Information Technology Act

2000
Cyber crime and criminal Justice:
Penalties, Adjudication and appeals
under the IT Act 2000, IT Act 2008
and its amendments
 Introduction
The Information Technology Act 2000 also known as ITA-2000 or the IT Act.

Notified on 17 october 2000.

Primary law in India to deal with cybercrime and electronic commerce.

Based on the UN Commission on International Trade Law adopted model law on

e-commerce in 1996.

The Indian Act 2000 is based on model law on e-commerce.

India became 12th country to enable the cyberlaw.

This law was finalised by group of officials headed by IT Minister Mr. Pramod
Mahajan and passed by President K.R Narayanan
ITA 2000
Objectives of the ITA 2000
● Provides legal recognition to the transaction done using EDI and other
electronic means of communication
● The Act further amends the following laws
Indian Penal code 1860

Indian Evidence Act 1872

Bankers Book Evidence Act 1891

Reserve Bank of India Act 1934

Features of ITA 2000
● Provides legal recognition to records in electronic form.
● Provides legal recognition to e-commerce and electronic transaction in India.
● Provides legal recognition to digital signatures issued and authenticated by
the certifying authorities.
● Applicable to cybercrimes and contraventions committed to India and outside
India by any person irrespective of nationality.
● Elaborates on offences, penalties and breaches.
● Established the cyber appellate tribunal to hear appeals.
Information Technology Amendment Act 2008
ITAA 2008 makes amendments to the ITA 2000 passed by the Indian Parliament in
October 2008 and came into force on 2009.
1. Data Protection and Privacy
The Act introduced provisions to protect sensitive personal data and information, making
unauthorized access, misuse, or leakage of data a punishable offense.
It also emphasized the role of intermediaries (such as ISPs and website administrators) in
protecting user privacy.
2. Introduction of Cybercrimes
•Cyberterrorism was introduced as a crime, with provisions to deal with individuals who
use computers or communication devices to commit terrorism or threaten national
security.
•New cybercrimes like identity theft, phishing, cyberstalking, cyber harassment, and
child pornography were specifically defined and made punishable offenses.
3. Stronger Penalties for Cybercrimes
•The Act enhanced the penalties for a wide range of cybercrimes, including
unauthorized access to computer systems, data theft, and tampering with
computer source documents.
•Cyberterrorism could result in life imprisonment under the amendment.
4. Liability of Intermediaries
•The role of intermediaries (such as internet service providers, social media
platforms, etc.) was redefined, making them responsible for removing or disabling
access to any unlawful content when informed of such content.

5. Digital Signatures and Electronic Authentication

•The Act recognized electronic signatures (in addition to digital signatures) as
valid means of authentication for electronic transactions, which expanded the
scope of e-commerce and electronic governance.
•The use of Electronic Signature Certificates was introduced to ensure secure
online transactions.
Establishment of Cyber Appellate Tribunal
The Act established the Cyber Appellate Tribunal, which allows individuals and organizations
to appeal decisions related to cyber offenses, adjudicated by relevant authorities. The tribunal
deals with cases arising from violations of the IT Act and ensures proper legal recourse.
Mobile and Wireless Technology Inclusion
•The amendment brought mobile devices and wireless communication under the ambit of the IT
Act, recognizing the role of mobile phones in communication and crime.
Legal Recognition of E-Governance and E-Commerce
•The Act laid down provisions for the legal recognition of electronic contracts and
communications, promoting e-commerce and facilitating easier online transactions with legal
validity.
Protection of Critical Information Infrastructure
•The Act aimed to protect Critical Information Infrastructure (CII) by providing mechanisms
for the government to declare certain computer systems as critical and take necessary steps to
safeguard them against cyberattacks.
Corporate Responsibility
•The law introduced the concept of corporate responsibility, making companies liable if they
fail to implement adequate security practices to protect user data.
Penalties and Offences under ITA 2000
Section 43 to 47 deals with the penalties, compensation and adjudication for
various prohibited acts

Section 65 to 68 deals with offences and penalties for them.

SECTION 43: Penalty for damage to computer, computer system etc

A person who commits certain prohibited acts, shall be liable to pay the damages
by way of compensation upto 1 crore to the affected party
PROHIBITED ACT includes

● Accessing computer, computer system and computer network without

authority
● Downloading, copying or extracting any data, database or information from
computer,computer system or computer network without authority
● Introducing computer virus into any computer system or computer network
including information or data held or stored in any removable storage medium
● Damaging computer or computer system or computer network , data,
computer database or any other residing in such computer
● Disrupting the computer resources
● Denying or causing denial of access to any person authorised to access any
computer or computer system or network by any means
● Providing access to any person to access a computer or computer system or
computer network in contravention of the provisions of the act and rules or
regulations made by the act.
● Charging the services availed of by a person to the account of other person by
tampering or manipulating any computer or computer system or computer
network.
● Destructing, deleting or altering any information residing in computer.
● Stealing, concealing, destroying or altering or causing any person to do same
to any computer source with intention to cause damage.

Section 43 is designed to prevent hacking, data theft, and malicious activities

on computer systems, and it establishes penalties for such actions.
Section 43A Compensation for failure to protect data

Was inserted by ITAA 2008.

Applicable to any firm, sole proprietorship or an association of individuals engaged

in commercial or professional activities.

In such a body corporate involved with processing, dealing or handling any

sensitive personal data or information in a computer resource which it owns,
controls or operates is found to be negligent in implementing and maintaining
reasonable security practices and procedures which causes wrongful loss or gain
to any person, then the body corporates shall be liable to pay damages by way of
compensation not exceeding 5 crore to the affected party.
Section 44:Penalty for failure to furnish information,
return,etc
● If a person who require to furnish any document, return or report to the
controller or the certifying Authority, but fails to the same shall be liable to a
penalty not exceeding one lakh fifty thousand rupees for such failure
● If a person who is required to file any return or furnish any information, books
or other documents within the time period, but fails to do the same, shall be
liable to penalty not exceeding five thousand rupees for every day during such
failures
● If a person who is required to maintain books of account or records but fails to
do the same, shall be liable to penalty not exceeding ten thousand rupees for
every day during which the failure continues.
Incident:
ABC Telecom fails to properly maintain its call data records and logs. Due to
negligence or a lack of proper systems in place, it cannot provide the requested call
logs and network records for a particular investigation initiated by a government
authority.

Examples of Section 44 Application:

•Hospitals or healthcare providers: Failing to maintain digital patient records as
required by health regulations and not being able to furnish these records when
requested by health authorities or patients themselves.

•Educational institutions: Failing to maintain digital records of students' data

(such as attendance, results, or admissions) and not furnishing these records
during inspections or audits by the education board or regulatory authorities.
Section 45: Residuary Penalty
Provides provision of penalty for contravention of any rules or regulations for
which no penalty has been prescribed.

A person committing such contravention shall be liable to pay compensation not

exceeding twenty five thousand rupees to person affected.

If an organization is mandated to maintain and disclose a security report on its

website (say, as part of its compliance with data protection rules or security audit
procedures) but fails to do so, it could be considered a contravention under
Section 45 if no specific penalty is outlined elsewhere.
Offences under the information technology act 2000
Section 65: Tampering with Computer Source Documents

Under Section 65,any person who knowingly or intentionally tampers, conceals,

destroys or alters any computer source document or knowingly causes someone
else to do the same, will be liable to pay a fine upto two lakh rupees or
imprisonment upto three years or both
Section 66: Computer related offences
Section 66 was earlier “Hacking with computer system” which was substituted
with computer related offences by the ITAA 2008.

Any person who dishonestly or fraudulently does any act as referred to in section
43 will be liable to pay a fine upto five lakh rupees or imprisonment upto 3 years.

Section 66B: Punishment for dishonestly receiving stolen computer

resource or communication device will be liable to pay a fine upto one lakh
rupees, imprisonment upto 3 years or both.
Section 66C: Punishment for Identity Theft.

A Person who dishonestly or fraudulently make use of Electronic Signature,

password or any other unique identification feature of any other person, will be
liable to fine upto one lakh rupees or imprisonment upto three years.

Section 66D: Punishment for cheating by personation by using computer

resource.

Any person who dishonestly or fraudulently by means of any communication

device or computer resource cheats by personating, then the person will be liable
to pay a fine upto one lakh rupees or imprisonment upto 3 years
SECTION 66E : Punishment for violation of privacy

Any person who intentionally captures, publishes or transmits the image of the
private area of any person without his/her knowledge will be liable to pay fine upto
two lakh rupees or imprisonment upto 3 years or both.

SECTION 66F: Punishment for cyberterrorism.

Any person or a group of individuals, threatens the unity, integrity. Security or

sovereignty of India, jeopardise foreign relations or strikes terror in people
using computer or electronically commits cyberterrorism will be punished upto
life imprisonment.
SECTION 67: Punishment for publishing or transmitting obscene material in
electronic form.

A person who publishes or transmits in the electronic from, any material which
appeals to prurient interest or if its effect is such as to tend to deprave and corrupt
persons who are likely to read, see or hear matter contained in it, will be liable to
pay a fine upto five lakh rupees or imprisonment upto 3 years or both.

In the event of subsequent conviction such a person will be liable to pay a fine
upto 10 lakh rupees or imprisonment upto 5 years or both.
SECTION 67A: Punishment for publishing or transmitting of material containing
sexually explicit act, etc in electronic form.

Any person who publishes or transmits in the electronic form any material which
contains a sexually explicit act or conduct will be liable to pay a fine upto 10 lakh
rupees or imprisonment upto 5 years or both.

In the event of subsequent conviction, such a person will be liable to pay a fine
upto 10 lakh rupees or imprisonment upto 7 years or both.
SECTION 67B : Punishment for publishing or transmitting of material depicting
children in sexually explicit act etc in electronic form.

If any person captures, publishes or transmits content of a child in a sexually

explicit act or conduct or creates, browses, downloads, shares, promotes,
facilitates or records such content or induces a child into a sexual act. A child is
defined as anyone under 18 years of agee
SECTION 67C : Preservation and retention of information by intermediaries.

Enforces that anyone deemed as an intermediary, for example an ISP must

maintain required records for a stipulated time as prescribed by central
government. Failure to do so. Intentionally, will make the intermediary liable to a
fine and imprisonment for upto 3 years.
SECTION 68: Power of controller to give directions.

Regulatory Authority: Grants the Central Government the authority to prescribe

rules and guidelines for the protection of users and their data in relation to
information technology.
Rules for Cyber Security: The section empowers the government to establish rules
to ensure the security of networks and information systems, thereby enhancing
overall cybersecurity in the country.

A controller has been given the power and may direct a certifying authority or any
employee of such authority to take such measures or cease carrying on such
activities as specified in the order if those are necessary to ensure compliance with
the provision of this act or its rules or regulations.

If any person who intentionally or knowingly fails to comply with order, then he/she
will be liable to one lakh rupees or imprisonment upto 2 years or both.
SECTION 69: Power to issue directions for interceptions or monitoring or
decryption of information through any computer resource.

Section 69 gives power to the controller so that if controller is satisfied that it is

necessary to expedient to direct any agency of the government to intercept any
information transmitted through any computer resource in the interest of
sovereignty or integrity of India, the security of India, friendly relations with foreign
states or public order or for preventing incitement to the commission of any
cognisable offence relating to above or for investigation of any offence.

The subscriber, an intermediary or any person, in charge of computer resource

must extend all facilities and technical assistance to monitor , intercept, provide
secure access and decrypt the information for investigating agency. Failing to
assist agency liable to pay a fine or imprisonment upto seven years or both
SECTION 70: Protected system

This section explains the meaning of the term “Critical Information Infrastructure”,
which means a computer resource, destruction of which, may have severe impact
on national security, economy, public health or safety.

As per section, the appropriate government may declare any facility of critical
information infrastructure as a protected system and prescribe the security
practices and procedures for its security.

Any person who attempts to secure access to such a protected system in

contravention to the provision of the section will be liable to pay a fine , or
imprisonment upto 10 years or both.
SECTION 71 : Penalty of misinterpretation

As per section, if any person makes any misinterpretation to or suppress any

material fact from, the controller of certifying authority for obtaining any licence or
Electronic signature certificate, then he/she will be liable to pay fine upto one lakh
rupees or imprisonment upto two years or both.

SECTION 72: Breach of confidentiality and Privacy

If any person who has secured access to any electronic record, book, register,
correspondence, information, document or other material, without the consent of
person concerned, discloses to any other person, then he/she will be liable to pay
a fine up to one lakh rupees or imprisonment up to two years or both
SECTION 72A: Punishment for disclosure of information in breach of lawful
contract

Any person or intermediary secures access to any material containing personal

information about another person while providing services and discloses it without
the consent of the concerned person with an intention to cause wrongful loss or
wrongful gain will be liable to fine up to 5 lakh rupees or imprisonment upto 3
years or both.
Appeals under ITA 2000
Cybercrimes can be reported to cyber cell established by police department in
different cities.

The ITA 2000 clearly defines that when a cybercrime is committed, it has global
jurisdiction and hence compliant can be filed in any cyber cell.
Cyber Appellate Tribunal
 Section 62: Appeal to High court
Appeal to High Court.-Any person aggrieved by any decision or order of the Cyber
Appellate Tribunal may file an appeal to the High Court within sixty days from the date of
communication of the decision or order of the Cyber Appellate Tribunal to him on any
question of fact or law arising out of such order: Provided that the High Court may, if it is
satisfied that the appellant was prevented by sufficient cause from filing the appeal within
the said period, allow it to be filed within a further period not exceeding sixty days.