Legislative Commentary to the Information Technology Act, 2000

by

Shourya Singh

CyJurII Scholar

on 22 September 2025

Abstract

The Information Technology Act, 2000, was a landmark in integrating India into the world of the digital age. Enacted to provide legal sanctity to electronic transactions and prevent cybercrime, the Act has been amended from time to time to make it effective in the face of the constantly changing technological threats. This parliament debate analyzes the framework, intent, and functioning of the Act, analyzes the key provisions, makes observations on judicial interpretations, and assesses the law's response to emerging digital trends like artificial intelligence, privacy, and data protection. It terminates by highlighting the gaps in the Act and proposing reforms to enable adequate cybersecurity and digital regulation.

Introduction

With the advent of the age of the internet, there was a need for an ordinance regime to regulate electronic commerce, secure online transactions, and punish cyber crimes. India's response was the Information Technology Act, 2000 (hereinafter "IT Act"). It was enacted on 17th October 2000, and the Act drew substantially from the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

India had no legal system to deal with cybercrimes, e-transactions, and e-governance before the IT Act. The Act was intended to boost e-commerce and digital signatures, but to deal with such crimes as hacking, data theft, and cyber terrorism as well.

Objectives and Organization of the Act

The main objectives of the IT Act are:

1. Legal acknowledgment of electronic records and digital signatures

2. Facilitating electronic document filing with government agencies;

3. Prescribing offences in respect of cybersecurity;

4. To enable regulation of intermediaries and protection of data subjects.

The Act consists of 13 Chapters and 2 Schedules, covering:

• Jurisdictional acknowledgment of electronic documents (Sections 3 to 10A);

• Certifying authorities (Sections 17 to 34);

• Offences and punishments (Sections 65 to 78);

• Intermediary liability (Section 79);

• Other miscellaneous provisions, such as the constitution of the Cyber Appellate Tribunal.

Major Provisions

Digital Signature and Electronic Authentication (Sections 3–10A)

The Information Technology Act, 2000, provided the foundation for legalisation of electronic records and digital methods of authentication in India. Sections 3 to 10A provisions are largely digital signatures and establish a technological as well as legal framework in which digital authentication is equivalent to the usual handwritten signature for the majority of legal as well as business purposes.

Section 3 of the Act certifies electronic records with digital signatures. A digital signature created using an asymmetric cryptosystem and a hash function is one of integrity and non-repudiation. Section 4 adds that any information in electronic form that may be accessed and used afresh for reference purposes is an electronic record. These two sections combined enable electronic governance, e-contracting, and paperless trade.

Sections 5 and 6 allow electronic records and digital signatures to file documents with government departments. Section 6A in the 2008 amendment allowed for the recognition of electronic contracts in the exercise of functions by government departments and public bodies, enabling bureaucratic efficiency.

The big leap was achieved with the inclusion of Section 10A under the 2008 amendment, providing legal recognition to electronic contracts that were concluded by offer and acceptance through electronic communication, even without the mutual presence of parties. The section performed phenomenally well during the COVID-19 pandemic, enabling citizens, governments, and businesses to conduct safe and remote transactions.

To ensure the authenticity of digital signatures, the Act empowers the Controller of Certifying Authorities (CCA) to license and regulate Certifying Authorities (CAs), which issue Digital Signature Certificates (DSCs). The certificates identify the owner and connect a digital signature with the owner's identity, making it transparent and impossible to forge.

Even after such revolutions, India's regime has been wanting when it comes to digital signatures. Fewer citizens and small enterprises know about or have access to digital signature infrastructure. In addition, partial adoption of security standards by CAs sometimes exposes them to cyber fraud or certificate abuse. Recent efforts to include eSign (a cloud-based enterprise-level digital signing solution) under the Aadhaar framework have been an effort to provide digital authentication that is more accessible and scalable, particularly for digital governance for Digital India.

Briefly, provisions of IT Act Sections 3 to 10A have provided a safe, effective, and legally enforceable regime of digital signatures in India. However, higher levels of awareness, improved regulatory adherence, and technology outreach are issues of serious concern for inclusive and safe e-governance.

2. Intermediary Liability – Section 79

Section 79 of the IT Act has hitherto had intermediaries such as internet service providers, web-hosting sites, and social networking sites potentially liable for unlawful third-party content. Section 79 was, however, entirely overhauled under the Information Technology (Amendment) Act, 2008, by introducing the "safe harbour" doctrine.

The new Section 79 prescribes that intermediaries cannot be held responsible for third-party data or information provided on their platforms, provided that they don't initiate the transmission, select the recipient, or modify the information. For this immunity to work, however, the intermediaries will have to conduct "due diligence" and follow standards set by the government.

The key judgment under this provision is Shreya Singhal v. Union of India (2015). The Supreme Court believed that intermediaries can only act after receiving a notice or court order to remove certain illegal content. The judgment declared the vague and overbearing Section 66A as violative of Article 19(1)(a) and held that intermediaries cannot be held responsible for pre-judging content except where there was intervention by the courts.

Post-Shreya Singhal, intermediary liability has remained a contentious concept, especially with increasing technology platform involvement in public discourse. For as much, the government notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 under Section 79. The rules had several compliance requirements, including:

•appointing grievance officers, nodal officers, and chief compliance officers for significant platforms (Significant Social Media Intermediaries).

• Climbing users' grievances within 15 days.

• The surveillance of message encryption in specific cases (especially in messaging apps such as WhatsApp), leading to issues of encryption and privacy.

Although these regulations try to make everyone liable, they are criticized by their opponents as outsourcing censorship costs to private companies and having the ability to create chilling effects on free speech. Additionally, compliance costs and legal uncertainty make it cumbersome for startups and smaller platforms to do business through them.

The intermediary liability regime is subject to judicial and parliamentary oversight. The intersection of freedom of speech, privacy, and platform accountability is a developing field, particularly with the rise of the power of AI-generated content, disinformation, and deepfakes. The Digital India Act, slated to replace the IT Act, 2000, will be expected to reimagine the existing safe harbour scheme to regulate intermediaries on an enhanced balance and in forward-looking terms.

Cyber Offences (Sections 65 to 74)

The Information Technology Act, 2000 (amended), gives ample scope to address cyber crimes as a reflection of the dynamic nature of crime in an e-society. Sections 65 to 74 list certain offenses under tampering with data, fraud, forging an electronic record or document, sending offensive messages, and cyber terrorism, thereby creating a strong legal framework to combat cyber wrongdoing.

Section 66: Hacking

This section makes it illegal to enter and harm or modify computer data in a computer facility without permission. "Hacking" is also made an offense where anyone, with intent or with the knowledge that he is obliged to bring about wrongful loss or injury to the public or to any other individual, deletes or destroys computer data stored in a computer facility. Punishment for this section is imprisonment up to a maximum of three years or a fine up to ₹5 lakh, or both. This section has been utilized in all types of data breach prosecutions, including corporate sabotage or espionage.

Section 66C: Identity Theft

Provided by the 2008 amendment, this section punishes the falsification or misuse of electronic signatures, passwords, or other identification characteristics of an individual. Identity theft, with the power of social networking sites and internet banking facilities, has emerged as a major concern. Three years' imprisonment and a fine of up to a maximum of ₹1 lakh are the penalties for the offence. The section has been used by courts in Aadhaar fraud and SIM cloning cases.

Section 66D: Personation with a computer resource to cheat

This category is aimed at impersonation through online means, email scams, and phishing. The crime is the utilization of computer facilities for deceiving another person through impersonation, which is easily available in the shape of online loan scams and job posting scams. The penalty is three years of imprisonment and a fine which cannot exceed ₹1 lakh. It has gained more usage with the rise in cases of duplicate accounts, deepfakes, and AI impersonations.

Section 67: Publication of Obscene Material in Electronic Form

This section makes it an offense to publish or circulate obscene, likely to be appealing to prurient interest, or tends to corrupt and deprave readers or viewers of such material. Section 67 has been used extensively for the offenses of cyber pornography, the circulation of sexually explicit videos, and revenge porn. It introduces a sentence of imprisonment for three years and a fine for the first offense, and five years of imprisonment for subsequent offenses. Sections 67A and 67B, which address sexual content and child pornography respectively in turn were brought into force as an addition to broaden the range of content regulation.

Section 66F: Cyber Terrorism

Section 66F can be termed the gravest offense under the Act. It deals with cyber terrorism. This would encompass acts intended to create fear or risk to the integrity, sovereignty, security, or unity of India by causing denial of access to computer resources, releasing viruses, or attempting to capture sensitive government information. The provision is necessary in the era of the internet, when state-sponsored cyber attacks and information war have become increasingly prevalent. Punishment here can reach as far as life imprisonment, a departure that clearly indicates the law takes an electronic threat to national security seriously.

Trial and Cyber Appellate Tribunal (Sections 46–47)

The Information Technology Act 2000 envisions a strong adjudication of contraventions and offences that can be brought within its fold. The Act envisages adjudicating officers to be appointed by the Central Government under Section 46 of the Act, who shall be at least a Director-level officer in the Central Government. These officers will be conducting inquiries and levying penalties for cyber contraventions, i.e., up to ₹5 crores of loss or damage. In case of higher amounts, the concerned civil court shall exercise jurisdiction.

Adjudicating officers are conferred civil court jurisdiction under the Code of Civil Procedure, 1908, like issuing summonses of witnesses, receiving evidence, and directing the production of documents. The provision is thus a reflection of legislative intent to resolve cyber disputes in a speedy and specialist forum without congesting regular courts. Section 47 of the Act prescribes the grounds on which adjudicating officers will take into consideration while determining the quantum of compensation, i.e., the unjustified benefit accrued, loss suffered by anyone, and repetitive default.

For granting appellate relief against adjudicating officers' orders, the Act initially established the Cyber Appellate Tribunal (CAT) under Section 48. The CAT was a quasi-judicial tribunal and exercised jurisdictional powers to hear adjudicating officers' orders. However, the CAT was abolished by the Finance Act 2017, and the Cyber Appellate Tribunal was merged with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) in the exercise of rationalizing and streamlining tribunals in ministries.

On the whole, the impact of this merger has been mixed. While it merged the tribunals' functions and assisted in cutting administrative overhead, it did impart a definite technical character to cases of cyber law, where the issues get obfuscated in the telecom-biased focus of TDSAT. There have been doubts regarding whether TDSAT possesses the cyber jurisprudence aptitude that would be required to dispose of complex information technology issues effectively.

Apart from this, with increasing cyber frauds, data breaches, and cyber financial crimes, the role of adjudicating forums has gained more significance. However, lack of regular appointments, capacity building, and awareness about the process of adjudication limit its accessibility. There have been proposals to establish special cyber benches or a fast-track digital grievance redressal scheme so that justice in the cyber space becomes efficient, accessible, and techno-savvy.

Hence, while Sections 46 to 47 have done well to introduce cyber adjudication to India, the changing digital scenario requires a more virile and professional adjudicatory environment, particularly with the growing sophistication of cybercrime in the 21st century.

Judicial Trends and Interpretations

Shreya Singhal v. Union of India (2015)

It made Section 66A unconstitutional in the sense that it placed blanket and vague restrictions on online speech. It restored Article 19(1)(a) rights in the cyberworld.

Anuradha Bhasin v. Union of India (2020)

The Court established guidelines for the internet shutdown on the basis that the internet is included under the freedom of expression, as well as carrying out business.

Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)

The right was deemed to be an Article 21 fundamental right. This had a direct bearing on the interpretation of the manner in which the IT Act operates, particularly those surveillance and data protection aspects.

Data Protection and the Digital Personal Data Protection Act, 2023

India. India did not have a full data protection law until 2023. The Digital Personal Data Protection Act now fills gaps in the IT Act with definitions of data fiduciaries, consent, and lawful processing. The IT Act, however, continues to apply to cybersecurity, cybercrime, and the regulation of intermediaries.

Challenges:

•Overlap and replication between the two legislations

•Deficits in enforcement capacity

•No independent data protection regulator under the IT Act

Modern Issues in Cyber Law

Artificial Intelligence and Deepfakes

The IT Act does not control AI content or deepfakes per se. Section 66E and Section 67 can, however, be used if the content is in breach of privacy or decency. The Act is in desperate need of an update to control AI.

Algorithmic Bias on Online Sites Platform responsibility is not governed.

While diligence is a necessity under Rule 4 of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the absence of clear parameters of algorithmic fairness leaves loopholes in law.

Cross-Border Data Flows

The IT Act is not robust in combating cross-border data transfer rules. Although international regulation like the GDPR has strict data transfer mandates, India's stance is highly lenient, leading to international business non-compliance risks.

Strengths and Successes

• Rolled out electronic documents and electronic signatures

• Enabled offences to address cybercrime

• Safeguarded intermediaries against legal harassment

• Set the pillars of e-commerce and e-governance

Limitations

• Lack of clarity in definitions such as "obscene," "annoying," "grossly offensive"

• Atrophied enforcement because of insufficient cybercrime infrastructure and training

• Excludes new technologies such as AI, blockchain, and quantum computing

• Privacy provisions are stale where there is no complete convergence with the DPDP Act

Recommendations

·       Enact AI and new technology bills under the IT Act or enact a standalone law.

·        Section 79 should be revised to cover algorithmic liability and transparency.

·       Cyber forensic and training centers should be set up in each state to allow investigation. Include stiffer penalties for data breaches and identity theft.

·       Harmonize the IT Act with the DPDP Act so that there isn't confusion in law.

Conclusion

The Information Technology Act, 2000, was its time's game-changer, which provided the legislative framework to India's information technology revolution. The speedy rate of technological development, however, means that it must yet shape up. The adoption of newer technologies, the safeguarding of digital rights, and transparent regimes of liability are required to help India remain robust in the danger-prone era of 21st-century cyber attacks.

Bibliography

1.     The Information Technology Act, 2000 (India Code), https://www.indiacode.nic.in

2.      2. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 3.

3.     Shreya Singhal v. Union of India, AIR 2015 SC 1523

4.     4. Anuradha Bhasin v. Union of India, (2020) 3 SCC 637

5.      5. Cleartax, "IT Act 2000 – Provisions & Relevance," https://cleartax.in/s/it-act-2000

6.      6. Wikipedia, "Information Technology Act, 2000," https://en.wikipedia.org/wiki/Information_Technology_Act,_2000

7.     7. Digital Personal Data Protection Act, 2023

8.      8. UN General Assembly, Model Law on Electronic Commerce, UNCITRAL, 1996