Spread the love

This article is written by Boorsu Hemalatha of 6th Semester of B.A.LLB of Sri Padmavathi Mahila Visvavidyalayam, an intern under Legal Vidhiya

Abstract

The Information Technology Act, 2000 (IT Act 2000) is a piece of Indian legislation that provides the legal framework for electronic governance by giving recognition to electronic records and digital signatures. It also explains cybercrimes and prescribes penalties for them. The primary objective of this act is to foster the growth of electronic-based transactions, provide legal recognition for e-commerce and e-transactions, and safeguard the rights of the consumers in the digital realm.

Keywords: Legislation, legal framework, electronic, digital signatures, cybercrimes, penalties.

Introduction

In an era marked by the rapid evolution of information technology and the internet, the need to have a robust legal framework to address the challenges posed by cyber activities became paramount. Recognizing the profound impact of IT on commerce, communications, and governance, the Indian government promulgated the Information Technology Act, 2000. The Act was a landmark piece of legislation that aimed to provide legal recognition to electronic records, digital signatures, and transactions carried out electronically. In addition to offering a legal structure for e-commerce and e-governance, the Act also introduced provisions to address various forms of cybercrime, ensuring that perpetrators could be held accountable under the law. Over the years, the Act has undergone amendments to stay relevant to the dynamic world of technology.

Background of IT Act, 2000

The United Nations Commission on International Trade law adopted a model law in 1996 related to e-commerce and digital complexities. It also made that every country should have their own laws on e-commerce and cybercrimes. To protect the data of citizens and the government, this act was passed in 2000.It is also called as IT Act and the act provides a legal framework for electronic commerce and digital transactions. It introduced provisions related to digital signatures, electronic records, and cybercrime offenses, aiming to foster trust in electronic communications and combat cyber threats.[1]

Schedule of Information Technology Act,2000

The Act consist of 13 chapters, 90 sections and 2 schedules.

Chapter 1 bring out the applicability of the act and definitions.

Chapter 2 deals with the electronic and digital signatures.

Chapter 3 and 4 discuss about e-governance and electronic records.

Chapter 5 covers the security of these records.

Chapter 6 related to the regulations of certifying authorities.

Chapter 7 deals with the certificates needed to issue the digital signatures.

Chapter 8 carry out the duties of subscribers.

Chapter 9 discuss about various penalties.

Chapter 10 deals with the sections related to the appellate tribunal.

Chapter 11 deals with the various offences related to breach of data and their punishments.

Chapter 12 discuss about the circumstances where the intermediaries are not liable for any offences or breach of data privacy.

Chapter 13 related to the miscellaneous provisions.

There are 2 schedules:

Schedule 1 is about the documents and data where the act is not applicable.

Schedule 2 is about the electronic signatures or methods of authentication.[2]

Objective of Information Technology Act, 2000

  1. The IT Act, 2000[3] provides legal recognition to any action done via electronic exchange of information and other electronic suggests that of communication or electronic commerce transactions.
  2. Offer legal identification to digital signatures for the verification of any data or matters requiring legal verification.
  3. It makes easier the electronic filing of documents with Government agencies and conjointly departments.
  4. Makes easy to the electronic storage of information.
  5. To provide legal recognition to electronic records, digital signatures, and transactions carried out electronically.[4]

Applicability

Section 1(2) of IT act states the applicability of this act to the entire country, which also includes Jammu and Kashmir. To include Jammu and Kashmir to this act, they used the article 253 of the Constitution of India. Further, this act is applicable to not only citizens but also it provides extra territorial jurisdiction.

Section 1(2) along with section 75 of this Act states that the act is applicable to any offence committed outside the India as well.

Non-Applicability

As per Section 1(4) read with the First Schedule of the IT Act, 2000, the following are the non-applicability scenarios:

  1. Negotiable Instruments: Except a cheque, the Act doesn’t apply to any other negotiable instrument as defined in Section 13 of the Negotiable Instruments Act, 1881.
  2. Power of Attorney: The provisions of the IT Act do not apply to the creation or execution of a power of attorney as defined in the Powers-of-Attorney Act, 1882.
  3. Trust: The Act is not applicable to any trust as defined in the Indian Trusts Act, 1882.
  4. Will: The IT Act doesn’t apply to any testamentary disposition by whatever name called, such as a will, codicil, etc.
  5. Contract for Sale or Conveyance of Immovable Property: Any contract for the sale or conveyance of immovable property is outside the purview of the IT Act.[5]

Digital signatures and electronic authentication

Under the Information Technology Act, 2000 (IT Act) of India, provisions related to digital signatures and electronic authentication have been defined and laid out. Here’s a brief overview:

1. Digital Signatures:

  • Digital signatures are electronic signatures generated by means of an asymmetric cryptosystem, ensuring the signer’s identity and indicating the signer’s approval of the information contained in the electronic record.
  •   The Act makes provisions for the authentication of electronic records by means of digital signatures.
  •  The Act specifies that digital signatures should only be considered reliable if, it was created during the operational period of a valid Digital Signature Certificate (DSC).
  • It is linked to the signer and no other individual.
  • It was created in a manner that the signer can be linked to the data, and the signer had control of the data used to create the signature.
  •  It is linked in such a manner that if the data is changed, the signature is invalidated.

2. Electronic Signature

  • With amendments to the IT Act over time, the concept of ‘electronic signature’ was introduced to have a broader scope than digital signatures. This allowed for various methods of authenticating electronic records.
  • An electronic signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature.
  • The electronic technique for electronic signatures must be reliable and specified in the Second Schedule of the Act.

Electronic governance

  1. Legal Recognition of Electronic Records:

Section 4 of the IT Act, 2000, states that any information or matter which is required by law to be in writing, typewritten, or printed can be in an electronic form, and is deemed to satisfy that requirement.

  • Secure Electronic Records and Signatures: Sections 14 and 15 deal with secure electronic records and signatures. If an electronic record is secured in a specific manner, it is presumed, unless the contrary is proved, that the electronic record has not been altered since the specific point in time to which the secure status connects.
  • Regulation of Certifying Authorities: To ensure the integrity and security of electronic records, the IT Act also provides for the establishment of Certifying Authorities, which issue digital signature certificates. Sections 17 to 34 specify the duties of these certifying authorities.
  • Controller of Certifying Authorities: The IT Act also establishes the position of the Controller of Certifying Authorities (CCA), who regulates the working of Certifying Authorities. The CCA’s responsibilities include certifying public keys, licensing and monitoring Certifying Authorities, and setting standards to be maintained by them.

Cybercrimes and Punishments

Several cybercrimes and their punishments under the IT Act, 2000 are:

        Cyber crimes       Punishments
Tampering with Computer Source Documents (Section 65)Imprisonment up to 3 years, or a fine up to ₹2 lakh, or both.  
Computer-related Offences (Section 66)Imprisonment up to 3 years, or a fine up to ₹5 lakh, or both.  
Sending Offensive Messages (Section 66A) [Note: This section was struck down by the Supreme Court of India in 2015]Deemed unconstitutional and is no longer in force.
Receiving Stolen Computer or Communication Device (Section 66B)Imprisonment up to 3 years, or a fine up to ₹1 lakh, or both.  
Identity Theft (Section 66C)Imprisonment up to 3 years, or a fine up to ₹1 lakh, or both.  
Cheating by Personation using Computer Resource (Section 66D)Imprisonment up to 3 years, or a fine up to ₹1 lakh, or both.  
Violation of Privacy (Section 66E)Imprisonment up to 3 years, or a fine up to ₹2 lakh, or both.  
Cyber Terrorism (Section 66F)Life imprisonment  
Publication or Transmission of Obscene Material in Electronic Form (Section 67) On first conviction, imprisonment up to 3 years and a fine up to ₹5 lakh. On subsequent convictions, imprisonment up to 5 years and a fine up to ₹10 lakh.  
Publication or Transmission of Sexually Explicit Material (Section 67A)On first conviction, imprisonment up to 5 years and a fine up to ₹10 lakh. On subsequent convictions, imprisonment up to 7 years and a fine up to ₹10 lakh.  
Publication or Transmission of Material Depicting Children in Sexually Explicit Act (Section 67B)On first conviction, imprisonment up to 5 years and a fine up to ₹10 lakh. On subsequent convictions, imprisonment up to 7 years and a fine up to ₹10 lakh.  
Unauthorized Access and Data Breach (Section 43)Compensation to be paid to the affected party up to ₹1 crore.[6]  

Data Protection and Privacy

In India, the Information Technology Act, 2000 (IT Act) was enacted primarily to promote the IT industry and electronic commerce. However, it also contains provisions related to data protection and privacy. Here’s a brief overview:

  1. Section 43A: This section imposes a responsibility on corporate entities that possess, deal, or handle any sensitive personal data or information in a computer resource they own, control, or operate. They must maintain reasonable security practices to protect such information from unauthorized access, damage, use, modification, disclosure, or impairment. If there is negligent failure leading to wrongful loss or wrongful gain to any person, then the entity can be held liable to pay damages.
  2. Section 72A: This provision punishes the disclosure of information in breach of lawful contract. If any person, including an intermediary, discloses personal information obtained under a lawful contract without the information provider’s consent, with the intent to cause or knowing it will likely cause wrongful loss or wrongful gain, they can be punished with imprisonment up to three years, a fine up to five lakh rupees, or both.
  3. Sensitive Personal Data and Information (SPDI): The IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 were formulated under the IT Act. These rules define SPDI to include items like passwords, financial data, health conditions, sexual orientation, biometric information, etc. Organizations are required to implement and maintain reasonable security practices to protect SPDI.
  4. Reasonable Security Practices: The IT Rules, 2011, require organizations to have a documented information security program and policies in place. This includes measures, practices, and procedures that are commensurate with the information assets being protected.
  5. Privacy Policies: Any entity that collects, receives, possesses, or handles SPDI is required to provide a privacy policy on its website that clearly mentions the kind of information collected, its purpose, and security practices in place.

Cyber Appellate Tribunal

One of the significant provisions within the IT Act, 2000 is the establishment of the “Cyber Appellate Tribunal” (CAT). Here’s a brief outline of the Cyber Appellate Tribunal:

  1. Purpose: The CAT was set up to adjudicate disputes and grievances arising out of violations of the IT Act, 2000. It also hears appeals against the orders passed by the Adjudicating Officers under the IT Act.
  2. Composition: The CAT is headed by a Chairperson, who is appointed by the Central Government. The qualifications for the Chairperson are specified in the Act, ensuring the person possesses the necessary legal and technical acumen.
  3. Powers: The CAT possesses the same powers as vested in a civil court under the Code of Civil Procedure, 1908. This includes the power to summon and enforce the attendance of any person, require the discovery and production of documents, receive evidence on affidavits, and issue commissions for the examination of witnesses or documents.
  4. Appeal: Decisions of the Cyber Appellate Tribunal can be challenged in the jurisdiction’s high court.
  5. Special Provisions: One of the key aspects of the CAT is that its proceedings are meant to be expedited and completed swiftly. The Tribunal needs to dispose of an appeal as expeditiously as possible, with an effort to conclude within six months of the receipt of the appeal.

The establishment of the Cyber Appellate Tribunal is indicative of the government’s effort to have specialized bodies to address the emerging challenges of the digital age. The IT Act, 2000 and its subsequent amendments have equipped India with a framework to handle cybercrimes, electronic governance, and other digital-related matters.[7]

Intermediaries and their liabilities

Intermediaries, like telecom providers, web-hosting companies, and search engines, under the Information Technology Act, 2000 of India, are pivotal in the digital ecosystem. While they facilitate data storage, retrieval, and transmission, they have specific liabilities. The Act provides “safe harbor” protections to intermediaries, ensuring they aren’t liable for unlawful acts by third parties on their platforms if they don’t initiate, select the receiver, or modify the information and follow due diligence. However, they must act swiftly to disable unlawful content upon knowledge or notification, and maintain user records for investigative purposes. Failure to comply removes their safe harbor protection, making them liable.[8]

Amendments and Updates

The Information Technology (IT) Act, 2000, is India’s primary legislation concerning electronic commerce and digital signatures. Over time, it has undergone various amendments and updates to keep pace with the evolving digital landscape. The 2008 amendment was significant, addressing issues like cyber terrorism, child pornography, and data protection. The amendment expanded the definition of cyber crimes and introduced stringent penalties for offenses. Another crucial update was the recognition of electronic signatures, broadening the scope beyond digital signatures. The section on data protection (Section 43A) was introduced, mandating companies to adopt reasonable security practices to protect sensitive personal information. Furthermore, the role of intermediaries (like ISPs and web-hosting service providers) was clarified, offering them limited liability if they adhered to certain due diligence practices. The amended act also granted the power to intercept, monitor, or decrypt information generated, transmitted, or stored in any computer source under specific circumstances. Additionally, a significant emphasis was laid on setting up a structure for the appointment of a ’Controller of Certifying Authorities’ and ‘Adjudicating Officers’. These changes were pivotal in strengthening the legal framework around India’s digital economy and addressing emerging threats in the cyber realm.

Comparative analysis

The IT Act 2000 was a landmark legislation for India, laying the foundation for e-commerce and electronic records. However, it faced challenges in addressing the growing array of cybercrimes. The subsequent IT (Amendment) Act 2008 expanded the scope to include newer forms of cybercrimes, like cyber terrorism and phishing. Penalties became stiffer, and the act addressed evolving threats. While the 2000 Act had limited provisions on data protection, the 2008 amendment recognized “sensitive personal data” and increased liability for intermediaries. However, the introduction of Section 66A in the amendment, which criminalized offensive online messages, was controversial and later deemed unconstitutional. Compared to global standards like the EU’s GDPR, the IT Act has areas to improve upon, especially in data protection and balancing regulation with freedom of speech.

Challenges and Criticisms

The IT Act 2000, India’s primary legislation governing cyber activities, has faced challenges and criticisms since its inception. Critics argue that its provisions are often vague, leading to potential misuse, especially regarding electronic evidence admissibility. The Act’s Section 66A, which criminalized offensive online messages, was struck down by the Supreme Court in 2015 for being unconstitutional and violating freedom of speech. Furthermore, the Act does not adequately address modern cyber threats, such as ransomware and IoT vulnerabilities. Lastly, concerns have arisen about its data protection measures being insufficient, especially with the rise of digital payments and e-commerce.

Conclusion

The Information Technology Act 2000 marked a pivotal step for India in regulating the digital realm, establishing guidelines for e-commerce and electronic records. While it laid foundational cybersecurity and legal structures, its initial scope required subsequent updates to address evolving cyber threats and to enhance data protection measures. The Act’s journey, inclusive of its amendments and controversies like Section 66A, underscores the challenges of legislating in a rapidly evolving digital environment. Nonetheless, the IT Act 2000 remains instrumental in shaping India’s digital landscape, highlighting the need for periodic reviews to stay abreast of global standards and emerging challenges.


[1] Monesh Mehndiratta, Information Technology Act, 2000, IPLEADERS, Sep 13, 2023, 12:40pm, https://blog.ipleaders.in/information-technology-act-2000/

[2] Monesh Mehndiratta, Information Technology Act, 2000, IPLEADERS, Sep 13, 2023, 12:40pm, https://blog.ipleaders.in/information-technology-act-2000/

[3] Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).

[4] Information Technology Act, 2000, VEDANTU, Sep 13, 2023, 03:23pm, https://www.vedantu.com/commerce/information-technology-act-2000

[5] Information Technology Act, 2000, TOPPR, Sep 14, 11:30am, https://www.toppr.com/guides/business-laws-cs/cyber-laws/information-technology-act-2000/#Applicability_and_Non-Applicability_of_the_Act

[6] Information Technology Act, 2000, GEEKSFORGEEKS, Sep 14, 09:35pm, https://www.google.com/amp/s/www.geeksforgeeks.org/information-technology-act-2000-india/amp/

[7] Kunal Kapoor, Role of the Appellate Tribunal under the IT Act, BNWJOURNAL, Sep 14,2023, 05:40pm, https://bnwjournal.com/2021/01/12/role-of-the-appellate-tribunal-under-the-it-act/#:~:text=Cyber%20Appellate%20Tribunal%20(CAT)%20was,of%20the%20IT%20Act%202000.

[8] Intermediaries Liabilities under the Information Technology Act, 2000, NETLAWGIC, Sep 14,2023, 7:14pm, https://netlawgic.com/intermediary-liability-it-act/#:~:text=The%20intermediary%20is%20not%20liable,to%20that%20extent%20is%20received.


0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *