Technology Law · In ForceAct No. 21 of 2000S.66A Struck Down — Shreya Singhal 2015

Information Technology Act

IT Act 2000 · India's Cyber Law Framework

Provides legal recognition for electronic transactions and digital signatures; defines cyber offences and their consequences; governs intermediary liability; grants powers of investigation and surveillance to government agencies. Substantially amended in 2008 to add cyber offence provisions.

90+

Sections

Chapters

UNCITRAL

Based On

2008

Major Amendment

Key Amendments & Developments

→IT (Amendment) Act, 2008 — major expansion of cyber offence provisions, added S.43A, 66A-F, 67A-C, 69, 69A, 69B, 70A, 70B, 79 safe harbour

→IT (Intermediary Guidelines) Rules, 2011 — due diligence obligations for intermediaries

→IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — social media regulation, significant social media intermediaries

→S.66A struck down by Supreme Court in Shreya Singhal v. Union of India (2015) as unconstitutional

Structure — 14 Chapters

Browse the IT Act by chapter

Chapter I1–2

Preliminary

Short title, extent, commencement, and definitions including computer, computer network, data, digital signature, electronic record.

Chapter II3–3A

Digital Signature and Electronic Signature

Authentication of electronic records using digital signatures. S.3A added electronic signatures as a broader category beyond digital signatures.

Chapter III4–10A

Electronic Governance

Legal recognition of electronic records. Government to accept and issue electronic records. Rules for electronic contracts.

Chapter IV11–13

Attribution, Acknowledgment and Despatch of Electronic Records

Rules for determining when an electronic record is attributed to the originator, when acknowledged, and when dispatched/received.

Chapter V14–16

Secure Electronic Records and Secure Digital Signatures

Security of electronic records and digital signatures. Criteria for "secure" status.

Chapter VI17–34

Regulation of Certifying Authorities

Appointment of Controller of Certifying Authorities (CCA). Licensing and regulation of Certifying Authorities (CAs) that issue Digital Signature Certificates.

Chapter VII35–42

Electronic Signature Certificates

Issue, suspension, and revocation of Digital Signature Certificates. Duties of subscribers.

Chapter VIII40–42

Duties of Subscribers

Obligations of persons to whom Digital Signature Certificates are issued.

Chapter IX43–47

Penalties, Compensation and Adjudication

Civil liability for damage to computer systems (S.43), data breach liability (S.43A). Adjudicating officers can award compensation up to Rs. 5 crore; above that, jurisdiction of civil courts.

Chapter X48–64

The Cyber Appellate Tribunal

Establishment, jurisdiction, and procedure of Cyber Appellate Tribunal (CAT) to hear appeals from adjudicating officers.

Chapter XI65–78

Offences

Criminal offences including tampering with source code (S.65), computer-related offences (S.66), identity theft (S.66C), cheating by impersonation (S.66D), violation of privacy (S.66E), cyber terrorism (S.66F), obscene content (S.67, 67A, 67B), child pornography.

Chapter XII79

Intermediaries Not to Be Liable in Certain Cases

Safe harbour for intermediaries: not liable for third-party information if they act as conduit, do not initiate transmission, do not select recipients, and observe due diligence (S.79).

Chapter XIII79A

Examiner of Electronic Evidence

Appointment of Examiners of Electronic Evidence to assist courts in analysing digital evidence.

Chapter XIV80–90

Miscellaneous

Power to investigate (S.80), protected systems (S.70), cyber security incident response (S.70B — CERT-In), network service providers (S.79), offences by companies (S.85), liability of directors.

Key Sections

Most litigated and counselled provisions

S. 2(1)(o)

Intermediary — Definition

An "intermediary" is any person who on behalf of another person receives, stores, or transmits an electronic message or provides any service related to it. This includes telecom companies, internet service providers, search engines, social media platforms, online marketplaces, and cloud providers. The definition is broad and determines who gets S.79 safe harbour protection.

In Force

S. 4

Legal Recognition of Electronic Records

An electronic record satisfies any legal requirement for a document to be in writing. This is the foundational provision that gives legal validity to contracts formed electronically, emails, and digitally executed documents under Indian law.

In Force

S. 43

Penalty for Damage to Computer, Computer System etc.

Any person who without permission accesses a computer, downloads or extracts data, introduces viruses, disrupts a computer system, denies access, or assists another in any of these acts is liable to pay compensation to the affected person. The adjudicating officer can award compensation up to Rs. 5 crore; claims above that go to civil courts. This section covers civil liability — criminal liability for similar acts falls under S.66.

In Force

S. 43A

Compensation for Failure to Protect Data

A corporate body that possesses, deals with, or handles sensitive personal data and is negligent in implementing reasonable security practices — resulting in wrongful loss or gain to any person — is liable to pay damages by way of compensation. This was the primary data breach liability provision before the DPDPA 2023. "Sensitive personal data" includes passwords, financial information, health data, biometric data, and sexual orientation.

In Force

S. 66

Computer-Related Offences

Any act described in S.43 (unauthorised access, data theft, introducing viruses, etc.), when done dishonestly or fraudulently, becomes a criminal offence. The key distinction from S.43 is intent — civil liability under S.43 does not require dishonest intent, but the criminal offence under S.66 does. S.66 is the cyber equivalent of general criminal provisions and is one of the most invoked sections in cybercrime FIRs.

In Force

S. 66A

Punishment for Sending Offensive Messages [STRUCK DOWN]

This section criminalised sending "grossly offensive" or "menacing" messages through electronic communication, and messages intended to cause annoyance, inconvenience, or ill will. The Supreme Court struck down S.66A entirely in Shreya Singhal v. Union of India (2015) as unconstitutional, holding it violated Article 19(1)(a) (freedom of speech) and was unreasonably vague. The section no longer exists in law.

Struck Down

S. 69

Power to Issue Directions for Interception, Monitoring or Decryption

The Central or State Government (or any officer authorised) may direct any agency of the government to intercept, monitor, or decrypt information transmitted through any computer resource for specified purposes including sovereignty, security, public order, or prevention of incitement to crime. Any subscriber or intermediary must enable interception or face up to seven years imprisonment. Widely used for lawful interception orders served on telecom and internet companies.

In Force

S. 69A

Power to Issue Directions for Blocking Public Access

The Central Government (through the Designated Officer) can direct intermediaries to block public access to any information online in the interest of sovereignty, security of the State, public order, decency, or prevention of incitement. This is the statutory basis for all website and URL blocking orders in India, including app bans. Intermediaries must comply or face up to seven years imprisonment.

In Force

S. 70B

Indian Computer Emergency Response Team (CERT-In)

CERT-In is the national nodal agency for cyber security incident response in India. It operates under MeitY and issues mandatory cyber security directions to organisations. The CERT-In Directions 2022 impose mandatory reporting of cyber incidents within 6 hours, require VPN providers and cloud companies to maintain user data for 5 years, and mandate synchronisation of ICT system clocks to NTP servers.

In Force

S. 79

Exemption from Liability of Intermediaries

Intermediaries are not liable for third-party information, data, or communication links hosted on their platforms if: (a) the intermediary does not initiate the transmission or select the recipient, (b) the intermediary does not modify the information, and (c) the intermediary observes due diligence and follows the IT Rules 2021. Safe harbour is lost if the intermediary has actual knowledge of unlawful content and fails to expeditiously remove it after notice.

In Force

Other Provisions

Additional sections in advisory and enforcement contexts

S. 10A

Validity of Electronic Contracts

Contracts formed electronically are valid. An offer and acceptance communicated through electronic means creates a binding contract under the Indian Contract Act 1872. This section removed any argument that electronic contracts lack legal validity.

In Force

S. 66B

Punishment for Dishonestly Receiving Stolen Computer Resource

Dishonestly receiving or retaining stolen computer resources or communication devices, knowing or having reason to believe they are stolen, is a criminal offence. Mirrors S.411 IPC (receiving stolen property) in the digital context.

In Force

S. 66C

Punishment for Identity Theft

Fraudulently or dishonestly using the electronic signature, password, or any other unique identification feature of another person is identity theft under the IT Act. This covers phishing attacks, credential theft, SIM swapping, and OTP fraud scenarios.

In Force

S. 66D

Punishment for Cheating by Impersonation Using Computer Resource

Using any communication device or computer resource to cheat by personating (impersonating) someone is a criminal offence. This covers online impersonation, fake social media accounts in another person's name used to deceive, and CEO fraud/business email compromise scenarios.

In Force

S. 66E

Punishment for Violation of Privacy

Intentionally or knowingly capturing, publishing, or transmitting the image of a private area of any person without consent, under circumstances where the person would have a reasonable expectation of privacy, is a criminal offence. This section addresses voyeurism, non-consensual sharing of intimate images, and hidden camera offences.

In Force

S. 66F

Punishment for Cyber Terrorism

Cyber terrorism means using computer resources to threaten the unity, integrity, security, or sovereignty of India, or to strike terror in people by denying access to computers, introducing contaminants into critical infrastructure, or accessing protected systems. This is one of the most serious offences under the IT Act.

In Force

S. 69B

Power to Authorise Collection of Traffic Data

The Central Government may authorise any agency to monitor and collect traffic data or information generated, transmitted, received, or stored in any computer resource. Intermediaries and subscribers must provide technical assistance for collection and must maintain confidentiality.

In Force

S. 70

Protected Systems

The Central Government may notify any computer resource as a "protected system" and restrict access to authorised persons. Unauthorised access to a protected system is a criminal offence. Protected systems include critical infrastructure like power grids, banking systems, air traffic control, nuclear facilities, and defence networks.

In Force

S. 72

Breach of Confidentiality and Privacy

Any person who has secured access to any electronic record, book, register, correspondence, information, document, or other material under the powers conferred by the IT Act, and who discloses such material without the consent of the person concerned, commits an offence. This applies to government officials and investigators.

In Force

S. 72A

Punishment for Disclosure of Information in Breach of Lawful Contract

Disclosure of personal information obtained while providing services under a lawful contract, without the consent of the person concerned and with the intent to cause wrongful loss or gain, is a criminal offence. This section creates liability for employees, service providers, and third-party data processors who misuse personal data they access under a contract.

In Force

S. 81

Act to Have Overriding Effect

The provisions of the IT Act shall have overriding effect — notwithstanding anything inconsistent in any other law. However, this does not restrict any person from exercising rights under the Copyright Act or Patents Act.

In Force

S. 85

Offences by Companies

When a company commits an IT Act offence, every person in charge of and responsible for the company at the time — director, manager, secretary, or officer — is deemed guilty and is liable. They can escape liability by proving the offence was committed without their knowledge or despite their due diligence. This mirrors S.141 NI Act for corporate accountability.

In Force

Related Legislation

—Digital Personal Data Protection Act, 2023 (DPDPA) — now the primary data privacy law

—Indian Evidence Act 1872 / Bharatiya Sakshya Adhiniyam 2023 — electronic evidence admissibility

—Bharatiya Nyaya Sanhita 2023 (BNS) — cyber offences also in BNS

—IT (Intermediary Guidelines) Rules 2021 — regulates social media platforms

Need Legal Advice?

Our team advises on matters arising under this legislation.

DPDP Act Compliance Cybersecurity Legal Advisory

Schedule a Consultation

Corpus Juris Legal advises technology companies, intermediaries, and digital businesses on IT Act compliance, CERT-In obligations, data breach response, cyber offence defence, and intermediary due diligence under the IT Rules 2021.

Free Consultation ← All Acts