85 The Information Technology Act, 2000
85.1 Background and Purpose
The Information Technology Act, 2000 (IT Act) was India’s first comprehensive cyber-law. It is based on the UNCITRAL Model Law on Electronic Commerce 1996 and on resolutions of the UN General Assembly recommending uniform e-commerce law (kapoor2023?).
The Act came into force on 17 October 2000. Major amendments — particularly the Information Technology (Amendment) Act, 2008 — broadened its scope to include cyber-crime, data protection and intermediary liability.
85.2 Objectives
| Objective | Working content |
|---|---|
| Legal recognition of electronic transactions | E-records, digital signatures |
| Facilitate e-governance | Government services online |
| Prevent cyber crimes | Hacking, identity theft, fraud, obscenity |
85.3 Major Provisions
| Domain | Working content |
|---|---|
| Legal recognition of electronic records (Sec. 4) | E-records have same legal validity as paper |
| Digital and electronic signatures (Sec. 3, 3A) | DSC and Aadhaar e-Sign |
| Certifying Authorities (Sec. 17–34) | Issue Digital Signature Certificates (DSCs); Controller of Certifying Authorities (CCA) |
| E-governance (Sec. 4–10A) | Filing returns, contracts online |
| Cyber offences (Sec. 65–74) | Hacking, identity theft, etc. |
| Cyber tribunal | TDSAT now hears appeals (replaced Cyber Appellate Tribunal in 2017) |
| Intermediary liability (Sec. 79) | Safe-harbour with due diligence |
| Sensitive personal data (Sec. 43A) | Reasonable security practices |
85.4 Digital Signature
A Digital Signature under Section 3 uses asymmetric cryptography (a public-private key pair) to authenticate electronic records. Section 3A (added in 2008) recognises electronic signatures using broader technology — including Aadhaar-based e-Sign.
The Controller of Certifying Authorities (CCA), Ministry of Electronics and Information Technology, regulates licensed Certifying Authorities (CAs) such as eMudhra, Sify, NIC, NSDL, IDRBT.
85.5 Cyber Offences and Penalties
| Section | Offence | Penalty |
|---|---|---|
| 43 | Damage to computer / data | Compensation up to ₹1 crore (originally) |
| 43A | Failure to protect sensitive personal data | Compensation |
| 65 | Tampering with source code | Up to 3 years and / or ₹2 lakh |
| 66 | Computer-related offences (hacking) | Up to 3 years and / or ₹5 lakh |
| 66A (struck down 2015 — Shreya Singhal v. UoI) | Sending offensive messages | (No longer in force) |
| 66B | Receiving stolen computer resource | Up to 3 years and / or ₹1 lakh |
| 66C | Identity theft | Up to 3 years and / or ₹1 lakh |
| 66D | Cheating by personation using computer | Up to 3 years and / or ₹1 lakh |
| 66E | Violation of privacy | Up to 3 years and / or ₹2 lakh |
| 66F | Cyber terrorism | Imprisonment up to life |
| 67 | Publishing obscene material | Up to 5 years (first) / 7 years (subsequent) |
| 67A | Sexually explicit content | Up to 5 / 7 years |
| 67B | Child pornography | Up to 5 / 7 years |
| 70 | Protected systems | Up to 10 years |
| 72A | Disclosure of personal info in breach | Up to 3 years and / or ₹5 lakh |
The Shreya Singhal v. Union of India (2015) judgment of the Supreme Court struck down Section 66A as unconstitutional (free-speech violation).
85.6 Intermediary Liability — Section 79
Intermediaries (ISPs, telecom providers, social-media platforms, search engines, online marketplaces) enjoy a safe harbour under Section 79 — they are not liable for third-party content, provided they:
- Do not initiate, select or modify content.
- Observe due diligence.
- Comply with take-down directions of the Government within 36 hours.
- Comply with the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021.
85.7 Adjudication and Appeal
| Body | Mandate |
|---|---|
| Adjudicating Officer | Adjudicates IT-Act civil disputes up to ₹5 crore |
| TDSAT | Telecom Disputes Settlement and Appellate Tribunal — appeals from Adjudicating Officer (since 2017) |
| Indian Computer Emergency Response Team (CERT-In) | National emergency-response team |
| NCIIPC | National Critical Information Infrastructure Protection Centre |
| Indian Cyber Crime Coordination Centre (I4C) | Under MHA |
85.8 Sensitive Personal Data Rules
The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Sec. 43A define SPDI — passwords, financial information, biometric data, medical records, sexual orientation, etc. — and require bodies corporate handling SPDI to implement reasonable security practices (e.g., ISO 27001).
85.9 Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s general data-protection law — separate from the IT Act. It introduces:
- Data Fiduciary and Data Principal concepts.
- Consent-based processing.
- Data Protection Board of India.
- Cross-border data flows; designated countries.
- Penalties up to ₹250 crore for major violations.
85.10 Recent Developments
- IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 — significant social-media intermediary obligations.
- Digital Personal Data Protection Act 2023.
- CERT-In Directions 2022 — log-retention, breach reporting within 6 hours.
- Bharat NCRB Cyber Crime Portal.
85.11 Exam-Pattern MCQs
Q1. The IT Act 2000 is based on which UN model?
A. UN Convention on Electronic Communications B. UNCITRAL Model Law on Electronic Commerce 1996 C. UN Charter D. UN Compact
Answer: B. UNCITRAL Model Law (1996).
Q2. Match each section with the offence:
| | Section | | Offence |
|---|---|---|---|
| (i) | 65 | (a) | Identity theft |
| (ii) | 66 | (b) | Cyber terrorism |
| (iii) | 66C | (c) | Tampering with source code |
| (iv) | 66F | (d) | Hacking |
A. (i)-(c), (ii)-(d), (iii)-(a), (iv)-(b) B. (i)-(a), (ii)-(b), (iii)-(c), (iv)-(d) C. (i)-(b), (ii)-(c), (iii)-(d), (iv)-(a) D. (i)-(d), (ii)-(a), (iii)-(b), (iv)-(c)
Answer: A.
Q3. Section 66A of the IT Act was struck down by the Supreme Court in:
A. Mohori Bibee v. Dharmodas Ghose B. Shreya Singhal v. Union of India (2015) C. Justice K.S. Puttaswamy v. Union of India D. Vishaka v. State of Rajasthan
Answer: B. Shreya Singhal v. Union of India (2015).
Q4. The Controller of Certifying Authorities under the IT Act regulates:
A. Cyber tribunals B. Issuance of digital-signature certificates C. Telecom operators D. SEBI brokers
Answer: B. CCA regulates licensed Certifying Authorities issuing DSCs.
Q5. The intermediary safe harbour is provided under:
A. Section 65 B. Section 66 C. Section 79 D. Section 43
Answer: C. Section 79 — safe harbour for intermediaries who exercise due diligence.
Q6. Match each cyber-security body with its mandate:
| | Body | | Mandate |
|---|---|---|---|
| (i) | CERT-In | (a) | Critical-information-infrastructure protection |
| (ii) | NCIIPC | (b) | National emergency response |
| (iii) | I4C | (c) | Cyber-crime coordination under MHA |
| (iv) | TDSAT | (d) | Appeals from Adjudicating Officer |
A. (i)-(b), (ii)-(a), (iii)-(c), (iv)-(d) B. (i)-(a), (ii)-(b), (iii)-(c), (iv)-(d) C. (i)-(c), (ii)-(d), (iii)-(b), (iv)-(a) D. (i)-(d), (ii)-(c), (iii)-(a), (iv)-(b)
Answer: A.
Q7. Arrange the following IT-law developments in chronological order:
- (i) IT Act, 2000 came into force
- (ii) Section 66A struck down
- (iii) DPDPA passed
- (iv) IT Amendment Act, 2008
A. (i), (iv), (ii), (iii) B. (iv), (iii), (ii), (i) C. (ii), (iv), (i), (iii) D. (iii), (i), (iv), (ii)
Answer: A. IT Act 2000 → IT Amendment 2008 → 66A struck down 2015 → DPDPA 2023.
Q8. The DPDPA 2023 caps penalties for major violations at up to:
A. ₹50 crore B. ₹100 crore C. ₹250 crore D. ₹500 crore
Answer: C. ₹250 crore.
- IT Act 2000 — based on UNCITRAL Model Law on E-Commerce 1996. Effective 17 Oct 2000.
- IT (Amendment) Act 2008 — broadened scope (data, cyber crime, intermediaries).
- Sec. 3 / 3A: digital and electronic signatures; CCA regulates Certifying Authorities (eMudhra, Sify, NIC, NSDL, IDRBT).
- Cyber offences: 65 source code, 66 hacking, 66B receiving stolen, 66C identity theft, 66D personation, 66E privacy, 66F cyber terrorism, 67 obscene, 67A/B sexually explicit / child porn, 70 protected systems, 72A breach disclosure.
- Sec. 66A struck down in Shreya Singhal v. UoI (2015).
- Sec. 79 safe harbour for intermediaries; subject to due diligence.
- Sec. 43 / 43A: damage to computer / failure to protect sensitive personal data.
- Adjudication: Adjudicating Officer (≤ ₹5 cr); TDSAT appeals; CERT-In, NCIIPC, I4C for cyber security.
- SPDI Rules 2011 under Sec. 43A; DPDPA 2023 — general data-protection law (penalty up to ₹250 cr).
- IT Intermediary Rules 2021 impose new social-media obligations; CERT-In Directions 2022 require 6-hour breach reporting.