This article has been written by Oishika Banerji of Amity Law School, Kolkata. This article provides an overview of the dispute resolution mechanism of cyber laws in India.
Cybercrime, such as phishing, identity theft, and fraud, has increased dramatically in recent years. India had a 37 percent increase in the number of cyberattacks in the previous year alone. Cybercrime is anticipated to become more prevalent in the future. This emphasises the need for more effective and deterrent legal structures, as well as stricter legislation, to combat cybercrime. In this situation, it becomes intriguing, if not vital, to examine the country’s existing cybersecurity legislation to see if they provide adequate protection against these crimes. The present article discusses cyber laws in India thereby specifically throwing light on dispute resolution mechanisms under the Information Technology Act, 2000 (IT Act, 2000).
Cyber laws in India : an insight
Cyber regulations are especially important in nations like India, where the internet is widely utilised. Cyber laws are in place to regulate the digital exchange of information, software, information security, e-commerce, and monetary transactions. India’s cyber laws have paved the way for electronic commerce and electronic governance in the nation, as well as increased the scope and use of digital media, by ensuring optimum connection and reducing cybersecurity risks. But there are several detriments that walk along with the existing laws as well. There are predominantly four cyber laws that India embraces:
- Information Technology Act, 2000 : The Information Technology Act, which was enacted in 2000, governs Indian cyber legislation. The main goal of this Act is to provide eCommerce with trustworthy legal protection by making it easier to register real-time information with the government. However, as cyber attackers became more cunning, coupled with the human predisposition to misuse technology, a number of adjustments were made.
- Companies Act, 2013 : The Companies Act, 2013 gave the SFIO (Serious Frauds Investigation Office) the authority to prosecute Indian corporations and their directors on account of cyber frauds. SFIOs have also become much more stringent and harsh in this area after the promulgation of the Companies Inspection, Investment, and Inquiry Rules, 2014. All regulatory compliances, including cyber forensics, e-discovery, and cybersecurity diligence, are well-covered by the law. The Companies (Management and Administration) Rules, 2014 establishes robust requirements for corporate directors and executives in terms of cybersecurity obligations and responsibilities.
- Indian Penal Code (IPC), 1860 : The Indian Penal Code (IPC), 1860, along with the Information Technology Act, 2000 are both used to prosecute identity theft and related cyber offences. False documentation (Section 464), forgery (Section 465), forgery pre-planned for defrauding (Section 468), reputation harm (Section 469) and presenting a forged document as real (Section 471), are the main provisions of the IPC that concern cyber scams.
- Cybersecurity Framework (NCFS) : The most trusted worldwide certifying organization, the National Institute of Standards and Technology (NIST) has approved the Cybersecurity Framework (NCFS), which provides a standardized approach to cybersecurity. The NIST Cybersecurity Framework includes all necessary rules, standards, and best practices for effectively managing cyber-related risks. The flexibility and cost-effectiveness of this system are top priorities.
Among the aforementioned laws, the Informational Technology Act, 2000 remains much in discussion owing to being the only data protection law India carried with it for several years now. When we talk about the dispute resolution mechanism, it is this Act that comes into the discussion, as for others, general civil and criminal procedures are abided by.
Dispute resolution mechanism under the IT Act, 2000
The Information Technology Act, 2000 establishes quasi-judicial bodies, such as adjudicating officials, to resolve disputes (offences of a civil nature as well as criminal offences). The adjudicating officer has the jurisdiction to award compensation as a civil remedy as well as impose fines for violating the Act, giving them civil and criminal court-like powers. The Cyber Appellate Tribunal is the first level of appeal, with a Chairperson and any additional members appointed by the Central Government. A second appeal may be lodged with a High Court having jurisdiction within 60 days after the Cyber Appellate Tribunal’s ruling has been communicated.
The adjudicating officer
The Central Government appoints an “Adjudicating Officer” (AO) with the authority to make decisions. The secretary of each state’s department of information technology is designated as the AO for that state by default, according to the Ministry of Electronics and Information Technology (“MeitY”). The AO is a quasi-judicial entity since it has the ability to:
- Order investigation, i.e. hold an inquiry into a breach of the IT Act, 2000 based on the evidence presented to it; and
- Adjudicate, i.e. determine the amount of compensation or punishment to be awarded in the event of a violation.
The adjudication process as provided by the IT Act, 2000
The adjudication process as provided by the Information Technology Act, 2000 has been discussed in pointers hereunder:
- Filing of the complaint to the AO.
- Notice to the necessary parties containing the date and time of the first hearing is issued by the AO.
- On the date provided in the notice, the AO explains alleged contraventions to the party against whom allegations are made. The three possible instances that can take place subsequent to this are provided below:
- The person against whom the allegation is made pleads guilty, or
- The person against whom the allegation is made shows cause why an inquiry should not be held against him/her, or
- The person against whom the allegation is made fails to appear. In that case, the AO proceeds with the inquiry in absence of such a person.
If the situation in point (a) happens, then the consequence will be the imposition of penalty or awarding of compensation as per the provisions of the IT Act, 2000, by the AO.
If the circumstance provided in point (b) unfolds itself, the outcomes are:
- The AO decides on the basis of submission of parties and/or preliminary investigation in order to determine whether there is sufficient cause to order an inquiry or not. The AO will fix another date for production of documents or evidence and then finally pass an order on the basis of the evidence presented.
- The AO dismisses the complaint on finding no sufficient cause to proceed with it.
The AO has jurisdiction over cases in which the claim for compensation or harm is less than INR 5 crore. The AO has the authority to order an investigation into a complaint at any time after receiving it. An officer from the Office of the Controller of Certifying Authorities, or (CERT-In), or a Deputy Superintendent of Police conducts the inquiry.
Cyber Appellate Tribunal
Sub-clause (1) Section 58 of the IT Act, 2000 states that the Cyber Appellate Tribunal is not bound by the Code of Civil Procedure, 1908, but rather by the principles of natural justice, and the Cyber Appellate Tribunal has the authority to regulate its own procedure, including the location of its hearings, subject to the other provisions of this Act and any rules.
Clause (2) Section 58 provides that the Cyber Appellate Tribunal shall have the same powers as a civil court under the Code of Civil Procedure, 1908, when trying a case, for the purposes of carrying out its tasks under this Act:
- Having any person summoned and compelled to appear, as well as questioning him under oath;
- Requiring documents or other electronic records to be discovered and produced;
- Receiving evidence on affidavit;
- Appointing commissions to examine witnesses or documents;
- Reconsidering its decisions;
- Dismissing an application due to default or making an ex parte decision;
- Any additional matter that the court may deem necessary.
Clause (3) Section 58 provides that any proceeding before the Cyber Appellate Tribunal is to be treated as a judicial proceeding for the purposes of Sections 193 and 228 of the Indian Penal Code, 1860, and the Cyber Appellate Tribunal is treated as a civil court for the purposes of Section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973.
According to Section 62 of the IT Act, 2000, a person aggrieved by the decision or order of the Cyber Appellate Tribunal, may file an appeal with the high court within sixty days of receiving notification of the Tribunal’s decision or order on any question of fact or law arising out of such order. If the high court is satisfied that the appellant was prohibited from filing the appeal within the prescribed time frame due to adequate reason, the high court may allow it to be filed within an extended sixty-day period.
The ineffective dispute resolution mechanism of cyber laws in India
Although the framework of the dispute resolution mechanism of cyber law, as discussed previously, appears to be promising in principle, it has not shown to be effective in practice. There is very little coverage of a cyber dispute, and no statistics on the number of cases adjudicated by police or the tribunal are accessible. The possible lacunas feeding on the resolution mechanism have been presented below:
- The AOs are vested with humongous powers. They have the authority to rule on any law, rule, regulation, or instruction made under the IT Act of 2000. At the same time, there are several AOs dealing with identical challenges. As a result, there are opposing viewpoints on the same subject. For example, in Rajendra Prasad Yadav v. ICICI Bank (2011), the AO concluded that because the bank constituted a corporate body, Section 43 of the IT Act did not apply to it. AOs in other states, on the other hand, have reached different conclusions. Section 43 has been used against corporations in a number of situations. This might make it difficult for an organization to comply with the IT Act, 2000 since it may need to take into account the opinions of various AOs in order to operate across India.
- To get adjudication orders issued under the IT Act, 2000, one must seek through state government websites that are difficult to browse. This issue is also not reported in prominent legal databases. Adjudication orders should be stored in a central database so that officers and other stakeholders would be able to resort to these adjudication orders when dealing with IT Act, 2000 infractions. It will also allow companies to keep track of cyber-conflicts.
- By virtue of an old MeitY Order from 2003, the secretaries of state departments of information technology were supposed to be AOs. In addition to completing their responsibilities as AOs, they are responsible for the administration of their department and are actively involved in the co-working of the government of the state they are appointed in. The dual nature of their employment is incredibly taxing. Given the rising number of cyber-crimes in the country, it is necessary to restructure the system for appointing AOs.
- The capacity of AOs has to be increased. The United Kingdom’s Crown Prosecution Service has formulated the ‘Cybercrime-prosecution guidance’ which lays down major types of cybercrime, such as hacking and social media-related offences, and therefore serves as a guideline for deciding on cybercrime cases. In India, similar guidance should be formulated and implemented to ensure better complaint management.
- There is no guiding document on the cyber investigation or cyber forensics in the Indian regulatory environment. The “Examiner of Electronic Evidence” was formed by the Information Technology (Amendment) Act of 2008. This organization offers professional advice on electronic evidence. Various forensic science laboratories have been appointed as examiners by the MeitY. These labs are well-versed in the field of cyber-investigation. The 2003 Holding of Enquiry Rules, on the other hand, have not been amended since the 2008 amending legislation. The regulations must be changed to allow AOs to require such examiners to look into the issues before them in a better and efficient way. To better equip the police and other investigative authorities to handle such instances, rules or principles on cybercrime investigation should be established.
- The TDSAT is solely made up of a chairperson and two additional members, as provided by the TRAI Act, 1997. Because telecom and information technology are two distinct areas, deciding between them necessitates a different set of skills. To deliberate on matters relevant to the issue, the TDSAT must strengthen itself and include specialists with expertise in information technology. Cyber appeals should be decided by a different bench for effective solutions to cyber challenges.
Given the high number of cyber-attacks in the country, it is imperative that the present dispute resolution structure under the IT Act, 2000 be strengthened. By requiring cyber violators to pay damages and compensation, the dispute resolution structure can serve as a strong deterrence. It may also be used as a venue for victims to file complaints and seek redress. It has failed to produce the desired outcome in its current state. The IT Act’s authorities are responsible for a wide range of concerns, including cybersecurity, intermediary responsibility, data privacy, and cyber offences. As a result, these authorities must be well-equipped to carry out their broad powers.
The government has emphasized its Digital India plan, which is expected to help India achieve its aim of being a $5 trillion economy by 2025. In addition, India has a big internet user base of 650 million people. Given India’s push for digital transformation, it’s critical to give the Act some teeth, particularly in terms of its dispute resolution mechanism. This will guarantee that online conflicts are efficiently managed and resolved. The general public, as well as stakeholders, will have more faith in the regulatory structure as a result of this.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: