The primary source of cyber law in India is the Information Technology Act, 2000 (IT Act) which came into force on 17 October 2000.
The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government. The IT Act also penalizes various cyber crimes and provides strict punishments (imprisonment terms upto 10 years and compensation up to Rs 1 crore).
An Executive Order dated 12 September 2002 contained instructions relating to provisions of the Act with regard to protected systems and application for the issue of a Digital Signature Certificate.
Minor errors in the Act were rectified by the Information Technology (Removal of Difficulties) Order, 2002 which was passed on 19 September 2002.
The IT Act was amended by the Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002. This introduced the concept of electronic cheques and truncated cheques.
Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004 has provided the necessary legal framework for filing of documents with the Government as well as issue of licenses by the Government. It also provides for payment and receipt of fees in relation to the Government bodies.
On the same day, the Information Technology (Certifying Authorities) Rules, 2000 also came into force. These rules prescribe the eligibility, appointment and working of Certifying Authorities (CAs). These rules also lay down the technical standards, procedures and security methods to be used by a CA. These rules were amended in 2003, 2004 and 2006.
Information Technology (Certifying Authority) Regulations, 2001 came into force on 9 July 2001. They provide further technical standards and procedures to be used by a CA. Two important guidelines relating to CAs were issued. The first are the Guidelines for submission of application for license to operate as a Certifying Authority under the IT Act. These guidelines were issued on 9 July 2001.
Next were the Guidelines for submission of certificates and certification revocation lists to the Controller of Certifying Authorities for publishing in the National Repository of Digital Certificates. These were issued on 16 December 2002.
The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000 also came into force on 17 October 2000. These rules prescribe the appointment and working of the Cyber Regulations Appellate Tribunal (CRAT) whose primary role is to hear appeals against orders of the Adjudicating Officers.
The Cyber Regulations Appellate Tribunal (Salary, Allowances and other terms and conditions of service of Presiding Officer) Rules, 2003 prescribe the salary, allowances and other terms for the Presiding Officer of the CRAT.
Information Technology (Other powers of Civil Court vested in Cyber Appellate Tribunal) Rules 2003 provided some additional powers to the CRAT.
On 17 March 2003, the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 were passed. These rules prescribe the qualifications required for Adjudicating Officers. Their chief responsibility under the IT Act is to adjudicate on cases such as unauthorized access, unauthorized copying of data, spread of viruses, denial of service attacks, disruption of computers, computer manipulation etc. These rules also prescribe the manner and mode of inquiry and adjudication by these officers.
The appointment of adjudicating officers to decide the fate of multi-crore cyber crime cases in India was the result of the public interest litigation filed by students of Asian School of Cyber Laws (ASCL).
The Government had not appointed the Adjudicating Officers or the Cyber Regulations Appellate Tribunal for almost 2 years after the IT Act had come into force. This prompted ASCL students to file a Public Interest Litigation (PIL) in the Bombay High Court asking for speedy appointment of Adjudicating officers.
The Bombay High Court, in its order dated 9 October 2002, directed the Central Government to announce the appointment of adjudicating officers in the public media to make people aware of the appointments. The division bench of the Mumbai High Court consisting of Hon’ble Justice A.P. Shah and Hon’ble Justice Ranjana Desai also ordered that the Cyber Regulations Appellate Tribunal be constituted within a reasonable time frame.
Following this the Central Government passed an order dated 23 March 2003 appointing the “Secretary of Department of Information Technology of each of the States or of Union Territories” of India as the adjudicating officer for that State or Union Territory.
The Information Technology (Security Procedure) Rules, 2004 came into force on 29 October 2004. They prescribe provisions relating to secure digital signatures and secure electronic records. Also relevant are the Information Technology (Other Standards) Rules, 2003.
An important order relating to blocking of websites was passed on 27 February, 2003. Computer Emergency Response Team (CERT-IND) can instruct Department of Telecommunications (DoT) to block a website.
The Indian Penal Code (as amended by the IT Act) penalizes several cyber crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc. Digital evidence is to be collected and proven in court as per the provisions of the Indian Evidence Act (as amended by the IT Act). In case of bank records, the provisions of the Bankers’ Book Evidence Act (as amended by the IT Act) are relevant.
Investigation and adjudication of cyber crimes is done in accordance with the provisions of the Code of Criminal Procedure and the IT Act. The Reserve Bank of India Act was also amended by the IT Act.
The Information Technology (Amendment) Act, 2008, which came into force on 27th October, 2009 has made sweeping changes to the Information Technology Act, 2000.
The following rules have also come into force on the same day:
(1) Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
(2) Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009
(3) Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009
(4) The Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009
(5) Cyber Appellate Tribunal (Procedure for Investigation of Misbehaviour or Incapacity of Chairperson and Members) Rules, 2009.