Information Technology Act


LEGAL ASPECTS OF BUSINESS

Information Technology Act, 2000

Assignment submitted to – Mr. Taranjit Singh

Parul Kaundal (Roll no. 15/23)


4-4-2024

What is Information Technology Act, 2000?

The Information Technology Act, 2000 is an Indian law that aims to
provide legal recognition to electronic commerce and electronic data
interchange. It also specifies procedures for digital signatures
and cybercrime investigation.

The Act has been amended several times to keep up with
technological developments and address gaps. The major
amendments were in 2008 and 2011.

• The 2011 amendments expanded the scope of cybercrimes to
  include child pornography, voyeurism, identity theft and breach
  of privacy. Penalties were increased for various offences.
• The Act enables the central government to appoint Controlling
  Officers to oversee compliance with the provisions of the Act.
• Compliance with provisions related to data protection, data
  storage and cybersecurity is supervised by the Indian
  Computer Emergency Response Team (CERT-In).
• The Act established the Cyber Regulations Appellate Tribunal to
  adjudicate IT-related disputes and hear appeals against orders
  of authorities constituted under the Act.
• The Act led to the establishment of the Unique Identification
  Authority of India (UIDAI), which issues Aadhaar numbers to
  Indian residents.

Schedules of Information Technology Act, 2000


The Information Technology Act, 2000 contains 7 Schedules which
specify various provisions of the Act in detail:

Schedule 1 - Contains the procedures for appointment of Certifying
Authorities and functions of Certifying Authorities under the Act.

Schedule 2 - Specifies the various technical and operational
standards for digital signatures to ensure security and authenticity.

Schedule 3 - Provides for functions and duties of the Controller of
Certifying Authorities appointed under the Act.

Schedule 4 - Specifies procedures for appointment of adjudicating
officers and appellate tribunals under the Act.

Schedule 5 - Lays down offences and penalties for different
cybercrimes defined under the Act.

Schedule 6 - Lists the amendments to other existing laws made by
the Information Technology Act.

Schedule 7 - Contains provisions related to the constitution and
functions of the Cyber Regulations Appellate Tribunal.

The Schedules provide important details regarding the functioning of
digital signature certificates, certification authorities, adjudicating
officers, penalties for cybercrimes and constitution of appellate
tribunals under the IT Act. Together with the main Act, the Schedules
aim to provide a comprehensive legal framework governing use of
digital technologies in India.

Applicability of Information Technology Act, 2000


The applicability of the Information Technology Act, 2000 can be
summarized in the following points:

o The Act applies to the whole of India, except the state
of Jammu and Kashmir.
o The provisions of the Act apply to any offence or contravention
committed under this Act by any person globally.
o The Act applies to all government and private entities that use
electronic records, computers, or communication networks.
This includes individuals, corporations, non-profits, government
agencies, etc.
o The Act covers all electronic records and communication
whether created, stored, sent or received within or outside
India.
o The digital signature provisions apply to all Certifying
Authorities operating in India, irrespective of the location of the
subscribers.
o The cybercrime provisions apply to any offence committed
using a computer resource or communication device through
any communication network.
o The intermediary liability provisions apply to all internet and
network service providers operating in India irrespective of the
location of the hosted content.
o The provisions related to establishment of cyber appellate
tribunal and adjudicating officers apply only within India.
Foreign entities cannot appeal to these judicial bodies under
the Act.
o The central government has powers to block public access to
any information through the IT Act only within India based on
grounds specified in the Act.

Objectives of Information Technology Act, 2000


The key objectives of the Information Technology Act, 2000 are:

Provide legal recognition to electronic records and digital
signatures: The Act aims to give legal validity and enforceability to
electronic records and digital signatures at par with physical
documents and handwritten signatures. This enables
e-governance and e-commerce.

Facilitate electronic governance and commerce: By recognizing
electronic records and signatures, the Act intends to facilitate
electronic delivery of government services and transactions between
businesses and consumers.

Define and penalize cybercrimes: The Act defines various
cybercrimes like hacking, data theft, identity theft, cyberstalking etc.
and prescribes penalties for such offences. This aims to create a safe
and secure cyber environment.

Regulate cyber activity: The Act empowers the central government
to formulate rules and regulations to govern use of electronic
medium for online communication and commerce.

Establish institutional mechanisms: The Act establishes mechanisms
like adjudicating officers, appellate tribunals and regulatory
authorities to enforce the provisions of the Act.

Enable data protection: The Act intends to establish necessary
institutional and legal framework for protecting sensitive electronic
data and ensuring data security.

Promote growth of IT sector: By providing a comprehensive legal
framework for digital technologies, the Act aims to promote growth
of the fledgling but rapidly expanding Indian IT and ITES sector.

Foster innovation: By promoting confidence in digital technologies,
the Act seeks to encourage innovation and entrepreneurship in the
information technology space.

Features of Information Technology Act, 2000


Here are the key features of the Information Technology Act, 2000:

Gives legal recognition to electronic records and digital
signatures: The Act considers electronic records and digital
signatures to be at par with physical documents and handwritten
signatures. This is a major feature that enables e-governance and
e-commerce.

Defines cybercrimes and prescribes penalties: The Act defines
various cybercrimes like hacking, data theft, cyberterrorism, etc. and
specifies penalties for such offenses. This helps maintain cyber
security.

Provides for establishment of adjudicating officers and tribunals: The
Act provides for appointment of adjudicating officers to decide
disputes and appellate tribunals to hear appeals against orders of
such officers.

Empowers government to make rules and regulations: The Act
empowers the central government to frame rules to implement
provisions of the Act related to electronic commerce and cybercrime.

Defines roles and responsibilities of intermediaries: The Act clearly
specifies conditions under which intermediary liability can be
exempted and the due diligence obligations of intermediaries.

Lays down procedures for use of digital signatures: The Act provides
detailed procedures for use of digital signatures along with roles of
Certifying Authorities who issue digital signature certificates.

Establishes Indian Computer Emergency Response Team (CERT-In):
The Information Technology Act led to creation of CERT-In which
is responsible for cybersecurity and cyber incident response.

Amended several times to remain relevant: The Act has been
amended in 2008 and 2011 to address technological advancements,
implementability concerns and anomalies.

Other Important Aspects

The Act deals with e-commerce and all the transactions done
through it. It gives provisions for the validity and recognition of
electronic records along with a license that is necessary to issue any
digital or electronic signatures. The article further gives an overview
of the Act.

Electronic records and signatures


The Act defines electronic records under Section 2(1)(t), which
includes any data, image, record, or file sent through an electronic
mode. According to Section 2(1)(ta), any signature used to
authenticate any electronic record that is in the form of a digital
signature is called an electronic signature. However, such
authentication will be effected by asymmetric cryptosystems and
hash functions as given under Section 3 of the Act.

Section 3A further gives the conditions of a reliable electronic
signature. These are:

• If the signatures are linked to the signatory or authenticator,
  they are considered reliable.
• If the signatures are under the control of the signatory at the
  time of signing.
• Any alteration to such a signature must be detectable after
  fixation or alteration.
• The alteration done to any information which is
  authenticated by the signature must be detectable.
• It must also fulfil any other conditions as specified by the
  Central Government.

The government can at any time make rules for electronic signatures
according to Section 10 of the Act. The attribution of an electronic
record is given under Section 11 of the Act. An electronic record is
attributed if it is sent by the originator or any other person on his
behalf. The person receiving the electronic record must acknowledge
receipt of the record in any manner if the originator has
not specified any particular manner (Section 12). According
to Section 13, an electronic record is said to be dispatched if it enters
another computer source that is outside the control of the
originator. The time of receipt is determined in the following ways:

• When the addressee has given any computer resource,
    o Receipt occurs on the entry of an electronic record
      into the designated computer resource.
    o In case the record is sent to any other computer
      system, the receipt occurs when it is retrieved by the
      addressee.
• When the addressee has not specified any computer
  resource, the receipt occurs when the record enters any
  computer source of the addressee.

Certifying authorities

Appointment of Controller

Section 17 talks about the appointment of the controller, deputy
controllers, assistant controllers, and other employees of certifying
authorities. The deputy controllers and assistant controllers are
under the control of the controller and perform the functions as
specified by him. The term, qualifications, experience and conditions
of service of the Controller of certifying authorities will be
determined by the Central Government. It will also decide the place
of the head office of the Controller.

Functions of the Controller

According to Section 18, the following are the functions of the
Controller of certifying authority:

• He supervises all the activities of certifying authorities.
• Public keys are certified by him.
• He lays down the rules and standards to be followed by
  certifying authorities.
• He specifies the qualifications and experience required to
  become an employee of a certifying authority.
• He specifies the procedure to be followed in maintaining the
  accounts of authority.
• He determines the terms and conditions of the appointment
  of auditors.
• He supervises the conduct of businesses and dealings of the
  authorities.
• He facilitates the establishment of an electronic system
  jointly or solely.
• He maintains all the particulars of the certifying authorities
  and specifies the duties of the officers.
• He has to resolve any kind of conflict between the authorities
  and subscribers.
• All information and official documents issued by the
  authorities must bear the seal of the office of the Controller.

License for electronic signatures

It is necessary to obtain a license certificate in order to issue an
electronic signature. Section 21 of the Act provides that any such
license can be obtained by making an application to the controller
who, after considering all the documents, decides either to accept or
reject the application. The license issued is valid for the term as
prescribed by the central government and is transferable and
heritable. It is regulated by terms and conditions provided by the
government.

According to Section 22 of the Act, an application must fulfil the
following requirements:

• A certificate of practice statement.
• Identity proof of the applicant.
• Fees of Rupees 25,000 must be paid.
• Any other document as specified by the central government.

The license can be renewed by making an application before 45 days
from the expiry of the license along with payment of fees, i.e.,
Rupees 25000. (Section 23)

Any license can be suspended on the grounds specified in Section
24 of the Act. However, no certifying authority can suspend the
license without giving the applicant a reasonable opportunity to be
heard. The grounds of suspension are:

• The applicant makes a false application for renewal with false
  and fabricated information.
• Failure to comply with the terms and conditions of the
  license.
• A person fails to comply with the provisions of the Act.
• He did not follow the procedure given in Section 30 of the
  Act.

The notice of suspension of any such license must be published by
the Controller in his maintained records and data.

Powers of certifying authorities

Following are the powers and functions of certifying authorities:

• Every such authority must use hardware that is free from any
  kind of intrusion. (Section 30)
• It must adhere to security procedures to ensure the privacy
  of electronic signatures.
• It must publish information related to its practice, electronic
  certificates and the status of these certificates.
• It must be reliable in its work.
• The authority has the power to issue electronic certificates.
  (Section 35)
• The authority has to issue a digital signature certificate and
  certify that:
    o The subscriber owns a private key along with a public
      key as given in the certificate.
    o The key can make a digital signature and can be
      verified.
    o All the information given by subscribers is accurate
      and reliable.
• The authorities can suspend the certificate of digital
  signature for not more than 15 days. (Section 37)
• According to Section 38, a certificate can be revoked by the
  authorities on the following grounds:
    o If the subscriber himself makes such an application.
    o If he dies.
    o In case the subscriber is a company, then on the
      winding up of the company, the certificate is
      revoked.

Circumstances where intermediaries are not held liable

Section 2(1)(w) of the Act defines the term ‘intermediary’ as one who
receives, transmits, or stores data or information of people on behalf
of someone else and provides services like telecom, search engines
and internet services, online payment, etc. Usually, when the data
stored by such intermediaries is misused, they are held liable. But
the Act provides certain instances where they cannot be held liable
under Section 79. These are:

• In the case of third-party information or communication,
  intermediaries will not be held liable.
• If the only function of the intermediary was to provide access
  to a communication system and nothing else, then also they
  are not held liable for any offence.
• If the intermediary does not initiate such transmissions or
  select the receiver or modify any information in any
  transmission, it cannot be made liable.
• The intermediary does its work with care and due diligence.

However, the section has the following exceptions, where
intermediaries cannot be exempted from liability:

• It is involved in any unlawful act either by abetting, inducing
  or by threats or promises.
• It has not removed any such data or disabled access that is
  used for the commission of unlawful acts as notified by the
  Central Government.

Penalties under Information Technology Act, 2000


The Act provides penalties and compensation in the following cases:

Penalty for damaging a computer system

If a person other than the owner uses the computer system and
damages it, he shall have to pay all such damages by way of
compensation (Section 43). Other reasons for penalties and
compensation are:

• If he downloads or copies any information stored in the
  system.
• Introduces any virus to the computer system.
• Disrupts the system.
• Denies access to the owner or person authorised to use the
  computer.
• Tampers or manipulates the computer system.
• Destroys, deletes or makes any alteration to the information
  stored in the system.
• Steals the information stored therein.

Compensation in the case of failure to protect data

According to Section 43A, if any corporation or company has stored
the data of its employees or other citizens or any sensitive data in its
computer system but fails to protect it from hackers and other such
activities, it shall be liable to pay compensation.

Failure to furnish the required information

If any person who is asked to furnish any information or a particular
document or maintain books of accounts fails to do so, he shall be
liable to pay the penalty. In the case of reports and documents, the
penalty ranges from Rupees one lakh to Rupees fifty thousand. For
books of accounts or records, the penalty is Rs. 5000. (Section 44)

Residuary Penalty

If any person contravenes any provision of this Act and no penalty or
compensation is specified, he shall be liable to pay compensation or
a penalty of Rs. 25000.

Appellate tribunal

According to Section 48 of the Act, the Telecom dispute settlement
and appellate tribunal under Section 14 of the Telecom Regulatory
Authority of India Act, 1997 shall act as the appellate tribunal under
the Information Technology Act, 2000. This amendment was made
after the commencement of the Finance Act of 2017.

All the appeals from the orders of the controller or adjudicating
officer will lie to the tribunal, but if the order is decided with the
consent of the parties, then there will be no appeal. The tribunal will
dispose of the appeal as soon as possible but in not more than 6
months from the date of such appeal. (Section 57)

According to Section 62 of the Act, any person if not satisfied with
the order or decision of the tribunal may appeal to the High Court
within 60 days of such order.

Powers of tribunal

According to Section 58 of the Act, the tribunal is not bound to
follow any provisions of the Code of Civil Procedure, 1908 and must
give decisions on the basis of natural justice. However, it has the
same powers as given to a civil court under the Code. These are:

• Summon any person and procure his attendance.
• Examine any person on oath.
• Ask to discover or produce documents.
• Receive evidence on affidavits.
• Examination of witnesses.
• Review decisions.
• Dismissal of any application.

Amendments to Information Technology Act, 2000


With the advancement of time and technology, it was necessary to
bring some changes to the Act to meet the needs of society, and so it
was amended.

Amendment of 2008

The amendment in 2008 brought changes to Section 66A of the Act.
This was the most controversial section as it provided the
punishment for sending any offensive messages through electronic
mode. Any message or information that created hatred or hampered
the integrity and security of the country was prohibited. However, it
had not defined the word ‘offensive’ and what constitutes such
messages, because of which many people were arrested on this
ground. This section was further struck down by the Supreme Court
in the case of Shreya Singhal v. Union of India (2015).

Another amendment was made in Section 69A of the Act, which
empowered the government to block internet sites for national
security and integrity. The authorities or intermediaries could
monitor or decrypt the personal information stored with them.

The 2015 Amendment Bill


The bill was initiated to make amendments to the Act for the
protection of fundamental rights guaranteed by the Constitution of
the country to its citizens. The bill made an attempt to make changes
to Section 66A, which provides the punishment for sending offensive
messages through electronic means. The section did not define what
amounts to offensive messages and what acts would constitute the
offence. It was further struck down by the Supreme Court in the case
of Shreya Singhal declaring it as violative of Article 19.

Information Technology Intermediaries Guidelines
(Amendment) Rules, 2018

The government in 2018 issued some guidelines for the
intermediaries in order to make them accountable and regulate their
activities. Some of these are:

• The intermediaries were required to publish and amend their
  privacy policies so that citizens could be protected from
  unethical activities like pornography, objectionable messages
  and images, messages spreading hatred, etc.
• They must provide the information to the government as and
  when it is sought within 72 hours for national security.
• It is mandatory for every intermediary to appoint a ‘nodal
  person of contact’ for 24×7 service.
• They must have technologies that could help in reducing
  unlawful activities done online.
• The rules also break end-to-end encryption if needed to
  determine the origin of harmful messages.

Information Technology (Intermediaries Guidelines
and Digital Media Ethics Code) Rules 2021

The government of India in 2021 drafted certain rules to be followed
by the intermediaries. The rules made it mandatory for
intermediaries to work with due diligence and appoint a grievance
officer. They were also required to form a Grievance Appellate
Tribunal. All complaints from users must be acknowledged within 24
hours and resolved within 15 days. It also provides a “Code of Ethics”
for the people publishing news and current affairs, which makes it
controversial. Many believe that the rules curtail freedom of speech
and expression and freedom of the press.

The intermediaries were also required to share the information and
details of a suspicious user with the government if there was any
threat to the security and integrity of the country. As a result of this,
writ petitions were filed in various high courts against the rules.
Recently, in the cases of Agij Promotion of Nineteenonea Media
Pvt. Ltd. vs. Union of India (2021) and Nikhil Mangesh Wagle vs.
Union of India (2021), the Bombay High Court stayed the two
provisions of the rules related to the Code of Ethics for digital media
and publishers.

Landmark judgments on Information Technology Act, 2000

SHREYA SINGHAL V. UNION OF INDIA (2015)

Facts

In this case, 2 girls were arrested for posting comments online on the
issue of shutdown in Mumbai after the death of a political leader of
Shiv Sena. They were charged under Section 66A for posting the
offensive comments in electronic form. As a result, the constitutional
validity of the Section was challenged in the Supreme Court stating
that it infringes upon Article 19 of the Constitution.

Issue

Whether Section 66A is constitutionally valid or not?

Judgment

The Court, in this case, observed that the language of the Section is
ambiguous and vague, which violates the freedom of speech and
expression of the citizens. It then struck down the entire Section on
the ground that it was violative of Article 19 of the Constitution. It
opined that the Section empowered police officers to arrest any
person whom they think has posted or messaged anything offensive.
Since the word ‘offensive’ was not defined anywhere in the Act, they
interpreted it differently in each case. This amounted to an abuse of
power by the police and a threat to peace and harmony.

Loopholes in Information Technology Act, 2000

The Act provides various provisions related to digital signatures and
electronic records, along with the liability of intermediaries, but fails
in various other aspects. These are:

No provision for breach of data

The provisions of the Act only talk about gathering the information
and data of the citizens and its dissemination. It does not provide any
remedy for the breach and leak of data, nor does it mention the
responsibility or accountability of anyone if it is breached by any
entity or government organization. It only provides for a penalty if an
individual or intermediary does not cooperate with the government
in surveillance.

No address to privacy issues

The Act failed in addressing the privacy issues of an individual. Any
intermediary could store any sensitive personal data of an individual
and give it to the government for surveillance. This amounts to a
violation of the privacy of an individual. This concern has been
neglected by the makers.

Simple punishments

Though the Act describes certain offences committed through
electronic means, the punishments given therein are much simpler.
To reduce such crimes, punishments must be rigorous.

Lack of trained officers

With the help of money and power, one can easily escape liability. At
times, these cases go unreported because of a social stigma that
police will not address such complaints. A report shows that police
officers must be trained to handle cybercrimes and have expertise in
technology so that they can quickly investigate a case and refer it for
speedy disposal.

No regulation over Cyber Crimes

With the advancement of technology, cybercrimes are increasing at a
greater pace. The offences described in the Act are limited, while on
the other hand, various types of cybercrimes are already prevailing,
which if not addressed properly within time, may create a menace.
These crimes do not affect any human body directly but can do so
indirectly by misusing the sensitive data of any person. Thus, the
need of the hour is to regulate such crimes. This is where the Act
lacks.

Conclusion

The Act is a step toward protecting the data and sensitive
information stored with the intermediaries online. It gives various
provisions which benefit the citizens and protect their data from
being misused or lost. However, with the advancement of
e-commerce and online transactions, it is necessary to deal with
problems like internet speed and security, transactions that are
stuck, the safety of passwords, cookies, etc. Cybercrimes are
increasing at a great pace, and there is a need to have a mechanism
to detect and control them.
