Information Technology Act, 2000
August 24, 2022
The article has been published by Sneha Mahawar.
Table of Contents
· Background of Information Technology Act, 2000
· Features of Information Technology Act, 2000
· Overview of Information Technology Act, 2000
§ License for electronic signatures
§ Powers of certifying authorities
§ Penalty for damaging a computer system
§ Compensation in the case of failure to protect data
§ Failure to furnish the required information
§ Powers
· Amendments to Information Technology Act, 2000
· Landmark judgments on Information Technology Act, 2000
§ Facts
§ Issue
§ Judgment
§ Facts
§ Issue
§ Judgment
§ Facts
§ Issue
§ Judgment
· Loopholes in Information Technology Act, 2000
· Frequently Asked Questions (FAQs)
Introduction
One day, you wake up in the morning and check your phone. You are shocked to see that every piece of your data stored in different applications like your phone’s gallery, Facebook, Instagram and WhatsApp has been hacked. You then check your laptop and observe that it has been hacked. What will you do? Will you sue these social media platforms for not protecting your data, or search for the hacker?
This is where
the Information Technology Act of 2000 comes
into the picture. The Act defines various offences related to breach of data
and privacy of an individual and provides punishment or penalties for them. It
also talks about intermediaries and regulates the power of social media. With
the advancement of technology and e-commerce, there has been a tremendous increase
in cyber crimes and offences related to data and authentic information. Even
the data related to the security and integrity of the country was not safe, and
so the government decided to regulate the activities of social media and data
stored therein. The article gives the objectives and features of the Act and
provides various offences and their punishments as given in the Act.
Background of Information Technology Act, 2000
The United
Nations Commission on International Trade Law in 1996 adopted a
model law on e-commerce and digital intricacies. It also made it compulsory for
every country to have its own laws on e-commerce and cybercrimes. In order to
protect the data of citizens and the government, the Act was passed in 2000,
making India the 12th country in the world to pass legislation for cyber
crimes. It is also called the IT Act and provides the legal framework to
protect data related to e-commerce and digital signatures. It was further
amended in 2008 and 2018 to meet the needs of society. The Act also defines the
powers of intermediaries and their limitations.
Schedule of Information Technology Act, 2000
The Act is divided
into 13 chapters, 90 sections
and 2 schedules. The following are the chapters under the Act:
· Chapter 1 deals with
the applicability of the Act and definitions of various terminologies used in
the Act.
· Chapter 2 talks about
digital and electronic signatures.
· Electronic governance
and electronic records are given under Chapters 3 and 4 respectively.
· Chapter 5 is related
to the security of these records and Chapter 6 deals with regulations of
certifying authorities.
· Chapter 7 further
gives the certificates needed to issue an electronic signature.
· Chapter 8 gives the
duties of subscribers and Chapter 9 describes various penalties.
· Chapter 10 provides
sections related to the Appellate Tribunal.
· Chapter 11 describes
various offences related to breach of data and their punishments.
· Chapter 12 provides
the circumstances where the intermediaries are not liable for any offence or
breach of data privacy.
· The final chapter,
i.e., Chapter 13 is the miscellaneous chapter.
The 2 schedules given
in the Act are:
· Schedule 1 gives the
documents and data where the Act is not applicable.
· Schedule 2 deals with
electronic signatures or methods of authentication.
Applicability of Information Technology Act, 2000
According to Section 1, the Act applies to the whole
country, including the state of Jammu and Kashmir. The application of this Act
also extends to extra-territorial jurisdiction, which means it applies to a
person committing such an offence outside the country as well. If the source of
the offence, i.e., a computer or any such device, lies in India, then the
person will be punished according to the Act irrespective of his/her
nationality.
The Act, however, does
not apply to documents given under Schedule 1. These are:
· Any negotiable
instrument other than a cheque as given under Section 13 of the Negotiable Instruments Act, 1881.
· Any power of attorney
according to Section 1A of
the Powers of Attorney Act, 1882.
· Any sort of trust
according to Section 3 of
the Indian Trusts Act, 1882.
· Any will including
testamentary disposition given under the Indian Succession Act, 1925.
· Any contract or sale
deed of any immovable property.
Objectives of Information Technology Act, 2000
The Act was passed to
deal with e-commerce and all the intricacies involved with digital signatures
and fulfill the following objectives:
· The Act seeks to
protect all transactions done through electronic means.
· E-commerce has reduced the paperwork used for communication purposes. The Act gives legal protection to communication and the exchange of information through electronic means.
· It protects the
digital signatures that are used for any sort of legal authentication.
· It regulates the
activities of intermediaries by keeping a check on their powers.
· It defines various
offences related to data privacy of citizens and hence protects their data.
· It also regulates and
protects the sensitive data stored by social media and other electronic
intermediaries.
· It provides
recognition to books of accounts kept in electronic form regulated by the Reserve Bank of India Act, 1934.
Features of Information Technology Act, 2000
Following are the
features of the Act:
· The Act is based on
the Model Law on e-commerce adopted by UNCITRAL.
· It has
extra-territorial jurisdiction.
· It defines various terminologies used in the Act, like cyber cafes, computer systems, digital signatures, electronic records, data, asymmetric cryptosystems, etc., under Section 2(1).
· It protects all the
transactions and contracts made through electronic means and says that all such
contracts are valid. (Section 10A)
· It also gives
recognition to digital signatures and provides methods of authentication.
· It contains provisions
related to the appointment of the Controller and its powers.
· It recognises foreign
certifying authorities (Section 19).
· It also provides
various penalties in case a computer system is damaged by anyone other than the
owner of the system.
· The Act also provides
provisions for an Appellate Tribunal to be established under the Act. All the
appeals from the decisions of the Controller or other Adjudicating officers lie
to the Appellate tribunal.
· Further, an appeal
from the tribunal lies with the High Court.
· The Act describes
various offences related to data and defines their punishment.
· It provides
circumstances where the intermediaries are not held liable even if the privacy
of data is breached.
· A cyber regulation
advisory committee is set up under the Act to advise the Central Government on
all matters related to e-commerce or digital signatures.
Overview of Information Technology Act, 2000
The Act deals with
e-commerce and all the transactions done through it. It gives provisions for
the validity and recognition of electronic records along with a license that is
necessary to issue any digital or electronic signatures. The article further
gives an overview of the Act.
Electronic records and signatures
The Act defines electronic records under Section 2(1)(t), which includes any data, image, record, or file sent through an electronic mode. According to Section 2(1)(ta), any signature used to authenticate any electronic record that is in the form of a digital signature is called an electronic signature. However, such authentication will be effected by asymmetric cryptosystems and hash functions as given under Section 3 of the Act.
Section 3A further gives the conditions of a reliable electronic signature. These are:
· The signature is linked to the signatory or authenticator.
· The signature is under the control of the signatory at the time of signing.
· Any alteration to the signature made after it is affixed must be detectable.
· Any alteration to the information authenticated by the signature must be detectable.
· It must also fulfill any other conditions as specified by the Central Government.
The government can make rules for electronic signatures at any time according to Section 10 of the Act. The attribution of an electronic record is given under Section 11 of the Act. An electronic record is attributed to the originator if it is sent by the originator or any other person on his behalf. The person receiving the electronic record must acknowledge its receipt in any manner if the originator has not specified a particular manner (Section 12). According to Section 13, an electronic record is said to be dispatched if it enters a computer resource that is outside the control of the originator. The time of receipt is determined in the following ways:
· When the addressee has designated a computer resource,
o Receipt occurs on the entry of the electronic record into the designated computer resource.
o In case the record is sent to any other computer system, the receipt occurs when it is retrieved by the addressee.
· When the addressee has not specified any computer resource, the receipt occurs when the record enters any computer resource of the addressee.
Certifying authorities
Appointment of Controller
Section 17 talks
about the appointment of the controller, deputy controllers, assistant
controllers, and other employees of certifying authorities. The deputy controllers
and assistant controllers are under the control of the controller and perform
the functions as specified by him. The term, qualifications, experience and
conditions of service of the Controller of certifying authorities will be
determined by the Central Government. It will also decide the place of the head
office of the Controller.
Functions of the Controller
According to Section 18, the
following are the functions of the Controller of certifying authority:
· He supervises all the
activities of certifying authorities.
· Public keys are
certified by him.
· He lays down the rules
and standards to be followed by certifying authorities.
· He specifies the
qualifications and experience required to become an employee of a certifying
authority.
· He specifies the procedure to be followed in maintaining the accounts of the authority.
· He determines the
terms and conditions of the appointment of auditors.
· He supervises the
conduct of businesses and dealings of the authorities.
· He facilitates the
establishment of an electronic system jointly or solely.
· He maintains all the
particulars of the certifying authorities and specifies the duties of the
officers.
· He has to resolve any
kind of conflict between the authorities and subscribers.
· All information and
official documents issued by the authorities must bear the seal of the office
of the Controller.
License for electronic signatures
It is necessary to
obtain a license certificate in order to issue an electronic signature. Section 21 of the Act provides that any
such license can be obtained by making an application to the controller who,
after considering all the documents, decides either to accept or reject the
application. The license issued is valid for the term as prescribed by the
central government and is transferable and heritable. It is regulated by terms
and conditions provided by the government.
According to Section 22 of the Act, an application must fulfill the
following requirements:
· A certificate of
practice statement.
· Identity proof of the
applicant.
· Fees of Rupees 25,000
must be paid.
· Any other document as
specified by the central government.
The license can be renewed by making an application at least 45 days before the expiry of the license, along with payment of fees, i.e., Rupees 25,000 (Section 23).
Any license can be
suspended on the grounds specified in Section 24 of the Act. However, no
certifying authority can suspend the license without giving the applicant a
reasonable opportunity to be heard. The grounds of suspension are:
· The applicant makes a
false application for renewal with false and fabricated information.
· Failure to comply with
the terms and conditions of the license.
· A person fails to
comply with the provisions of the Act.
· He did not follow the
procedure given in Section 30 of the
Act.
The notice of
suspension of any such license must be published by the Controller in his
maintained records and data.
Powers of certifying authorities
Following are the
powers and functions of certifying authorities:
· Every such authority
must use hardware that is free from any kind of intrusion. (Section 30)
· It must adhere to
security procedures to ensure the privacy of electronic signatures.
· It must publish
information related to its practice, electronic certificates and the status of
these certificates.
· It must be reliable in
its work.
· The authority has the
power to issue electronic certificates. (Section 35)
· The authority has to
issue a digital signature certificate and certify that:
o The subscriber owns a
private key along with a public key as given in the certificate.
o The key can make a
digital signature and can be verified.
o All the information given
by subscribers is accurate and reliable.
· The authorities can
suspend the certificate of digital signature for not more than 15 days. (Section 37)
· According to Section 38, a certificate can be revoked by
the authorities on the following grounds:
o If the subscriber
himself makes such an application.
o If he dies.
o In case the subscriber is a company, the certificate is revoked on the winding up of the company.
Circumstances where intermediaries are not held liable
Section 2(1)(w) of the
Act defines the term ‘intermediary’ as one who receives, transmits, or stores
data or information of people on behalf of someone else and provides services
like telecom, search engines and internet services, online payment, etc.
Usually, when the data stored by such intermediaries is misused, they are held
liable. But the Act provides certain instances where they cannot be held liable
under Section 79. These are:
· In the case of
third-party information or communication, intermediaries will not be held
liable.
· If the only function
of the intermediary was to provide access to a communication system and nothing
else, then also they are not held liable for any offence.
· If the intermediary
does not initiate such transmissions or select the receiver or modify any
information in any transmission, it cannot be made liable.
· The intermediary does
its work with care and due diligence.
However, the section has the following exceptions, where intermediaries cannot be exempted from liability:
· It is involved in any
unlawful act either by abetting, inducing or by threats or promises.
· It has not removed any
such data or disabled access that is used for the commission of unlawful acts
as notified by the Central Government.
Penalties under Information Technology Act, 2000
The Act provides penalties and compensation in the following cases:
Penalty for damaging a computer system
If a person other than
the owner uses the computer system and damages it, he shall have to pay all
such damages by way of compensation (Section 43). Other reasons for penalties and
compensation are:
· If he downloads or
copies any information stored in the system.
· Introduces any virus
to the computer system.
· Disrupts the
system.
· Denies access to the
owner or person authorised to use the computer.
· Tampers or manipulates
the computer system.
· Destroys, deletes or
makes any alteration to the information stored in the system.
· Steals the information
stored therein.
Compensation in the case of failure to protect data
According to Section 43A, if any corporation or company has
stored the data of its employees or other citizens or any sensitive data in its
computer system but fails to protect it from hackers and other such activities,
it shall be liable to pay compensation.
Failure to furnish the required information
If any person who is
asked to furnish any information or a particular document or maintain books of
accounts fails to do so, he shall be liable to pay the penalty. In the case of
reports and documents, the penalty ranges from Rupees one lakh to Rupees fifty
thousand. For books of accounts or records, the penalty is Rs. 5000. (Section 44)
Residuary Penalty
If any person contravenes any provision of this Act and no penalty or compensation is specified, he shall be liable to pay compensation or a penalty of Rs. 25000.
Appellate tribunal
According to Section 48 of the Act, the Telecom
dispute settlement and appellate tribunal under Section 14 of the Telecom Regulatory Authority of India Act, 1997 shall
act as the appellate tribunal under the Information Technology Act, 2000. This
amendment was made after the commencement of the Finance Act of 2017.
All the appeals from
the orders of the controller or adjudicating officer will lie to the tribunal,
but if the order is decided with the consent of the parties, then there will be
no appeal. The tribunal will dispose of the appeal as soon as possible but in
not more than 6 months from the date of such appeal. (Section 57)
According to Section 62 of the
Act, any person if not satisfied with the order or decision of the tribunal may
appeal to the High Court within 60 days of such order.
Powers
According to Section 58 of the
Act, the tribunal is not bound to follow any provisions of the Code of Civil Procedure, 1908 and must
give decisions on the basis of natural justice. However, it has the same powers
as given to a civil court under the Code. These are:
· Summon any person and
procure his attendance.
· Examine any person on
oath.
· Ask to discover or
produce documents.
· Receive evidence on
affidavits.
· Examination of
witnesses.
· Review
decisions.
· Dismissal of any
application.
Offences and their punishments under Information Technology Act, 2000
Offences | Section | Punishment |
Tampering with the documents stored in a computer system | | Imprisonment of 3 years or a fine of Rs. 2 lakhs or both. |
Offences related to computers or any act mentioned in Section 43. | | Imprisonment of 3 years or a fine that extends to Rs. 5 lakhs or both. |
Receiving a stolen computer source or device dishonestly | | Imprisonment for 3 years or a fine of Rs. 1 lakh or both. |
Identity theft | | Imprisonment of 3 years or a fine of Rs. 1 lakh or both |
Cheating by personation | | Either imprisonment for 3 years or a fine of Rs. 1 lakh or both. |
Violation of privacy | | Either imprisonment up to 3 years or a fine of Rs. 2 lakhs or both |
Cyber terrorism | | Life imprisonment |
Transmitting obscene material in electronic form. | | Imprisonment of 5 years and a fine of Rs. 10 lakhs. |
Transmission of any material containing sexually explicit acts through an electronic mode. | | Imprisonment of 7 years and a fine of Rs. 10 lakhs. |
Depicting children in sexually explicit form and transmitting such material through electronic mode | | Imprisonment of 7 years and a fine of Rs. 10 lakhs. |
Failure to preserve and retain the information by intermediaries | | Imprisonment for 3 years and a fine. |
Amendments to Information Technology Act, 2000
With the advancement
of time and technology, it was necessary to bring some changes to the Act to
meet the needs of society, and so it was amended.
Amendment of 2008
The amendment in 2008 brought changes to Section 66A of the Act. This was the most controversial section as it provided the punishment for sending any offensive messages through electronic mode. Any message or information that created hatred or hampered the integrity and security of the country was prohibited. However, it did not define the word ‘offensive’ or what constitutes such messages, because of which many people were arrested on this ground. This section was later struck down by the Supreme Court in the case of Shreya Singhal v. Union of India (2015).
Another amendment was
made in Section 69A of the Act, which empowered
the government to block internet sites for national security and integrity. The
authorities or intermediaries could monitor or decrypt the personal information
stored with them.
The 2015 Amendment Bill
The bill was initiated to make amendments to the Act for the protection of fundamental rights guaranteed by the Constitution of the country to its citizens. The bill made an attempt to make changes to Section 66A, which provides the punishment for sending offensive messages through electronic means. The section did not define what amounts to offensive messages and what acts would constitute the offence. It was later struck down by the Supreme Court in the case of Shreya Singhal, which declared it violative of Article 19.
Information Technology Intermediaries Guidelines (Amendment) Rules, 2018
The government in 2018
issued some guidelines for the
intermediaries in order to make them accountable and regulate their activities.
Some of these are:
· The intermediaries
were required to publish and amend their privacy policies so that citizens
could be protected from unethical activities like pornography, objectionable
messages and images, messages spreading hatred, etc.
· They must provide information sought by the government within 72 hours for national security.
· It is mandatory for every intermediary to appoint a ‘nodal person of contact’ for 24×7 service.
· They must have technologies that could help in reducing unlawful activities done online.
· The rules also allow end-to-end encryption to be broken if needed to determine the origin of harmful messages.
Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules 2021
The government of
India in 2021 drafted certain rules to be
followed by the intermediaries. The rules made it mandatory for intermediaries
to work with due diligence and appoint a grievance officer. They were also
required to form a Grievance Appellate Tribunal. All complaints from users must
be acknowledged within 24 hours and resolved within 15 days. It also provides a
“Code of Ethics” for the people publishing news and current affairs, which
makes it controversial. Many believe that the rules curtail freedom of speech
and expression and freedom of the press.
The intermediaries were also required to share the information and details of a suspicious user with the government if there was any threat to the security and integrity of the country. As a result of this, writ petitions were filed in various high courts against the rules. Recently, in the cases of Agij Promotion of Nineteenonea Media Pvt. Ltd. vs. Union of India (2021) and Nikhil Mangesh Wagle vs. Union of India (2021), the Bombay High Court stayed the two provisions of the rules related to the Code of Ethics for digital media and publishers.
Landmark judgments on Information Technology Act, 2000
Shreya Singhal v. Union of India (2015)
Facts
In this case, 2 girls were arrested for posting
comments online on the issue of shutdown in Mumbai after the death of a
political leader of Shiv Sena. They were charged under Section 66A for posting
the offensive comments in electronic form. As a result, the constitutional
validity of the Section was challenged in the Supreme Court stating that it
infringes upon Article 19 of the
Constitution.
Issue
Whether Section 66A is
constitutionally valid or not?
Judgment
The Court, in this
case, observed that the language of the Section is ambiguous and vague, which
violates the freedom of speech and expression of the citizens. It then struck
down the entire Section on the ground that it was violative of Article 19 of the
Constitution. It opined that the Section empowered police officers to arrest
any person whom they think has posted or messaged anything offensive. Since the
word ‘offensive’ was not defined anywhere in the Act, they interpreted it
differently in each case. This amounted to an abuse of power by the police and
a threat to peace and harmony.
M/S Gujarat Petrosynthese Ltd and Rajendra Prasad Yadav v. Union of India (2014)
Facts
In this case, the petitioners demanded the appointment
of a chairperson to the Cyber Appellate Tribunal so that cases can be disposed
of quickly and someone can keep a check on the workings of CAT. The respondents
submitted that a chairperson would be appointed soon.
Issue
Appointment of the
chairperson of CAT.
Judgment
The Court ordered the appointment of the chairperson, directing that it be treated as a matter of urgency and that Section 53 of the Act be taken into account.
Christian Louboutin SAS v. Nakul Bajaj and Ors (2018)
Facts
In this case, a suit was filed by a shoe company to
seek an order of injunction against the defendants for using its trademarks and
logo.
Issue
Whether the protection of “safe harbour” under Section 79 of the Act can be applied in this case?
Judgment
The Court in this case
observed that the defendant was not an intermediary as their website was a
platform for the supply of various products. It used third-party information
and promoted vendors in order to attract consumers for them. The Court held
that e-commerce platforms are different from the intermediaries and the rights
granted to them in Section 79 of the Act. It ordered the intermediaries to work
with due diligence and not infringe the rights of the trademark owner. They
must take steps to recognise the authenticity and genuineness of the products
while dealing with any merchant or dealer.
The Court added that if the intermediaries act negligently regarding IPR and indulge in any sort of abetment or incitement of unlawful or illegal activity, they will lose the protection of safe harbour under Section 79 of the Act. Any active participation in e-commerce would also lead to the same. It also referred to the intermediaries guidelines, which state that no intermediary must violate any intellectual property rights of anyone while displaying any content on its website.
Loopholes in Information Technology Act, 2000
The Act provides
various provisions related to digital signatures and electronic records, along
with the liability of intermediaries, but fails in various other aspects. These
are:
No provision for breach of data
The provisions of the
Act only talk about gathering the information and data of the citizens and its
dissemination. It does not provide any remedy for the breach and leak of data,
nor does it mention the responsibility or accountability of anyone if it is
breached by any entity or government organization. It only provides for a
penalty if an individual or intermediary does not cooperate with the government
in surveillance.
No address to privacy issues
The Act failed in
addressing the privacy issues of an individual. Any intermediary could store
any sensitive personal data of an individual and give it to the government for
surveillance. This amounts to a violation of the privacy of an individual. This
concern has been neglected by the makers.
Simple punishments
Though the Act
describes certain offences committed through electronic means, the punishments
given therein are much simpler. To reduce such crimes, punishments must be
rigorous.
Lack of trained officers
With the help of money
and power, one can easily escape liability. At times, these cases go unreported
because of a social stigma that police will not address such complaints.
A report shows that
police officers must be trained to handle cybercrimes and have expertise in
technology so that they can quickly investigate a case and refer it for speedy
disposal.
No regulation over Cyber Crimes
With the advancement
of technology, cyber crimes are increasing at a greater pace. The offences
described in the Act are limited, while on the other hand, various types of
cyber crimes are already prevailing, which if not addressed properly within
time, may create a menace. These crimes do not affect any human body directly
but can do so indirectly by misusing the sensitive data of any person. Thus,
the need of the hour is to regulate such crimes. This is where the Act lacks.
Conclusion
The Act is a step toward protecting the data and sensitive information stored with the intermediaries online. It gives various provisions which benefit the citizens and protect their data from being misused or lost. However, with the advancement of e-commerce and online transactions, it is necessary to deal with problems like internet speed and security, transactions that are stuck, the safety of passwords, cookies, etc. Cyber crimes are increasing at a great pace, and there is a need to have a mechanism to detect and control them.