Author: Y. Ananya, KL University
ABSTRACT
India’s primary legislative framework relating to the digitization of commerce, communication and governance is contained in the Information Technology Act (the “IT Act 2000”). The IT Act was passed, in part, to enable electronic transactions and to provide a legislative framework for cyber crime and cyber security. The IT Act has evolved from its initial statute through the passage of three legislative acts enacted after it became law: the IT (Amendment) Act (2008), the IT (Intermediary Guidelines/Digital Media Ethics Code) Rules (2021), and the Digital Personal Data Protection Act (2023). This research sets out the original architecture of the IT Act and then shows how the additions to the Act have made it liberal. A combination of doctrinal methodology with additional analysis of international law instruments is used to examine the IT Act's interaction with similar laws outside of India. The comparison features several instruments, including the Budapest Convention on Cybercrime and the EC's Data Protection Regulation. This research assesses the IT Act’s contemporary adequacy to deal with: (i) data breaches; (ii) intermediary liability; (iii) state surveillance; and (iv) Artificial Intelligence driven harms. The comparative analysis identifies three main problems with the existing IT Act framework: (1) there is currently no regulatory authority that is separate from the government; (2) there are not enough enforcement procedures to monitor compliance for the entire ecosystem of data protection; and (3) the IT Act does not have a "technology-neutral" approach to the regulation of new or emerging technologies regarding protection of rights and proportionality. The research provides targeted recommendations on how each of these deficiencies can be addressed through comparative analysis or reforms.
KEYWORDS:
Information Technology Act 2000; Cybercrime; Data Protection; Cyber law; Digital Personal Data Protection Act 2023; Cyber Regulation India.
INTRODUCTION
In India, the Information Technology Act (IT Act) was enacted on 17 October, 2000, serving as the nation’s first all-encompassing legal framework for digital commerce, electronic records, digital signatures and crimes committed via computers. It was drafted in recognition of the globalization of electronic commerce and drew directly on international developments, being largely based upon the UNCITRAL Model Law on Electronic Commerce, a standard document intended to offer a consistent basis for the global treatment of electronic transactions. At the beginning of 2000, the digital economy in India was undeveloped, with limited access to broadband, e-governance in its infancy, and the Internet largely accessible only to business and government institutions. With approximately 900 million internet users currently, India now has the second largest connected user base in the world and is one of the fastest growing digital economies. For example, state-run digital infrastructure like Aadhaar, the Unified Payments Interface, the Goods and Services Tax Network, and the CoWIN vaccination platform uses sensitive personal information from over 1 billion users on a daily basis. The structural limits of a statute that was created in a legislative environment prior to smartphones, cloud technology, and social media have now been highlighted by this transformation. Originally, the IT Act combined two strands of regulatory logic, facilitating e-commerce and prohibiting cybercrime, into a single statute. As a result, the IT Act’s original structure has created continuing jurisdictional ambiguity and enforcement shortcomings.
Important changes were made to the IT (Information Technology) Act in 2008, with the introduction of many more offences under the Act and the addition of a very limited data protection obligation (Section 43A). Although some of these changes address enforcement issues, they have given rise to new constitutional problems. A prime example was the Supreme Court’s ruling in Shreya Singhal v. Union of India that Section 66A was unconstitutional on grounds of vagueness. A number of legislative responses after the IT Act, including the 2021 Intermediary Guidelines and the Digital Personal Data Protection Bill of 2023, represent incremental but insufficient solutions to a challenge that requires an overall system of legislative architecture. This paper therefore addresses two research questions. First, it asks how well the existing provisions of the IT Act, as amended, with supplementary provisions, and understood in the light of the superior court rulings, are able to meet the IT threats and governance requirements of 2025. Second, it asks what legislative and institutional changes are required to build a coherent and rights-compliant cyber legal framework for India. The paper adopts a doctrinal and comparative approach, assessing the framework in India against the Budapest Convention on Cybercrime and the General Data Protection Regulation of the European Union. The paper is organized as follows: Section 2 reviews the literature, Section 3 presents the methodology, Sections 4-6 contain the key analysis, Section 7 offers policy considerations, and Section 8 concludes with recommendations for comprehensive legislative reform.
LITERATURE REVIEW
The scholarship on the Information Technology Act, 2000 is both wide-ranging and interdisciplinary, with research covering doctrine, constitutional law, empirical research in cybercrimes, and works advocating for regulatory policies. Pavan Duggal's detailed work on Indian Cyberlaw is a systematic overview of the provisions in the IT Act from its inception in the UNCITRAL Model Law on Electronic Commerce till its modification. Duggal's main argument, that the IT Act was prepared by a legislature which was not well informed about the technology it sought to regulate, is well-founded and convincing. He shows that this unfamiliarity resulted in a provision that was on the one hand too broad in criminalizing harm and on the other too narrow in providing civil remedies for it, leaving a structure that is poorly designed to address the complex harms of the digital world. His later writings amplify this critique in relation to the 2008 amendments, highlighting the reactive nature of the new offences regime, including the short-lived Section 66A, as one that focused on the accessibility of digital harms rather than the structural nature of the issue. A complementary approach is provided by Anirudh Rastogi's work on cyberlaw, which provides a comparative international perspective on Indian law. Unlike the European Union, which has separate laws for data protection, cybercrime and electronic communications, Rastogi finds that India's cyber legal regime is incoherent, with the laws for data protection, cybercrime and electronic communications all overlapping in different ways, resulting in jurisdictional confusion, enforcement gaps, and regulatory incoherence. This is a structural criticism, which is confirmed in the judicial record. Nasscom v. Ajay Sood is a typical instance of the legislature's failure to provide remedies for this category of claims, which has led courts to apply common law principles creatively and to grant remedies that are not expressly provided in the statute. In a similar fashion, in State of Tamil Nadu v. Suhas Katti (Criminal No. 4680/2004), the first case in which the Information Technology Act, 2000 was applied and the first conviction obtained under it, the prosecution depended heavily on an ancillary application of Indian Penal Code sections to fill the gaps in the statute, as the Act had no specific section covering cyber-harassment comprehensively.
The report of the Justice B.N. Srikrishna Committee (2018), which made a detailed analysis of the shortcomings of Section 43A and recommended a separate data protection regulation, has had a significant effect on the academic discourse on data protection in India. The final passage of the Digital Personal Data Protection Act, 2023 has drawn both measured approval, for the introduction of data fiduciary accountability, a framework of data principal rights and a specific adjudicatory body, and continued institutional critique. Academic commentators on the DPDPA have noted three specific shortcomings: the wide exception allowing the state to remove itself from the protections of the law by notification; the lack of an independent Data Protection Board with security of tenure equal to that of the GDPR supervisory authorities; and the fact that some implementation details, such as the method of determining ‘reasonable security practices’ and ‘consent mechanisms for children’, are delegated to ‘rules’ which remain unpublished at the time of writing. Discussion of intermediary liability under the IT Act has increased since the enactment of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Regulatory gaps are being felt at the international level with India being similar to the European Union's Artificial Intelligence Act and the Budapest Convention on Cybercrime.
METHODOLOGY
This paper has been prepared using a mainly doctrinal approach to research, based on analysing primary sources of law: the Information Technology Act, 2000 and its amendments; subordinate rules and notifications under the Act, e.g., the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; and judicial interpretations of the provisions of the Act, for example in Shreya Singhal v. Union of India and K.S. Puttaswamy v. Union of India. Doctrinal methodology is well suited to the central objective of the paper, which is to identify the strengths and weaknesses of the current legal authority by examining the extent to which it is adequate to meet its expressed purpose and is internally consistent. A comparative methodology is added to the doctrinal analysis. The paper compares the provisions of the IT Act with four international instruments, chosen for their normative influence and their relevance in the functional context of India. First, the European Union’s General Data Protection Regulation is analysed as the international standard for data protection, and then the Digital Personal Data Protection Act, 2023 (DPDPA) is examined. Second, the Budapest Convention on Cybercrime is the international standard for cybercrime offences, procedural safeguards and cross-border law enforcement cooperation against which Chapter XI of the IT Act is measured, and Chapter XI is interpreted in its light. Third, the United States Computer Fraud and Abuse Act provides a sectoral approach to unauthorised access offences. Finally, the EU’s forthcoming Artificial Intelligence Act has a role to play in the analysis of emerging technology regulation. To determine the adequacy of the legal framework in addressing cyber threats, secondary empirical data is also cited throughout from CERT-In’s annual incident reports, the National Crime Records Bureau’s cybercrime reports and the RBI’s cyber security advisories. Considering the scope and objectives of this paper, the integrated doctrinal-comparative methodology, which uses the National Cyber Security Policy 2013 as a policy reference point along with secondary empirical context, is applicable.
STRUCTURE AND LEGISLATIVE OBJECTIVES
The 2000 Information Technology Act was designed for a wide range of purposes. The Act's four broad goals were: to recognize, for the first time, the legality of electronic records and digital signatures; to create a legal structure for electronic commerce and e-governance; to create a system of Certifying Authorities for the issuance of digital certificates; and to provide structures for the civil and criminal prosecution of crimes against cyberspace. In drafting the IT Act, the legislature took heavy cues from the UNCITRAL Model Law on Electronic Commerce, especially its provisions for electronic contracts, the manner in which offers and acceptances are made electronically, and the attribution of electronic records. The legislature made a conscious decision to adopt a technology-neutral drafting style. Thus, it defined 'electronic record' broadly, and did not tie the provisions of the Act to specific technologies. This was the right decision, because it allows the Act to be applied to emerging technologies that were unforeseeable when the Act was passed. Chapter II of the IT Act recognizes the legality of electronic records and digital signatures and establishes the legal foundation upon which India's future e-Governance infrastructure would build. Chapter VI, which established the Office of the Controller of Certifying Authorities, created an environment for secure digital transactions using public key infrastructure in a hierarchical manner. While the public key infrastructure and digital certificate environment were created to serve as a framework for the reliable execution of digital transactions, the actual use of public key infrastructure and digital certificates by commercial participants has been limited; rather, the majority of commercial participants have used alternative, simpler, and non-systematic methods for the verification of digital identities.
Cyber Offences Under the Original Act:
The first statutory cyber offence regime in India was created by Chapter XI of the original Act, which consisted of Sections 65 to 74. The offences included: tampering with computer source code (Section 65); hacking with wrongful intent (Section 66); publishing obscene electronic material (Section 67); confidentiality and privacy violations by service providers (Section 72); and misrepresentation to obtain digital certificates (Section 74). The hacking provision was the main component of India's criminal framework and was the first time that the notion of unauthorised access had been expressed in law.
The offences framework quickly drew scholarly criticism for three reasons. First, the mens rea requirements for the various offences were inconsistent, which made them difficult for judges unfamiliar with digital evidence to interpret. Second, certain categories of cybercrime (phishing, cyberstalking, and identity theft) that were already prevalent when the Act came into effect were not addressed directly by the Act, leading prosecutors to rely on general provisions in the IPC. Third, as evidence of this last point, the first conviction under the Act, State of Tamil Nadu v. Suhas Katti, required the court to base its reasoning on both the IPC and the IT Act, indicating that there were still gaps in how cybercrime was defined at the time of enactment.
Expanding Cyber Crime Offences Legislation:
The greatest change in the history of the Information Technology Act (IT Act) was made with its 2008 amendment, known as the Information Technology (Amendment) Act of 2008. After the use of electronic means of communication in planning and implementing the Mumbai terrorist attacks (in 2008) was identified, and with exponential growth in the number of digital and wire-based crimes being reported, Parliament took action to greatly increase the number of electronic crimes dealt with under the IT Act. New additions to the list of cyber offences include: Section 66A, which deals with transmitting offensive electronic messages; Section 66C, which criminalises 'identity theft'; Section 66D, which deals with 'cheating through impersonation' using electronic means of communication; Section 66E, which provides protection for 'visual privacy'; and Section 66F, which establishes the crime of 'cyber terrorism' and can result in a life sentence.
As is well documented, the vagueness of Section 66A led to infringement of people's right to freedom of speech. Courts at all levels of the review process permitted use of the provision to detain individuals for posting political satire, criticising public officials and for other exercises of speech that constitutional law clearly protected. In its 2015 ruling in Shreya Singhal v. Union of India, the Supreme Court of India found that the vagueness of Section 66A made it impossible for the provision to satisfy the criteria established under Article 19(2) of the Constitution to be classified as a reasonable limitation on the right to free speech. Additionally, the Supreme Court ruled that, because this vagueness allowed the banning of speech associated with politically based messages, Section 66A also had a chilling effect on legitimate free speech.
SECTION 43A AND EARLY DATA PROTECTION
In 2008, the introduction of Section 43A added civil liability for corporate bodies that neglected to take reasonable security measures with regard to Sensitive Personal Data or Information (SPDI). This was a significant change from the original intent of the Act and recognized for the first time that data protection is a separate regulatory goal that required specific regulation. The rules promulgated in 2011 under Section 43A require the bodies corporate to have a privacy policy, obtain informed consent when collecting SPDI, and implement reasonable security standards.
Unfortunately, the provision has three major limitations: (1) It only applies to bodies corporate and not to the largest processors of data - government agencies and state instrumentalities; (2) The adjudication offices established under Section 46 of the IT Act are under-resourced and very few data protection complaints are ever filed with them, as the majority of disputes are being handled through consumer forums or civil courts; (3) The definition of SPDI is too narrow in that it fails to cover many significant categories of sensitive information such as location data or behavioral profiles generated by digital platforms, which creates a huge gap in the regulatory framework that is being taken advantage of by the platform economy.
THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
The Digital Personal Data Protection Act, 2023 represents the most substantial development in the regulatory environment of cyber law in India since the amendments made to the Information Technology Act of 2008. Five years after three different iterations of the drafting process, the new statute sets forth obligations concerning purpose limitation, data minimisation and reasonable security safeguards for Data Fiduciaries, establishes a new independent adjudicatory authority (the Data Protection Board of India) and introduces enforceable rights of data principals including but not limited to rights of correction, erasure and grievance redressal.
When assessed against the GDPR, significant structural differences can be observed between the two statutes. In particular, the GDPR provides for independence of the supervisory authorities, investigatory powers and the authority to impose significant administrative penalties, whereas the Data Protection Board created by the DPDPA is appointed by the Central Government according to procedures to be established by rule, which raises serious concerns as to whether it has any independence from the executive. Moreover, the DPDPA contains an expansive exemption clause, with no counterpart in the GDPR, which will allow the government to exempt any person receiving services from the provisions of the statute. Depending on the manner in which this exemption clause is exercised, the value or purpose of the DPDPA may be nullified. These limitations may require correction through the legislative process as implementation of the DPDPA proceeds.
DISCUSSION
The study of the previous sections shows a cyber legal architecture of incremental legislative growth. The study identified three main policy implications, each relating to one of the structural deficits discussed above. The first is the need to revise India's cyber offences framework with a new Cybercrime Act. The gap created by the invalidation of Section 66A has not been filled by an alternative provision that complies with the requirements of the Constitution; the government continues to use provisions of the Bharatiya Nyaya Sanhita, which have been challenged on constitutional grounds, to deal with online speech offences. The current framework would benefit from a dedicated Cybercrime Act in line with the framework of the Budapest Convention, with clear mens rea requirements, proportionate penalties based on the nature and gravity of the offence, and strong procedural safeguards for digital evidence. It is important to note that any limitation on online expression must undergo the constitutional test provided in Shreya Singhal, and not after expensive constitutional battles. Second, the framework of intermediary liability needs to be updated to reflect the new technological realities. The 2021 Rules' traceability requirement is: (i) technically problematic, and perhaps even more so from a security-law perspective, because it damages the infrastructure for encryption, which is vital for cybersecurity; and (ii) constitutionally problematic, in that it meets strong constitutional objections. An effective approach along the lines of the EU's Digital Services Act would require large platforms to carry out and publish risk assessments of algorithmic amplification, to put in place measures to make algorithms transparent and accessible to independent auditors, and to create accessible avenues for complaints (without necessarily breaking encryption).
The National Cyber Security Policy 2014 should reaffirm the collective international view that robust encryption must be an integral part of cyber security, and not an obstacle to law enforcement. Third, the implementation of the DPDPA should emphasise institutional independence as a condition that cannot be compromised if the statute is to be effective. The exceptions provided to the State under the DPDPA should be curtailed by legislation, to ensure proportionality, necessity and democratic authorisation as established in K.S. Puttaswamy. The single most important reform that India needs is a consolidation of the existing non-uniform cyber legal framework into a single legal code, divided into sections, that will deal with e-commerce, cybercrime, data protection, intermediary regulation and critical infrastructure protection, and will be based on a rights-respecting framework.
CONCLUSION
The 2008 amendments broadly extended the applicability of the statute, while the Intermediary Guidelines of 2021, aimed at regulating the platform economy, have never been enacted, and the Digital Personal Data Protection Act, 2023 has now created a specific data protection regime. However, the embedding of heterogeneous policymaking goals in a single instrument; the lack of separation of powers in regard to the surveillance powers; the lack of clarity in the implementation architecture of the DPDPA; and the absence of a normative framework on the harms caused by the use of artificial intelligence, as well as on algorithmic accountability and data flows across borders, are central and not marginal problems in the current architecture of the DPDPA. The comparative study showed that India's governance framework has been found wanting when compared to the GDPR and the Budapest Convention in terms of independence of regulatory institutions, proportionality of surveillance powers and the enforceability of digital rights. The only way ahead is for the legislators to be ambitious enough to meet the challenge. An all-encompassing Cyber Law Code, developed through participatory multi-stakeholder consultations and designed to reflect the logic of every regulatory domain, with a constitutional underpinning of privacy, free expression, and equality protection, will put India in the right place to respond to the regulatory requirements of AI, quantum computing, and the next phase of digital transformation. The quality of India's cyber legal architecture goes hand in hand with the quality of democratic governance in the digital century.
REFERENCES
Bharatiya Nyaya Sanhita, 2023, No. 45, Acts of Parliament, 2023 (India).
Budapest Convention on Cybercrime, arts. 2-13, Nov. 23, 2001, E.T.S. No. 185.
Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2018).
Digital Services Act, Regulation (EU) 2022/2065, arts. 34-40, 2022 O.J. (L 277) 1.
General Data Protection Regulation, Regulation (EU) 2016/679, arts. 51-54, 2016 O.J. (L 119) 1.
Indian Computer Emergency Response Team (CERT-In), Annual Report 2022-23 (Ministry of Elecs. & Info. Tech. 2023) (India).
National Crime Records Bureau, Crime in India 2022, at ch. 17 (Ministry of Home Affairs 2023) (India).
Information Technology Act, 2000, §§ 65-74, No. 21, Acts of Parliament, 2000 (India).
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, rule 4(2), G.S.R. 139(E) (India).
K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
Ministry of Communications & Information Technology, National Cyber Security Policy 2013 (Dep’t of Elecs. & Info. Tech. 2013) (India).
Nasscom v. Ajay Sood, (2005) 119 DLT 596 (Del. H.C.) (India).
Shreya Singhal v. Union of India, (2015) 5 SCC 1.
State of Tamil Nadu v. Suhas Katti, Crl. Case No. 4680 of 2004.
UNCITRAL Model Law on Electronic Commerce, G.A. Res. 51/162, U.N. Doc. A/RES/51/162 (Jan. 12, 1996).













