemptions exist under Schedule 1 of the Act, excluding specific documents from its purview. These exemptions include negotiable instruments other than cheques as per the Negotiable Instruments Act, 1881, powers of attorney under the Powers of Attorney Act, 1882, trusts according to the Indian Trusts Act, 1882,  wills and testamentary dispositions governed by the Indian Succession Act, 1925, and contracts or sale deeds related to immovable property.

Safeguarding Electronic Transactions: Key Provisions Of The Information Technology Act

The Information Technology Act is designed to safeguard electronic transactions, offering legal protection and regulation for digital interactions. With the rise of e-commerce, it reduces paperwork while ensuring legal validity for electronic communications and information exchanges. Crucially, it protects digital signatures, ensuring their authenticity in legal authentication processes.

Moreover, the Act regulates intermediary activities, curbing their powers to maintain accountability. It defines and addresses various offences concerning data privacy, bolstering protection for citizens’ sensitive information. Notably, it extends its regulatory umbrella over social media and electronic intermediaries, safeguarding stored sensitive data.

Additionally, the Act grants recognition to electronically kept books of accounts as per the Reserve Bank of India Act, 1934, further enhancing the legal framework for electronic financial records.

Key Features Of The Information Technology Act

The Information Technology Act encompasses significant features aimed at fortifying digital transactions and legal frameworks. First and foremost, it draws upon the Model Law on e-commerce adopted by UNCITRAL, aligning India’s regulations with international standards.

One notable feature is its extra-territorial jurisdiction, empowering it to address cyber offences committed beyond national borders. Additionally, the Act meticulously defines crucial terms such as cyber cafes, computer systems, digital signatures, and electronic records, clarifying legal interpretations under Section 2(1).

The Act upholds the validity of transactions and contracts conducted through electronic means, ensuring legal recognition and protection under Section 10A. It also emphasises the authentication and recognition of digital signatures, establishing methods for secure electronic authentication.

Furthermore, the Act outlines the appointment and powers of the Controller, recognizes foreign certifying authorities, and delineates penalties for damaging computer systems. It establishes an Appellate Tribunal for appeals from Controller decisions, with subsequent appeals directed to the High Court.

Addressing cyber offences, the Act specifies punishments for data-related breaches and offers provisions exempting intermediaries from liability under certain circumstances. It further establishes a Cyber Regulation Advisory Committee to advise the Central Government on matters pertaining to e-commerce and digital signatures.

The Information Technology Act includes provisions recognizing foreign certifying authorities (Section 19), enabling international collaboration and standards in digital authentication processes. Additionally, it outlines penalties for damaging computer systems, imposing consequences on individuals who harm systems they do not own.

The Act establishes an Appellate Tribunal, allowing appeals from Controller decisions or other Adjudicating officers to be heard and resolved at this level. Subsequently, appeals from the tribunal’s decisions can be escalated to the High Court, ensuring a hierarchical legal framework for dispute resolution.

Addressing cyber offences comprehensively, the Act delineates various data-related offences and defines corresponding punishments, reinforcing legal consequences for breaches and unauthorised activities. Moreover, it provides exemptions for intermediaries from liability in specific circumstances, balancing legal accountability with practical considerations in data privacy and security.

To further bolster regulatory oversight and expertise, the Act institutes a Cyber Regulation Advisory Committee tasked with advising the Central Government on e-commerce and digital signature-related matters, contributing to informed policymaking and implementation.

Defining Electronic Records And Signatures: Insights From The Information Technology Act

The Information Technology Act under Section 2(1)(t) provides a comprehensive definition of electronic records, encompassing any data, image, record, or file transmitted via electronic means. Furthermore, Section 2(1)(ta) clarifies that an electronic signature, used to authenticate electronic records in digital form, is instrumental in validating transactions. These authentication processes are bolstered by asymmetric cryptosystems and hash functions, as detailed in Section 3 of the Act.

To ensure the reliability of electronic signatures, Section 3A outlines specific conditions. These include signatures being linked to the signatory, under their control at the time of signing, capable of detecting alterations post-signing, and providing traceability to authenticated information. Moreover, the Central Government reserves the authority to specify additional conditions for electronic signatures, as stipulated in Section 10.

The Act further addresses the attribution and dispatch of electronic records. Section 11 attributes electronic records to the originator or a designated representative, while Section 12 mandates acknowledgment of receipt by the addressee, with receipt determinations based on various scenarios outlined in Section 13. These provisions establish a robust framework for electronic communication and transaction validation within the digital landscape.

Roles and Responsibilities Of Certifying Authorities And The Controller

Section 17 of the Information Technology Act outlines the appointment procedures for the Controller, deputy controllers, assistant controllers, and other staff within certifying authorities. The Controller has authority over deputy controllers and assistant controllers, defining their roles in accordance with the Controller’s directives. Qualifications, experience criteria, and service conditions for the Controller are determined by the Central Government, including the location of the Controller’s head office.

The Controller of certifying authorities, as detailed in Section 18, holds several pivotal responsibilities. These include overseeing certifying authority operations, certifying public keys, establishing standards and rules for certifying authorities, defining qualifications for authority employees, specifying accounting procedures, appointing auditors, monitoring authority business conduct, facilitating electronic system establishment, maintaining authority records, outlining officer duties, mediating conflicts between authorities and subscribers, and ensuring official documents bear the Controller’s office seal. These functions collectively ensure the efficient and regulated operation of certifying authorities in electronic authentication processes.

In accordance with Section 21 of the Act, obtaining a licence certificate is mandatory for issuing an electronic signature. Applicants must submit an application to the Controller, who assesses the documents and decides whether to approve or reject the application. The licence granted is valid for a period specified by the central government, transferable, heritable, and subject to government-provided terms and conditions.

Applicants must fulfil specific requirements outlined in Section 22 when submitting an application for a licence. These include providing a certificate of practice statement, proof of identity, payment of a fee amounting to Rupees 25,000, and any additional documents specified by the central government.

Licence renewal can be initiated by submitting an application at least 45 days before the licence’s expiration, along with the requisite fee of Rupees 25,000, as detailed in Section 23.

Section 24 delineates grounds for licence suspension, including false renewal applications, non-compliance with licence terms or Act provisions, and failure to follow prescribed procedures. However, suspensions cannot occur without providing the applicant with a fair opportunity to present their case.

Upon suspension, the Controller must publish a notice in their records, detailing the reasons for suspension and ensuring transparency in the regulatory process, as mandated by the Act.

Role and Responsibilities Of Certifying Authorities In Digital Signatures

Certifying authorities play a crucial role in ensuring the security and reliability of electronic signatures. Section 30 mandates that these authorities must utilise hardware that is free from any form of intrusion, ensuring the integrity of the electronic certification process. Moreover, they are required to adhere strictly to security procedures to safeguard the privacy of electronic signatures, maintaining a high level of confidentiality.

Transparency and accountability are also key aspects of certifying authorities’ functions. They are obligated to publish relevant information regarding their practices, electronic certificates, and the current status of these certificates. This transparency fosters trust and confidence in the digital signature ecosystem.

Reliability is another fundamental requirement for certifying authorities. They must demonstrate consistency and dependability in their operations, ensuring that electronic certificates are issued accurately and efficiently. Section 35 empowers these authorities to issue electronic certificates after thorough verification processes.

Certifying authorities are also responsible for overseeing the validity of digital signature certificates. Section 37 grants them the authority to suspend a certificate for a limited period, not exceeding 15 days, under specific circumstances, thereby maintaining the integrity of the certification system.

Furthermore, Section 38 outlines grounds for revoking a digital signature certificate. These include instances where the subscriber requests revocation, in case of the subscriber’s demise, or if the subscriber is a company undergoing winding up procedures. These provisions ensure the appropriate management of digital certificates and enhance overall system security.

Legal Framework for Intermediaries’ Liability in Information Technology

Under Section 2(1)(w) of the Act, an ‘intermediary’ is defined as an entity that handles data or information on behalf of others, providing services such as telecommunications, search engines, internet services, and online payments. Typically, intermediaries are held accountable for any misuse of the data they store. However, Section 79 of the Act outlines circumstances where intermediaries are not liable:

Firstly, intermediaries are not held liable for third-party information or communications. This exemption protects them when data misuse occurs without their direct involvement.

Secondly, if an intermediary’s sole function is to provide access to a communication system without engaging in other activities, they are not liable for any offences related to the data transmitted through their system.

Thirdly, intermediaries are not liable if they do not initiate transmissions, select receivers, or modify information in any communication. This provision safeguards them from liability for data exchanges they do not control.

Additionally, intermediaries must conduct their operations with care and due diligence to qualify for exemption from liability, as stated in Section 79.

However, there are exceptions to these exemptions where intermediaries can be held liable:

If an intermediary is involved in unlawful activities by abetting, inducing, making threats, or promises, they are not exempt from liability.

Moreover, if an intermediary fails to remove or disable access to data used for unlawful activities as notified by the Central Government, they cannot claim exemption from liability under Section 79. These provisions establish a legal framework that balances intermediary protection with accountability for unlawful actions facilitated through their platforms.

Penalties And Compensation Under The Information Technology Act

The Information Technology Act specifies penalties and compensation for various offences related to computer systems and data protection.

1. Firstly, if a person, other than the owner, damages a computer system, they are liable to compensate for all damages incurred, as per Section 43. This includes instances such as downloading or copying information, introducing viruses, disrupting the system, denying access, tampering, manipulating, destroying, deleting, altering information, or stealing stored information.
2. Secondly, Section 43A addresses compensation in cases where corporations or companies fail to protect data stored in their computer systems from hackers or similar activities, especially sensitive data of employees or citizens.
3. Thirdly, failure to furnish required information, documents, or maintain books of accounts as mandated by the Act results in penalties. The penalty for reports and documents ranges from Rs. 1 lakh to Rs. 50,000, while for books of accounts or records, it is Rs. 5,000 under Section 44.
4. Lastly, a residuary penalty of Rs. 25,000 is applicable if any person violates any provision of the Act for which no specific penalty or compensation is mentioned. These provisions ensure accountability and deterrence in the use and management of information technology resources.
5. Tampering with documents stored in a computer system, as per Section 65, can lead to imprisonment for three years, a fine of Rs. 2 lakhs, or both.
6. Receiving stolen computer sources or devices dishonestly, as defined in Section 66B, can result in imprisonment for three years, a fine of Rs. 1 lakh, or both.
7. Identity theft, covered in Section 66C, carries penalties of imprisonment for three years, a fine of Rs. 1 lakh, or both.
8. Cheating by personation, under Section 66D, entails either three years of imprisonment, a Rs. 1 lakh fine, or both.
9. Violation of privacy, as per Section 66E, can lead to imprisonment for up to three years, a fine of Rs. 2 lakhs, or both.
10. Cyber terrorism, defined in Section 66F, is a grave offence punishable by life imprisonment.
11. Transmitting obscene material electronically, per Section 67, results in five years of imprisonment and a fine of Rs. 10 lakhs.
12. Transmission of sexually explicit material through electronic means, under Section 67A, leads to seven years of imprisonment and a Rs. 10 lakh fine.
13. Depicting children in sexually explicit ways and transmitting such content electronically, as stated in Section 67B, incurs seven years of imprisonment and a Rs. 10 lakh fine.
14. Failure by intermediaries to preserve and retain information, as outlined in Section 67C, can result in three years of imprisonment and a fine. These stringent penalties underscore the seriousness with which cybercrimes are viewed under the Information Technology Act.

 

Appellate Tribunal And Powers Under The Information Technology Act

The Telecom dispute settlement and appellate tribunal, as designated by Section 48 of the Act, serves as the appellate tribunal for matters under the Information Technology Act, 2000, as per the Telecom Regulatory Authority of India Act, 1997. This amendment came into effect after the Finance Act of 2017.

Appeals from orders issued by the controller or adjudicating officer are directed to the tribunal, unless the order is reached with the consent of all involved parties, which precludes an appeal. The tribunal is tasked with resolving appeals promptly, ensuring disposal within a maximum of six months from the appeal’s filing date, as stipulated in Section 57.

In case a person is dissatisfied with the tribunal’s order or decision, Section 62 grants the right to appeal to the High Court within 60 days from the issuance of such an order.

Regarding its powers, outlined in Section 58, the tribunal operates independently of the Code of Civil Procedure, 1908, instead adjudicating matters based on principles of natural justice. However, it possesses the same powers as a civil court under the Code, which include summoning individuals, taking oaths, requesting document production, receiving evidence via affidavits, conducting witness examinations, reviewing decisions, and dismissing applications as necessary. These powers empower the tribunal to effectively adjudicate disputes and appeals related to information technology matters.

 

Amendments To The Information Technology Act: Sections 66A And 69A

The 2008 amendment to the Information Technology Act included significant changes to Section 66A, which became highly controversial. This section imposed penalties for sending offensive messages through electronic means, including messages that could incite hatred or threaten national security. However, the term “offensive” was not clearly defined, leading to numerous arrests based on this vague criterion. Ultimately, the Supreme Court struck down Section 66A in the 2015 case of Shreya Singhal v. Union of India.

Another important amendment was made to Section 69A, granting the government the authority to block internet sites to protect national security and integrity. This section also allowed authorities or intermediaries to monitor or decrypt personal information stored with them.

 

2018 Government Guidelines For Intermediaries

In 2018, the government issued guidelines to make intermediaries more accountable and regulate their activities:

1. Intermediaries must publish and update their privacy policies to protect citizens from unethical activities like pornography, objectionable content, and messages spreading hatred.
2. They must provide requested information to the government within 72 hours for national security purposes.
3. Every intermediary is required to appoint a ‘nodal person of contact’ available 24/7.
4. They should implement technologies to reduce unlawful online activities.
5. The rules allow breaking end-to-end encryption if needed to trace the origin of harmful messages.

 

2021 Rules For Intermediaries And Controversies

In 2021, the Indian government drafted new rules for intermediaries. These rules required intermediaries to act with due diligence and appoint a grievance officer. They also had to establish a Grievance Appellate Tribunal. User complaints needed to be acknowledged within 24 hours and resolved within 15 days. The rules included a “Code of Ethics” for news and current affairs publishers, which sparked controversy, with many arguing that they restrict freedom of speech, expression, and press freedom.

Intermediaries were also required to share information about suspicious users with the government if there was a threat to national security and integrity. This led to writ petitions being filed in various high courts against the rules. Recently, the Bombay High Court stayed two provisions related to the Code of Ethics for digital media and publishers in the cases of Agij Promotion of Nineteenonea Media Pvt. Ltd. vs. Union of India (2021) and Nikhil Mangesh Wagle vs. Union of India (2021).

Shortcomings Of The Information Technology Act

The provisions of the Information Technology Act primarily focus on gathering and disseminating citizens’ information and data. However, it lacks remedies for data breaches and leaks, and it does not establish responsibility or accountability for breaches by any entity or government organisation. The Act only imposes penalties on individuals or intermediaries who fail to cooperate with government surveillance efforts.

The Act fails to address individual privacy issues adequately. It permits intermediaries to store sensitive personal data and share it with the government for surveillance purposes, leading to potential privacy violations. This significant concern has been overlooked by the Act’s drafters.

Although the Act outlines certain electronic offences, the prescribed punishments are relatively mild. To effectively deter such crimes, more stringent punishments are necessary.

The lack of properly trained officers is another significant issue. Wealth and influence can enable individuals to escape liability, and many cases go unreported due to a belief that the police will not address these complaints. Reports indicate that police officers need specialised training in handling cybercrimes and technological expertise to investigate cases effectively and ensure speedy resolutions.

The rapid advancement of technology has led to a surge in cybercrimes. The offences described in the Act are limited, and it does not address the broader range of cybercrimes that are prevalent today. These crimes, while not directly harming individuals physically, can cause significant indirect harm through the misuse of sensitive data. Therefore, there is a pressing need to regulate such crimes, an area where the Act falls short.

Conclusion 

The Information Technology Act marks a significant step toward protecting data and sensitive information stored with intermediaries online. It includes various provisions that benefit citizens and safeguard their data from misuse or loss. However, with the growth of e-commerce and online transactions, it is essential to address issues such as internet speed, transaction security, and the safety of passwords and cookies. As cybercrimes continue to rise rapidly, there is an urgent need for an effective mechanism to detect and control these threats.