The Ultimate Guide to Cyber Law in India

16 min read

From the privacy of your personal data stored with Aadhar to your online movie booking. From your child’s Instagram posts to your demat share trading account. From the legality of drones to Uber tracking your movements…..cyber law governs your entire world. You are affected by cyber law if you use digital technologies – apps, email, social media, smartphones, online banking, online shopping, etc.

This guide covers Indian cyber law. If you are looking for global cyber laws, see The Ultimate Guide to Global Cyber Laws.

The primary source of cyber law in India is the Information Technology Act, 2000 (IT Act) that came into force on 17th October 2000. The cyber law ecosystem in India consists of the IT Act (as amended from time to time) and its allied Acts, Orders, Guidelines, Regulations, and Rules.

In India, cyber laws are primarily under the governance of the Ministry of Electronics & Information Technology, Government of India.

The Indian Penal Code (as amended by the Information Technology Act) penalizes several cybercrimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence, etc.

Digital Evidence is to be collected and proven in court as per the provisions of the Indian Evidence Act (as amended by the Information Technology Act).

In the case of bank records, the provisions of the Bankers’ Book Evidence Act (as amended by the Information Technology Act) are relevant.

Investigation and adjudication of cyber crimes is done in accordance with the provisions of the Code of Criminal Procedure, Civil Procedure Code, and the Information Technology Act.

The Information Technology Act also amended the Reserve Bank of India Act paving the way for digital payments.

---

---

1. The Need for Cyber Law

Is there a need for a separate field of law to cover cyberspace? Isn’t conventional law adequate to cover cyberspace?

Let us consider cases where so-called conventional crimes are carried out using computers or the Internet as a tool. Consider cases of spread of pornographic material, criminal threats delivered via email, websites that defame someone or spread racial hatred, etc. In all these cases, the computer is merely incidental to the crime. Distributing pamphlets promoting racial enmity is in essence similar to putting up a website promoting such ill feelings.

Of course, it can be argued that when technology is used to commit such crimes, the effect and spread of the crime increases enormously. Printing and distributing pamphlets even in one locality is a time consuming and expensive task while putting up a globally accessible website is very easy.

In such cases, it can be argued that conventional law can handle cyber cases. The Government can simply impose a stricter liability (by way of imprisonment and fines) if the crime is committed using certain specified technologies. A simplified example would be stating that spreading pornography by electronic means should be punished more severely than spreading pornography by conventional means.

As long as we are dealing with such issues, conventional law would be adequate. The challenges emerge when we deal with more complex issues such as ‘theft’ of data. Under conventional law, theft relates to “movable property being taken out of the possession of someone”.

The General Clauses Act defines movable property as “property of every description, except immovable property”. The same law defines immovable property as “land, benefits to arise out of land, and things attached to the earth, or permanently fastened to anything attached to the earth”. Using these definitions, we can say that the computer is movable property.

Let us examine how such a law would apply to a scenario where data is ‘stolen’. Consider my personal computer on which I have stored some information. Let us presume that some unauthorized person picks up my computer and takes it away without my permission. Has he committed theft? The elements to consider are whether some movable property has been taken out of the possession of someone. The computer is movable property and I am the legal owner entitled to possess it. The thief has dishonestly taken this movable property out of my possession. It is theft.

Now consider that some unauthorized person simply copies the data from my computer onto his pen drive. Would this be theft? Presuming that the intangible data is movable property, the concept of theft would still not apply as the possession of the data has not been taken from me. I still have the ‘original’ data on the computer under my control. The ‘thief’ simply has a ‘copy’ of that data. In the digital world, the copy and the original are indistinguishable in almost every case.

Consider another illustration on the issue of ‘possession’ of data. I use the email account rohasnagpal@gmail.com for personal communication. Naturally, a lot of emails, images, documents etc are sent and received by me using this account. The first question is, who ‘possesses’ this email account? Is it me because I have the username and password needed to ‘login’ and view the emails? Or it is Google Inc because the emails are stored on their computers?

Another question would arise if some unauthorized person obtains my password. Can it be said that now that person is also in possession of my emails because he has the password to ‘login’ and view the emails?

Another legal challenge emerges because of the ‘mobility’ of data. Let us consider an example of international trade in the conventional world. Sameer purchases steel from a factory in China uses the steel to manufacture nails in a factory in India and then sells the nails to a trader in the USA. The various Governments can easily regulate and impose taxes at various stages of this business process.

Now consider that Sameer has shifted to an ‘online’ business. He sits in his house in Pune (India) and uses his computer to create pirated versions of expensive software. He then sells this pirated software through a website (hosted on a server located in Russia). People from all over the world can visit Sameer’s website and purchase the pirated software. Sameer collects the money using a PayPal account that is linked to his bank account in a tax haven country like the Cayman Islands.

It would be extremely difficult for any Government to trace Sameer’s activities.

It is for these and other complexities that conventional law is unfit to handle issues relating to cyberspace. This brings in the need for a separate branch of law to tackle cyberspace.

---

2. What does cyber law cover?

Cyber Law is the legal and regulatory framework relating to

1. Artificial Intelligence
2. Bitcoin & other crypto-currencies
3. Cloud computing
4. Cryptography Export
5. Cyber Crime Investigation and Forensics
6. Cyber Insurance
7. Cyber security and incident response
8. Cyber Terrorism & Warfare
9. Data breaches and data privacy
10. Digital Evidence
11. Digital payments, credit, debit & cash cards, mobile wallets, net banking, UPI
12. Domain name disputes
13. E-commerce
14. E-governance, E-courts & E-tenders
15. Electronic & Digital Signatures
16. Electronic contracts
17. Electronic voting machines
18. Extradition of cyber criminals
19. Hacking, malware, ransomware, and other cybercrimes,
20. Information Technology Law Compliance
21. Intermediaries like Internet Service Providers (ISPs), Social Media Platforms, Email services, video streaming services
22. Internet of Things
23. Online education
24. Online gambling & gaming, and pharmacies
25. Online share trading, banking, and tax filing
26. Software licenses
27. Spam, hate speech and trolling
28. Telemedicine
29. Torrents, dark web, p2p networks, and file-sharing
30. Video conferencing

---

3. Information Technology Act

The major issues addressed by the IT Act relate to:

1. electronic records
2. establishing of authorities
3. Certifying Authorities
4. cyber crimes
5. administrative issues
6. amendments

The Information Technology Act does not apply to:

1. a negotiable instrument (other than a cheque),
2. a power-of-attorney ,
3. a trust ,
4. a will
5. any contract for the sale or conveyance of immovable property or any interest in such property
6. any such class of documents or transactions as may be notified by the Central Government in the Official Gazette.

Cyber crimes under Chapter 9 of the IT Act come under the jurisdiction of Adjudicating Officers. Appeals from orders of the Adjudicating Officers lie to the Cyber Appellate Tribunal and appeals from the orders of the Cyber Appellate Tribunal lie to the High Court. Other cyber crimes come under the jurisdiction of the criminal courts.

Case law is the law that is established through the decisions of the courts and other officials. Case law assumes even greater significance when the wordings of a particular law are ambiguous. The interpretation of the Courts helps clarify the real objectives and meaning of such laws.

In India, courts are bound by decisions of higher courts in the hierarchy. The apex court in India is the Supreme Court. Article 141 of the Constitution of India states that “the law declared by the Supreme Court shall be binding on all courts within the territory of India”.

The hierarchy of courts is further enshrined in the Code of Civil Procedure, 1908 and the Code of Criminal Procedure, 1973.

The chief responsibility of Adjudicating Officers (AO) under the IT Act is to adjudicate on cases under section 43, 44 and 45 of the IT Act e.g. unauthorized access, unauthorized copying of data, spread of viruses, denial of service attacks, computer manipulations etc.

Certifying Authorities, the Controller and other officers / agencies established under the Act and other government agencies like CERT-IND are required to promptly assist the AO.

Appeals against the orders of AO and the Controller lie with the Cyber Appellate Tribunal.

The primary role of the Controller of Certifying Authorities (CCA) is to regulate the working of the Certifying Authorities (CA). A CA is a business organization that issues digital signature certificates to subscribers. This sets the base for the development of electronic commerce and governance in India.

The CCA also has investigation powers u/s 28 of the IT Act. The CCA can also direct a person to decrypt information under his control. If such a person refuses to comply with the CCA directions he faces 7 years imprisonment u/s 69 of the IT Act.

The investigation of cyber crimes covered by the Indian Penal Code is done by the police. For cyber crimes covered by the IT Act, investigation can be done by an officer not below the rank of a Inspector of police.

According to section 2(h) of the Code of Criminal Procedure, “investigation” includes all the proceedings under this Code for the collection of evidence conducted by a police officer or by any person (other than a Magistrate) who is authorised by a Magistrate in this regard.

Section 28 of the Information Technology Act empowers the following to investigate any contravention of the Act and allied rules and regulations: (1) the Controller (2) any officer authorised by the Controller.

Additionally, section 78 of the Information Technology Act empowers a police officer not below the rank of Inspector to investigate offence under the Act. Offences are defined under Chapter XI of the Act.

Additionally, rule 4(i) of the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 authorizes the Adjudicating Officer to get a matter or report investigated from an officer in the Office of Controller or CERT-IND or from the concerned Deputy Superintendent of Police [Inspector], to ascertain more facts and whether prima facie there is a case for adjudicating on the matter or not.

Additionally, section 80 of the Information Technology Act provides a special power to police officers not below the rank of an Inspector of Police and to other Government officers authorised by the Central Government. Such authorised persons can enter and search any public place. Public places include cyber cafes, hotels, shops etc accessible to the public.

Additionally, they can arrest without warrant any person found in such a public place who is reasonably suspected of:

1. having committed an offence under the Act,
2. committing an offence under the Act,
3. being about to commit any offence under the Act.

---

4. Chronology of the Indian Cyber Law

2000

The primary source of cyber law in India is the Information Technology Act, 2000 (IT Act) which came into force on 17th October 2000. The primary purpose of the Information Technology Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government. The Information Technology Act also penalizes various cyber crimes and provides strict punishments (imprisonment terms up to 10 years and compensation up to crores of rupees).

The Indian Penal Code (as amended by the Information Technology Act) penalizes several cyber crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc.

Digital Evidence is to be collected and proven in court as per the provisions of the Indian Evidence Act (as amended by the Information Technology Act).

In case of bank records, the provisions of the Bankers’ Book Evidence Act (as amended by the Information Technology Act) are relevant.

Investigation and adjudication of cyber crimes is done in accordance with the provisions of the Code of Criminal Procedure, Civil Procedure Code and the Information Technology Act.

The Reserve Bank of India Act was also amended by the Information Technology Act.

On 17th October 2000, the Information Technology (Certifying Authorities) Rules, 2000 also came into force. These rules prescribe the eligibility, appointment and working of Certifying Authorities. These rules also lay down the technical standards, procedures and security methods to be used by a Certifying Authority.

The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000 also came into force on 17th October 2000. These rules prescribe the appointment and working of the Cyber Regulations Appellate Tribunal whose primary role is to hear appeals against orders of the Adjudicating Officers.

2001

Information Technology (Certifying Authority) Regulations, 2001 came into force on 9th July 2001. They provide further technical standards and procedures to be used by a Certifying Authority. Two important guidelines relating to Certifying Authorities were issued. The first are the Guidelines for submission of application for license to operate as a Certifying Authority under the Information Technology Act. These guidelines were issued on 9th July 2001.

2002

An Executive Order dated 12th September 2002 contained instructions relating provisions of the Act with regard to protected systems and application for the issue of a Digital Signature Certificate.

Next were the Guidelines for submission of certificates and certification revocation lists to the Controller of Certifying Authorities for publishing in National Repository of Digital Certificates. These were issued on 16th December 2002.

Minor errors in the Act were rectified by the Information Technology (Removal of Difficulties) Order, 2002 which was passed on 19th September 2002.

The Information Technology Act was amended by the Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002. This introduced the concept of electronic cheques and truncated cheques.

Cyber Regulations Appellate Tribunal (Salaries, Allowances and Condition of Service of other Officers and Employees) Rules, 2002 were passed. This provides for the nature and categories of officers and employees of the Cyber Appellate Tribunal and their scales of pay. Further, the Rules also provide for the regulation of the conditions of service of officers and employees of the Cyber Appellate Tribunal in the matter of pay, allowances, leave, joining time, provident fund, age of superannuation, pension and retirement benefits, medical facilities, conduct, disciplinary matters and other conditions.

2003

On 17th March 2003, the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 were passed. These rules prescribe the qualifications required for Adjudicating Officers. Their chief responsibility under the IT Act is to adjudicate cases such as unauthorized access, unauthorized copying of data, spread of viruses, denial of service attacks, disruption of computers, computer manipulation etc. These rules also prescribe the manner and mode of inquiry and adjudication by these officers.

The appointment of adjudicating officers to decide the fate of multi-crore cyber crime cases in India was the result of the Public Interest Litigation (PIL) filed by students of Asian School of Cyber Laws (ASCL). The Government had not appointed Adjudicating Officers or the Cyber Regulations Appellate Tribunal for almost 2 years after the passage of the IT Act. This prompted ASCL students to file a Public Interest Litigation (PIL) in the Bombay High Court asking for a speedy appointment of Adjudicating officers.

The Bombay High Court, in its order dated 9th October 2002, directed the Central Government to announce the appointment of adjudicating officers in the public media to make people aware of the appointments. The division bench of the Mumbai High Court consisting of Hon’ble Justice A.P. Shah and Hon’ble Justice Ranjana Desai also ordered that the Cyber Regulations Appellate Tribunal be constituted within a reasonable time frame.

Following this, the Central Government passed an order dated 23rd March 2003 appointing the “Secretary of Department of Information Technology of each of the States or of Union Territories” of India as the adjudicating officers.

The Cyber Regulations Appellate Tribunal (Salary, Allowances and other Terms and Conditions of Service of Presiding Officer) Rules, 2003 prescribe the salary, allowances and other terms for the Presiding Officer of the Cyber Regulations Appellate Tribunal. Information Technology (Other Powers of Civil Court Vested in Cyber Appellate Tribunal) Rules 2003 provided some additional powers to the Cyber Regulations Appellate Tribunal.

Also relevant are the Information Technology (Other Standards) Rules, 2003. An important order relating to blocking of websites was passed on 27th February, 2003. Under this, Computer Emergency Response Team (CERT-IND) can instruct Department of Telecommunications (DOT) to block a website. The Information Technology (Certifying Authorities) Rules, 2000 were amended. The Chhattisgarh Citizen Service (Electronic Governance) Rules, 2003 were passed for effective implementation of e-governance services.

2004

Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004 have provided the necessary legal framework for filing of documents with the Government as well as issue of licenses by the Government. It also provides for payment and receipt of fees in relation to Government bodies.

The Information Technology (Security Procedure) Rules, 2004 came into force on 29th October 2004. They prescribe provisions relating to secure digital signatures and secure electronic records.

The Information Technology (Certifying Authorities) Rules, 2000 were amended.

The Gujarat Information Technology Rules, 2004 were passed in order to regulate cyber cafes in the State of Gujarat. The Rules provide for maintenance of log register by cyber cafe owners, the responsibilities of cyber cafe owners, etc.

The Information Technology (Karnataka) Rules, 2004 were issued in order to regulate cyber cafes in the State of Karnataka. The Rules provide for maintenance of log register by cyber cafe owners, the responsibilities of cyber cafe owners, liability in case of non-compliance, etc.

2006

The Information Technology (Certifying Authorities) Rules, 2000 were amended.

2007

The Rajasthan Cyber Cafe Rules, 2007 were passed with a view to regulate cyber cafes in Rajasthan. The Rules provide for maintenance of log register by cyber cafe owners, the responsibilities of cyber cafe owners, etc.

2009

The Information Technology (Amendment) Act, 2008, which came into force on 27th October, 2009 has made sweeping changes to the Information Technology Act.

The following rules have also come into force on 27th October, 2009:

1. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
2. Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.
3. Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.
4. The Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009.
5. Cyber Appellate Tribunal (Procedure for Investigation of Misbehaviour or Incapacity of Chairperson and Members) Rules, 2009.

The Information Technology (Certifying Authorities) Rules, 2000 were amended.

2010

The Kerala Information Technology (Electronic Delivery of Services) Rules, 2010 passed to improve delivery of e-services by the Government.

2011

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 passed. These rules define sensitive personal data or information and form the crux of India’s data privacy law.

Clarification on Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 were also issued.

Information Technology (Intermediaries guidelines) Rules, 2011 passed. These rules explain the due diligence to be observed by intermediaries.

Information Technology (Electronic Service Delivery) Rules, 2011 passed. These rules relate to the system of Electronic Service Delivery by the Government.

Information Technology (Guidelines for Cyber Cafe) Rules, 2011 passed. This provides for registration of cyber cafes, maintenance of log register, identification of user, etc.

The Andhra Pradesh Information Technology (Electronic Service Delivery) Rules, 2011 were issued to improve delivery of e-services by the Government.

The Madhya Pradesh Information Technology (Regulation of Electronic Delivery of Citizen Services and Appointment of Service Provider) Rules, 2011 were passed to regulate the electronic delivery of citizen services, appointment of service provider and for the purpose of effective implementation of e-governance services.

2013

Clarification on The Information Technology (Intermediary Guidelines) Rules, 2011 issued. According to it, intermediaries should have a publicly accessible and published grievance redressal process by which complaints can be lodged. It also clarifies the words “..shall act within thirty-six hours.” as mentioned in sub-rule (4) of Rule 3.

Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013 came into force. They lay down the functions and duties of the National Critical Information Infrastructure Protection Centre.

Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 came into force. They lay down the detailed functions, responsibilities and services of the Indian Computer Emergency Response Team.

Information Technology (Salary, Allowances and Terms and Conditions of Service of the Director General, Indian Computer Emergency Response Team) Rules, 2012 were passed on 24th January 2013 regulating the qualifications, experience and other terms and conditions of service of the Director General, Indian Computer Emergency Response Team.

Information Technology (Recognition of Foreign Certifying Authorities Operating under a Regulatory Authority) Regulations, 2013 came into force in order to regulate the conduct of Foreign Certifying Authorities in India operating under a regulatory authority.

Information Technology (Recognition of Foreign Certifying Authorities not Operating under a Regulatory Authority) Regulations, 2013 came into force in order to regulate the conduct of Foreign Certifying Authorities in India not operating under a regulatory authority.

2015

Unique Identification Authority of India (UIDAI) facilities, Information Assets, Logistics Infrastructure and Dependencies declared as protected systems under section 70 of the Information Technology Act.

Digital Signature (End Entity) Rules, 2015 came into force. They deal with long term valid digital signatures.

Information Technology (Security Procedure) Amendments Rules, 2015 came into force. They make minor amendments to the Information Technology (Security Procedure) Rules, 2004.

Information Technology (Certifying Authorities) Amendment Rules, 2015 came into force. They make amendments to Information Technology (Certifying Authorities) Rules, 2000.

2016

Indian Computer Emergency Response Team authorised to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.
Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2016 passed. These lay down the manner in which the information is authenticated by means of digital signatures.

Information Technology (Certifying Authorities) (Amendment) Rules, 2016 passed. These rules made a slight correction to the Information Technology (Certifying Authorities) Rules, 2000.

Cyber Appellate Tribunal (Powers and Functions of the Chairperson) Rules, 2016 passed. These rules lay down the powers and functions of the Chairperson of the Cyber Appellate Tribunal.

Advisory on Functioning of Matrimonial Websites in accordance with the Information Technology Act, 2000 and Rules issued. According to this advisory, “There have been instances where users of matrimonial websites falsify their marital status, age, height, personality, health, social and economic status. In most of the cases victims are women who fall prey to these fraudsters after getting introduced through fake profiles on matrimonial portal”. This advisory has been issued to strengthen protective measures for all users of such websites.

Aadhar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 came into force on 26th March 2016. Through this legislation, the government plans to target delivery of subsidies and services by assigning unique identity numbers to individuals residing in India.

Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016 were passed for the preservation and retention of information by intermediaries providing Digital Locker Facilities.

2017

The Government Open Data License National Data Sharing and Accessibility Policy was announced on 10th February, 2017.

2018

On 22nd May, 2018, the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 came into force. These rules prescribe information security practices and procedures for protected systems.

On 20th December, 2018, the following Security and Intelligence Agencies were authorised for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the Information Technology Act:

1. Intelligence Bureau;
2. Narcotics Control Bureau;
3. Enforcement Directorate;
4. Central Board of Direct Taxes;
5. Directorate of Revenue Intelligence;
6. Central Bureau of Investigation;
7. National Investigation Agency;
8. Cabinet Secretariat (RAW);
9. Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only);
10. Commissioner of Police, Delhi.

2019

The Central Government notified the Regional Forensic Science Laboratory, Northern Range, Dharamshala, District- Kangra (Himanchal Pradesh), as Examiner of Electronic Evidence within India, with the following scope:

1. Computer (Media) Forensics excluding Floppy Disk Drive;
2. Mobile Devices Forensics.

---

---