Image Source:

This article is written by Monesh Mehndiratta, a law student at Graphic Era Hill University, Dehradun. The article explains various terminologies and gives an overview of the Information Technology Act, 2000. It further describes the offences given in the Act and the punishment related to them.

This article has been published by Sneha Mahawar.

Table of Contents


One day, you wake up in the morning and check your phone. You are shocked to see that every piece of data of yours stored in different applications like your phone’s gallery, Facebook, Instagram and Whatsapp has been hacked. You then check your laptop and observe that it has been hacked. What will you do? Will you sue these social media for not protecting your data or search the hacker?

Download Now

This is where the Information Technology Act of 2000 comes into the picture. The Act defines various offences related to breach of data and privacy of an individual and provides punishment or penalties for them. It also talks about intermediaries and regulates the power of social media. With the advancement of technology and e-commerce, there has been a tremendous increase in cyber crimes and offences related to data and authentic information. Even the data related to the security and integrity of the country was not safe, and so the government decided to regulate the activities of social media and data stored therein. The article gives the objectives and features of the Act and provides various offences and their punishments as given in the Act. 

Background of Information Technology Act, 2000

The United Nations Commission on International Trade Law in 1996 adopted a model law on e-commerce and digital intricacies. It also made it compulsory for every country to have its own laws on e-commerce and cybercrimes. In order to protect the data of citizens and the government, the Act was passed in 2000, making India the 12th country in the world to pass legislation for cyber crimes. It is also called the IT Act and provides the legal framework to protect data related to e-commerce and digital signatures. It was further amended in 2008 and 2018 to meet the needs of society. The Act also defines the powers of intermediaries and their limitations. 

Schedule of Information Technology Act, 2000

The Act is divided into 13 chapters, 90 sections and 2 schedules. The following are the chapters under the Act:

  • Chapter 1 deals with the applicability of the Act and definitions of various terminologies used in the Act. 
  • Chapter 2 talks about digital and electronic signatures. 
  • Electronic governance and electronic records are given under Chapters 3 and 4 respectively. 
  • Chapter 5 is related to the security of these records and Chapter 6 deals with regulations of certifying authorities. 
  • Chapter 7 further gives the certificates needed to issue an electronic signature. 
  • Chapter 8 gives the duties of subscribers and Chapter 9 describes various penalties. 
  • Chapter 10 provides sections related to the Appellate Tribunal. 
  • Chapter 11 describes various offences related to breach of data and their punishments. 
  • Chapter 12 provides the circumstances where the intermediaries are not liable for any offence or breach of data privacy. 
  • The final chapter, i.e., Chapter 13 is the miscellaneous chapter. 

The 2 schedules given in the Act are:

  • Schedule 1 gives the documents and data where the Act is not applicable. 
  • Schedule 2 deals with electronic signatures or methods of authentication. 

Applicability of Information Technology Act, 2000

According to Section 1, the Act applies to the whole country, including the state of Jammu and Kashmir. The application of this Act also extends to extra-territorial jurisdiction, which means it applies to a person committing such an offence outside the country as well. If the source of the offence, i.e., a computer or any such device, lies in India, then the person will be punished according to the Act irrespective of his/her nationality. 

The Act, however, does not apply to documents given under Schedule 1. These are:

Objectives of Information Technology Act, 2000

The Act was passed to deal with e-commerce and all the intricacies involved with digital signatures and fulfill the following objectives:

  • The Act seeks to protect all transactions done through electronic means. 
  • E-commerce has reduced paperwork used for communication purposes. It also gives legal protection to communication and the exchange of information through electronic means. 
  • It protects the digital signatures that are used for any sort of legal authentication. 
  • It regulates the activities of intermediaries by keeping a check on their powers. 
  • It defines various offences related to data privacy of citizens and hence protects their data.
  • It also regulates and protects the sensitive data stored by social media and other electronic intermediaries.
  • It provides recognition to books of accounts kept in electronic form regulated by the Reserve Bank of India Act, 1934

Features of Information Technology Act, 2000

Following are the features of the Act:

  • The Act is based on the Model Law on e-commerce adopted by UNCITRAL. 
  • It has extra-territorial jurisdiction. 
  • It defines various terminologies used in the Act like cyber cafes, computer systems, digital signatures, electronic records, data, asymmetric cryptosystems, etc under Section 2(1)
  • It protects all the transactions and contracts made through electronic means and says that all such contracts are valid. (Section 10A)
  • It also gives recognition to digital signatures and provides methods of authentication. 
  • It contains provisions related to the appointment of the Controller and its powers. 
  • It recognises foreign certifying authorities (Section 19). 
  • It also provides various penalties in case a computer system is damaged by anyone other than the owner of the system. 
  • The Act also provides provisions for an Appellate Tribunal to be established under the Act. All the appeals from the decisions of the Controller or other Adjudicating officers lie to the Appellate tribunal. 
  • Further, an appeal from the tribunal lies with the High Court. 
  • The Act describes various offences related to data and defines their punishment. 
  • It provides circumstances where the intermediaries are not held liable even if the privacy of data is breached. 
  • A cyber regulation advisory committee is set up under the Act to advise the Central Government on all matters related to e-commerce or digital signatures. 

Overview of Information Technology Act, 2000

The Act deals with e-commerce and all the transactions done through it. It gives provisions for the validity and recognition of electronic records along with a license that is necessary to issue any digital or electronic signatures. The article further gives an overview of the Act. 

Electronic records and signatures 

The Act defines electronic records under Section 2(1)(t), which includes any data, image, record, or file sent through an electronic mode. According to Section 2(1)(ta), any signature used to authenticate any electronic record that is in the form of a digital signature is called an electronic signature. However, such authentication will be affected by asymmetric cryptosystems and hash functions as given under Section 3 of the Act. 

Section 3A further gives the conditions of a reliable electronic signature. These are:

  • If the signatures are linked to the signatory or authenticator, they are considered reliable. 
  • If the signatures are under the control of the signatory at the time of signing. 
  • Any alteration to such a signature must be detectable after fixation or alteration. 
  • The alteration done to any information which is authenticated by the signature must be detectable. 
  • It must also fulfill any other conditions as specified by the Central Government. 

The government can anytime make rules for electronic signatures according to Section 10 of the Act. The attribution of an electronic record is given under Section 11 of the Act. An electronic record is attributed if it is sent by the originator or any other person on his behalf. The person receiving the electronic record must acknowledge the receipt of receiving the record in any manner if the originator has not specified any particular manner. (Section 12). According to Section 13, an electronic record is said to be dispatched if it enters another computer source that is outside the control of the originator. The time of receipt is determined in the following ways:

  • When the addressee has given any computer resource,
    • Receipt occurs on the entry of an electronic record into the designated computer resource. 
    • In case the record is sent to any other computer system, the receipt occurs when it is retrieved by the addressee. 
  • When the addressee has not specified any computer resource, the receipt occurs when the record enters any computer source of the addressee. 

Certifying authorities

Appointment of Controller

Section 17 talks about the appointment of the controller, deputy controllers, assistant controllers, and other employees of certifying authorities. The deputy controllers and assistant controllers are under the control of the controller and perform the functions as specified by him. The term, qualifications, experience and conditions of service of the Controller of certifying authorities will be determined by the Central Government. It will also decide the place of the head office of the Controller. 

Functions of the Controller

According to Section 18, the following are the functions of the Controller of certifying authority:

  • He supervises all the activities of certifying authorities. 
  • Public keys are certified by him. 
  • He lays down the rules and standards to be followed by certifying authorities. 
  • He specifies the qualifications and experience required to become an employee of a certifying authority. 
  • He specifies the procedure to be followed in maintaining the accounts of authority. 
  • He determines the terms and conditions of the appointment of auditors. 
  • He supervises the conduct of businesses and dealings of the authorities. 
  • He facilitates the establishment of an electronic system jointly or solely. 
  • He maintains all the particulars of the certifying authorities and specifies the duties of the officers.
  • He has to resolve any kind of conflict between the authorities and subscribers. 
  • All information and official documents issued by the authorities must bear the seal of the office of the Controller. 

License for electronic signatures 

It is necessary to obtain a license certificate in order to issue an electronic signature. Section 21 of the Act provides that any such license can be obtained by making an application to the controller who, after considering all the documents, decides either to accept or reject the application. The license issued is valid for the term as prescribed by the central government and is transferable and heritable. It is regulated by terms and conditions provided by the government. 

According to Section 22 of the Act, an application must fulfill the following requirements:

  • A certificate of practice statement. 
  • Identity proof of the applicant. 
  • Fees of Rupees 25,000 must be paid. 
  • Any other document as specified by the central government. 

The license can be renewed by making an application before 45 days from the expiry of the license along with payment of fees, i.e., Rupees 25000. (Section 23)

Any license can be suspended on the grounds specified in Section 24 of the Act. However, no certifying authority can suspend the license without giving the applicant a reasonable opportunity to be heard. The grounds of suspension are:

  • The applicant makes a false application for renewal with false and fabricated information. 
  • Failure to comply with the terms and conditions of the license. 
  • A person fails to comply with the provisions of the Act. 
  • He did not follow the procedure given in Section 30 of the Act. 

The notice of suspension of any such license must be published by the Controller in his maintained records and data. 

Powers of certifying authorities

Following are the powers and functions of certifying authorities:

  • Every such authority must use hardware that is free from any kind of intrusion. (Section 30)
  • It must adhere to security procedures to ensure the privacy of electronic signatures. 
  • It must publish information related to its practice, electronic certificates and the status of these certificates. 
  • It must be reliable in its work. 
  • The authority has the power to issue electronic certificates. (Section 35)
  • The authority has to issue a digital signature certificate and certify that:
    • The subscriber owns a private key along with a public key as given in the certificate. 
    • The key can make a digital signature and can be verified.
    • All the information given by subscribers is accurate and reliable. 
  • The authorities can suspend the certificate of digital signature for not more than 15 days. (Section 37)
  • According to Section 38, a certificate can be revoked by the authorities on the following grounds:
    • If the subscriber himself makes such an application.
    • If he dies. 
    • In case, the subscriber is a company then on the winding up of the company, the certificate is revoked. 

Circumstances where intermediaries are not held liable

Section 2(1)(w) of the Act defines the term ‘intermediary’ as one who receives, transmits, or stores data or information of people on behalf of someone else and provides services like telecom, search engines and internet services, online payment, etc. Usually, when the data stored by such intermediaries is misused, they are held liable. But the Act provides certain instances where they cannot be held liable under Section 79. These are:

  • In the case of third-party information or communication, intermediaries will not be held liable. 
  • If the only function of the intermediary was to provide access to a communication system and nothing else, then also they are not held liable for any offence. 
  • If the intermediary does not initiate such transmissions or select the receiver or modify any information in any transmission, it cannot be made liable. 
  • The intermediary does its work with care and due diligence. 

However, the section has the following exemptions where intermediaries cannot be exempted from the liability:

  • It is involved in any unlawful act either by abetting, inducing or by threats or promises. 
  • It has not removed any such data or disabled access that is used for the commission of unlawful acts as notified by the Central Government. 

Penalties under Information Technology Act, 2000

The Act provides penalties and compensation in the following cases:

Penalty for damaging a computer system

If a person other than the owner uses the computer system and damages it, he shall have to pay all such damages by way of compensation (Section 43). Other reasons for penalties and compensation are:

  • If he downloads or copies any information stored in the system. 
  • Introduces any virus to the computer system. 
  • Disrupts the system. 
  • Denies access to the owner or person authorised to use the computer.
  • Tampers or manipulates the computer system. 
  • Destroys, deletes or makes any alteration to the information stored in the system. 
  • Steals the information stored therein. 

Compensation in the case of failure to protect data

According to Section 43A, if any corporation or company has stored the data of its employees or other citizens or any sensitive data in its computer system but fails to protect it from hackers and other such activities, it shall be liable to pay compensation. 

Failure to furnish the required information

If any person who is asked to furnish any information or a particular document or maintain books of accounts fails to do so, he shall be liable to pay the penalty. In the case of reports and documents, the penalty ranges from Rupees one lakh to Rupees fifty thousand. For books of accounts or records, the penalty is Rs. 5000. (Section 44)

Residuary Penalty 

If any person contravenes any provision of this Act and no penalty or compensation is specified,  he shall be liable to pay compensation or a penalty of Rs. 25000.   

Appellate tribunal 

According to Section 48 of the Act, the Telecom dispute settlement and appellate tribunal under Section 14 of the Telecom Regulatory Authority of India Act, 1997 shall act as the appellate tribunal under the Information Technology Act, 2000. This amendment was made after the commencement of the Finance Act of 2017.

All the appeals from the orders of the controller or adjudicating officer will lie to the tribunal, but if the order is decided with the consent of the parties, then there will be no appeal. The tribunal will dispose of the appeal as soon as possible but in not more than 6 months from the date of such appeal. (Section 57

According to Section 62 of the Act, any person if not satisfied with the order or decision of the tribunal may appeal to the High Court within 60 days of such order.


According to Section 58 of the Act, the tribunal is not bound to follow any provisions of the Code of Civil Procedure, 1908 and must give decisions on the basis of natural justice. However, it has the same powers as given to a civil court under the Code. These are:

  • Summon any person and procure his attendance. 
  • Examine any person on oath. 
  • Ask to discover or produce documents. 
  • Receive evidence on affidavits. 
  • Examination of witnesses. 
  • Review decisions. 
  • Dismissal of any application. 

Offences and their punishments under Information Technology Act, 2000 Offences Section Punishment 
Tampering with the documents stored in a computer systemSection 65Imprisonment of 3 years or a fine of Rs. 2 lakhs or both.  
Offences related to computers or any act mentioned in Section 43.  Section 66Imprisonment of 3 years or a fine that extends to Rs. 5 lakhs or both.
Receiving a stolen computer source or device dishonestlySection 66BImprisonment for 3 years or a fine of Rs. 1 lakh or both.
Identity theftSection 66CImprisonment of 3 years or a fine of Rs. 1 lakh or both
Cheating by personationSection 66DEither imprisonment for 3 years or a fine of Rs. 1 lakh or both.
Violation of privacySection 66EEither imprisonment up to 3 years or a fine of Rs. 2 lakhs or both
Cyber terrorism Section 66F Life imprisonment 
Transmitting obscene material in electronic form.Section 67Imprisonment of 5 years and a fine of Rs. 10 lakhs.
Transmission of any material containing sexually explicit acts through an electronic mode. Section 67A Imprisonment of 7 years and a fine of Rs. 10 lakhs.
Depicting children in sexually explicit form and transmitting such material through electronic modeSection 67BImprisonment of 7 years and a fine of Rs. 10 lakhs.
Failure to preserve and retain the information by intermediaries Section 67CImprisonment for 3 years and a fine. 

Amendments to Information Technology Act, 2000

With the advancement of time and technology, it was necessary to bring some changes to the Act to meet the needs of society, and so it was amended. 

Amendment of 2008 

The amendment in 2008 brought changes to Section 66A of the Act. This was the most controversial section as it provided the punishment for sending any offensive messages through electronic mode. Any message or information that created hatred or hampered the integrity and security of the country was prohibited. However, it had not defined the word ‘offensive’ and what constitutes such messages, because of which many people were arrested on this ground. This section was further struck down by the Supreme Court in the case of Shreya Singhal v. Union of India (2015)

Another amendment was made in Section 69A of the Act, which empowered the government to block internet sites for national security and integrity. The authorities or intermediaries could monitor or decrypt the personal information stored with them. 

The 2015 Amendment Bill

The bill was initiated to make amendments to the Act for the protection of fundamental rights guaranteed by the Constitution of the country to its citizens. The bill made an attempt to make changes to Section 66A, which provides the punishment for sending offensive messages through electronic means. The section did not define what amounts to offensive messages and what acts would constitute the offence. It was further struck down by the Supreme Court in the case of Shreya Singhal declaring it as violative of Article 19. 

Information Technology Intermediaries Guidelines (Amendment) Rules, 2018

The government in 2018 issued some guidelines for the intermediaries in order to make them accountable and regulate their activities. Some of these are:

  • The intermediaries were required to publish and amend their privacy policies so that citizens could be protected from unethical activities like pornography, objectionable messages and images, messages spreading hatred, etc. 
  • They must provide the information to the government as and when it is sought within 72 hours for national security. 
  • It is mandatory for every intermediary to appoint a ‘nodal person of contact’ for 24×7 service.
  • They must have technologies that could help in reducing unlawful activities done online.
  • The rules also break end-to-end encryption if needed to determine the origin of harmful messages.

Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules 2021

The government of India in 2021 drafted certain rules to be followed by the intermediaries. The rules made it mandatory for intermediaries to work with due diligence and appoint a grievance officer. They were also required to form a Grievance Appellate Tribunal. All complaints from users must be acknowledged within 24 hours and resolved within 15 days. It also provides a “Code of Ethics” for the people publishing news and current affairs, which makes it controversial. Many believe that the rules curtail freedom of speech and expression and freedom of the press. 

The intermediaries were also required to share the information and details of a suspicious user with the government if there was any threat to the security and integrity of the country. As a result of this, writ petitions were filed in various high courts against the rules. Recently, the Bombay High Court stayed in the case of Agij Promotion of Nineteenonea Media Pvt. Ltd. vs. Union of India (2021) and Nikhil Mangesg Wagle vs. Union of India (2021) the two provisions of the rules related to the Code of Ethics for digital media and publishers. 

Landmark judgments on Information Technology Act, 2000

Shreya Singhal v. Union of India (2015)


In this case, 2 girls were arrested for posting comments online on the issue of shutdown in Mumbai after the death of a political leader of Shiv Sena. They were charged under Section 66A for posting the offensive comments in electronic form. As a result, the constitutional validity of the Section was challenged in the Supreme Court stating that it infringes upon Article 19 of the Constitution. 


Whether Section 66A is constitutionally valid or not?


The Court, in this case, observed that the language of the Section is ambiguous and vague, which violates the freedom of speech and expression of the citizens. It then struck down the entire Section on the ground that it was violative of Article 19 of the Constitution. It opined that the Section empowered police officers to arrest any person whom they think has posted or messaged anything offensive. Since the word ‘offensive’ was not defined anywhere in the Act, they interpreted it differently in each case. This amounted to an abuse of power by the police and a threat to peace and harmony. 

M/S Gujarat Petrosynthese Ltd and Rajendra Prasad Yadav v. Union of India (2014)


In this case, the petitioners demanded the appointment of a chairperson to the Cyber Appellate Tribunal so that cases can be disposed of quickly and someone can keep a check on the workings of CAT. The respondents submitted that a chairperson would be appointed soon.


Appointment of the chairperson of CAT. 


The Court ordered the appointment of the chairperson and must see this as a matter of urgency and take into account Section 53 of the Act. 

Christian Louboutin SAS v. Nakul Bajaj and Ors (2018)


In this case, a suit was filed by a shoe company to seek an order of injunction against the defendants for using its trademarks and logo. 


Whether the protection of “safe harbour” under Section 79 of the Act be applied in this case?


The Court in this case observed that the defendant was not an intermediary as their website was a platform for the supply of various products. It used third-party information and promoted vendors in order to attract consumers for them. The Court held that e-commerce platforms are different from the intermediaries and the rights granted to them in Section 79 of the Act. It ordered the intermediaries to work with due diligence and not infringe the rights of the trademark owner. They must take steps to recognise the authenticity and genuineness of the products while dealing with any merchant or dealer. 

The Court added that if the intermediaries act negligently regarding IPR and indulge in any sort of abetment or incitement of unlawful or illegal activity, they will be exempted from the protection of safe harbour under Section 79 of the Act. Any active participation in e-commerce would also lead to the same. It also referred to the intermediaries guidelines, which state that no intermediary must violate any intellectual property rights of anyone while displaying any content on its website.

Loopholes in Information Technology Act, 2000

The Act provides various provisions related to digital signatures and electronic records, along with the liability of intermediaries, but fails in various other aspects. These are:

No provision for breach of data 

The provisions of the Act only talk about gathering the information and data of the citizens and its dissemination. It does not provide any remedy for the breach and leak of data, nor does it mention the responsibility or accountability of anyone if it is breached by any entity or government organization. It only provides for a penalty if an individual or intermediary does not cooperate with the government in surveillance. 

No address to privacy issues 

The Act failed in addressing the privacy issues of an individual. Any intermediary could store any sensitive personal data of an individual and give it to the government for surveillance. This amounts to a violation of the privacy of an individual. This concern has been neglected by the makers. 

Simple punishments 

Though the Act describes certain offences committed through electronic means, the punishments given therein are much simpler. To reduce such crimes, punishments must be rigorous.

Lack of trained officers

With the help of money and power, one can easily escape liability. At times, these cases go unreported because of a social stigma that police will not address such complaints. A report shows that police officers must be trained to handle cybercrimes and have expertise in technology so that they can quickly investigate a case and refer it for speedy disposal. 

No regulation over Cyber Crimes

With the advancement of technology, cyber crimes are increasing at a greater pace. The offences described in the Act are limited, while on the other hand, various types of cyber crimes are already prevailing, which if not addressed properly within time, may create a menace. These crimes do not affect any human body directly but can do so indirectly by misusing the sensitive data of any person. Thus, the need of the hour is to regulate such crimes. This is where the Act lacks. 


The Act is a step toward protecting the data and sensitive information stored with the intermediaries online. It gives various provisions which benefit the citizens and protect their data from being misused or lost. However, with the advancement of e-commerce and online transactions, it is necessary to deal with problems like internet speed and security, transactions that are struck, the safety of passwords, cookies, etc. Cyber crimes are increasing at a great pace, and there is a need to have a mechanism to detect and control them. 

Frequently Asked Questions (FAQs)

What is the main purpose of the Information Technology Act, 2000?

The aim of the Act is to :

  • Protect all the transactions done through electronic means.
  • Recognise the digital signatures that are used for any sort of legal authentication. 
  • Regulate the activities of intermediaries and protect citizens from cybercrime. 

What will happen if any of the offences given in the Act is committed by a company?

According to Section 85 of the Act, if any of the offences is committed by a company, then all the people involved in the commission of the offence shall be liable and proceedings will be initiated against them.

What is the constitution of the Advisory Committee under the Act?

The Act under Section 88 talks about an advisory committee called the Cyber Regulations Advisory Committee formed by the Central Government. The committee consists of a chairperson and other officers having expertise in the subject matter of the Act. It will give advice to the government on all matters related to the Act. 


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here