It is expected that the questions will primarily be framed from the Information Technology Act, 2000 (as amended in 2008), but questions may also be asked from the associated rules. It is essential that the students carry a Bare Act which contains the Rules as well, which is available in the market from any law books publisher. The students should be familiar with the important concepts, definitions, offences and adjudication mechanism.
This is a concise guide on the Information Technology Act, which can be used for a short recall and revision of the concepts and the provisions just before the exam.
Important Provisions of the Information Technology Act and its functioning
With the advent of the internet, various aspects of daily activity such as shopping, communication, interaction, and commercial transactions started occurring online. The IT Act was essentially passed to give recognition to electronic modes of communication, prescribe standards for the authenticity of the communication and security standards for organizations which collect data.
At the same time, those who provide online platforms (e.g. search engines, blogs, social media networks, etc.) for third parties to interact or upload and share content have additional responsibilities to ensure that such content is not harmful to the rights of others. Crimes using technology were also made punishable offences.
A conceptual understanding of these has been explained below.
Legal recognition of electronically stored information or ‘electronic records’ and e-governance (Sec. 4 and Sec. 6, 6A, 7, 8 and 9 of IT Act)
As per the Information Technology Act, an electronic version of any document would be treated in the same manner as a written or printed version.
The IT Act also provides for the recognition and use of electronic records for filing, issuance of receipts, or payment; retention of documents in electronic form; and publication of rules and regulations in the electronic gazette. Such electronic records are treated on par with the physical maintenance, publication, delivery or transaction of the particular event.
Provisions for authentication of electronic communication
- Electronic and Digital Signature (Sec. 3 & 3A, 5)
The relevance of digital signatures is best illustrated by the following question – when a specific communication has been sent, how does one identify whether the person who is purported to be the sender has actually despatched the communication? The IT Act prescribes authentication methods that can be applied to such communication – if these methods have been followed then it is presumed that the sender had actually sent the
Any electronic record (i.e. information that is stored digitally) can be authenticated by using a digital signature (consisting of asymmetric crypto system and hash function) or an electronic signature (which is considered to be reliable and notified by the Central Government). Where a legal provision requires a particular document to be signed (say, for example, a declaration by the directors of the company that is required to be filed with the statutory authority), such document can be digitally or electronically signed in a manner prescribed by the Central Government. (Section 5, IT Act)
What is the advantage of a digital or electronic signature?
The identity of the sender of an ordinary email or the creator of an electronic document could be challenged in ordinary cases – unless a digital signature is appended. From a legal perspective, appending a digital signature to a document is considered to be reliable evidence of the following:
- i) The genuineness of the identity of the person who created or signed the document (i.e. that there was no forgery), and ii) that the document was not tampered with during transmission.
Fraudulent or dishonest use of a digital or electronic signature is punishable with imprisonment of up to 3 years or fine of INR 1 lakh.
Note: Governance of digital signatures and Electronic Signature Certification Authorities (Sec. 17-39)
As per the IT Act, only ‘Certification Authorities’ can provide digital signatures which are recognized by the government. These Certification Authorities are regulated by the ‘Controller of Certifying Authorities’, which exercises supervision over the Electronic Signature Certifying Authorities and lays down the standards to be maintained by the Certifying Authorities.
The validity of electronic contracts (Sec. 10-A)
Are electronically executed contracts valid, or should all contracts be signed in physical form?
As per the IT Act, contracts (except on the matters listed below) which are in electronic form will be considered valid, unless there are additional requirements imposed by another law (such as having a minimum number of witnesses, or compliance with the provisions of the Indian Contract Act) to which the contract applies, and which have not been met.
Under Indian law, for a contract to be binding and enforceable in a court, it should be in writing and should be adequately stamped (as per the law of the appropriate state). For most ordinary contracts, no additional requirements apply. However, there are certain instruments to which the IT Act does not apply, and hence they cannot be entered into electronically. These are listed below:
- Negotiable Instruments
- A trust deed
- A will
- Contracts for the sale or any other kind of transfer of an interest in immovable
These instruments do not have the recognition that the IT Act grants to other instruments (discussed below). Therefore, it is advisable to execute these in physical form.
There is no legal requirement to affix a digital/electronic signature to such documents.
- Attribution, Acknowledgment and Despatch of Electronic records (Sec. 11-13)
An electronic record or document sent can be attributed or credited to that person, if it was sent by the originator himself, or he had the authority to send the document, or was automatically sent through a programme created by the originator himself.
A person can confirm the receipt of an electronic record, where the sender has not specified any particular manner of acknowledging the receipt, by communicating the receipt in any manner (including automated receipts) or by conduct. However, if the sender of such electronic record wants a receipt of acknowledgement, unless such acknowledgement has been given by the recipient, it will be deemed that the electronic record was never sent.
Data protection and breach (Sec. 43-A, 72, 72-A of IT Act)
Indian law imposes certain obligations on entities which collect certain kinds of personal information of individuals which is considered to be ‘sensitive’. The obligations may apply to e-commerce websites, banks, employers, hospitals, and other entities, if they collect personal information of users.
The obligations for data protection have been mentioned in Sections 43-A, 72 and 72-A of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). The obligations under the IT Act and the SPDI Rules are applicable to body corporates, which includes companies, firms, or any association of individuals engaged in commercial activities that involve the collection of sensitive personal data or information. Thus, a partnership firm which collects sensitive data will have to comply with the SPDI Rules.
1) The rules are not applicable when data is collected or processed by an individual, e.g. a proprietorship business.
2) The SPDI Rules are also not applicable to Indian companies which collect and process data of foreign nationals – e.g. UK or US citizens.
3) Collection of information pertaining to a firm, partnership, trust, company, LLP, etc. will not attract data protection requirements under Indian law.
Under Indian law, SPDI can be collected only if:
(i) the purpose for which the information is collected is lawful and is connected with a function or activity that the body corporate carries out, and (ii) the collection of such information is necessary.
Breach of confidentiality – punishment and adjudication (Section 46)
The IT Act criminalizes the disclosure of confidential information obtained pursuant to a contract by any person (including an intermediary) with the intention of causing wrongful loss or gain with imprisonment up to three years and a fine of up to INR 500,000. Moreover, a body corporate handling any sensitive personal data or information will be liable to pay for the damages
One can file an application before the Adjudicating Officer appointed under Section 46 of the Information Technology Act, 2000 claiming breach of reasonable security procedures by a body corporate or any breach of the provisions from Section 43 to 45. The Adjudicating Officer has the power of a Civil Court to adjudicate in matters where the claim does not exceed Rs 5 crores and to give appropriate reliefs, including interim orders and orders for payment of damages. All appeals from the Adjudicating Officer’s order lie with the Cyber Appellate Tribunal, and must be made within 45 days of receiving the certified copies of the order.
- Appeals process – Cyber Appellate Tribunal (Sec 48-50, 57-64)
All appeals from the order of the Adjudicating Officer or the Controller lie with the Cyber Appellate Tribunal (CAT). It has certain powers of a civil court. The chairperson of the CAT is or has been or must be qualified to be a Judge of a High Court. Generally, the members of the CAT will hold office for a term of 5 years or until they reach 65 years of age, whichever is earlier. Civil courts will not have jurisdiction on the matters on which the Adjudicating Officer is empowered. All appeals from the order of the CAT will lie with the High Court, and must be filed within 60 days from the date of judgment.
Offences under the IT Act (65-78, 84-A, 84-B, 84-C)
The IT Act criminalises certain acts like sending offensive messages, hacking, frauds, and publication or transmission of pornographic materials. The offences can be broadly divided into – acts against public interest, fraud, hacking and identity theft, offences and other statutory violations by intermediaries, and offences related to obscenity. A list of offences under the IT Act has been provided in a separate annexure.
Responsibility of intermediaries and those who provide online platforms
(Section 79, Information Technology Act)
Under law, if a person’s legal rights are violated by another person (Wrongdoer), any persons who have incited, abetted, or aided the Wrongdoer in committing the violation may also be held responsible (even if it is to a lesser degree). If commission of a particular act is punishable under Indian law, it is likely that facilitating or providing the means to encourage such action may also be punishable. Usually the punishment under criminal law is fine and imprisonment for the directors or the persons in control of the entity’s affairs.
Under the IT Act, an intermediary (Intermediary) is defined to include “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.”
Intermediaries (websites, social media networks, blogs and other platform owners) can potentially be held liable under provisions for abetment for illegal acts of third parties who have committed the act on the platform or by using the platform, even if such actions have been taken without their knowledge – as per the IT Act, an intermediary must not knowingly publish, host or initiate transmission of unlawful information. The intermediary will be liable if:
(i) it has knowingly aided or induced the commission of an unlawful act, or (ii) if after receiving actual knowledge, or being notified by a Government or its agency that information hosted on a computer resource regulated by the intermediary is being used to commit an unlawful act, it does not remove information expeditiously.
In order to protect intermediaries from the risk of liability from illegal or unlawful activities on the internet where the intermediaries have not been actively involved, the IT Act was amended in 2008.
An intermediary will not be liable in respect of third party information or data hosted by it under the following circumstances:
- The function of the intermediary is restricted to providing access to a system where third party information is transmitted, stored or temporarily hosted, or
- When the intermediary does not a) initiate the transmission of the information, b) select the receiver of the information, and c) select or modify the information contained in the transmission, i.e. when the intermediary is merely a ‘blind’ carrier of information sent by a person to another person.
- The intermediary observes ‘due diligence’ – this is an interesting condition (discussed later). The rules for due diligence are prescribed in the Information Technology (Intermediaries Guidelines) Rules, 2011 (Intermediaries Rules) (discussed below).
Due diligence as per the Intermediaries Rules
Under the Intermediaries Rules, due diligence requires the intermediary to take the following steps:
3) Duty to remove offending content in case of takedown notices from private entities within 36 hours of receiving the request. It should preserve records pertaining to the notice for 90 days.
4) Duty to assist government agencies with information
5) Compliance with Court Orders
6) Duty to comply with regulatory orders to block access to websites
The IT Act has created a body called the Computer Emergency Response Team (“CERT”), which is empowered to issue instructions for blocking of websites. Intermediaries are under an obligation to block access to websites on the instructions of the CERT as per a notification issued by the Central Government (DoT Notification) pursuant to the IT Act. The CERT is empowered to act on the directions of the following persons or entities (they can be broadly classified as governmental agencies or a court) (Authorized Complainants):
Questions around electronic evidence and investigative powers of the police
Are digital information or records acceptable as evidence in legal proceedings? The Information Technology Act, 2000 has incorporated certain changes to Indian evidence law to accommodate acceptance of electronic information and documents in digital format in the courts as evidence. Under Indian law, the electronic record includes “any data, record or data generated, any image or sound stored, received or sent in an electronic form or microfilm or computer generated micro fiche.”
- How should electronic evidence be produced before the court?
The most obvious idea that comes to mind is to present electronic evidence in its original form, that is, on the original device or on the storage medium which contains the information. For example, a cell-phone containing a call record, a hard disk, original CD records or the memory card which contains the relevant conversation. How can you produce these? When you produce the device itself, it is called primary evidence of electronic records. However, what happens when information is stored in a server or a machine? How can such information be presented before a court? How can one produce electronic records like email or information stored in a computer database or a server?
In such circumstances, the document will have to be presented as ‘secondary evidence’. The Evidence Act lays down procedures for production and admissibility of the content of computer generated information (that is, secondary electronic evidence). As electronic records may be stored in huge servers which are hard to physically produce for examination in a court, the law permits production of computer generated electronic records by printing them on paper, or by storing, recording or copying them on optical or magnetic media, without production of the original electronic device. However, such documents will only be accepted if they meet certain standards (see Section 65B of the Evidence Act for more details).
Moreover, Courts will accept the above records only when they are certified (through an affidavit) by a competent officer / person who is responsible for managing or operating the relevant device.
- Presumptions pertaining to electronic evidence
Parties to a legal proceeding need to establish facts by providing necessary evidence. With respect to digital and electronic evidence, courts typically go by certain ‘presumptions’, that is, a default state of affairs. These default presumptions kick in if certain preliminary conditions are met. Unless the other side indicates reasons or facts to challenge the genuineness of a particular presumption of a court, the court proceeds with the presumption and assumes that state of facts to be true.
Presumptions with respect to electronic evidence are mentioned in Sections 85A, 85B, 85C, 88A and 90A of Indian Evidence Act – these are largely intuitive and correspond to common-sense. You are advised to refer to these.
Expert witness: When there is an apprehension of the documents being tampered with or if the parties are disputing the identity, authenticity or contents of electronic records, the court may take the expert opinion of a ‘cyber forensics expert’ into consideration – typically, the opinion of an Examiner of Electronic Evidence (‘examiners’ are appointed by the Central Government u/s 79-A of the IT Act) in matters involving information stored or transmitted by a computer resource, mobile phones, or in any electronic or digital form.
- Power of police to search (Sec 80)
Any police officer not below the rank of Inspector, or any other rank as notified by the Central or State Government, can enter any premises for search and arrest without warrant any person who is reasonably suspected of having committed, or of being about to commit, an offence under this Act.
Quiz on Cyber Law
1.) What section of the Information Technology Act, 2008 authorises digital signature?
A.) Section 4
B.) Section 5
C.) Section 6
D.) Section 7
2.) What is the maximum fee prescribed under IT Act, 2008 for application of renewal of license?
3.) What is the obligation on the Certifying authority regarding display of their license?
A.) There is no explicit obligation to show license
B.) The certifying authorities are required to carry a copy of their license at all times
C.) The certifying authorities are required to display their license at a conspicuous place of the business premises
D.) Every customer is to be given a copy of the license
4.) What is the maximum term of imprisonment provided under the IT Act?
A.) 10 years
B.) 20 years
C.) life imprisonment
D.) the Act doesn’t prescribe imprisonment as a punishment
5.) What is the maximum punishment prescribed under IT Act for a first conviction for transmitting obscene material in electronic form?
A.) 3 years imprisonment and 5 lakhs fine
B.) 5 years imprisonment and 5 lakhs fine
C.) 3 years imprisonment and 7 lakhs fine
D.) 2 years imprisonment and 5 lakhs fine
6.) What section of the Information Technology Act, 2008 gives legal recognition to electronic records?
A.) Section 14
B.) Section 12
C.) Section 9
D.) Section 4
7.) Which one of the following is not an e-governance project launched by the Indian Government?
8.) Which of the following Sections of the IT Act was invalidated by the Supreme Court in 2015?
9.) Which Section of the IT Act deals with cyberterrorism?
10.) How many schedules are listed in the IT Act?