CONTENTS

INTRODUCTION................................................................................................................................. 4
DISPUTE RESOLUTION MECHANISM UNDER IT ACT, 2000 .................................................. 6
A. Adjudicating Officer ................................................................................................................. 6
B. Cyber Appellate Tribunal/TDSAT ........................................................................................... 8
C. High Court ............................................................................................................................... 10
ISSUES WITH THE DISPUTE RESOLUTION FRAMEWORK UNDER THE IT ACT .......... 11
CONCLUSION ................................................................................................................................... 15
INTRODUCTION
The Internet is a worldwide network of interconnected computer networks that utilize the
Internet Protocol Suite as its standard. It is a network of networks made up of millions of private
and public, academic, corporate, and government networks that are connected via copper lines,
fibre optic cables, wireless connections, and other technologies and spans the globe. The
Internet hosts a diverse set of information resources and services, including the World Wide
Web’s (WWW) interconnected hypertext documents and the infrastructure that supports
electronic mail, as well as popular services like online chat, file transfer and file sharing, online
gaming, and Voice over Internet Protocol (VoIP) voice and video communication. The
Internet’s beginnings may be traced back to the 1960s when the US military financed research
efforts to develop reliable, fault-tolerant, and dispersed computer networks.

Cybercrime has risen considerably in recent years, including phishing, identity theft, and fraud.
The majority of cyber-attack or fraud victims in India have no idea how to respond to a cyber-
attack. Even though there are several online cybercrime compliant platforms.1 In countries like
India, where the internet is widely used, cyber rules are extremely vital. The digital interchange
of information, software, information security, e-commerce, and monetary transactions are all
governed by cyber laws. By providing optimal connectivity and eliminating cybersecurity
threats, India’s cyber laws have cleared the path for electronic commerce and electronic
government in the country, as well as expanded the scope and usage of digital media. There are
predominantly four cyber laws that India embraces, viz., IT Act, 2000; The Companies Act,
2013; Indian Penal Code, 1860 and Cybersecurity Framework (NCFS).

The Information Technology Act of 2000 establishes a framework for resolving cyber-attacks
such as hacking, data theft, and phishing.2 The legislation recognized many types of violations
and imposed civil and criminal penalties in some circumstances. Furthermore, the legislation
detailed methods for resolving grievances and demanding damages through an organization
known as “Adjudication” with an appeal process through the Cyber Appellate Tribunal. Under
the IT Act, there are two types of violations: (i) contraventions 3 relating to damage to the
computer, computer systems; protection of data; failure to furnish information, violation of any
provision, rule, regulation, or direction under the Act; and (ii) offenses4 including cyber

1
National Cyber Crime Reporting Portal, Ministry of Home Affairs, https://www.cybercrime.gov.in/ (Last visited
on March 31, 2024)
2
Information Technology Act, 2000, Chapter IX,.
3
Information Technology Act, 2000 Ss. 43-44.
4
Information Technology Act, 2000, Section 61.
terrorism, violation of privacy and cheating. Only disputes relating to contraventions can be
resolved through the dispute resolution framework.5 Offences are criminal in nature, they are
dealt with under the criminal laws of India.6 The Information Technology Act, 2000 establishes
quasi-judicial bodies, such as adjudicating officials, to resolve disputes (offences of a civil
nature as well as criminal offences). The IT Act lays down a two-tier dispute resolution process:
(i) Adjudication of disputes; and (ii) appeal against the outcome of such adjudication. Once a
cyber-dispute is adjudicated as per the dispute resolution framework of the IT Act, the same
dispute cannot be taken up by a civil court.7

5
Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding
Enquiry) Rules, 2003, Rule 4(l)
6
Dispute Resolution Framework under IT Act available at https://www.ikigailaw.com/article/261/dispute-
resolution-framework-under-the-information-technology-act-
2000#:~:text=The%20Information%20Technology%20Act%2C%202000%20(%E2%80%9CIT%20Act%E2%8
0%9D),and%20compensation%20from%20the%20attackers. (Last visited on March 31, 2024)
7
Information Technology Act, 2000, Section 61.
DISPUTE RESOLUTION MECHANISM UNDER IT ACT, 2000

A. Adjudicating Officer

For adjudicating civil offences specified under Ss.43 (penalty and compensation for damage to
5 computer, computer system etc), 43A (compensation for failure to protect data), S.44 (penalty
for failure to furnish information, return etc), S.45 (residuary penalty), the Information
technology Act, 2000 (amended in 2008) established the post of adjudicator. Generally, the
adjudicators are of the rank of directors under the government of India. Presently the practice
is to appoint secretaries of the department of Information Technology as the adjudicator.
Adjudicators offices can also qualify as tribunals as these offices may fit into the three-
dimensional test as had been set in the case of Jaswant Sugar Mills v. Lakshmi Chand; the test
is :

• whether it was invested with the trappings of a court, such as having the authority to
determine matters,

• whether it has authority to compel the attendance of witnesses,

• whether it is bound by the duty to follow the essential rules of evidence and the power to
impose sanctions.

The power to adjudicate is given to an ‘Adjudicating Officer’ (“AO”) appointed by the central
government. As per the Ministry of Electronics and Information Technology (“MeitY”), the
secretary of the department of information technology of each state is appointed as the AO for
that state by default. The AO is a quasi-judicial body, as it has dual-powers to: (i) order
investigation i.e. hold inquiry into the violation of the IT Act on the basis of evidence produced
before it; and (ii) adjudicate i.e. it decides the quantum of compensation or penalty to be
awarded in case of a violation. The procedure of adjudication under IT act, 2000 is as under:

1. Filing of the complaint to the AO.

2. Notice to the necessary parties containing the date and time of the first hearing is issued by
the AO.

3. On the date provided in the notice, the AO explains alleged contraventions to the party
against whom allegations are made. The three possible instances that can take place
subsequent to this are provided below:
 a. The person against whom the allegation is made pleads guilty, or

b. The person against whom the allegation is made shows cause why an inquiry should
not be held against him/her, or

c. The person against whom the allegation is made fails to appear. In that case, the AO
proceeds with the inquiry in absence of such a person.

If the situation in point (a) happens, then the consequence will be the imposition of penalty or
awarding of compensation as per the provisions of the IT Act, 2000, by the AO.

If the circumstance provided in point (b) unfolds itself, the outcomes are:

1. The AO decides on the basis of submission of parties and/or preliminary investigation in

order to determine whether there is sufficient cause to order an inquiry or not. The AO will
fix another date for production of documents or evidence and then finally pass an order on
the basis of the evidence presented.

2. The AO dismisses the complaint on finding no sufficient cause to proceed with it.

The procedure can be summarised as under:

The AO has jurisdiction over cases in which the claim for compensation or harm is less than
INR 5 crore. The AO has the authority to order an investigation into a complaint at any time
after receiving it. An officer from the Office of the Controller of Certifying Authorities, or
(CERT-In), or a Deputy Superintendent of Police conducts the inquiry.

The functions of the adjudicator are as follows:

❖ to adjudicate matters where any person has committed a contravention of any of the
provisions of the Information Technology Act or of any rule, regulation, direction or order
made there under which renders him liable to pay penalty or compensation.
❖ He shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage
does not exceed rupees five crore
❖ He shall give the contravener a reasonable opportunity for making representation in the
matter
❖ He shall hold inquiry into the matter.
❖ on such inquiry, if he is satisfied that the person has committed the contravention, he may
impose such penalty as he thinks fit in accordance with the provisions of that section.

As S.47 states, he must also check that

❖ the amount of gain of unfair advantage, wherever quantifiable, made as a result of the
default
❖ the amount of loss caused to any person as a result of the default
❖ The repetitive nature of the default

Sec 46 further states that only such persons may be appointed as adjudicators who may have
such experience in the field of Information Technology and Legal or Judicial experience as
may be prescribed by the Central Government. It also states that where more than one
adjudicating officer are appointed, the Central Government shall specify by order the matters
and places with respect to which such officers shall exercise their jurisdiction.

Regarding the powers of the adjudicating officer, S.46 further states that an AO may have
powers of a civil court or be deemed to be a civil court for purposes specified in the Act.

B. Cyber Appellate Tribunal/TDSAT

S. 48, IT Act 2000 mandates establishment of Cyber Appellate Tribunals. The Central
Government shall, by notification, establish one or more appellate tribunals to be known as the
Cyber Regulations Appellate Tribunal. Cy-AT are to consist of a Presiding Officer, who is or
is qualified to be a High Court Judge or has been a member of the Indian Legal Service and is
holding or has held a post in Grade I of that Service for at least three years, and members,
number of which as may be specified by the Central Government. The qualifications of the
members are specified u/s 50 of the Act. The Members of the Cyber Appellate Tribunal, except
the Judicial Member to be appointed under sub-section (3), shall be appointed by the Central
Government from amongst persons, having special knowledge of and professional experience
in, information technology, telecommunication, industry, management or consumer affairs. a
person shall not be appointed as a Member, unless he is, or has been, in the service of the
Central Government or a State Government, and has held the post of Additional secretary to
the Government of India or any equivalent post in the Central Government or State
Government for a period of not less than two one years or joint secretary to the Government of
India or any equivalent post in the central Government or State Government for a period of not
less than seven years. The Judicial Members of the Cyber Appellate Tribunal shall be appointed
by the Central Government from amongst persons who is or has been a member of the Indian
Legal Service and has held the post of Additional Secretary for a period of not less than one
year or Grade I post of that service for a period of not less than five years. The Act also provides
that the chairperson should hold office until he/she turns 65 or for 5 years, which ever comes
early.

Sub-clause (1) Section 58 of the IT Act, 2000 states that the Cyber Appellate Tribunal is not
bound by the Code of Civil Procedure, 1908, but rather by the principles of natural justice, and
the Cyber Appellate Tribunal has the authority to regulate its own procedure, including the
location of its hearings, subject to the other provisions of this Act and any rules.

Clause (2) Section 58 provides that the Cyber Appellate Tribunal shall have the same powers
as a civil court under the Code of Civil Procedure, 1908, when trying a case, for the purposes
of carrying out its tasks under this Act:

1. Having any person summoned and compelled to appear, as well as questioning him under
oath;
2. Requiring documents or other electronic records to be discovered and produced;
3. Receiving evidence on affidavit;
4. Appointing commissions to examine witnesses or documents;
5. Reconsidering its decisions;
6. Dismissing an application due to default or making an ex-parte decision;
7. Any additional matter that the court may deem necessary.

Clause (3) Section 58 provides that any proceeding before the Cyber Appellate Tribunal is to
be treated as a judicial proceeding for the purposes of Sections 193 and 228 of the Indian Penal
Code, 1860, and the Cyber Appellate Tribunal is treated as a civil court for the purposes of
Section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973. No appeal lies before
the Tribunal if the same order by AO has been passed by consent of the parties.

The provision of establishing the Cyber Appellate Tribunal under section 48 of the IT Act was
merged with Telecom Dispute Settlement and Appellate Tribunal (TDSAT) through the Finance
Act, 2017, where TDSAT comes under the administrative purview of the Department of
Telecommunication, Ministry of Communications. Accordingly, any person aggrieved by an
order made by controller or an adjudicating officer under the IT Act may prefer an appeal to
TDSAT.

A party can appeal against AO’s order before the TDSAT within 45 days of receiving the order8.
The right to appeal is not available to the parties if the adjudication order was passed with the
consent of the parties.

The TDSAT may confirm, modify or set the adjudication order appealed against, after giving
the parties a reasonable opportunity to be heard. The TDSAT has the same powers as are vested
in a civil court to summon the parties, order production of documents and to review its
decisions. A party can file an appeal against TDSAT’s order to the High Court, within 60 days
of receiving the order.

C. High Court
According to Section 62 of the IT Act, 2000, a person aggrieved by the decision or order of the
Cyber Appellate Tribunal, may file an appeal with the high court within sixty days of receiving
notification of the Tribunal’s decision or order on any question of fact or law arising out of
such order. If the high court is satisfied that the appellant was prohibited from filing the appeal
within the prescribed time frame due to adequate reason, the high court may allow it to be filed
within an extended sixty-day period.

8
However, the appellate tribunal may entertain an appeal after the expiry of the said period of forty-five days if it
is satisfied that there was sufficient cause for not filing it within that period, according to section 57(3),
Information Technology Act, 2000.
ISSUES WITH THE DISPUTE RESOLUTION FRAMEWORK UNDER
THE IT ACT

The framework may look promising in theory, but it has not been as effective in practice. There
is hardly any reportage on a cyber-dispute and there is no data available on the number of cases
adjudicated upon by officers or the tribunal. Certain issues that highlight the lacunae in the
system are as follows:

❖ Possibility of conflicting orders passed by AOs: They AOs enjoy wide powers. They can
adjudicate on violation of any provision, rule, regulation or direction passed under the IT
Act. AOs have sometimes passed orders with significant ramifications. For example, in one
case, an AO held a bank liable for not exercising due diligence to prevent phishing9. The
AO referred to the prevailing RBI guidelines10 on internet banking to arrive at this
conclusion. Thus, AOs can play a significant role in interpreting the IT Act. There are
multiple AOs, who address similar kind of issues, at the same time. This results in the
problem of conflicting opinions on the same issue. For instance, in a case11, the AO had
held that Section 43 of the IT Act was not applicable to the bank as it was a body corporate.
However, AOs in other states had held otherwise. In multiple cases, Section 43 has been
invoked against body corporates12. This can make it difficult for an entity to comply with
the IT Act, as it may have to consider the opinion of multiple AOs to function across India.

❖ Poor availability of orders passed by AOs: To access adjudication orders passed under the
IT Act, one has to search through websites of state governments which are not easy to
navigate. There is no reportage of these disputes by popular legal databases as well. There
should be a central database for adjudication orders. This will enable officers and other

9
Umashankar Sivasubramanian v. ICICI Bank, Adjudicating Officer Chennai, Petition No. 2462 of 2008, Order
dated April 12, 2010, https://www.naavi.org/cl_editorial_10/umashankar_judgement.pdf
10
RBI Master Circular on KYC norms, July 01, 2008,
https://m.rbi.org.in/scripts/BS_CircularIndexDisplay.aspx?Id=4354&Mode=0
11
Rajendra Prasad Yadav v. ICICI Bank, Complaint no. 015/2011, Adjudicating Officer, Karnataka.
12
Raju Dada Raut v. ICICI Bank,
http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf ;
Saurabh Jain v. ICICI Bank,
http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SourabhJain_Vs_ICICI&Idea-22022013.PDF;
Ravindra Gunale v. Bank of Maharashtra,
http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_200220
13.PDF
 stakeholders to refer to these adjudication orders while dealing with violations under the IT
Act. It will also enable businesses to keep a track of cyber disputes.

❖ Excessive burden on department secretaries appointed as AOs: Secretaries of the

department of information technology of the states are AOs by virtue of an old MeitY Order
from 200313. They are responsible for the administration of their department, and are
actively involved in the governance of the state, in addition to performing their duties as
AOs. The dual-aspect of their job is extremely burdensome. Considering the high amount
of cyber-offences in the country, there is a need to revamp this system for appointment of
AOs. There are other Indian laws where AOs are given independent roles for adjudicating
violations. For instance, the Prevention of Money Laundering Act, 2002 (“PMLA”) lays
down a similar adjudication procedure for offences. However, instead of appointing AOs,
the PMLA has established an ‘Adjudicating Authority’. This authority comprises of a
chairperson and two other members. This authority is only involved in adjudication of
offences, it is also allowed to have its own staff for assistance. The IT Act could adopt a
mechanism similar to the other laws to ensure efficacy and speedy disposal of
adjudications.

❖ Need for capacity building in adjudication of cyber offences: There is a need to build the
capacity of AOs. The Crown Prosecution Service of the United Kingdom has issued
‘Cybercrime-prosecution guidance’14. This guidance has defined major kinds of
cybercrimes like hacking, social media related offences, etc. They provide basic principles
for adjudication of cybercrimes. A guidance of a similar nature should be introduced in
India to ensure better handling of complaints.

❖ Investigation and appreciation of evidence during the adjudication process: Investigation

into violations is conducted by an officer in the Office of Controller of Certifying
Authorities or CERT-IN; or by the Deputy Superintendent of Police. However, the capacity
of these bodies to conduct cyber investigations is questionable. Most cyber-offences are
reported to the police departments, as the National Cyber Crime Portal functions under the
domain of the Ministry of Home Affairs. Complaints on this portal are referred to the police

13
Order, Ministry of Communication and Information Technology (Department of Information Technology),
Gazette of India, 25 March 2013, http://egazette.nic.in/WriteReadData/2003/E_136_2011_029.pdf
14
Cybercrime – prosecution guidance, available at https://www.cps.gov.uk/legal-guidance/cybercrime-
prosecution-guidance (last visited on March 31, 2024)
 department of the state in which the alleged cyber-offence was committed. The police
personnel are not equipped to deal with cybercrimes; they may not have the requisite
expertise in areas like cyber forensics and investigation. They often appoint private firms
to investigate into such matters.15 There is no guiding document under the Indian regulatory
framework on cyber investigation or cyber forensics. The Information Technology
(Amendment) Act, 2008 has established a body called the “Examiner of Electronic
Evidence”. This body provides expert opinion on electronic evidence. The MeitY has
appointed various forensic science laboratories as the examiner. These laboratories hold
expertise in conducting cyber investigation. However, the Holding of Enquiry Rules, 2003
have not been updated post the coming of the 2008 amendment act. The rules must be
amended to give AOs the power to order such examiners to investigate into the matters
before them. There should be guidelines or principles on investigation of cyber offences to
better equip the police and other investigating agencies to handle such cases. For instance,
the United States Department of Justice had issued a guide on ‘Electronic Crime Scene
Investigation’ in 2001. This is a comprehensive guide which sets out investigation
techniques for different kinds of cyber violations like frauds, identity theft etc. A similar
national guideline on cyber investigations must be issued in India. A cybercrime
investigation manual was launched by the Data Security Council of India16. Steps must be
taken by the central government to notify such guidelines.

❖ Issues with the TDSAT: Initially, a “Cyber Appellate Tribunal” was established under the
IT Act to deal with appeals from orders of AOs. In 2015, a Parliamentary Standing
Committee was constituted to study the conditions of tribunals and pendency of cases. This
committee in its report highlighted that the position of the Chairperson of the Cyber
Appellate Tribunal was vacant since 2011 and was thus dysfunctional. As of 31 December
2014, only 34 cases were pending in this tribunal17. Considering the state of affairs, this
tribunal was merged with the TDSAT in 2017. As per the TRAI Act, the TDSAT consists

15
Police in states across India are relying on private firms and consultants to solve cybercrime cases, available at
, https://economictimes.indiatimes.com/news/politics-and-nation/police-in-states-across-india-are-relying-on-
private-firms-and-consultants-to-solve-cybercrime-cases/articleshow/72499885.cms?from=mdr (Published on 13
December 2019)
16
Cybercrime Investigation Manual, available at https://uppolice.gov.in/writereaddata/uploaded-
content/Web_Page/28_5_2014_17_4_36_Cyber_Crime_Investigation_Manual.pdf (last visited on March 31,
2024)
17
Report of the Department-Related Parliamentary Standing Committee On Personnel, Public Grievances, Law
and Justice, available at, https://www.prsindia.org/sites/default/files/bill_files/SC_Report-
_Tribunals_Bill%2C_2014.pdf (published on 13 December 2019)
 of a chairperson and two other members only. Considering that telecom and information
technology are separate subjects, a different set of expertise is required to decide upon them.
It is necessary that the TDSAT increase its strength and involve experts having a
background in information technology to decide upon cases relating to the subject. There
should be a separate bench to decide upon cyber appeals.

❖ Adjudication and handling of cyber violations by sectoral authorities: Most instances of

cyber violations relate to online banking frauds, including KYC frauds and phishing related
cases18. For this, the RBI has an “Ombudsman Scheme for Digital Transaction, 2019”. This
allows victims of cyber violations to file online complaints. Such complaints should relate
to default of the bank, payment system or prepaid payment instruments provider. The
ombudsman is empowered to award compensation up to INR 20 lakh rupees to the victim.
Similarly, the Ministry of Home Affairs had introduced a National Cyber Crime Reporting
Portal. Complaints pertaining to online financial frauds, social media related frauds and
hacking can be reported on this portal. However, the procedure post filing a complaint on
this portal is not set out. It is good to have sectoral regulations for handling cybercrimes.
Sectoral regulators may be better equipped to deal with the cybercrimes pertaining to their
particular area. At the same time, different sets of regulations may lead to potential conflict
between authorities under the IT Act and the sectoral authorities. There should be a channel
for sectoral regulators to seek consultation from the authorities under the IT Act, where
required. For instance, Section 21 of the Competition Act, 2002 lays down a framework for
references by statutory authorities. This section allows other statutory authorities to take
the Competition Commission of India’s opinion on whether any decision taken by such
authority would be contrary to the Competition Act. A similar framework should be
incorporated into the IT Act.

18
A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicatory Officers under the IT
Act, available at, https://cis-india.org/internet-governance/blog/review-of-functioning-of-cyber-appellate-
tribunal-and-adjudicatory-officers-under-it-act (published on 16 June 2014)
CONCLUSION

Considering the large number of incidents of cyber-attacks in the country, it is the need of the
hour to bolster the current dispute resolution framework under the IT Act. The dispute
resolution framework can create a strong deterrent for cyber offenders by forcing them to pay
damages and compensation. It can also serve as an effective complaint redress platform for
victims. In its current state it has failed to achieve the desired result.

The authorities under the IT Act function in a vast domain, which encompasses issues relating
to cybersecurity, intermediary liability, data privacy, and cyber offences. Therefore, these
authorities must be adequately equipped to exercise their wide ranging powers.

The government has stressed heavily upon its Digital India initiative which will support India’s
goal of becoming a $5 trillion economy by 2025. Also, India has a large user base of 697
million internet users. Considering India’s quest to digital transformation, it is pertinent to give
teeth to the Act, especially to its dispute resolution framework. This will ensure that disputes
in the cyberspace are effectively managed and resolved. This will increase the confidence of
the masses as well as the stakeholders towards the regulatory framework.
 BIBLIOGRAPHY

PRIMARY SOURCES

❖ Information Technology Act, 2000 (No. 21 OF 2000)

❖ Umashankar Sivasubramanian v. ICICI Bank, Adjudicating Officer Chennai, Petition No.

2462 of 2008, Order dated April 12, 2010
❖ Rajendra Prasad Yadav v. ICICI Bank, Complaint no. 015/2011, Adjudicating Officer,
Karnataka.
❖ Raju Dada Raut v. ICICI Bank,
http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICI
CIBank-13022013.pdf ;
❖ Saurabh Jain v. ICICI Bank,
http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SourabhJain_Vs_ICICI
&Idea-22022013.PDF;

SECONDARY SOURCES
❖ Jyoti Rattan, Cyber Laws and Information Technology ( Bharat Publishing House, New
Delhi, 9th edn., 2022)
❖ Dispute resolution mechanism of cyber laws in India, available at
https://blog.ipleaders.in/dispute-resolution-mechanism-of-cyber-laws-in
india/#The_adjudicating_officer (Last visited on March 31, 2024)
❖ Dispute resolution mechanism of cyber laws in India, available at
https://icmcrmediation.org/dispute-resolution-mechanism-of-cyber-laws-in-
india/#:~:text=The%20Information%20Technology%20Act%20of%202000%20provides
%20quasi%2Djudicial%20entities,as%20well%20as%20criminal%20offenses). (Last
visited on March 31, 2024)
❖ Dispute resolution framework under the Information Technology Act, 2000, available at
https://www.ikigailaw.com/article/261/dispute-resolution-framework-under-the-
information-technology-act-
2000#:~:text=The%20Information%20Technology%20Act%2C%202000%20(%E2%80
%9CIT%20Act%E2%80%9D),and%20compensation%20from%20the%20attackers.
(Last visited on March 31, 2024)