86  The Information Technology Act, 2000: Objectives and main provisions; Cyber crimes and penalties

86.1 Background and Purpose

The Information Technology Act, 2000 is India’s primary law on cyber affairs — electronic commerce, digital signatures, intermediary liability, and cybercrime. It is based on the UNCITRAL Model Law on Electronic Commerce (1996) and received Presidential assent on 9 June 2000; came into force 17 October 2000. The Act was substantially amended in 2008 (effective 27 Oct 2009) — adding new offences (§§ 66, 67, 67A-C), data-protection (§§ 43A, 72A), and intermediary liability (§ 79). Companion law: Digital Personal Data Protection Act 2023 for privacy.

86.2 Objectives (Preamble)

TipObjectives of the IT Act
  • Give legal recognition to e-records and digital signatures.
  • Facilitate e-filing and e-storage of records.
  • Recognise electronic contracts.
  • Prevent cybercrime.
  • Promote e-governance and e-commerce.
  • Amend related laws (IPC, IEA, NIA, RBI Act) to incorporate cyber dimensions.

86.3 Structure of the Act

TipIT Act — Chapters
Chapter Subject
II Digital/Electronic Signature (§§ 3, 3A)
III Electronic Governance (§§ 4-10A)
IV Attribution, Acknowledgement & Despatch (§§ 11-13)
V Secure electronic records & signatures (§§ 14-16)
VI Regulation of Certifying Authorities (§§ 17-34)
VII Electronic Signature Certificate (§§ 35-39)
VIII Duties of Subscribers (§§ 40-42)
IX Penalties, Compensation & Adjudication (§§ 43-47)
X Appellate Tribunal — TDSAT (now)
XI Offences (§§ 65-78)
XII Intermediaries — Safe harbour (§ 79)
XII-A Cyber Appellate Tribunal — now merged with TDSAT

86.4 Key Definitions

TipKey Definitions
  • § 2(p)Digital signature — authentication of electronic record by an asymmetric crypto-system.
  • § 3AElectronic signature — wider concept including biometric; added by 2008 amendment.
  • § 2(t)Electronic record.
  • § 2(w)Intermediary — anyone who stores or transmits electronic records on behalf of another.
  • § 2(za)Cyber café.

86.5 Digital & Electronic Signatures

PKI-based digital signatures issued by Licensed Certifying Authorities (CAs) under the Controller of Certifying Authorities (CCA, § 17). CCA acts as repository (§ 20). India also recognises Aadhaar-based e-Sign (since 2015).

86.6 E-Governance (§§ 4-10A)

TipImportant E-Gov Sections
  • § 4 — Legal recognition of electronic records.
  • § 5 — Legal recognition of digital signatures.
  • § 6 — Use of e-records and digital signatures in govt.
  • § 7 — Retention of e-records.
  • § 8 — Publication of rules in Electronic Gazette.
  • § 10A — Validity of contracts formed through electronic means.

86.7 Penalties & Compensation (§§ 43-47)

TipCivil Penalties — § 43
  • Damage to computer / computer system without permission — unlimited compensation to affected person (adjudicating officer for claims up to ₹5 crore; above ₹5 cr → civil court).
  • § 43Abody corporate failing to maintain reasonable security practices and causing wrongful loss/gain → compensation; SPDI Rules 2011.

86.8 Cybercrimes — Offences (§§ 65-78)

TipMajor Cyber Offences
Section Offence Punishment
§ 65 Tampering with source code Up to 3 yrs / ₹2 lakh
§ 66 Hacking, dishonest / fraudulent acts in §43 Up to 3 yrs / ₹5 lakh
§ 66B Receiving stolen computer/data Up to 3 yrs / ₹1 lakh
§ 66C Identity theft Up to 3 yrs / ₹1 lakh
§ 66D Cheating by personation (phishing) Up to 3 yrs / ₹1 lakh
§ 66E Violation of privacy (capture/publish private body image) Up to 3 yrs / ₹2 lakh
§ 66F Cyber-terrorism Life imprisonment
§ 67 Publishing obscene material electronically 1st: 3 yrs/₹5 L; Repeat: 5 yrs/₹10 L
§ 67A Sexually explicit material 5/7 yrs + fine
§ 67B Child porn (CSAM) 5/7 yrs + fine
§ 67C Failure to preserve records (intermediary) 3 yrs + fine
§ 70 Critical Information Infrastructure (CII) attack Up to 10 yrs + fine
§ 72 Breach of confidentiality Up to 2 yrs / ₹1 lakh
§ 72A Disclosure in breach of contract 3 yrs / ₹5 lakh

86.8.1 § 66A — Struck Down

Held unconstitutional in Shreya Singhal v Union of India (2015) — violated Article 19(1)(a) (free speech).

86.9 Intermediary Liability — § 79

Provides safe harbour to intermediaries (ISPs, social media, search engines, etc.) if they: - Don’t initiate transmission. - Don’t select receiver / modify info. - Observe due diligence and Govt-prescribed rules.

IT (Intermediary Guidelines & Digital Media Ethics Code) Rules 2021 + 2022 amendments introduced grievance officer, takedown timelines, traceability for significant social media intermediaries, online gaming additions (2023).

86.10 Adjudication & Appeals

TipAdjudication Mechanism
  • Adjudicating Officer (§ 46) — Secretary level officer; powers of civil court.
  • AppealTelecom Disputes Settlement & Appellate Tribunal (TDSAT) (since 2017, replacing Cyber Appellate Tribunal).
  • Further appeal → High Court → Supreme Court.

86.11 Privacy and Data Protection Architecture

TipPrivacy / Data Protection Snapshot
  • § 43A + SPDI Rules 2011 — protection of sensitive personal data.
  • § 72A — disclosure of personal information in breach of contract.
  • Aadhaar Act 2016 — biometric ID law.
  • Puttaswamy v Union of India 2017 — privacy is a fundamental right.
  • Digital Personal Data Protection Act 2023 — sectoral privacy law; consent-based; introduces Data Protection Board.
  • RBI / SEBI / IRDAI / TRAI — sector-specific cyber and privacy guidelines.

86.12 Major Indian Cyber-security Institutions

TipCyber Institutions
  • CERT-In (2004) — national cyber-security incident response team.
  • NCIIPC (National Critical Information Infrastructure Protection Centre) — under NTRO.
  • I4C — Indian Cyber Crime Coordination Centre (2018).
  • NCRB cybercrime portal — cybercrime.gov.in.
  • CCA, MeitY.
  • Ministry of Electronics and Information Technology (MeitY) — administers Act.

flowchart TB
  IT[IT Act 2000] --> S[Signatures<br/>§3 Digital · §3A Electronic]
  IT --> EG[E-Governance<br/>§§4-10A]
  IT --> P[Penalties<br/>§§43-47 · §43A SPDI]
  IT --> O[Offences<br/>§§65-78 · §66F cyber-terror · §70 CII]
  IT --> I[Intermediary §79<br/>Safe harbour · IT Rules 2021]
    classDef default fill:#003366,color:#ffffff,stroke:#ffcc00,stroke-width:3px,rx:10px,ry:10px;

NoteDistractor warning

PYQ trap: IT Act 2000 — based on UNCITRAL Model Law 1996; effective 17 Oct 2000; 2008 amendment added §66 series + §43A SPDI. §66A struck down — Shreya Singhal 2015. Appeals → TDSAT since 2017.

86.13 Practice Questions

Q 01UNCITRALMedium

IT Act 2000 is based on:

  • AUNCITRAL Model Law 1996
  • BUN Convention 1989
  • CGATT
  • DBerne Convention
View solution
Correct Option: A
**UNCITRAL Model Law on E-Commerce 1996**.
Q 02EffectiveEasy

IT Act came into force on:

  • A9 June 2000
  • B17 October 2000
  • C1 April 2001
  • D27 October 2009
View solution
Correct Option: B
**17 Oct 2000** in force; assent 9 Jun 2000.
Q 03§66AMedium

Section 66A was struck down in:

  • AShreya Singhal v UoI (2015)
  • BPuttaswamy
  • CManeka Gandhi
  • DADM Jabalpur
View solution
Correct Option: A
**Shreya Singhal 2015**.
Q 0466FMedium

Cyber-terrorism is punishable under:

  • A§ 66
  • B§ 66C
  • C§ 66F
  • D§ 67
View solution
Correct Option: C
**§ 66F** — life imprisonment max.
Q 0566CMedium

Identity theft offence:

  • A§ 66C
  • B§ 66D
  • C§ 66B
  • D§ 67
View solution
Correct Option: A
**§ 66C** — identity theft.
Q 0666DMedium

Phishing — cheating by personation — is in:

  • A§ 66
  • B§ 66B
  • C§ 66D
  • D§ 66E
View solution
Correct Option: C
**§ 66D**.
Q 0766EHard

Violation of privacy (private body image) — § 66E — punishment:

  • A2 yrs / ₹1 L
  • B3 yrs / ₹2 L
  • C5 yrs / ₹5 L
  • D7 yrs / ₹10 L
View solution
Correct Option: B
**3 yrs / ₹2 L**.
Q 08CCAHard

CCA in IT Act stands for:

  • AController of Certifying Authorities
  • BCyber Crime Agency
  • CComputer Compliance Authority
  • DComputer Cell Administrator
View solution
Correct Option: A
**Controller of Certifying Authorities** — § 17.
Q 0979Medium

Safe harbour for intermediaries is in:

  • A§ 79
  • B§ 66
  • C§ 43
  • D§ 70
View solution
Correct Option: A
**§ 79**.
Q 10CERT-InMedium

CERT-In was set up in:

  • A2000
  • B2004
  • C2009
  • D2014
View solution
Correct Option: B
**CERT-In 2004** — national CSIRT.
Q 112008Medium

2008 Amendment to IT Act came into force on:

  • A17 Oct 2000
  • B27 Oct 2009
  • C2011
  • D2015
View solution
Correct Option: B
**27 Oct 2009**.
Q 12Adj officerHard

Adjudicating Officer's pecuniary jurisdiction (after 2009 amendment):

  • AUp to ₹50 lakh
  • BUp to ₹1 crore
  • CUp to ₹5 crore
  • DUnlimited
View solution
Correct Option: C
**Up to ₹5 crore**; above → civil court.
Q 13TDSATMedium

IT-Act appeals lie with:

  • ACyAT
  • BTDSAT (since 2017)
  • CSAT
  • DNCLAT
View solution
Correct Option: B
**TDSAT** since 2017.
Q 14SPDIHard

SPDI Rules 2011 were notified under:

  • A§ 43A
  • B§ 66
  • C§ 67
  • D§ 70
View solution
Correct Option: A
**§ 43A — Reasonable Security Practices (SPDI Rules 2011)**.
Q 15DPDPMedium

India's privacy law passed in:

  • A2018
  • B2019
  • C2022
  • DDPDP Act 2023
View solution
Correct Option: D
**DPDP Act 2023**.
Q 16CIIHard

Attack on Critical Information Infrastructure is punishable under:

  • A§ 66
  • B§ 70
  • C§ 72
  • D§ 79
View solution
Correct Option: B
**§ 70** — up to 10 yrs.
Q 17Source codeMedium

Tampering with computer source documents:

  • A§ 65
  • B§ 66
  • C§ 67
  • D§ 70
View solution
Correct Option: A
**§ 65** — up to 3 yrs / ₹2 L.
Q 1810AHard

Electronic contracts are recognised under:

  • A§ 4
  • B§ 10A
  • C§ 11
  • D§ 14
View solution
Correct Option: B
**§ 10A** — validity of e-contracts.
Q 192021 rulesHard

IT (Intermediary & Digital Media Code) Rules came in:

  • A2018
  • B2021
  • C2023
  • D2017
View solution
Correct Option: B
**IT Rules 2021** — amended 2022, 2023.
Q 20MatchMedium

Match section with offence:

Section Offence
(i) § 65 (a) Phishing
(ii) § 66C (b) Source-code tampering
(iii) § 66D (c) Identity theft
(iv) § 66F (d) Cyber-terrorism
  • A(i)-(b), (ii)-(c), (iii)-(a), (iv)-(d)
  • B(i)-(a), (ii)-(b), (iii)-(c), (iv)-(d)
  • C(i)-(d), (ii)-(c), (iii)-(b), (iv)-(a)
  • D(i)-(c), (ii)-(a), (iii)-(b), (iv)-(d)
View solution
Correct Option: A
65-source code, 66C-id theft, 66D-phishing, 66F-cyber-terror.

86.14 Quick Recall

ImportantQuick recall
  • IT Act 2000 — based on UNCITRAL 1996; in force 17 Oct 2000; major 2008 amendment (effective 27 Oct 2009).
  • Signatures: §3 digital, §3A electronic; CCA under § 17.
  • E-gov: §4 records, §5 signature, §10A e-contracts.
  • Penalties §43; §43A SPDI Rules 2011 — body-corporate data security.
  • Offences: §65 source code, §66 hacking, §66A struck down (Shreya Singhal 2015), 66B receiving, 66C ID theft, 66D phishing, 66E privacy, 66F cyber-terror (life), §67/A/B obscene/explicit/child, §70 CII attack (10 yrs), §72 breach of confidentiality, §72A disclosure.
  • §79 safe-harbour + IT Rules 2021/22/23.
  • Appeals — TDSAT since 2017.
  • Related: CERT-In 2004, NCIIPC, I4C 2018, DPDP Act 2023.