Information Technology (Amendment) Act, 2008
BRIEF HISTORY
The Indian Information Technology Act 2000 (“Act”) was based on the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law[1]; the suggestion was that all States intending to enact a law for the said purpose give favourable consideration to the Model Law when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information. Thus the Act was enacted to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to traditional or paper-based methods of communication and storage of information, and to facilitate electronic filing of documents with Government agencies. It was also considered necessary to give effect to the said resolution and to promote efficient delivery of Government services by means of reliable electronic records. The Act received the assent of the President on the 9th of June, 2000.
The Act was subsequently and substantially amended in 2006 and again in 2008 citing the following objectives:
• With proliferation of information technology enabled services such as e-governance, e-commerce and e-transactions, protection of personal data and information and implementation of security practices and procedures relating to these applications of electronic communications have assumed greater importance and they require harmonization with the provisions of the Information Technology Act. Further, protection of Critical Information Infrastructure is pivotal to national security, economy, public health and safety, so it has become necessary to declare such infrastructure as a protected system so as to restrict its access.
• A rapid increase in the use of computer and internet has given rise to new forms of crimes like publishing sexually explicit materials in electronic form, video voyeurism and breach of confidentiality and leakage of data by intermediary, e-commerce frauds like personation commonly known as Phishing, identity theft and offensive messages through communication services. So, penal provisions are required to be included in the Information Technology Act, the Indian Penal Code, the Indian Evidence Act and the Code of Criminal Procedure to prevent such crimes.
• The United Nations Commission on International Trade Law (UNCITRAL) in the year 2001 adopted the Model Law on Electronic Signatures. The General Assembly of the United Nations by its resolution No. 56/80, dated 12th December, 2001, recommended that all States accord favorable consideration to the said Model Law on Electronic Signatures. Since the digital signatures are linked to a specific technology under the existing provisions of the Information Technology Act, it has become necessary to provide for alternate technology of electronic signatures for bringing harmonization with the said Model Law.
• The service providers may be authorized by the Central Government or the State Government to set up, maintain and upgrade the computerized facilities and also collect, retain appropriate service charges for providing such services at such scale as may be specified by the Central Government or the State Government.
EXTENT AND APPLICABILITY OF THE ACT
The Act extends to the whole of India, save as otherwise provided in this Act. It can also apply to any offence or contravention provided for in the Act, whether committed in India or outside India by any person, if the act or conduct constituting the offence involves a computer, computer system or computer network located in India.
The main provisions of the Act came into force on the 9th of June 2000. Certain provisions were given effect on later dates by issuing specific notifications in this regard.
The Act shall not apply to documents or transactions specified in the First Schedule. Every notification issued to amend the first schedule shall be laid before each House of Parliament. Presently, the First schedule contains the following entries:
1. A negotiable instrument (other than a cheque) as defined in the Negotiable Instruments Act, 1881.
2. Power of Attorney as defined in the Powers-of-Attorney Act, 1882.
3. A trust as defined in Indian Trusts Act, 1882.
4. A will as defined in Indian Succession Act, 1925 including any other testamentary disposition by whatever name called.
5. Any contract for sale or conveyance of immovable property or any interest in such property.
For this purpose every notification issued by the Central Government to add, amend or delete any item mentioned in the schedule must, as a prerequisite, be placed before both Houses of Parliament for their scrutiny and approval.
The provisions of the Act have an overriding effect, notwithstanding anything inconsistent therewith contained in any other law for the time being in force.
DEFINITIONS
In this Act, unless the context otherwise requires, —
a. "access" with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;
b. "addressee" means a person who is intended by the originator to receive the electronic record but does not include any intermediary;
c. "adjudicating officer" means an adjudicating officer appointed under subsection (1) of section 46;
d. "affixing electronic signature" with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of electronic signature;
e. "appropriate Government" means as respects any matter,—
i. Enumerated in List II of the Seventh Schedule to the Constitution;
ii. relating to any State law enacted under List III of the Seventh Schedule to the Constitution, the State Government and in any other case, the Central Government;
f. "asymmetric crypto system" means a system of a secure key pair consisting of a private key for creating an electronic signature and a public key to verify the electronic signature;
g. "Certifying Authority" means a person who has been granted a licence to issue an Electronic Signature Certificate under section 24;
h. "certification practice statement" means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Electronic Signature Certificates;
i. "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;
j. "Computer Network" means the interconnection of one or more Computers or Computer systems or Communication device through—
i. the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and
ii. terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained;
k. "computer resource" means computer, computer system, computer network, data, computer data base or software;
l. "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
m. "Controller" means the Controller of Certifying Authorities appointed under sub-section (l) of section 17;
n. "Cyber Appellate Tribunal" means the Cyber Appellate Tribunal established under sub-section (1) of section 48;
(na). “cyber café” means any facility from where access to the internet is offered by any person in the ordinary course of his business to the members of the public;
(nb). "Cyber Security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.
o. "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
p. "digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3;
q. "digital Signature Certificate" means a Digital Signature Certificate issued under subsection (4) of section 35;
r. "electronic form" with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;
s. "Electronic Gazette" means the Official Gazette published in the electronic form;
t. "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
(ta). "electronic signature" means authentication of any electronic record by a subscriber by means of an electronic technique specified in the Second schedule and includes a digital signature;
(tb). "Electronic Signature Certificate" means an Electronic Signature Certificate issued under section 35 and includes a Digital Signature Certificate.
u. "function", in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;
v. "information" includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;
w. "intermediary" with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service in respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes;
x. "key pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify an electronic signature created by the private key;
y. "law" includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;
z. "licence" means a licence granted to a Certifying Authority under section 24;
(za). "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;
(zb). "prescribed" means prescribed by rules made under this Act;
(zc). "private key" means the key of a key pair used to create an electronic signature;
(zd). "public key" means the key of a key pair used to verify an electronic signature and listed in the Electronic Signature Certificate;
(ze). "secure system" means computer hardware, software, and procedure that—
a. are reasonably secure from unauthorised access and misuse;
b. provide a reasonable level of reliability and correct operation;
c. are reasonably suited to performing the intended functions; and
d. adhere to generally accepted security procedures;
(zf). "security procedure" means the security procedure prescribed under section 16 by the Central Government;
(zg). "subscriber" means a person in whose name the Electronic Signature Certificate is issued;
(zh). "verify" in relation to an electronic signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether—
a. the initial electronic record was affixed with the electronic signature by the use of private key corresponding to the public key of the subscriber;
b. the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the electronic signature.
Any reference in the Act to any enactment or any provision thereof shall, in relation to an area in which such enactment or such provision is not in force, be construed as a reference to the corresponding law or the relevant provision of the corresponding law, if any, in force in that area.
SECTION 3 - AUTHENTICATION OF ELECTRONIC RECORDS BY USE OF DIGITAL SIGNATURE
AUTHENTICATION OF ELECTRONIC RECORDS
The Act provides that the authentication of the electronic record can be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
A "hash function" is an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as the "hash result", such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible—
a. to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
b. that two different electronic records can produce the same hash result using the algorithm.
The record can be accessed by the use of public key of the subscriber. The private key and the public key are unique to the subscriber and constitute a functioning key pair.
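The hash-then-sign scheme described in this section, and the two determinations that "verify" covers in definition (zh), as an added example that is not part of the Act or of the original page. It uses textbook RSA without padding and a constructed demo key built from two Mersenne primes (both assumptions made for illustration; real keys are randomly generated and real signatures use a standardized padding scheme), and all function names are hypothetical.

```python
import hashlib

# Constructed demo key material: two Mersenne primes. Their special form makes
# them unsuitable for real keys; they are used only so that the example runs
# with the standard library and needs no key-generation code.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537  # public exponent


def make_key_pair(p, q, e=E):
    """Return (private_key, public_key) forming one functioning key pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent (Python 3.8+ modular inverse)
    return {"n": n, "d": d}, {"n": n, "e": e}


def hash_result(record: bytes) -> int:
    """Hash function: the same electronic record always yields the same result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_signature(record: bytes, private_key) -> int:
    """Transform the record's hash result with the subscriber's private key."""
    return pow(hash_result(record), private_key["d"], private_key["n"])


def verify(record: bytes, signature: int, public_key) -> bool:
    """True only if (a) the signature was made with the private key matching
    public_key and (b) the record is unaltered since the signature was affixed."""
    if not 0 <= signature < public_key["n"]:
        return False
    recovered = pow(signature, public_key["e"], public_key["n"])
    return recovered == hash_result(record)


def demo():
    """Run the scheme on a constructed record and return each check's outcome."""
    private_key, public_key = make_key_pair(P, Q)
    record = b"Pay INR 1,000 to account 12345"    # constructed sample record
    altered = b"Pay INR 9,000 to account 12345"   # same record, one digit changed
    signature = affix_signature(record, private_key)
    return {
        "same_record_same_hash": hash_result(record) == hash_result(record),
        "altered_record_new_hash": hash_result(record) != hash_result(altered),
        "original_verifies": verify(record, signature, public_key),
        "altered_record_verifies": verify(altered, signature, public_key),
        "altered_signature_verifies": verify(record, signature ^ 1, public_key),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

A failed check does not say which of the two determinations failed: to the verifier, a signature made with a different private key and a record altered after signing look the same.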
SECTION 3A - AUTHENTICATION OF ELECTRONIC RECORDS BY USE OF ELECTRONIC SIGNATURE.
A subscriber can authenticate any electronic record by such an electronic signature or an electronic authentication technique which is considered reliable and may be specified in the schedules. For the electronic signature to be considered reliable:
a. The signature creation data or authentication data are, within the context they are used, linked to the signatory, or as the case may be, the authenticator and to no other person;
b. The signature creation data or authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
c. Any alteration to the electronic signature made after affixing such signature is detectable.
d. Any alteration to the information made after its authentication by electronic signature is detectable.
e. It fulfills other prescribed conditions.
The Central Government can prescribe the procedure for the purpose of ascertaining who has affixed the signature. The Central Government can also, by notification in the Official Gazette, add or omit any reliable electronic signature or electronic authentication technique or the procedure for affixing the same. The notification of such method or procedure is required to be placed before both houses of the Parliament.
ELECTRONIC GOVERNANCE & LEGAL RECOGNITION OF ELECTRONIC RECORDS & ELECTRONIC SIGNATURES
SECTION 4 - ELECTRONIC RECORDS
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is—
a. rendered or made available in an electronic form; and
b. accessible so as to be usable for a subsequent reference.
SECTION 5 - LEGAL RECOGNITION OF ELECTRONIC SIGNATURES
Where any law requires that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement will be deemed to have been satisfied, if such information or matter is authenticated by means of electronic signature affixed in such manner as prescribed by the Central Government.
SECTION 6 - FOUNDATION OF ELECTRONIC GOVERNANCE
Where any law provides for the filing of any form, application or any other document with any authority or agency owned or controlled by the appropriate Government in a particular manner, or provides for the issue or grant of any licence, permit, sanction or approval or the receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other law for the time being in force, such requirement is deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as prescribed by the appropriate Government. The appropriate Government is empowered to prescribe rules regarding the manner and the format in which such electronic records shall be filed, created or issued and the manner or method of payment of any fee for creating, filing or issuing such record.
SECTION 9 - NO RIGHT TO INSIST DOCUMENT TO BE IN ELECTRONIC FORM.
No person is conferred the right to insist that the Government or any body funded or controlled by it accept, issue, create, retain or preserve any document in the form of electronic records or effect any monetary transaction in the electronic form.
SECTION 7 - RETENTION OF RECORDS:
Where any law provides that documents, records or information be retained for a specific period, then the requirement will be said to have been met if the documents are retained in electronic format and if the information contained therein remains accessible so as to be usable for subsequent reference in the format it was originally created, generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received, including the details of the identification of the origin, destination, dispatch or receipt of such electronic record are available in the electronic record. These conditions however do not apply to electronic documents which are generated automatically, solely for the purpose of enabling an electronic record to be retention of documents, records or information in the form of electronic records.
SECTION 7A - AUDIT OF DOCUMENTS IN ELECTRONIC FORM:
Where the audit of documents, records or information is required to be conducted under any law, the same shall also be applicable for audit of documents, records or information processed and maintained in electronic form.
SECTION 8 - PUBLICATION OF RULE, REGULATION, ETC., IN ELECTRONIC GAZETTE:
Where any law provides that any rule, regulation, order, bye-law, notification or any other matter will be published in the Official Gazette, then, such requirement is deemed to have been satisfied if such rule, regulation, etc is published in the Official Gazette or Electronic Gazette and the date of publication in such an Electronic Gazette is deemed to be the date of the Gazette which was first published in any form.
SECTION 10 - POWER TO MAKE RULES BY CENTRAL GOVERNMENT IN RESPECT OF ELECTRONIC SIGNATURE:
The Central Government is empowered to prescribe the type of electronic signature, the manner and format in which the electronic signature will be affixed so as to facilitate the identification of the person affixing the electronic signature. The Government will also prescribe the control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and any other matter which is necessary to give legal effect to electronic signatures.
In case of a contract, where the contract formation, the communication of proposals, the acceptance or revocation of the proposals, as the case may be, are expressed in electronic form or by means of an electronic record, the enforceability of the record will not be denied solely on the grounds that such electronic form or means were used to contract.
SECTION 11 - ATTRIBUTION OF ELECTRONIC RECORDS.
An electronic record can be attributed to the originator if it can be demonstrated that it was sent by the originator himself, by a person authorised by the originator in respect of that electronic record, or by an information system programmed to operate automatically in this regard.
SECTION 12 - ACKNOWLEDGMENT OF RECEIPT
Where the originator (sender) and addressee (recipient) have not settled the manner and form in which the addressee is to acknowledge receipt of the electronic record, the addressee will acknowledge the receipt of the electronic record either by communicating such receipt, through automated or other means, or by way of conduct of the addressee sufficient to indicate to the originator that the electronic record has been received.
Where the originator has stipulated that the electronic record will be binding only on receipt of an acknowledgment of such electronic record by him, then in such a case, unless the addressee sends such an acknowledgment and the originator receives the same, it will be assumed that the electronic record was never sent.
Where the originator has not stipulated that the electronic record will be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within a reasonable time or an agreed period, then the originator can give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him. If an acknowledgment is not received within the aforesaid time limit he can, after giving notice to the addressee, treat the electronic record as though it has never been sent.
SECTION 13 - TIME AND PLACE OF DESPATCH AND RECEIPT OF ELECTRONIC RECORD
The Originator and the addressee can agree to the time and place of receipt of the electronic record. Generally, unless otherwise agreed to the contrary by the originator and the addressee, when an electronic record enters a computer resource outside the control of the originator or when it enters the computer resource of the addressee, it is deemed to have been dispatched.
If the addressee has designated a specific computer resource and the electronic record is sent to such a designated computer resource, then the time when the electronic record enters the designated computer resource is deemed to be the time of receipt. If instead of sending to the designated computer resource of the addressee, the originator sends to another computer resource, then receipt occurs at the time when the electronic record is retrieved by the addressee from such a computer resource. These rules apply even if the computer resource is located in a different place.
An electronic record is deemed to be dispatched at the place where the originator has his place of business, and is deemed to be received at the place where the addressee has his place of business, even if the computer resources are located at any other place.
The originator or the addressee may have more than one place of business; in such a case the principal place of business will be the place of business for the purpose of receipt and despatch. If the originator or the addressee does not have a place of business, his usual place of residence will be deemed to be the place of business. Where the addressee or the originator is a body corporate, such usual place will be the place where the body corporate is registered.
SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES
SECTION 14 - SECURE ELECTRONIC RECORD
Where any security procedure is applied to an electronic record, at a specific point of time, then from such point onwards up to the time of verification, the record is deemed to be a secure electronic record.
SECTION 15 - SECURE ELECTRONIC SIGNATURE
An electronic signature is unique to the subscriber. Once the signature is affixed to an electronic record it can be used to identify the subscriber. It is presumed to be under the exclusive control of the subscriber. The signature signifies the time when it is affixed to an electronic record and the manner in which the signature was created. If anyone tries to alter such a signed electronic record, then the signature gets invalidated. An electronic signature will be deemed to be secure if it can be proved that it was under the exclusive control of the signatory at the time of affixing and the signature data (private key) was stored and affixed in the specified manner.
SECTION 16 - SECURITY PROCEDURE
The Central Government is empowered to prescribe the security procedure and practices considering the commercial circumstances, nature of transactions and such other related factors.
REGULATION OF CERTIFYING AUTHORITIES
SECTION 17 - APPOINTMENT OF CONTROLLER AND OTHER OFFICERS
The Central Government is empowered to appoint a Controller of Certifying Authorities (“CCA”) and such number of Deputy Controllers and Assistant Controllers, other officers and employees. Such an appointment of the Controller, Deputy and Assistant Controllers is to be notified in the Official Gazette. The Controller discharges his functions under this Act subject to the general control and directions of the Central Government. The Deputy Controllers (“Dy CA”) and Assistant Controllers (“ACA”), other officers and employees in turn perform the functions assigned to them by the Controller under the general superintendence and control of the Controller. Such delegated functions are assigned by the CCA to the Dy CA and ACA in writing.
The Central Government can prescribe the requirements pertaining to the qualifications, experience and terms and conditions of service of the CCA, the Dy CA and the ACA, other officers and employees. Further, it can also require that the Head Office and Branch Office of the Controller be established at such places as specified by the Central Government. The Act provides that there will be a seal of the Office of the Controller.
SECTION 18 - FUNCTIONS OF CONTROLLER
The primary function of the CCA is to regulate the Certifying Authorities (“CA”). For the purpose of regulating the CAs, the CCA may perform all or any of the following functions, namely:—
• certifying public keys of the Certifying Authorities;
• laying down the standards to be maintained by the Certifying Authorities;
• specifying the qualifications and experience which employees of the Certifying Authorities should possess;
• specifying the conditions subject to which the Certifying Authorities shall conduct their business;
• specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key;
• specifying the form and content of a Digital Signature Certificate and the key;
• specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
• specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
• facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
• specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
• resolving any conflict of interests between the Certifying Authorities and the subscribers;
• laying down the duties of the Certifying Authorities;
• maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.
SECTION 19 - RECOGNITION OF FOREIGN CERTIFYING AUTHORITIES
The CCA, with the prior approval of the Central Government and subject to the conditions and restrictions specified in this regard by regulations, can, by notification in the Official Gazette, recognize any foreign CA as a CA for the purposes of this Act. Once a foreign CA is granted recognition by the CCA, an Electronic Signature Certificate (“ESC”) issued by such Certifying Authority will be valid for the purposes of this Act.
If the CCA is satisfied that a foreign CA which has been granted recognition has contravened any of the conditions or restrictions subject to which the recognition was granted, then the CCA can, after recording the reasons in writing, revoke such recognition by notification in the Official Gazette.
SECTION 21 - LICENCE TO ISSUE ELECTRONIC SIGNATURE CERTIFICATES
Any person can obtain a license to issue an ESC by making an application to the CCA. After receiving the application the CCA verifies whether or not such an applicant has satisfied the eligibility criteria, as specified by the Central Government in respect of qualification, expertise, manpower, financial resources and other infrastructure facilities. Once the eligibility of the applicant is ascertained, the CCA issues a license to the applicant. The licensee is thereafter subject to such terms and conditions as are provided for in the regulations issued in this regard. Any license granted under this section is valid for such period as can be provided for by the Central Government. It may be noted that such a license is not transferable or inheritable.
SECTION 22 - APPLICATION FOR LICENSE:
Every application is required to be in the prescribed form. Along with the application the applicant is also required to file:
• a certification practice statement;
• a statement including the procedures with respect to identification of the applicant;
• payment of such fees, not exceeding twenty-five thousand rupees (as prescribed by the Central Government);
• such other documents, as can be prescribed from time to time by the Central Government.
An application for renewal of a license is also required to be in the prescribed form accompanied by such fees, which cannot exceed five thousand rupees and has to be made at least forty-five days before the date of expiry of the period of validity of the existing license.
The CCA can, on receipt of an application, after considering the documents accompanying the application and such other factors, as the CCA deems fit, grant the license or reject the application. The applicant is granted a reasonable opportunity of presenting his case to the CCA before his application is rejected.
SECTION 25 - SUSPENSION OF LICENCE
If the CCA, after making an inquiry is satisfied that a CA has
• made an incorrect or false statement in his application for the issue or renewal of licence;
• failed to comply with the terms and conditions subject to which the licence was granted;
• has not maintained the standards required to be followed under this Act;
• contravened any provisions of this Act, rule, regulation or order made there under
then after giving a reasonable opportunity to show cause against the proposed revocation, revoke the license. In the alternative, pending such an inquiry, if the CCA is of the opinion that there exist circumstances for the revocation of the license of the CA, then the CCA can suspend the license till the completion of the inquiry. The period of suspension cannot however exceed a period of 10 days unless the CA has been given a reasonable opportunity of showing cause against the proposed suspension. The CA is barred from issuing any ESCs during his suspension period.
After making an inquiry into an allegation of default and after giving the defaulting CA a reasonable opportunity of being heard, if the CCA is satisfied that the license of the CA needs to be suspended or revoked, he can proceed against the CA and suspend or revoke his license. The notice of such an action of suspension or revocation, as the case may be, by the CCA is required to be published in the database and all the repositories maintained by the CCA. The CCA is also required to make such a notice of suspension or revocation of license available through a website which is accessible round the clock. If considered appropriate by the CCA, he may publicise the contents of the database in appropriate electronic or other media. The CCA can delegate or authorize the Dy. CA or the ACA to exercise any of its powers in respect of the regulation of Certifying Authorities.
ACCESS TO COMPUTERS AND DATA
Without prejudice to the provisions of sub-section (1) of section 69, the CCA or any person authorized by him can, if he has reasonable cause to suspect that the provisions related to regulation of CAs, or the rules or regulations made there under, are being contravened, search or access any computer system, any apparatus, data or any other material connected with such system to obtain any information or data contained in or available to such computer system. In doing so, he can direct any person in charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide such reasonable technical and other assistance as the investigating authority may consider necessary.
POWER TO INVESTIGATE CONTRAVENTIONS
The CCA or any officer authorised by him for this purpose can investigate into any contravention of the provisions of this Act, rules or regulations made thereunder. For the purpose of investigating the contraventions under this Act, the CCA or any authorized officer has the powers similar to the powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and the CCA can exercise such powers, subject to such limitations laid down under the Income-tax Act, 1961.
SECTION 30 - OBLIGATIONS OF THE CA
Every CA will, —
a. Make use of secure hardware, software and procedures to prevent intrusion and misuse;
b. Ensure a reasonable level of reliability in the services provided by it;
c. Adhere to security procedures to ensure that the secrecy and privacy of the electronic signatures are assured;
d. be the repository of all Electronic Signature Certificates issued under this Act;
e. publish information regarding its practices, Electronic Signature Certificates and current status of such certificates; and
f. Observe such other standards as may be specified by regulations;
g. Ensure that every person employed or otherwise engaged by it complies with the provisions of this Act, rules, regulations and orders made thereunder;
h. Display its licence at a conspicuous place of the premises in which it carries on its business;
i. surrender its licence, forthwith, to the CCA when the licence is suspended or revoked. Failure to do so will be deemed to be an offence, punishable with imprisonment which can extend up to six months or a fine which can extend up to ten thousand rupees or with both;
j. disclose in the manner specified by regulations—
i. its ESC;
ii. any certification practice statement;
iii. notice of the revocation or suspension of its CA certificate, if any; and
iv. any other fact that materially and adversely affects either the reliability of an ESC which that CA has issued, or the CA's ability to perform its services.
k. Where the CA is of the opinion that an event has occurred or a situation has arisen which can materially and adversely affect the integrity of its computer system or the conditions subject to which an ESC was granted, then the CA will—
a. Reasonably notify any person who is likely to be affected by that occurrence; or
b. act in accordance with the procedure specified in its certification practice statement to deal with such event or situation.
The CCA can, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette make regulations consistent with this Act and the rules made there under to carry out the purposes of this Act. In particular, and without prejudice to the generality of the foregoing power, such regulations can provide for all or any of the following matters, namely:
a. the particulars relating to maintenance of data-base containing the disclosure record of every Certifying Authority;
b. the conditions and restrictions subject to which the Controller can recognise any foreign Certifying Authority;
c. the terms and conditions subject to which a licence to issue a ESC can be granted;
d. other standards to be observed by a Certifying Authority;
e. the manner in which the Certifying Authority will disclose the information pertaining to ESC, the certification there to, the details of the suspension or revocation of any ESC etc;
f. the particulars of the statement which will accompany a Certification of practice of a CA applying for a licence to issue ESCs;
g. the manner in which the subscriber will communicate the compromise of private key to the Certifying Authority.
ELECTRONIC SIGNATURE CERTIFICATES
SECTION 35 - CERTIFYING AUTHORITY TO ISSUE ELECTRONIC SIGNATURE CERTIFICATE
Any person can make an application to the CA for the issue of an ESC. The application will be in the form prescribed by the Central Government. The application shall be accompanied by the prescribed fee, not exceeding twenty five thousand rupees, to be paid to the Certifying Authority. Different fees can be prescribed for different classes of applicants. In addition to the fees, the application is also required to be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be required by regulations.
The CA can consider such an application accompanied with the certification practice statement, and after making the necessary inquiry, as the CA deems fit, either grant the ESC or for reasons to be recorded in writing, reject the application. The application can be rejected only after giving the applicant a reasonable opportunity of being heard.
REPRESENTATIONS UPON ISSUANCE OF ELECTRONIC SIGNATURE CERTIFICATE
A CA, while issuing an ESC, will certify that—
a. it has complied with the provisions, rules and regulations of this Act;
b. it has published or made available the ESC to any person relying on it or to a subscriber who has accepted it;
c. the subscriber holds the private key corresponding to the public key listed in the ESC;
d. the subscriber holds a private key which is capable of creating a digital signature;
e. the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the subscriber;
f. the subscriber's public key and private key constitute a functioning key pair;
g. the information contained in the ESC is accurate; and
h. it has no knowledge of any material fact which, if it had been included in the Electronic Signature Certificate, would adversely affect the reliability of the representations made in clauses (a) to (d).
SUSPENSION OF ELECTRONIC SIGNATURE CERTIFICATE
Any ESC which is issued by a CA can be suspended by the CA on the occurrence of one of the following events:
a. on receipt of a specific request to that effect from the subscriber of an ESC or a person duly authorized by such a subscriber;
b. if the CA is of the opinion that it is in the interest of the public to do so.
The suspension of the ESC by the CA is required to be communicated to the subscriber. The CA cannot suspend the ESC for a period of more than 15 days without providing the subscriber a reasonable opportunity of being heard.
REVOCATION OF ELECTRONIC SIGNATURE CERTIFICATE
A CA can revoke an ESC issued by it on a specific request being made to it by the subscriber or a person duly authorized by him in this regard. The CA can also revoke the ESC upon the death of the subscriber, where the subscriber is an individual, or on dissolution, where the subscriber is a firm, or on the winding up, where the subscriber is a corporate entity.
An ESC can be revoked by the CA with immediate effect, after giving the subscriber a reasonable opportunity of being heard, if the CA is of the opinion that there has been a material misrepresentation or concealment of facts in the ESC; that a requirement which was a pre-requisite for the issue of the ESC has not been fulfilled; that the CA's private key or security system has been compromised in a manner materially affecting the ESC's reliability; or that the subscriber has been adjudged insolvent or has ceased to exist on account of death, dissolution, winding-up or any other circumstances. The revocation of an ESC by the CA has to be communicated to the subscriber.
Any suspension or revocation of ESCs is required to be published in the public repositories (one or more as the case may be) maintained by the CA.
DUTIES OF SUBSCRIBERS
Where a subscriber has accepted an Electronic Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Electronic Signature Certificate, the subscriber will generate the key pair by applying the security procedure. Further, the subscriber shall perform such duties as may be prescribed.
ACCEPTANCE OF ELECTRONIC SIGNATURE CERTIFICATE
A subscriber is deemed to have accepted an ESC if he publishes or authorizes the publication of an ESC to one or more persons in a repository, or otherwise demonstrates his approval of the ESC in any manner.
By accepting an ESC, the subscriber certifies to all who reasonably rely on the information contained in the ESC that the subscriber holds the private key corresponding to the public key listed in the ESC and is entitled to hold the same. Furthermore, all representations made by the subscriber to the CA and all material relevant to the information contained in the ESC are true to the best of his belief.
CONTROL OF PRIVATE KEY
Every subscriber is required to exercise reasonable care to retain control of his private key, which corresponds to the public key listed in his ESC and take all steps to prevent its disclosure to a person not authorized to affix the electronic signature of the subscriber.
If the private key is compromised, the subscriber will communicate the same forthwith to the CA in the specified manner. The subscriber is liable for all events occurring as a result of the compromise of the private key, from the time of the compromise up to the time he has informed the CA of the private key being compromised.
PENALTIES, COMPENSATION AND ADJUDICATION
The Information Technology Amendment Act 2008 has introduced a host of offences and prescribed penalties for these offences.
SECTION 43 - PENALTY FOR DAMAGE TO COMPUTER, COMPUTER SYSTEM, ETC
If any person without permission (or the knowledge) of the owner or any other person who is in-charge of a computer, computer system or computer network, —
a. accesses or secures access to such computer, computer system or computer network;
b. downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
c. introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
d. damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
e. disrupts or causes disruption of any computer, computer system or computer network;
f. denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
g. provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
h. charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
i. destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
j. steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
he can be made liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
Explanation.— For these purposes,—
i. "computer contaminant" means any set of computer instructions that are designed—
a. to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
b. by any means to usurp the normal operation of the computer, computer system, or computer network;
ii. "computer data base" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;
iii. "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;
iv. "damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means;
v. "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.
SECTION 43A - COMPENSATION FOR FAILURE TO PROTECT DATA
When a body corporate that possesses, handles or deals in sensitive personal data or information in a computer resource that it owns, controls or operates is found negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or gain to any person, the body corporate will be held liable to pay damages as compensation, of a sum not exceeding Rs 5 Crores, to the person so affected.
For this purpose, "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
“Reasonable security practices and procedures” would include such practices and procedures which are designed to protect information from unauthorized access, damage, misuse, modification, disclosure etc, as may be agreed to between the parties or as determined by law in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
"Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Note: Refer to Notification G.S.R. 313(E), dated 11th April 2011, for the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, notified by the Central Government.
PENALTY FOR FAILURE TO FURNISH INFORMATION RETURN, ETC
Any person who, under this Act or any rules or regulations made there under,—
a. is required by the CCA or CA to furnish any document, return or report and fails to do so, will be liable to a penalty not exceeding Rs 1,50,000/- for each such failure;
b. is required to file any return or furnish any information, books or other documents within the time specified by the regulations and fails to do so within the time specified, will be liable to a penalty not exceeding Rs 5000/- per day of such continuing default;
c. fails to maintain books of accounts or records as required, will be liable to a penalty not exceeding Rs 10,000/- per day of such continuing default.
PUNISHMENT FOR DISCLOSURE OF INFORMATION IN BREACH OF LAWFUL CONTRACT
Unless otherwise provided under this act or under any other act, any person, including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.
COMPENSATION, PENALTIES OR CONFISCATION NOT TO INTERFERE WITH OTHER PUNISHMENT
A penalty imposed or compensation awarded or confiscation under the Act, will not result in avoidance of an award of compensation or imposition of any penalty or punishment under any other law.
RESIDUARY PENALTY
Whoever contravenes any rules or regulations made under this Act, and no penalty has been separately provided for such contravention, will be liable to pay a compensation not exceeding Rs 25,000/- to the person affected by such contravention or a penalty of equal amount.
A penalty imposed under this Act, if it is not paid, can be recovered as an arrear of land revenue and the license or the ESC, as the case may be, can be suspended till the penalty is paid.
COMPOUNDING OF OFFENCES
Notwithstanding anything contained in Code of Criminal Procedure, an offence pertaining to
• Hacking with a computer system
• Transmission of obscene material / content
• Breach of confidentiality and privacy
• Misutilization of personal information
can be compounded under section 77A of the Act. However the benefit of compounding will not be available to a person who has been previously convicted for the same or similar offence or who is liable to enhanced punishment.
No court can take cognizance of any of the above-mentioned offences unless the person aggrieved by the offence lodges a complaint. Only an officer of the rank of a Deputy Superintendent of Police can investigate cognizable offences under this Act. When an officer in charge of a police station is given information pertaining to a non-cognizable offence, he is required to record such information in such records as are prescribed by the State Government. The Officer who receives such information can exercise the same power of investigation (except the power to arrest without warrant) as an Officer in charge of a police station would have under section 156 of the Code of Criminal Procedure.
SECTION 46 - POWER TO ADJUDICATE
Sec 46 confers the power to adjudicate contravention under the Act to an officer not below the rank of Director to Government of India or equivalent officer of state.
Such appointment shall be made by the Central Government. The person so appointed shall have adequate experience in the field of Information Technology and such legal and judicial experience as may be prescribed by the Central Government.
The adjudicating officer shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed rupees five crores.
In respect of claim for injury or damage exceeding rupees five crores, jurisdiction shall vest with the competent court.
For the purpose of holding an inquiry and for the purposes of adjudication, the Officer will have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under sub-section (2) of section 58. All the proceedings held before the Adjudicating Officer will be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code, and for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973, the Adjudicating Officer will be deemed to be a civil court.
The Officer, for the purpose of holding an inquiry as prescribed by the Central Government, is required to give the person accused of the contravention a reasonable opportunity for making representation in the matter. If, after giving such an opportunity, the Officer is of the opinion that such person has, as alleged, contravened the provisions of the Act or any rules, regulations and directions there under, he can impose such penalty or award such compensation as he thinks fit in accordance with the provisions.
Sec 47 provides that for the purpose of imposing penalty or for awarding compensation the Officer will take into consideration the following:
a. the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
b. the amount of loss caused to any person as a result of the default;
c. the repetitive nature of the default
THE CYBER APPELLATE TRIBUNAL
ESTABLISHMENT & COMPOSITION OF CYBER APPELLATE TRIBUNAL
The Central Government, by notification, can establish one or more appellate tribunals to be known as the Cyber Appellate Tribunal (“tribunal”). Such notification will also specify the matters and places in relation to which the Cyber Appellate Tribunal can exercise jurisdiction.
CONSTITUTION & THE JURISDICTION OF A BENCH
The Central Government, in consultation with the Chief Justice of India, selects the Chairperson and other members. The Cyber Appellate Tribunal is made up of a Chairperson and such number of Members as the Central Government deems fit. The Chairperson and one or two Members shall constitute a Bench of the Tribunal. The Tribunal exercises its jurisdiction and all its powers and authority through such a Bench. The Central Government has mandated that the Bench of the Tribunal will sit in New Delhi and at such places which the Central Government, in consultation with the Chairperson, may resolve. Once having resolved where the Bench will be situated, the Central Government demarcates the areas where the Bench will exercise its jurisdiction and notifies such resolution in the Official Gazette. The Chairperson of the Tribunal can transfer the Member(s) from one Bench to another.
Where the circumstances so merit, at any time before or in the course of a case or a matter, if the Chairperson or the Member of the Tribunal are of the view that the nature of the case or matter is such that it ought to be heard by a Bench consisting of more Members, the case can be transferred by the Chairperson to such a Bench as the Chairperson deems fit.
QUALIFICATION OF THE CHAIRPERSON & THE MEMBERS OF THE TRIBUNAL
The Information Technology Amendment Act 2006 and the Information Technology Amendment Act 2008 have introduced a slew of changes in the manner of appointment of the Chairperson and the Members (Judicial as well as non Judicial) of the Cyber Appellate Tribunal. The changes include the basic eligibility criteria, the manner in which the salary and other emoluments will be given/ announced, the requirement of independence and retirement from earlier service.
Only a person who is, or has been, or is qualified to be, a Judge of a High Court is qualified to be selected as the Chairperson of the Tribunal. The Members of the Tribunal, barring the Judicial Member, will be appointed by the Central Government. Such a Member shall be selected from amongst persons who possess special knowledge and professional experience in the field of Information Technology, Telecommunication, Industry, Management and Consumer Affairs. The Government can only select the Members from the cadre of Central or State Government employees holding the position of Additional Secretary for a period not less than 2 years, or a Joint Secretary to the Government of India or an equivalent position with either the Central or the State Government for a period not less than 7 years.
Only a person who is a member of the Indian Legal Service and has held the position of an Additional Secretary for a period of one year or a Grade I post of the Legal Service for a period not less than 5 years is qualified to be selected as a Judicial Member of the Tribunal.
Before the appointment of the Chairperson and the Members of the Tribunal, the Central Government satisfies itself that the candidate is an independent person and a person of integrity who has no interest, financial or otherwise, that may prejudicially influence the discharge of his functions as Chairperson or as a Member of the Cyber Appellate Tribunal. On his selection, either as a Member or Chairperson of the Tribunal, the candidate (officer of the Central / State Government) is required to retire from his service before he is allowed to join as the Member / Chairperson of the Cyber Appellate Tribunal.
TENURE OF THE CHAIRPERSON & THE MEMBERS OF THE TRIBUNAL
The Chairperson and the Members hold office for a term of five years from the date of entering office or until they attain the age of sixty five years, whichever occurs earlier. During the tenure, the Chairperson and the Members will be entitled to such salary, allowances and other benefits like gratuity, pension, etc. as may be prescribed.
FUNCTIONING OF THE BENCH
The Chairperson has the power of general supervision and administration of the conduct of affairs of the Bench. In addition to presiding over the meetings of the Tribunal, the Chairperson exercises and discharges such functions and powers as are prescribed in this regard.
The Chairperson distributes the business to a Bench of the Tribunal and directs the manner in which each matter will be dealt with. The Chairperson can also, on receipt of an application in this regard from any of the parties and after giving a notice to such parties and giving them a hearing as he deems proper, or suo motu without such a notice, transfer the matter from one Bench to another for its disposal.
If the Members of a Bench (consisting of 2 Members) differ in opinion on any point, they are required to state the point(s) that they differ on and refer the matter to the Chairperson. The Chairperson will then proceed to hear the point(s) / matter and then decide on the same on the basis of the majority view of the Members who have heard the case, including those Members who have heard the case first.
FILLING UP OF VACANCIES, RESIGNATION OR REMOVAL OF A CHAIRPERSON
Once the Chairperson has been appointed neither the salary and allowances nor the other terms and conditions of his service can be varied to his disadvantage. If, for reason other than temporary absence, any vacancy occurs in the office of the Chairperson of a Cyber Appellate Tribunal, then the Central Government is to appoint another person in accordance with the provisions of this Act to fill the said vacancy and the proceedings can be continued before the Cyber Appellate Tribunal from the stage at which the vacancy is filled.
The Chairperson of a Cyber Appellate Tribunal can resign his office by notice in writing, under his hand, addressed to the Central Government. Unless a shorter period of relinquishment is permitted by the Central Government, the Chairperson can continue to hold office until the expiry of three months from the date of receipt of such notice, or until a person duly appointed as his successor enters upon his office, or until the expiry of his term of office, whichever is the earliest.
The Central Government can remove the Chairperson from his office only by way of an order in writing on the grounds of proved misbehavior or incapacity after an inquiry. Such an inquiry can be made only by a Judge of the Supreme Court, and the Chairperson concerned has to be informed of the charges against him. The Chairperson has to be given a reasonable opportunity of being heard in respect of these charges. The Central Government can, by rules, regulate the procedure for the investigation of misbehavior or incapacity of the aforesaid Chairperson.
No order of the Central Government appointing any person as the Chairperson or Member of a Cyber Appellate Tribunal shall be called in question in any manner, and no act or proceeding before a Cyber Appellate Tribunal shall be called in question in any manner on the ground merely of any defect in the constitution of a Cyber Appellate Tribunal.
STAFF OF THE CYBER APPELLATE TRIBUNAL
The Central Government shall provide the Cyber Appellate Tribunal with such officers and employees as required. The officers and employees of the Cyber Appellate Tribunal shall discharge their functions under general superintendence of the Presiding Officer. The salaries and allowances and other conditions of service of the officers and employees of the Cyber Appellate Tribunal shall be such as may be prescribed by the Central Government.
The Chairperson, Members and other officers and employees of a Cyber Appellate Tribunal, the Controller, the Deputy Controller and the Assistant Controllers shall be deemed to be Public Servants within the meaning of section 21 of the Indian Penal Code.
APPEAL TO CYBER APPELLATE TRIBUNAL
Any person aggrieved by an order made by Controller or an adjudicating officer under this Act can prefer an appeal to a Cyber Appellate Tribunal having jurisdiction in the matter. However no appeal shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties. The appeal can be filed by the aggrieved person within a period of 45 days from the date of receipt of order in the prescribed form and accompanied by prescribed fee. The Cyber Appellate Tribunal can entertain an appeal after the expiry of the said period of 45 days if it is satisfied that there was sufficient cause for not filing it within the prescribed period. The provisions of the Limitation Act, 1963, will, as far as can be, apply to an appeal made to the Cyber Appellate Tribunal.
The appeal filed before the Cyber Appellate Tribunal is to be dealt with by it as expeditiously as possible and an endeavor will be made by the Cyber Appellate Tribunal to dispose of the appeal finally within six months from the date of receipt of the appeal. The appellant can either appear in person or through an authorized representative (one or more legal practitioners) or any of its officers, to present his or its case before the Cyber Appellate Tribunal.
The Cyber Appellate Tribunal can, after giving the parties to the appeal an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against. The Cyber Appellate Tribunal will send a copy of every order made by it to the parties to the appeal and to the concerned Controller or adjudicating officer.
SECTION 58 - PROCEDURE AND POWERS OF THE CYBER APPELLATE TRIBUNAL
The Cyber Appellate Tribunal is not bound by the procedure laid down by the Code of Civil Procedure, 1908, but is guided by the principles of natural justice and, subject to the other provisions of this Act and of any rules, the Cyber Appellate Tribunal has the power to regulate its own procedure, including the place at which it shall have its sittings. For the purposes of discharging its functions under this Act, the Cyber Appellate Tribunal has the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely:—
a. summoning and enforcing the attendance of any person and examining him on oath;
b. requiring the discovery and production of documents or other electronic records;
c. receiving evidence on affidavits;
d. issuing commissions for the examination of witnesses or documents;
e. reviewing its decisions;
f. dismissing an application for default or deciding it ex parte;
g. any other matter which may be prescribed.
Every proceeding before the Cyber Appellate Tribunal is deemed to be a judicial proceeding within the meaning of sections 193 and 228, and for the purposes of section 196 of the Indian Penal Code and the Cyber Appellate Tribunal is deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973. No Civil Court has the jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered, by or under this Act, to determine and no injunction will be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.
SECTION 62 - APPEAL TO HIGH COURT
Any person aggrieved by any decision or order of the Cyber Appellate Tribunal can file an appeal to the High Court within sixty days from the date of receipt of the order of the Cyber Appellate Tribunal, on any question of fact or law arising out of such order. The High Court can condone a delay in filing the appeal: if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, it can allow the appeal to be filed within a further period not exceeding sixty days.
SECTION 63 - COMPOUNDING OF CONTRAVENTIONS
At any time, before or after the institution of adjudication proceedings, the CCA or an Officer specially authorized in this regard or the Adjudicating Officer can compound contraventions under the Act. The compounded amount, however, cannot in any case exceed the maximum penalty imposable for the contravention under this Act. Where any contravention has been compounded, no proceeding or further proceeding, as the case may be, can be taken for the compounded offence. Once a contravention has been compounded, the same person cannot seek relief of compounding for the same or similar contraventions committed within a period of 3 years from the date of compounding.
OFFENCES
The Act specifies the following as offences: tampering with computer source documents; hacking a computer system; publishing information which is obscene in electronic form; failure of a CA or its employees to follow the directions/orders of the CCA; failure to comply with directions of the Controller to a subscriber to extend facilities to decrypt information; accessing a protected system without proper authorization; material misrepresentation; publishing an Electronic Signature Certificate false in certain particulars; publication for fraudulent purpose; sending of grossly offensive information, false information, etc.
The various offences and corresponding punishments are summarized and tabulated below with detailed explanation in the following paragraphs.
| Section | Contents | Imprisonment up to | Fine up to |
| --- | --- | --- | --- |
| 65 | Tampering with computer source code documents | 3 years or/and | 200,000 |
| 66 | Hacking with computer system dishonestly or fraudulently | 3 years or/and | 500,000 |
| 66B | Receiving stolen computer resource | 3 years or/and | 100,000 |
| 66C | Identity theft - fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person | 3 years and | 100,000 |
| 66D | Cheating by personation by using computer resource | 3 years and | 100,000 |
| 66E | Violation of privacy | 3 years or/and | 200,000 |
| 66F | Whoever, (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by (1) denial of access, (2) attempting to penetrate computer resource, (3) computer contaminant; (B) knowingly or intentionally penetrates and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations, or likely to cause injury to the interests of the sovereignty and integrity of India | Imprisonment for life | |
| 67 | Publish or transmit obscene material in elec. form - 1st time | 3 years and | 500,000 |
| 67 | Subsequent | 5 years and | 10,00,000 |
| 67A | Publishing or transmitting material containing sexually explicit act - 1st time | 5 years and | 10,00,000 |
| 67A | Subsequent | 7 years and | 10,00,000 |
| 67B | Publishing or transmitting material containing children in sexually explicit act - 1st time | 5 years and | 10,00,000 |
| 67B | Subsequent | 7 years and | 10,00,000 |
| 67C | Contravention of retention or preservation of information by intermediaries | 3 years and | Not defined |
| 68 | Controller’s directions to Certifying Authorities or any employees - failure to comply knowingly or intentionally | 2 years or/and | 100,000 |
| 69 | Failure to comply with directions for intercepting, monitoring or decryption of any info transmitted through any computer system/network | 7 years and | Not defined |
| 69A | Failure to comply with directions for blocking for public access of any information through any computer resource | 7 years and | Not defined |
| 69B | Failure to comply with directions to monitor and collect traffic data | 3 years and | Not defined |
| 70 | Protected system. Any unauthorised access to such system | 10 years and | Not defined |
| 70B (7) | Failure to provide information called for by the *I.C.E.R.T or comply with directions | 1 year or | 1,00,000 |
| 71 | Penalty for misrepresentation or suppressing any material fact | 2 years or/and | 100,000 |
| 72 | Penalty for breach of confidentiality and privacy of el. records, books, info., etc. without consent of person to whom they belong | 2 years or/and | 100,000 |
| 72A | Punishment for disclosure of information in breach of lawful contract | 3 years or/and | 500,000 |
| 73 | Penalty for publishing false Digital Signature Certificate | 2 years or/and | 100,000 |
| 74 | Fraudulent publication | 2 years or/and | 100,000 |
| 75 | Act also to apply for offences or contravention committed outside India if the act or conduct constituting the offence involves a computer, computer system or computer network located in India | | |
| 76 | Confiscation of any computer, computer system, floppies, CDs, tape drives or other accessories related thereto in contravention of any provisions of the Act, Rules, Regulations or Orders made | | |
| 77 | Penalty and confiscation shall not interfere with other punishments provided under any law | | |
| 78 | Power to investigate offences by police officer not below rank of Dy. Superintendent of Police | | |
*I.C.E.R.T - Indian Computer Emergency Response Team to serve as national agency for incident response – Functions in the area of Cyber Security,-
a. collection, analysis and dissemination of information on cyber incidents
b. forecast and alerts of cyber security incidents
c. emergency measures for handling cyber security incidents
d. coordination of cyber incidents response activities
e. issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
f. such other functions relating to cyber security as may be prescribed.
TAMPERING WITH COMPUTER SOURCE DOCUMENTS
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, can be punished with imprisonment up to three years, or with fine which can extend up to two lakh rupees, or with both. "Computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.
UNAUTHORIZED ACCESS TO A COMPUTER SYSTEM
If any person dishonestly or fraudulently does any act which results in damage to a computer or a computer system, or secures unauthorized access to a secure computer system, or downloads or copies data etc. (acts described under section 43 of the Act), then he can be punished with a prison term which can extend up to two years or with a fine which can extend up to five lakh rupees or both. Here the Act refers to the Indian Penal Code for interpreting the meaning of the words “dishonestly” and “fraudulently”.
PUNISHMENT FOR SENDING OFFENSIVE MESSAGES THROUGH COMMUNICATION SERVICE
Any person who sends, by means of a computer resource or a communication device, any information that is grossly offensive or has menacing character; or which he knows to be false, or sends any electronic mail or message so as to mislead the addressee about the origin of such message but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device, shall be punishable with imprisonment for a term which may extend to three years and with fine. Explanation: For the purposes of this section, the terms "Electronic mail" and "Electronic Mail Message" mean a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.
PUNISHMENT FOR DISHONESTLY RECEIVING STOLEN COMPUTER RESOURCE OR COMMUNICATION DEVICE
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen shall be punished with imprisonment for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.
PUNISHMENT FOR IDENTITY THEFT
Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
PUNISHMENT FOR CHEATING BY PERSONATION BY USING COMPUTER RESOURCE
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
PUNISHMENT FOR VIOLATION OF PRIVACY
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
“Transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
“Capture”, with respect to an image, means to videotape, photograph, film or record by any means;
“Private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
“Publishes” means reproduction in the printed or electronic form and making it available for public;
“Under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that he or she could disrobe in privacy, without being concerned that an image of his or her private area was being captured, or that any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.
PUNISHMENT FOR CYBER TERRORISM
A person commits the offence of cyber terrorism if that person:
A. with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people, by
• denying or causing the denial of access to any person authorized to access a computer resource, or
• attempting to penetrate or access a computer resource without authorisation or exceeding authorized access, or
• introducing or causing to be introduced any Computer Contaminant,
and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property, or disrupts or knows that it is likely to cause damage or disruption of supplies or services essential to the life of the community, or adversely affects the critical information infrastructure specified under section 70; or
B. knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or is likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise.
Any person who commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.
PUNISHMENT FOR PUBLISHING OR TRANSMITTING OBSCENE MATERIAL IN ELECTRONIC FORM
Any person who publishes or transmits or causes to be published in the electronic form any material which is lascivious or appeals to the prurient interest, or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees, and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.
PUNISHMENT FOR PUBLISHING OR TRANSMITTING OF MATERIAL CONTAINING SEXUALLY EXPLICIT ACT, ETC. IN ELECTRONIC FORM
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.
PUNISHMENT FOR PUBLISHING OR TRANSMITTING OF MATERIAL DEPICTING CHILDREN IN SEXUALLY EXPLICIT ACT, ETC. IN ELECTRONIC FORM
Whoever publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct, or creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner, or cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource, or facilitates abusing children online, or records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees, and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.
The above three provisions shall not be applicable to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern, or which is kept or used for bona fide heritage or religious purposes.
"Children" means a person who has not completed the age of 18 years.
PRESERVATION AND RETENTION OF INFORMATION BY INTERMEDIARIES
An intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe, and any intermediary who intentionally or knowingly abstains from doing the same shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine.
POWER OF CONTROLLER TO GIVE DIRECTIONS
The CCA can direct a CA or the employees of such a CA to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made there under. Any person intentionally or knowingly failing to comply with such an order will have committed an offence and will be liable on conviction to imprisonment for a term not exceeding two years or to a fine not exceeding one lakh rupees or to both.
POWERS TO ISSUE DIRECTIONS FOR INTERCEPTION OR MONITORING OR DECRYPTION OF OR BLOCKING OF ANY INFORMATION THROUGH ANY COMPUTER RESOURCE
The Central Government or a State Government, or any of its officers specially authorized by the Central Government or the State Government, as the case may be, in this behalf, if satisfied that it is necessary or expedient to do so
• in the interest of the sovereignty or integrity of India,
• defense of India,
• security of the State,
• friendly relations with foreign States
• public order
• for preventing incitement to the commission of any cognizable offence relating to above
• for investigation of any offence,
after recording the reasons thereof in writing, can warrant or direct or order any agency of the Government to intercept or monitor or decrypt or block any information transmitted through a computer resource. The Government is required to specify safeguards, subject to which the interception or monitoring or decryption is to be done. Any person, be it a subscriber or an intermediary or any other person who is in charge of the computer resource, is bound to extend all possible cooperation, technical assistance and facility as may be required by the authorities to access or to secure access to the computer resource containing, generating, transmitting, receiving or storing such information; to intercept or monitor or decrypt or block the information, as the case may be; or to provide information stored in the computer resource. Failure to do so is punishable with imprisonment for a term which can extend to seven years, and the person is also liable to fine.
POWER TO AUTHORIZE TO MONITOR AND COLLECT TRAFFIC DATA OR INFORMATION THROUGH ANY COMPUTER RESOURCE FOR CYBER SECURITY
The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the Official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. The intermediary or any person in charge of the computer resource shall, when called upon by such agency, provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information. The Government shall prescribe procedure and safeguards for monitoring and collecting traffic data or information.
Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine.
"Computer Contaminant" shall have the meaning assigned to it in section 43.
"Traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.
PROTECTED SYSTEM
The Government has notified certain computer resources as Critical Information Infrastructure to be a protected system. Critical Information Infrastructure refers to computer systems or resources the destruction or incapacitation of which would result in a debilitating impact on the national security, economy, public health or safety. The appropriate Government can, by notification in the Official Gazette, declare any computer, computer system or computer network which directly or indirectly affects the facility of a Critical Information Infrastructure to be a protected system, and authorize the persons who may access protected systems. In this regard the Government can prescribe specific information security practices and procedures. Any person who secures unauthorized access or attempts to secure unauthorized access to a protected system can be punished with imprisonment of either description for a term which can extend to ten years and can also be liable to fine.
CREATION OF NATIONAL NODAL AGENCY
The Central Government has the power, through notification, to designate any organization of the Government as the national nodal agency for Critical Information Infrastructure Protection. Such agency shall be responsible for all measures, including Research and Development, relating to protection of Critical Information Infrastructure.
INDIAN COMPUTER EMERGENCY RESPONSE TEAM TO SERVE AS NATIONAL AGENCY FOR INCIDENT RESPONSE
The Central Government has the powers through notification to appoint an agency of the government to be called the Indian Computer Emergency Response Team. The Central Government shall provide such agency with a Director General and such other officers and employees as may be prescribed. The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security,-
a. collection, analysis and dissemination of information on cyber incidents
b. forecast and alerts of cyber security incidents
c. emergency measures for handling cyber security incidents
d. Co-ordination of cyber incidents response activities
e. issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
f. such other functions relating to cyber security as may be prescribed
For carrying out the above functions, the agency may call for information and give direction to the service providers, intermediaries, data centers, body corporate and any other person. Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with such direction shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.
PENALTY FOR MISREPRESENTATION
Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or ESC, as the case may be, can be punished with imprisonment for a term which can extend to two years, or with fine which can extend to one lakh rupees, or with both.
PENALTY FOR BREACH OF CONFIDENTIALITY AND PRIVACY
No person can publish an Electronic Signature Certificate or otherwise make it available to any other person with the knowledge that the CA listed in the certificate has not issued it, or the subscriber listed in the certificate has not accepted it, or the certificate has been revoked or suspended, unless such publication is in the course of verifying an electronic signature created prior to such suspension or revocation. Such a contravention can be punished with imprisonment for a term which can extend to two years, or with fine which can extend to one lakh rupees, or with both.
PENALTY FOR PUBLISHING ELECTRONIC SIGNATURE CERTIFICATE FALSE IN CERTAIN PARTICULARS
Whoever knowingly creates, publishes or otherwise makes available an ESC for any fraudulent or unlawful purpose can be punished with imprisonment for a term which can extend to two years, or with fine which can extend to one lakh rupees, or with both.
ACT TO APPLY FOR OFFENCE OR CONTRAVENTION COMMITTED OUTSIDE INDIA
The Act gives extra territorial jurisdiction in cases where the offence or contraventions are committed from outside India, by any person irrespective of his nationality. The provisions of this Act will apply also to any offence or contravention committed outside India by any person irrespective of his nationality if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. No penalty imposed or confiscation made under this Act can prevent the imposition of any other punishment to which the person affected thereby is liable under any other law for the time being in force.
CONFISCATION
Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, will be liable to confiscation. Provided that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made thereunder, the court can, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening the provisions of this Act, rules, orders or regulations made thereunder as it may think fit.
INTERMEDIARIES NOT LIABLE IN CERTAIN CASES
Unless otherwise specifically provided to the contrary, an intermediary will not be liable for any third party information, data or communication link made by him. This exemption is available only if:
• The intermediary’s role is limited to providing access to a communication system over which third parties transmit information or temporarily store the same.
• The intermediary does not
1. Initiate the transmission
2. Select the receiver of transmission or,
3. Modify the information contained in the transmission.
The exemption would, however, stand withdrawn if the intermediary conspires in or abets the commission of an unlawful act, or if, after having received information from the government that any information, data or communication link residing in or connected with computer resources controlled by the intermediary is being used to commit unlawful acts, the intermediary fails to act expeditiously in removing or disabling access to such link or resource.
EXAMINER OF ELECTRONIC EVIDENCE
For the purpose of providing an expert opinion on electronic form evidence before any Court or other statutory body, the Central Government can specify, by notification in the Official Gazette, any department or body or agency of the Central Government as an examiner of electronic evidence. Here, electronic form evidence means any information of probative value which is stored and transmitted in electronic form. It includes computer evidence, digital audio and digital video, cell phones, fax machines etc.
PROTECTION OF ACTION TAKEN IN GOOD FAITH
No suit, prosecution or other legal proceeding will lie against the Central Government, the State Government, the Controller or any person acting on behalf of him, the Chairperson, Members, officers and the staff of the Cyber Appellate Tribunal for anything which is in good faith done or intended to be done in pursuance of this Act or any rule, regulation or order made there under.
ENCRYPTION METHODS
The Central Government can prescribe the modes and methods for encryption for the purposes of secure use of electronic medium and for promotion of e-governance and e-commerce.
PUNISHMENT FOR ABETMENT OF OFFENCES
When a person abets any offence and the act being abetted is committed in consequence of the abetment, such a person can be made liable for the same offence and penal consequences awarded as a result, even though abetment, by itself, cannot be an offence. An act or offence is said to be committed in consequence of abetment when it is committed as a consequence of the instigation or a conspiracy. Where a person attempts to commit an offence punishable by this Act, or causes such an offence to be committed, any act done during the course of such an attempt is also an offence, punishable with imprisonment which would extend to one-half of the longest term of imprisonment imposable, or a fine, or both.
PUNISHMENT FOR ATTEMPT TO COMMIT OFFENCES
Any person who attempts to commit an offence punishable by this Act shall be punished with imprisonment for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence, or with both.
OFFENCES BY COMPANIES
Where a contravention of any of the provisions of this Act or of any rule, direction or order made under this Act is committed by a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company, as well as the company, will be guilty of the contravention and will be liable to be proceeded against and punished accordingly. Any such person will be absolved of the allegation of the contravention or of committing the offence if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.
Where it is proved that the contravention of any of the provisions of this Act or of any rule, direction or order has been committed by a company with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer will also be deemed to be guilty of the contravention and will be liable to be proceeded against and punished accordingly. Here "company" means any body corporate and includes a firm or other association of individuals; and "director", in relation to a firm, means a partner in the firm.
REMOVAL OF DIFFICULTIES
If any difficulty arises in giving effect to the provisions of this Act, the Central Government can, by order published in the Official Gazette, make such order/direction as it deems necessary or expedient to remove such difficulties in the provisions of this Act. However, no order for removal of difficulties can be made after the expiry of a period of two years from the commencement of this Act. Every order made for the removal of difficulties will be laid, as soon as may be after it is made, before each House of Parliament.
POWER OF CENTRAL GOVERNMENT TO MAKE RULES
The Central Government can, by notification in the Official Gazette and in the Electronic Gazette make rules to carry out the provisions of this Act. In particular, and without prejudice to the generality of the foregoing power, the rules can provide for all or any of the following matters, namely:—
a. the conditions for considering the reliability of electronic signature or authentication technique;
b. the procedure for ascertaining electronic signature or authentication;
c. the manner in which any information or matter can be authenticated by the means of an electronic signature;
d. the electronic form in which filing, issue, grant or payment will be effected;
e. the manner and format in which electronic records will be filed, or issued and the method of payment;
f. the manner in which the appropriate service provider can collect, retain and appropriate service charges;
g. the matters relating to the type of electronic signature, manner and format in which it can be affixed;
h. the manner of storing and affixing electronic signature;
i. the qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers;
j. the security procedures and practices to be followed;
k. the form in which an application for license for issue of ESC, the eligibility criteria of the applicant and the period of validity of such a license, the amount of fees payable and the other documents which will accompany an application for licence, the form and the fee for renewal of a licence and the fee payable thereof;
l. the form in which application for issue of an ESC can be made and the fee to be paid for the purpose;
m. the manner in which the adjudicating officer will hold inquiry;
n. the qualification and experience which the adjudicating officer will possess;
o. the salary, allowances and the other terms and conditions of service of the Chairperson and Members;
p. the procedure for investigation of misbehaviour or incapacity of the Chairperson and Members;
q. the salary and allowances and other conditions of service of other officers and employees;
r. the form in which appeal, to the Cyber Appellate Tribunal, can be filed and the fee thereof;
s. any other power of a civil court required to be prescribed for the purposes of the Cyber Appellate Tribunal;
t. duties of any subscriber and the reasonable security practices and procedures to be adopted while dealing with sensitive personal information;
u. the powers and the functions of the Chairperson and the Members of the Cyber Appellate Tribunal;
v. safeguards for the interception or monitoring or decryption of information;
w. the information security procedures and practices to be followed in respect of protected systems;
x. guidelines to be observed by intermediaries;
y. modes and methods of encryption for promoting e-governance and e-commerce.
Every rule made by the Central Government notifying such class of documents or transactions as can be notified by the Central Government in the Official Gazette which are outside the purview of this Act and every rule made by it shall be laid, as soon as can be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which can be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the notification or the rule or both Houses agree that the notification or the rule should not be made, the notification or the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that notification or rule.
POWER OF CONTROLLER TO MAKE REGULATIONS
The Controller may, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette, make regulations consistent with this Act and the rules in relation to the following matters:
• maintenance of data-base containing the disclosure record of every Certifying Authority
• the conditions and restrictions subject to which the Controller may recognize any foreign Certifying Authority
• the terms and conditions subject to which a license may be granted to a CA
• other standards to be observed by a Certifying Authority
• the manner in which the Certifying Authority shall disclose the matters specified in relation to DSC
• the particulars of certification practice statement which shall accompany an application
• the manner by which a subscriber communicates the compromise of private key to the Certifying Authority
Every regulation made under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the regulation or both Houses agree that the regulation should not be made, the regulation shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that regulation.
POWER OF STATE GOVERNMENT TO MAKE RULES
The State Government can, by notification in the Official Gazette, make rules to carry out the provisions of this Act. In particular, and without prejudice to the generality of the foregoing power, such rules can provide for all or any of the following matters, namely:—
a. the electronic form in which filing, issue, grant, receipt or payment for e licences;
b. for e returns & e payments
c. any other matter which is required to be provided by rules by the State Government.
Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.
AMENDMENT TO OTHER ACTS
BRIEF HISTORY
The Indian Information Technology Act 2000 (“Act”) was based on the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law[1]; the suggestion was that all States intending to enact a law for the impugned purpose, give favourable consideration to the said Model Law when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information. Thus the Act was enacted to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involved the use of alternatives to traditional or paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies. Also it was considered necessary to give effect to the said resolution and to promote efficient delivery of Government services by means of reliable electronic records. The Act received the assent of the President on the 9th of June, 2000.
The Act was subsequently and substantially amended in 2006 and again in 2008 citing the following objectives:
• With proliferation of information technology enabled services such as e-governance, ecommerce and e-transactions, protection of personal data and information and implementation of security practices and procedures relating to these applications of electronic communications have assumed greater importance and they require harmonization with the provisions of the Information Technology Act. Further, protection of Critical Information Infrastructure is pivotal to national security, economy, public health and safety, so it has become necessary to declare such infrastructure as a protected system so as to restrict its access.
• A rapid increase in the use of computer and internet has given rise to new forms of crimes like publishing sexually explicit materials in electronic form, video voyeurism and breach of confidentiality and leakage of data by intermediary, e-commerce frauds like personation commonly known as Phishing, identity theft and offensive messages through communication services. So, penal provisions are required to be included in the Information Technology Act, the Indian Penal Code, the Indian Evidence Act and the Code of Criminal Procedure to prevent such crimes.
• The United Nations Commission on International Trade Law (UNCITRAL) in the year 2001 adopted the Model Law on Electronic Signatures. The General Assembly of the United Nations by its resolution No. 56/80, dated 12th December, 2001, recommended that all States accord favorable consideration to the said Model Law on Electronic Signatures. Since the digital signatures are linked to a specific technology under the existing provisions of the Information Technology Act, it has become necessary to provide for alternate technology of electronic signatures for bringing harmonization with the said Model Law.
• The service providers may be authorized by the Central Government or the State Government to set up, maintain and upgrade the computerized facilities and also collect, retain appropriate service charges for providing such services at such scale as may be specified by the Central Government or the State Government.
EXTENT AND APPLICABILITY OF THE ACT
The Act extends to the whole of India, save as otherwise provided in this Act. It can also apply to any offence or contravention provided for in the Act, whether committed in India or outside India by any person, if the act or conduct constituting the offence involves a computer, computer system or computer network located in India.
The main provisions of the Act came into force on the 9th of June 2000. Certain provisions were given effect on later dates by issuing specific notifications in this regard.
The Act shall not apply to documents or transactions specified in the First Schedule. Every notification issued to amend the first schedule shall be laid before each House of Parliament. Presently, the First schedule contains the following entries:
1. A negotiable instrument (other than cheque) as defined in negotiable instrument Act, 1881.
2. Power of Attorney as defined in P-O-A Act, 1882.
3. A trust as defined in Indian Trusts Act, 1882.
4. A will as defined in Indian Succession Act, 1925 including any other testamentary disposition by whatever name called.
5. Any contract for sale or conveyance of immovable property or any interest in such property.
For this purpose, every notification issued by the Central Government to add, amend or delete any item mentioned in the schedule must, as a prerequisite, be placed before both Houses of the Parliament for their scrutiny and approval.
The provisions of the Act have an overriding effect, notwithstanding anything inconsistent therewith contained in any other law for the time being in force.
DEFINITIONS
In this Act, unless the context otherwise requires, —
a. "access" with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;
b. "addressee" means a person who is intended by the originator to receive the electronic record but does not include any intermediary;
c. "adjudicating officer" means an adjudicating officer appointed under subsection (1) of section 46;
d. "affixing electronic signature" with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of electronic signature;
e. "appropriate Government" means as respects any matter,—
i. Enumerated in List II of the Seventh Schedule to the Constitution;
ii. relating to any State law enacted under List III of the Seventh Schedule to the Constitution, the State Government and in any other case, the Central Government;
f. "asymmetric crypto system" means a system of a secure key pair consisting of a private key for creating an electronic signature and a public key to verify the electronic signature;
g. "Certifying Authority" means a person who has been granted a licence to issue an Electronic Signature Certificate under section 24;
h. "certification practice statement" means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Electronic Signature Certificates;
i. "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;
j. "Computer Network" means the interconnection of one or more Computers or Computer systems or Communication device through—
i. the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and
ii. terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained;
k. "computer resource" means computer, computer system, computer network, data, computer data base or software;
l. "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
m. "Controller" means the Controller of Certifying Authorities appointed under sub-section (1) of section 17;
n. "Cyber Appellate Tribunal" means the Cyber Appellate Tribunal established under sub-section (1) of section 48;
(na). “cyber café” means any facility from where access to the internet is offered by any person in the ordinary course of his business to the members of the public;
(nb). "Cyber Security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.
o. "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
p. "digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3;
q. "digital Signature Certificate" means a Digital Signature Certificate issued under subsection (4) of section 35;
r. "electronic form" with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;
s. "Electronic Gazette" means the Official Gazette published in the electronic form;
t. "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
(ta). "electronic signature" means authentication of any electronic record by a subscriber by means of an electronic technique specified in the Second schedule and includes a digital signature;
(tb). "Electronic Signature Certificate" means an Electronic Signature Certificate issued under section 35 and includes a Digital Signature Certificate.
u. "function", in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;
v. "information" includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;
w. "intermediary" with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service in respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes;
x. "key pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify an electronic signature created by the private key;
y. "law" includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case can be, Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;
z. "licence" means a licence granted to a Certifying Authority under section 24;
(za). "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;
(zb). "prescribed" means prescribed by rules made under this Act;
(zc). "private key" means the key of a key pair used to create an electronic signature;
(zd). "public key" means the key of a key pair used to verify an electronic signature and listed in the Electronic Signature Certificate;
(ze). "secure system" means computer hardware, software, and procedure that—
a. are reasonably secure from unauthorised access and misuse;
b. provide a reasonable level of reliability and correct operation;
c. are reasonably suited to performing the intended functions; and
d. adhere to generally accepted security procedures;
(zf). "security procedure" means the security procedure prescribed under section 16 by the Central Government;
(zg). "subscriber" means a person in whose name the Electronic Signature Certificate is issued;
(zh). "verify" in relation to an electronic signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether—
a. the initial electronic record was affixed with the electronic signature by the use of private key corresponding to the public key of the subscriber;
b. the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the electronic signature.
Any reference in the Act to any enactment or any provision thereof shall, in relation to an area in which such enactment or such provision is not in force, be construed as a reference to the corresponding law or the relevant provision of the corresponding law, if any, in force in that area.
SECTION 3 - AUTHENTICATION OF ELECTRONIC RECORDS BY USE OF DIGITAL SIGNATURE
AUTHENTICATION OF ELECTRONIC RECORDS
The Act provides that the authentication of the electronic record can be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
A "hash function" is an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible—
a. to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
b. that two different electronic records can produce the same hash result using the algorithm.
The record can be accessed by the use of public key of the subscriber. The private key and the public key are unique to the subscriber and constitute a functioning key pair.
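The hash-then-sign flow of Section 3 and the two determinations in the definition of "verify", as an added example that is not part of the Act or of this summary. It assumes SHA-256 as the hash function and RSA with PKCS#1 v1.5 signature encoding as the asymmetric crypto system (the summary names neither); the function names are illustrative, and the pure-Python key generation is for study only, not for issuing real keys.

```python
import hashlib
import hmac
import secrets

# DER header of the SHA-256 DigestInfo structure used by PKCS#1 v1.5 signatures.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def hash_result(record: bytes) -> bytes:
    """The "hash result": same record in, same 32 bytes out, every time."""
    return hashlib.sha256(record).digest()


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        # Top two bits set so the product of two primes has exactly 2*bits bits.
        c = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if _is_probable_prime(c):
            return c


def generate_key_pair(bits: int = 2048):
    """Return (private_key, public_key) as (n, d) and (n, e)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:               # e is prime, so gcd(e, phi) == 1
            n = p * q
            return (n, pow(e, -1, phi)), (n, e)


def _encode(record: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || hash result."""
    t = SHA256_DIGESTINFO + hash_result(record)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def affix_signature(record: bytes, private_key) -> bytes:
    """Transform the encoded hash result with the subscriber's private key."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_encode(record, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(record: bytes, signature: bytes, public_key) -> bool:
    """True only if (a) the signature was made with the private key matching
    public_key and (b) the record is unaltered since it was signed."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Re-encode the record we were given and compare whole blocks.
    return hmac.compare_digest(recovered, _encode(record, k))


if __name__ == "__main__":
    private_key, public_key = generate_key_pair()
    record = b"Constructed sample record: licence application, 2024-01-01"
    signature = affix_signature(record, private_key)
    print("original record verifies:", verify(record, signature, public_key))
    print("altered record verifies: ", verify(record + b"!", signature, public_key))
```

A single boolean covers both determinations: a signature check cannot tell an altered record from a wrong key, which is why either condition failing invalidates the signature.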
SECTION 3A - AUTHENTICATION OF ELECTRONIC RECORDS BY USE OF ELECTRONIC SIGNATURE.
A subscriber can authenticate any electronic record by such an electronic signature or an electronic authentication technique which is considered reliable and may be specified in the schedules. In order for the electronic signature to be reliable:
a. The signature creation data or authentication data are, within the context they are used, linked to the signatory, or as the case may be, the authenticator and to no other person;
b. The signature creation data or authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
c. Any alteration to the electronic signature made after affixing such signature is detectable.
d. Any alteration to the information made after its authentication by electronic signature is detectable.
e. It fulfills other prescribed conditions.
The Central Government can prescribe the procedure for the purpose of ascertaining who has affixed the signature. The Central Government can also, by notification in the Official Gazette, add or omit any reliable electronic signature or electronic authentication technique or the procedure for affixing the same. The notification of such method or procedure is required to be placed before both houses of the Parliament.
ELECTRONIC GOVERNANCE & LEGAL RECOGNITION OF ELECTRONIC RECORDS & ELECTRONIC SIGNATURES
SECTION 4 - ELECTRONIC RECORDS
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is—
a. rendered or made available in an electronic form; and
b. accessible so as to be usable for a subsequent reference.
SECTION 5 - LEGAL RECOGNITION OF ELECTRONIC SIGNATURES
Where any law requires that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement will be deemed to have been satisfied, if such information or matter is authenticated by means of electronic signature affixed in such manner as prescribed by the Central Government.
SECTION 6 - FOUNDATION OF ELECTRONIC GOVERNANCE
Where any law provides for the filing of any form, application or any other document with any authority, agency, owned or controlled by the appropriate Government in a particular manner, or it provides for the issue or grant of any licence, permit, sanction or approval or the receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other law for the time being in force, such requirement is deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as prescribed by the appropriate Government. The appropriate Government is empowered to prescribe rules regarding the manner and the format, in which such electronic records shall be filed, created or issued and the manner or method of payment of any fee for creating, filing or issuing such record.
SECTION 9 - NO RIGHT TO INSIST DOC. TO BE IN ELECTRONIC FORM.
No person is conferred the right to insist that the Government or any body funded or controlled by it accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form.
SECTION 7 - RETENTION OF RECORDS:
Where any law provides that documents, records or information be retained for a specific period, then the requirement will be said to have been met if the documents are retained in electronic format and if the information contained therein remains accessible so as to be usable for subsequent reference in the format it was originally created, generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received, including the details of the identification of the origin, destination, dispatch or receipt of such electronic record are available in the electronic record. These conditions however do not apply to electronic documents which are generated automatically, solely for the purpose of enabling an electronic record to be retention of documents, records or information in the form of electronic records.
SECTION 7A - AUDIT OF DOCUMENTS IN ELECTRONIC FORM:
Where the audit of documents, records or information is required to be conducted under any law, the same shall also be applicable for audit of documents, records or information processed and maintained in electronic form.
SECTION 8 - PUBLICATION OF RULE, REGULATION, ETC., IN ELECTRONIC GAZETTE:
Where any law provides that any rule, regulation, order, bye-law, notification or any other matter will be published in the Official Gazette, then, such requirement is deemed to have been satisfied if such rule, regulation, etc is published in the Official Gazette or Electronic Gazette and the date of publication in such an Electronic Gazette is deemed to be the date of the Gazette which was first published in any form.
SECTION 10 - POWER TO MAKE RULES BY CENTRAL GOVERNMENT IN RESPECT OF ELECTRONIC SIGNATURE:
The Central Government is empowered to prescribe the type of electronic signature, the manner and format in which the electronic signature will be affixed so as to facilitate the identification of the person affixing the electronic signature. The Government will also prescribe the control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and any other matter which is necessary to give legal effect to electronic signatures.
In case of a contract, where the contract formation, the communication of proposals, the acceptance or revocation of the proposals, as the case may be, are expressed in electronic form or by means of an electronic record, the enforceability of the record will not be denied solely on the grounds that such electronic form or means were used to contract.
SECTION 11 - ATTRIBUTION OF ELECTRONIC RECORDS.
An electronic record can be attributed to the originator, if it can be demonstrated that it was sent by the originator himself or by a person authorised by the originator in respect of that electronic record; or by an information system programmed to operate automatically in this regard.
SECTION 12 - ACKNOWLEDGMENT OF RECEIPT
Where the originator (sender) & addressee (recipient) have not settled the manner and form in which the addressee is to acknowledge the receipt of the electronic record, then in such a case the addressee will acknowledge the receipt of the electronic record either by communicating such receipt, through automated or other means; or by way of conduct of the addressee to indicate to the originator that the electronic record has been received.
Where the originator has stipulated that the electronic record will be binding only on receipt of an acknowledgment of such electronic record by him, then in such a case, unless the addressee sends such an acknowledgment and the originator receives the same, it will be assumed that the electronic record was never sent.
Where the originator has not stipulated that the electronic record will be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within a reasonable time or an agreed period, then the originator can give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him. If an acknowledgment is not received within the aforesaid time limit, he can, after giving notice to the addressee, treat the electronic record as though it has never been sent.
SECTION 13 - TIME AND PLACE OF DESPATCH AND RECEIPT OF ELECTRONIC RECORD
The Originator and the addressee can agree to the time and place of receipt of the electronic record. Generally, unless otherwise agreed to the contrary by the originator and the addressee, when an electronic record enters a computer resource outside the control of the originator or when it enters the computer resource of the addressee, it is deemed to have been dispatched.
If the addressee has designated a specific computer resource and the electronic record is sent to such a designated computer resource, then the time when the electronic record enters the designated computer resource is deemed to be the time of receipt. If instead of sending to the designated computer resource of the addressee, the originator sends to another computer resource, then receipt occurs at the time when the electronic record is retrieved by the addressee from such a computer resource. These would apply even if the computer resource is located in a different place.
An electronic record is deemed to be dispatched at the place where the originator has his place of business, and is deemed to be received at the place where the addressee has his place of business, even if the computer resources are located at any other place.
It is possible that the originator or the addressee may have more than one place of business; in such a case the principal place of business will be the place of business for the purpose of receipt and despatch. If the originator or the addressee does not have a place of business, his usual place of residence will be deemed to be the place of business. In case the addressee or the originator is a body corporate, such usual place will be the place where such a body corporate is registered.
SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES
SECTION 14 - SECURE ELECTRONIC RECORD
Where any security procedure is applied to an electronic record, at a specific point of time, then from such point onwards up to the time of verification, the record is deemed to be a secure electronic record.
SECTION 15 - SECURE ELECTRONIC SIGNATURE
An electronic signature is unique to the subscriber. Once the signature is affixed to an electronic record it can be used to identify the subscriber. It is presumed to be under the exclusive control of the subscriber. The signature signifies the time when it is affixed to an electronic record and the manner in which the signature was created. If anyone tries to alter such a signed electronic record, then the signature gets invalidated. An electronic signature will be deemed to be secure if it can be proved that it was under the exclusive control of the signatory at the time of affixing and the signature data (private key) was stored and affixed in the specified manner.
SECTION 16 - SECURITY PROCEDURE
The Central Government is empowered to prescribe the security procedure and practices considering the commercial circumstances, nature of transactions and such other related factors.
REGULATION OF CERTIFYING AUTHORITIES
SECTION 17 - APPOINTMENT OF CONTROLLER AND OTHER OFFICERS
The Central Government is empowered to appoint a Controller of Certifying Authorities (“CCA”) and such number of Deputy Controllers and Assistant Controllers, other officers and employees. Such an appointment of the Controller, Deputy & Assistant Controllers is to be notified in the Official Gazette. The Controller discharges his functions under this Act subject to the general control and directions of the Central Government. The Deputy Controllers (“Dy CA”) and Assistant Controllers (“ACA”), other officers and employees in turn, perform the functions assigned to them by the Controller under the general superintendence and control of the Controller. Such assigned/delegated functions are assigned by the CCA to the Dy CA & ACA in writing.
The Central Government can prescribe the requirements pertaining to the qualifications, experience and terms and conditions of service of CCA, the Dy CA and the ACA, other officers and employees. Further it can also require that the Head Office and Branch Office of the Controller will be at / established at all such places as specified by the Central Government. The Act provides that there will be a seal of the Office of the Controller.
SECTION 18 - FUNCTIONS OF CONTROLLER
The primary function of the CCA is to regulate the Certifying Authorities (“CA”). For the purpose of regulating the CA, the CCA may perform all or any of the following functions, namely:—
• certifying public keys of the Certifying Authorities;
• laying down the standards to be maintained by the Certifying Authorities;
• specifying the qualifications and experience which employees of the Certifying Authorities should possess;
• specifying the conditions subject to which the Certifying Authorities shall conduct their business;
• specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key;
• specifying the form and content of a Digital Signature Certificate and the key;
• specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
• specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
• facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
• specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
• resolving any conflict of interests between the Certifying Authorities and the subscribers;
• laying down the duties of the Certifying Authorities;
• maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.
SECTION 19 - RECOGNITION OF FOREIGN CERTIFYING AUTHORITIES
The CCA, with the prior approval of the Central Government and subject to the conditions and restrictions specified in this regard by regulations, can, by notification in the Official Gazette, recognize any foreign CA as a CA for the purposes of this Act. Once a foreign CA is granted recognition by the CCA, an Electronic Signature Certificate (“ESC”) issued by such Certifying Authority will be valid for the purposes of this Act.
If the CCA is satisfied that a foreign CA which has been granted recognition has contravened any of the conditions or restrictions subject to which it was granted recognition, then the CCA can, after recording the reasons in writing, revoke such recognition by notification in the Official Gazette.
SECTION 21 - LICENCE TO ISSUE ELECTRONIC SIGNATURE CERTIFICATES
Any person can obtain a license to issue an ESC by making an application to the CCA. After receiving the application the CCA verifies whether or not such an applicant has satisfied the eligibility criteria, as specified by the Central Government in respect of qualification, expertise, manpower, financial resources and other infrastructure facilities. Once the eligibility of the applicant is ascertained, the CCA issues a license to the applicant. The licensee is thereafter subject to such terms and conditions as are provided for in the regulations issued in this regard. Any license granted under this section is valid for such period as can be provided for by the Central Government. It may be noted that such a license is not transferable or inheritable.
SECTION 22 - APPLICATION FOR LICENSE:
Every application is required to be in the prescribed form. Along with the application the applicant is also required to file:
• a certification practice statement;
• a statement including the procedures with respect to identification of the applicant;
• payment of such fees, not exceeding twenty-five thousand rupees (as prescribed by the Central Government);
• such other documents, as can be prescribed from time to time by the Central Government.
An application for renewal of a license is also required to be in the prescribed form accompanied by such fees, which cannot exceed five thousand rupees and has to be made at least forty-five days before the date of expiry of the period of validity of the existing license.
The CCA can, on receipt of an application, after considering the documents accompanying the application and such other factors, as the CCA deems fit, grant the license or reject the application. The applicant is granted a reasonable opportunity of presenting his case to the CCA before his application is rejected.
SECTION 25 - SUSPENSION OF LICENCE
If the CCA, after making an inquiry is satisfied that a CA has
• made an incorrect or false statement in his application for the issue or renewal of licence;
• failed to comply with the terms and conditions subject to which the licence was granted;
• not maintained the standards required to be followed under this Act;
• contravened any provisions of this Act, rule, regulation or order made there under
then the CCA can, after giving the CA a reasonable opportunity to show cause against the proposed revocation, revoke the license. In the alternative, pending such an inquiry, if the CCA is of the opinion that there exist circumstances for the revocation of the license of the CA, then the CCA can suspend the license till the completion of the inquiry. The period of suspension cannot however exceed a period of 10 days unless the CA has been given a reasonable opportunity of showing cause against the proposed suspension. The CA is barred from issuing any ESCs during his suspension period.
After making an inquiry into an allegation of default and after giving the defaulting CA a reasonable opportunity of being heard, if the CCA is satisfied that the license of the CA needs to be suspended or revoked, he can proceed against the CA and suspend or revoke his license. The notice of such an action of suspension or revocation, as the case may be, by the CCA is required to be published in the database and all the repositories maintained by the CCA. The CCA is also required to make such a notice of suspension or revocation of license available through a website which is accessible round the clock. If considered appropriate by the CCA, he may publicise the contents of the database in appropriate electronic or other media. The CCA can delegate or authorize the Dy. CA or the ACA to exercise any of its powers in respect of the regulation of Certifying Authorities.
ACCESS TO COMPUTERS AND DATA
Without prejudice to the provisions of sub-section (1) of section 69, the CCA or any person authorized by him can, if he has reasonable cause to suspect that the provisions related to regulation of CAs, or the rules or regulations made thereunder, are being contravened, search or access any computer system, any apparatus, data or any other material connected with such system to obtain any information or data contained in or available to such computer system. In doing so he can direct any person in charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide such reasonable technical and other assistance as the investigating authority may consider necessary.
POWER TO INVESTIGATE CONTRAVENTIONS.
The CCA or any officer authorised by him for this purpose can investigate into any contravention of the provisions of this Act, rules or regulations made thereunder. For the purpose of investigating the contraventions under this Act, the CCA or any authorized officer has the powers similar to the powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and the CCA can exercise such powers, subject to such limitations laid down under the Income-tax Act, 1961.
SECTION 30 - OBLIGATIONS OF THE CA
Every CA will, —
a. make use of secure hardware, software and procedures to prevent intrusion and misuse;
b. ensure a reasonable level of reliability in the services provided by it;
c. adhere to security procedures to ensure that the secrecy and privacy of the electronic signatures are assured;
d. be the repository of all Electronic Signature Certificates issued under this Act;
e. publish information regarding its practices, Electronic Signature Certificates and current status of such certificates;
f. observe such other standards as may be specified by regulations;
g. ensure that every person employed or otherwise engaged by it complies with the provisions of this Act, rules, regulations and orders made thereunder;
h. display its licence at a conspicuous place of the premises in which it carries on its business;
i. surrender its licence, forthwith, to the CCA when the licence is suspended or revoked. Failure to do so will be deemed to be an offence, punishable with imprisonment which can extend up to six months or a fine which can extend up to ten thousand rupees or with both;
j. disclose in the manner specified by regulations—
i. its ESC;
ii. any certification practice statement;
iii. notice of the revocation or suspension of its CA certificate, if any; and
iv. any other fact that materially and adversely affects either the reliability of an ESC which that CA has issued, or the CA's ability to perform its services;
k. where the CA is of the opinion that a situation has arisen which can materially and adversely affect the integrity of its computer system or the conditions subject to which an ESC was granted, the CA will—
a. reasonably notify any person who is likely to be affected by that occurrence; or
b. act in accordance with the procedure specified in its certification practice statement to deal with such event or situation.
The CCA can, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette make regulations consistent with this Act and the rules made there under to carry out the purposes of this Act. In particular, and without prejudice to the generality of the foregoing power, such regulations can provide for all or any of the following matters, namely:
a. the particulars relating to maintenance of data-base containing the disclosure record of every Certifying Authority;
b. the conditions and restrictions subject to which the Controller can recognise any foreign Certifying Authority;
c. the terms and conditions subject to which a licence to issue an ESC can be granted;
d. other standards to be observed by a Certifying Authority;
e. the manner in which the Certifying Authority will disclose the information pertaining to ESC, the certification there to, the details of the suspension or revocation of any ESC etc;
f. the particulars of statement which will accompany a Certification of practice of a CA applying for licence to issue ESC;
g. the manner in which the subscriber will communicate the compromise of private key to the Certifying Authority.
ELECTRONIC SIGNATURE CERTIFICATES
SECTION 35 - CERTIFYING AUTHORITY TO ISSUE ELECTRONIC SIGNATURE CERTIFICATE.
Any person can make an application to the CA for the issue of an ESC. The application will be in the form prescribed by the Central Government. The application shall be accompanied by the prescribed fee, not exceeding twenty five thousand rupees, to be paid to the Certifying Authority. Different fees could be prescribed for different classes of applicants. In addition to the fees, the application is also required to be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be required by regulations.
The CA can consider such an application accompanied with the certification practice statement, and after making the necessary inquiry, as the CA deems fit, either grant the ESC or for reasons to be recorded in writing, reject the application. The application can be rejected only after giving the applicant a reasonable opportunity of being heard.
REPRESENTATIONS UPON ISSUANCE OF ELECTRONIC SIGNATURE CERTIFICATE
A CA, while issuing an ESC, will certify that—
a. it has complied with the provisions, rules and regulations of this Act;
b. it has published or made available the ESC to any person relying on it or to a subscriber who has accepted it;
c. the subscriber holds the private key corresponding to the public key listed in the ESC;
d. the subscriber holds a private key which is capable of creating a digital signature;
e. the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the subscriber;
f. the subscriber's public key and private key constitute a functioning key pair;
g. the information contained in the ESC is accurate; and
h. it has no knowledge of any material fact, which if it had been included in the Electronic Signature Certificate would adversely affect the reliability of the representations made in clauses (a) to (d).
SUSPENSION OF ELECTRONIC SIGNATURE CERTIFICATE
Any ESC which is issued by a CA can be suspended by the CA on the occurrence of one of the following events:
a. on receipt of a specific request to that effect from the subscriber of an ESC or a person duly authorized by such a subscriber;
b. if the CA is of the opinion that it is in the interest of the public to do so.
The suspension of the ESC by the CA is required to be communicated to the subscriber. The CA cannot suspend the ESC for a period of more than 15 days without providing the subscriber a reasonable opportunity of being heard.
REVOCATION OF ELECTRONIC SIGNATURE CERTIFICATE
A CA can revoke an ESC issued by it on a specific request being made to it by the subscriber or a person duly authorized by him in this regard. The CA can also revoke the ESC upon the death of the subscriber, where the subscriber is an individual, or on dissolution, where the subscriber is a firm, or on the winding up, where the subscriber is a corporate entity.
An ESC can be revoked by the CA with immediate effect, after giving the subscriber a reasonable opportunity of being heard, if the CA is of the opinion that there has been a material misrepresentation or concealment of facts in the ESC; that any requirement which was a pre-requisite for the issue of the ESC has not been fulfilled; that the CA's private key or security system has been compromised in a manner materially affecting the ESC's reliability; or that the subscriber has been adjudged insolvent or, on account of death, dissolution, winding-up or any other circumstances, has ceased to exist. The revocation of an ESC by the CA has to be communicated to the subscriber.
Any suspension or revocation of ESCs is required to be published in the public repositories (one or more as the case may be) maintained by the CA.
DUTIES OF SUBSCRIBERS
Where any Electronic Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Electronic Signature Certificate, has been accepted by a subscriber, the subscriber will generate the key pair by applying the security procedure. Further, the subscriber shall perform such duties as may be prescribed.
ACCEPTANCE OF ELECTRONIC SIGNATURE CERTIFICATE
A subscriber is deemed to have accepted an ESC if he publishes or authorizes the publication of an ESC to one or more persons in a repository, or otherwise demonstrates his approval of the ESC in any manner.
By accepting an ESC the subscriber certifies to all who reasonably rely on the information contained in the ESC that the subscriber holds the private key corresponding to the public key listed in the ESC and is entitled to hold the same. Furthermore, all representations made by the subscriber to the CA and all material relevant to the information contained in the ESC are true to the best of his belief.
CONTROL OF PRIVATE KEY
Every subscriber is required to exercise reasonable care to retain control of his private key, which corresponds to the public key listed in his ESC and take all steps to prevent its disclosure to a person not authorized to affix the electronic signature of the subscriber.
If the private key is compromised, then the subscriber will communicate the same forthwith to the CA in the specified manner. The subscriber is liable for all events occurring as a result of the compromise of the private key from the time of compromise up to the time he has informed the CA of the private key being compromised.
PENALTIES, COMPENSATION AND ADJUDICATION
The Information Technology Amendment Act 2008 has introduced a host of offences and prescribed penalties for these offences.
SECTION 43 - PENALTY FOR DAMAGE TO COMPUTER, COMPUTER SYSTEM, ETC
If any person without permission (or the knowledge) of the owner or any other person who is in-charge of a computer, computer system or computer network, —
a. accesses or secures access to such computer, computer system or computer network;
b. downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
c. introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
d. damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
e. disrupts or causes disruption of any computer, computer system or computer network;
f. denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
g. provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
h. charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
i. destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
j. steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
he can be made liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
Explanation.— For these purposes,—
i. "computer contaminant" means any set of computer instructions that are designed—
a. to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
b. by any means to usurp the normal operation of the computer, computer system, or computer network;
ii. "computer data base" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;
iii. "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;
iv. "damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means;
v. "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.
SECTION 43A - COMPENSATION FOR FAILURE TO PROTECT DATA
When a body corporate that possesses, handles or deals in sensitive personal data or information in a computer resource that it owns, controls or operates is found negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or gain to any person, the body corporate will be held liable to pay damages as compensation of a sum not exceeding Rs 5 Crores to the person so affected.
For this purpose, "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
“Reasonable security practices and procedures” would include such practices and procedures which are designed to protect information from unauthorized access, damage, misuse, modification, disclosure etc, as may be agreed to between the parties or as determined by law in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
"Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Note: Refer to Notification G.S.R. 313(E) dated 11th April 2011, notified by the Central Government, for the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
PENALTY FOR FAILURE TO FURNISH INFORMATION RETURN, ETC
Any person who, under this Act or any rules or regulations made thereunder,—
a. is required by the CCA or CA to furnish any document, return or report and fails to do so, will be liable to a penalty not exceeding Rs 1,50,000/- for each such failure;
b. is required to file any return or furnish any information, books or other documents within the time specified by the regulations and fails to do so within the time specified, will be liable to a penalty not exceeding Rs 5000/- per day of such continuing default;
c. fails to maintain books of accounts or records as required, will be liable to a penalty not exceeding Rs 10,000/- per day of such continuing default.
PUNISHMENT FOR DISCLOSURE OF INFORMATION IN BREACH OF LAWFUL CONTRACT
Unless otherwise provided under this act or under any other act, any person, including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.
COMPENSATION, PENALTIES OR CONFISCATION NOT TO INTERFERE WITH OTHER PUNISHMENT
A penalty imposed or compensation awarded or confiscation under the Act, will not result in avoidance of an award of compensation or imposition of any penalty or punishment under any other law.
RESIDUARY PENALTY
Whoever contravenes any rules or regulations made under this Act, and no penalty has been separately provided for such contravention, will be liable to pay a compensation not exceeding Rs 25,000/- to the person affected by such contravention or a penalty of equal amount.
A penalty imposed under this Act, if it is not paid, can be recovered as an arrear of land revenue and the license or the ESC, as the case may be, can be suspended till the penalty is paid.
COMPOUNDING OF OFFENCES
Notwithstanding anything contained in Code of Criminal Procedure, an offence pertaining to
• Hacking with a computer system
• Transmission of obscene material / content
• Breach of confidentiality and privacy
• Misutilization of personal information
can be compounded under section 77A of the Act. However the benefit of compounding will not be available to a person who has been previously convicted for the same or similar offence or who is liable to enhanced punishment.
No court can take cognizance of any of the above-mentioned offences unless the person aggrieved by the offence lodges a complaint. Only an officer of the rank of a Deputy Superintendent of Police can investigate cognizable offences under this Act. When an officer in charge of a police station is given information pertaining to a non-cognizable offence, he is required to record such information in such records as are prescribed by the State Government. The officer who receives such information can exercise the same power of investigation (except the power to arrest without warrant) as an officer in charge of a police station would have under section 156 of the Code of Criminal Procedure.
SECTION 46 - POWER TO ADJUDICATE
Section 46 confers the power to adjudicate contraventions under the Act on an officer not below the rank of Director to the Government of India or an equivalent officer of a State.
Such appointment shall be made by the Central Government. The person so appointed shall have adequate experience in the field of Information Technology and such legal and judicial experience as may be prescribed by the Central Government.
The adjudicating officer shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed rupees five crores.
In respect of claim for injury or damage exceeding rupees five crores, jurisdiction shall vest with the competent court.
For the purpose of holding an inquiry and for the purposes of adjudication, the Officer will have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under sub-section (2) of section 58. All the proceedings held before the Adjudicating Officer will be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code, and the Adjudicating Officer will be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973.
The Officer, for the purpose of holding an inquiry as prescribed by the Central Government, is required to give the person accused of the contravention a reasonable opportunity for making a representation in the matter. If, after giving such an opportunity, the Officer is of the opinion that such person has, as alleged, contravened the provisions of the Act, or any rules, regulations and directions thereunder, he can impose such penalty or award such compensation as he thinks fit in accordance with the provisions.
Section 47 provides that for the purpose of imposing a penalty or awarding compensation the Officer will take into consideration the following:
a. the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
b. the amount of loss caused to any person as a result of the default;
c. the repetitive nature of the default.
THE CYBER APPELLATE TRIBUNAL
ESTABLISHMENT & COMPOSITION OF CYBER APPELLATE TRIBUNAL
The Central Government, by notification, can establish one or more appellate tribunals to be known as the Cyber Appellate Tribunal (“tribunal”). Such notification will also specify the matters and places in relation to which the Cyber Appellate Tribunal can exercise jurisdiction.
CONSTITUTION & THE JURISDICTION OF A BENCH
The Central Government, in consultation with the Chief Justice of India, selects the Chairperson and other Members. The Cyber Appellate Tribunal is made up of a Chairperson and such number of Members as the Central Government deems fit. The Chairperson and one or two Members shall constitute a Bench of the Tribunal. The Tribunal exercises its jurisdiction and all its powers and authority through such a Bench. The Central Government has mandated that the Bench of the Tribunal will sit in New Delhi and at such places as the Central Government, in consultation with the Chairperson, may resolve. Once having resolved where the Bench will be situated, the Central Government demarcates the areas where the Bench will exercise its jurisdiction and notifies such resolution in the Official Gazette. The Chairperson of the Tribunal can transfer the Member(s) from one Bench to another.
Where the circumstances so merit, at any time before or in the course of a case or a matter, if the Chairperson or the Member of the Tribunal are of the view that the nature of the case or matter is such that it ought to be heard by a Bench consisting of more Members, the case can be transferred by the Chairperson to such a Bench as the Chairperson deems fit.
QUALIFICATION OF THE CHAIRPERSON & THE MEMBERS OF THE TRIBUNAL
The Information Technology Amendment Act 2006 and the Information Technology Amendment Act 2008 have introduced a slew of changes in the manner of appointment of the Chairperson and the Members (Judicial as well as non Judicial) of the Cyber Appellate Tribunal. The changes include the basic eligibility criteria, the manner in which the salary and other emoluments will be given/ announced, the requirement of independence and retirement from earlier service.
Only a person who is, or has been, or is qualified to be, a Judge of a High Court is qualified to be appointed as the Chairperson. The Members of the Tribunal, barring the Judicial Member, will be appointed by the Central Government. Such a Member shall be appointed from amongst persons who possess special knowledge and professional experience in the field of Information Technology, Telecommunication, Industry, Management and Consumer Affairs. The Government can only select the Members from the cadre of Central or State Government employees, holding the position of Additional Secretary for a period not less than 2 years or a Joint Secretary to the Government of India or an equivalent position with either the Central or the State Government for a period not less than 7 years.
Only a person who is a member of the Indian Legal Service and has held the position of an Additional Secretary for a period of one year or a Grade I post of the Legal Service for a period not less than 5 years, is qualified to be selected as the Judicial Members of the Tribunal.
Before the appointment of the Chairperson and the Members of the Tribunal, the Central Government satisfies itself that the candidate is an independent person and a person of integrity who will not be interested, either financially or in any other way, in a manner that may prejudicially influence his discharge of the functions of a Chairperson or a Member of the Cyber Appellate Tribunal. On his selection, either as a Member or Chairperson of the Tribunal, the candidate (officer of the Central / State Government) is required to retire from his service before he is allowed to join as the Member / Chairperson of the Cyber Appellate Tribunal.
TENURE OF THE CHAIRPERSON & THE MEMBERS OF THE TRIBUNAL
The Chairperson and the Members hold office for a term of five years from the date of entering upon their office or until they attain the age of sixty five years, whichever occurs earlier. During the tenure the Chairperson and the Members will be entitled to such salary, allowances and other benefits like gratuity, pension, etc. as may be prescribed.
FUNCTIONING OF THE BENCH
The Chairperson has the power of general supervision and administration of the conduct of affairs of the Bench. In addition to presiding over the meetings of the Tribunal, the Chairperson exercises and discharges such functions and powers as are prescribed in this regard.
The Chairperson distributes the business to a Bench of the Tribunal and directs the manner in which each matter will be dealt with. The Chairperson can also transfer a matter from one Bench to another for its disposal, either on receipt of an application in this regard from any of the parties, after giving notice to such parties and giving them such hearing as he deems proper, or suo motu without such a notice.
If the Members of a Bench (consisting of 2 Members) differ in opinion on any point, they are required to state the point(s) that they differ on and refer the matter to the Chairperson. The Chairperson will then proceed to hear the point(s) / matter and then decide on the same on the basis of the majority view of the Members who have heard the case, including those Members who have heard the case first.
FILLING UP OF VACANCIES, RESIGNATION OR REMOVAL OF A CHAIRPERSON
Once the Chairperson has been appointed neither the salary and allowances nor the other terms and conditions of his service can be varied to his disadvantage. If, for reason other than temporary absence, any vacancy occurs in the office of the Chairperson of a Cyber Appellate Tribunal, then the Central Government is to appoint another person in accordance with the provisions of this Act to fill the said vacancy and the proceedings can be continued before the Cyber Appellate Tribunal from the stage at which the vacancy is filled.
The Chairperson of a Cyber Appellate Tribunal can resign his office by notice in writing, under his hand, addressed to the Central Government. Unless a shorter period of relinquishment is permitted by the Central Government, the Chairperson can continue to hold office until the expiry of three months from the date of receipt of such notice or until a person duly appointed as his successor enters upon his office or until the expiry of his term of office, whichever is the earliest.
The Central Government can remove the Chairperson from his office only by way of an order in writing on the grounds of proved misbehavior or incapacity after an inquiry. Such an inquiry can be made only by a Judge of the Supreme Court, and the Chairperson concerned has to be informed of the charges against him. The Chairperson has to be given a reasonable opportunity of being heard in respect of these charges. The Central Government can, by rules, regulate the procedure for the investigation of misbehavior or incapacity of the aforesaid Chairperson.
No order of the Central Government appointing any person as the Chairperson or Member of a Cyber Appellate Tribunal, and no act or proceeding before a Cyber Appellate Tribunal, shall be called in question in any manner on the ground merely of any defect in the constitution of a Cyber Appellate Tribunal.
STAFF OF THE CYBER APPELLATE TRIBUNAL
The Central Government shall provide the Cyber Appellate Tribunal with such officers and employees as required. The officers and employees of the Cyber Appellate Tribunal shall discharge their functions under general superintendence of the Presiding Officer. The salaries and allowances and other conditions of service of the officers and employees of the Cyber Appellate Tribunal shall be such as may be prescribed by the Central Government.
The Chairperson, Members and other officers and employees of a Cyber Appellate Tribunal, the Controller, the Deputy Controller and the Assistant Controllers shall be deemed to be Public Servants within the meaning of section 21 of the Indian Penal Code.
APPEAL TO CYBER APPELLATE TRIBUNAL
Any person aggrieved by an order made by the Controller or an adjudicating officer under this Act can prefer an appeal to a Cyber Appellate Tribunal having jurisdiction in the matter. However, no appeal shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties. The appeal can be filed by the aggrieved person within a period of 45 days from the date of receipt of the order, in the prescribed form and accompanied by the prescribed fee. The Cyber Appellate Tribunal can entertain an appeal after the expiry of the said period of 45 days if it is satisfied that there was sufficient cause for not filing it within the prescribed period. The provisions of the Limitation Act, 1963, will, as far as can be, apply to an appeal made to the Cyber Appellate Tribunal.
The appeal filed before the Cyber Appellate Tribunal is to be dealt with by it as expeditiously as possible and an endeavor will be made by the Cyber Appellate Tribunal to dispose of the appeal finally within six months from the date of receipt of the appeal. The appellant can either appear in person or through an authorized representative (one or more legal practitioners) or any of its officers, to present his or its case before the Cyber Appellate Tribunal.
The Cyber Appellate Tribunal can, after giving the parties to the appeal an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against. The Cyber Appellate Tribunal will send a copy of every order made by it to the parties to the appeal and to the concerned Controller or adjudicating officer.
SECTION 58 - PROCEDURE AND POWERS OF THE CYBER APPELLATE TRIBUNAL
The Cyber Appellate Tribunal is not bound by the procedure laid down by the Code of Civil Procedure, 1908, but is guided by the principles of natural justice and, subject to the other provisions of this Act and of any rules, the Cyber Appellate Tribunal has the power to regulate its own procedure, including the place at which it shall have its sittings. For the purposes of discharging its functions under this Act, the Cyber Appellate Tribunal has the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely:
a. summoning and enforcing the attendance of any person and examining him on oath;
b. requiring the discovery and production of documents or other electronic records;
c. receiving evidence on affidavits;
d. issuing commissions for the examination of witnesses or documents;
e. reviewing its decisions;
f. dismissing an application for default or deciding it ex parte;
g. any other matter which may be prescribed.
Every proceeding before the Cyber Appellate Tribunal is deemed to be a judicial proceeding within the meaning of sections 193 and 228, and for the purposes of section 196 of the Indian Penal Code and the Cyber Appellate Tribunal is deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973. No Civil Court has the jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered, by or under this Act, to determine and no injunction will be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.
SECTION 62 - APPEAL TO HIGH COURT
Any person aggrieved by any decision or order of the Cyber Appellate Tribunal can file an appeal to the High Court within sixty days from the date of receipt of the order of the Cyber Appellate Tribunal, on any question of fact or law arising out of such order. The High Court can condone a delay in filing the appeal if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, and allow it to be filed within a further period not exceeding sixty days.
SECTION 63 - COMPOUNDING OF CONTRAVENTIONS
At any time, before or after the institution of adjudication proceedings, the CCA or an Officer specially authorized in this regard or the Adjudicating Officer can compound contraventions under the Act. The compounded amount however cannot, in any case, exceed the maximum penalty imposable for the contravention under this Act. Where any contravention has been compounded, no proceeding or further proceeding, as the case may be, can be taken for the compounded offence. Once a contravention has been compounded, the same person cannot seek relief of compounding for the same or similar contraventions committed within a period of 3 years from the date of compounding.
OFFENCES
The Act specifies the following as offences: tampering with computer source documents; hacking a computer system; publishing information which is obscene in electronic form; failure of a CA or its employees to follow the directions/orders of the CCA; failure to comply with directions of the Controller to a subscriber to extend facilities to decrypt information; accessing a protected system without proper authorization; material misrepresentation; publishing an Electronic Signature Certificate with false particulars; publication for fraudulent purpose; sending of grossly offensive information or false information; etc.
The various offences and corresponding punishments are summarized and tabulated below with detailed explanation in the following paragraphs.
| Section | Contents | Imprisonment up to | Fine up to |
|---|---|---|---|
| 65 | Tampering with computer source code documents | 3 years or/and | 200,000 |
| 66 | Hacking with computer system dishonestly or fraudulently | 3 years or/and | 500,000 |
| 66B | Receiving stolen computer resource | 3 years or/and | 100,000 |
| 66C | Identity theft: fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person | 3 years and | 100,000 |
| 66D | Cheating by personation by using computer resource | 3 years and | 100,000 |
| 66E | Violation of privacy | 3 years or/and | 200,000 |
| 66F | Whoever, (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by (1) denial of access, (2) attempting to penetrate computer resource, (3) computer contaminant; (B) knowingly or intentionally penetrates and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations, or likely to cause injury to the interests of the sovereignty and integrity of India | Imprisonment for life | |
| 67 | Publish or transmit obscene material in electronic form: 1st time | 3 years and | 500,000 |
| 67 | Publish or transmit obscene material in electronic form: subsequent | 5 years and | 10,00,000 |
| 67A | Publishing or transmitting material containing sexually explicit act: 1st time | 5 years and | 10,00,000 |
| 67A | Publishing or transmitting material containing sexually explicit act: subsequent | 7 years and | 10,00,000 |
| 67B | Publishing or transmitting material containing children in sexually explicit act: 1st time | 5 years and | 10,00,000 |
| 67B | Publishing or transmitting material containing children in sexually explicit act: subsequent | 7 years and | 10,00,000 |
| 67C | Contravention of retention or preservation of information by intermediaries | 3 years and | Not defined |
| 68 | Controller's directions to Certifying Authorities or any employees: failure to comply knowingly or intentionally | 2 years or/and | 100,000 |
| 69 | Failure to comply with directions for intercepting, monitoring or decryption of any information transmitted through any computer system/network | 7 years and | Not defined |
| 69A | Failure to comply with directions for blocking for public access of any information through any computer resource | 7 years and | Not defined |
| 69B | Failure to comply with directions to monitor and collect traffic data | 3 years and | Not defined |
| 70 | Protected system: any unauthorised access to such system | 10 years and | Not defined |
| 70B (7) | Failure to provide information called for by the *I.C.E.R.T or comply with directions | 1 year or | 1,00,000 |
| 71 | Penalty for misrepresentation or suppressing any material fact | 2 years or/and | 100,000 |
| 72 | Penalty for breach of confidentiality and privacy of electronic records, books, information, etc. without consent of the person to whom they belong | 2 years or/and | 100,000 |
| 72A | Punishment for disclosure of information in breach of lawful contract | 3 years or/and | 500,000 |
| 73 | Penalty for publishing false Digital Signature Certificate | 2 years or/and | 100,000 |
| 74 | Fraudulent publication | 2 years or/and | 100,000 |
| 75 | Act also to apply for offences or contravention committed outside India if the act or conduct constituting the offence involves a computer, computer system or computer network located in India | | |
| 76 | Confiscation of any computer, computer system, floppies, CDs, tape drives or other accessories related thereto in contravention of any provisions of the Act, Rules, Regulations or Orders made | | |
| 77 | Penalty and confiscation shall not interfere with other punishments provided under any law | | |
| 78 | Power to investigate offences by police officer not below rank of Dy. Superintendent of Police | | |
*I.C.E.R.T - Indian Computer Emergency Response Team, to serve as national agency for incident response. Functions in the area of Cyber Security:
a. collection, analysis and dissemination of information on cyber incidents
b. forecast and alerts of cyber security incidents
c. emergency measures for handling cyber security incidents
d. coordination of cyber incidents response activities
e. issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
f. such other functions relating to cyber security as may be prescribed.
TAMPERING WITH COMPUTER SOURCE DOCUMENTS
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, can be punished with imprisonment up to three years, or with fine which can extend up to two lakh rupees, or with both. "Computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.
UNAUTHORIZED ACCESS TO A COMPUTER SYSTEM
If any person dishonestly or fraudulently does any act which results in damage to a computer or a computer system, or secures unauthorized access to a secure computer system, or downloads or copies data etc. (acts described under section 43 of the Act), then he can be punished with a prison term which can extend up to two years or with a fine which can extend up to ₹ five lakhs or both. Here the Act refers to the Indian Penal Code for interpreting the meaning of the words “dishonestly” and “fraudulently”.
PUNISHMENT FOR SENDING OFFENSIVE MESSAGES THROUGH COMMUNICATION SERVICE
Any person who sends, by means of a computer resource or a communication device, any information that is grossly offensive or has menacing character; or any information which he knows to be false, or any electronic mail or message so as to mislead the addressee about the origin of such message, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device, shall be punishable with imprisonment for a term which may extend to three years and with fine. Explanation: For the purposes of this section, the terms "Electronic mail" and "Electronic Mail Message" mean a message or information created or transmitted or received on a computer, computer system, computer resource or communication device, including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.
PUNISHMENT FOR DISHONESTLY RECEIVING STOLEN COMPUTER RESOURCE OR COMMUNICATION DEVICE
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen shall be punished with imprisonment for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.
PUNISHMENT FOR IDENTITY THEFT
Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
PUNISHMENT FOR CHEATING BY PERSONATION BY USING COMPUTER RESOURCE
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
PUNISHMENT FOR VIOLATION OF PRIVACY
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
“Transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
“Capture”, with respect to an image, means to videotape, photograph, film or record by any means;
“Private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
“Publishes” means reproduction in the printed or electronic form and making it available for public;
“Under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that he or she could disrobe in privacy, without being concerned that an image of his private area was being captured or any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.
PUNISHMENT FOR CYBER TERRORISM
Any person who, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by denying or causing the denial of access to any person authorized to access computer resource or attempting to penetrate or access a computer resource without authorisation or exceeding authorized access or introducing or causing to introduce any Computer Contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.
Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.
PUNISHMENT FOR PUBLISHING OR TRANSMITTING OBSCENE MATERIAL IN ELECTRONIC FORM
Any person who publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.
PUNISHMENT FOR PUBLISHING OR TRANSMITTING OF MATERIAL CONTAINING SEXUALLY EXPLICIT ACT, ETC. IN ELECTRONIC FORM
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.
PUNISHMENT FOR PUBLISHING OR TRANSMITTING OF MATERIAL DEPICTING CHILDREN IN SEXUALLY EXPLICIT ACT, ETC. IN ELECTRONIC FORM
Whoever, publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or facilitates abusing children online or records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:
The above three provisions shall not be applicable to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern, or which is kept or used for bona fide heritage or religious purposes.
"Children" means a person who has not completed the age of 18 years.
PRESERVATION AND RETENTION OF INFORMATION BY INTERMEDIARIES
An intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe, and any intermediary who intentionally or knowingly abstains from doing the same shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine.
POWER OF CONTROLLER TO GIVE DIRECTIONS
The CCA can direct a CA or the employees of such a CA to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made thereunder. Any person intentionally or knowingly failing to comply with such an order will have committed an offence and will be liable on conviction to imprisonment for a term not exceeding two years or to a fine not exceeding one lakh rupees or to both.
POWERS TO ISSUE DIRECTIONS FOR INTERCEPTION OR MONITORING OR DECRYPTION OF OR BLOCKING OF ANY INFORMATION THROUGH ANY COMPUTER RESOURCE
The Central Government or a State Government, or any of its officers specially authorized by the Central Government or the State Government, as the case may be, in this behalf, if satisfied that it is necessary or expedient to do so
• in the interest of the sovereignty or integrity of India,
• defense of India,
• security of the State,
• friendly relations with foreign States,
• public order,
• for preventing incitement to the commission of any cognizable offence relating to above,
• for investigation of any offence,
can, after recording the reasons thereof in writing, warrant or direct or order any agency of the Government to intercept or monitor or decrypt or block any information transmitted through a computer resource. The Government is required to specify safeguards, subject to which the interception or monitoring or decryption is to be done. Any person, be it a subscriber or an intermediary or any other person who is in charge of the computer resource, is bound to extend all possible cooperation, technical assistance and facility as may be required by the authorities to access or to secure access to the computer resource containing such information; generating, transmitting, receiving or storing such information or intercept or monitor or decrypt or block the information, as the case may be, or provide information stored in computer resource. Failure to do so is punishable with imprisonment for a term which can extend to seven years and also liable to fine.
POWER TO AUTHORIZE TO MONITOR AND COLLECT TRAFFIC DATA OR INFORMATION THROUGH ANY COMPUTER RESOURCE FOR CYBER SECURITY
The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the Official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. The intermediary or any person in charge of the computer resource shall, when called upon by such agency, provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information. The Government shall prescribe procedure and safeguards for monitoring and collecting traffic data or information.
Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine.
"Computer Contaminant" shall have the meaning assigned to it in section 43.
"Traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.
PROTECTED SYSTEM
The Government has notified certain computer resources as Critical Information Infrastructure to be a protected system. Critical Information Infrastructure refers to computer systems or resources the destruction or incapacitation of which would result in a debilitating impact on the national security, economy, public health or safety. The appropriate Government can, by notification in the Official Gazette, declare any computer, computer system or computer network which directly or indirectly affects the facility of a Critical Information Infrastructure to be a protected system, and authorize the persons who are authorized to access protected systems. In this regard the Government can prescribe specific information security practices and procedures. Any person who secures unauthorized access or attempts to secure unauthorized access to a protected system can be punished with imprisonment of either description for a term which can extend to ten years and can also be liable to fine.
CREATION OF NATIONAL NODAL AGENCY
The Central Government has the power, through notification, to designate any organization of the Government as the national nodal agency for Critical Information Infrastructure Protection. Such agency shall be responsible for all measures, including Research and Development, relating to protection of Critical Information Infrastructure.
INDIAN COMPUTER EMERGENCY RESPONSE TEAM TO SERVE AS NATIONAL AGENCY FOR INCIDENT RESPONSE
The Central Government has the power, through notification, to appoint an agency of the government to be called the Indian Computer Emergency Response Team. The Central Government shall provide such agency with a Director General and such other officers and employees as may be prescribed. The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security:
a. collection, analysis and dissemination of information on cyber incidents
b. forecast and alerts of cyber security incidents
c. emergency measures for handling cyber security incidents
d. coordination of cyber incidents response activities
e. issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
f. such other functions relating to cyber security as may be prescribed
For carrying out the above functions, the agency may call for information and give direction to the service providers, intermediaries, data centers, body corporate and any other person. Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with such direction shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.
PENALTY FOR MISREPRESENTATION
Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or ESC, as the case may be, can be punished with imprisonment for a term which can extend to two years, or with fine which can extend to one lakh rupees, or with both.
PENALTY FOR BREACH OF CONFIDENTIALITY AND PRIVACY
No person can publish an Electronic Signature Certificate or otherwise make it available to any other person with the knowledge that the CA listed in the certificate has not issued it or the subscriber listed in the certificate has not accepted it or the certificate has been revoked or suspended, unless such publication is in the course of verifying an electronic signature created prior to such suspension or revocation. Such a contravention can be punished with imprisonment for a term which can extend to two years, or with fine which can extend to one lakh rupees, or with both.
PENALTY FOR PUBLISHING ELECTRONIC SIGNATURE CERTIFICATE FALSE IN CERTAIN PARTICULARS
Whoever knowingly creates, publishes or otherwise makes available an ESC for any fraudulent or unlawful purpose can be punished with imprisonment for a term which can extend to two years, or with fine which can extend to one lakh rupees, or with both.
ACT TO APPLY FOR OFFENCE OR CONTRAVENTION COMMITTED OUTSIDE INDIA
The Act gives extra territorial jurisdiction in cases where the offence or contraventions are committed from outside India, by any person irrespective of his nationality. The provisions of this Act will apply also to any offence or contravention committed outside India by any person irrespective of his nationality if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. No penalty imposed or confiscation made under this Act can prevent the imposition of any other punishment to which the person affected thereby is liable under any other law for the time being in force.
CONFISCATION
Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, will be liable to confiscation. However, where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made thereunder, the court can, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening the provisions of this Act, rules, orders or regulations made thereunder as it may think fit.
INTERMEDIARIES NOT LIABLE IN CERTAIN CASES
Unless otherwise specifically provided to the contrary, an intermediary will not be liable for any third party information, data or communication link made by him. This exemption is available only if:
• The intermediary’s role is limited to providing access to a communication system over which third parties transmit information or temporarily store the same.
• The intermediary does not:
1. Initiate the transmission
2. Select the receiver of transmission or,
3. Modify the information contained in the transmission.
The exemption would however stand withdrawn if the intermediary conspires in or abets the commission of an unlawful act, or if, after having received the information from the government that any information, data or communication link residing in or connected with computer resources controlled by the intermediary is being used to commit unlawful acts, such intermediary fails to act expeditiously in removing or disabling access to such link or resource.
EXAMINER OF ELECTRONIC EVIDENCE
For the purpose of providing an expert opinion on electronic form evidence before any Court or other statutory body, the Central Government can specify, by notification in the Official Gazette, any department or body or agency of the Central Government as an examiner of electronic evidence. Here, electronic form evidence means any information of probative value which is stored and transmitted in electronic form. It includes computer evidence, digital audio and digital video, cell phones, fax machines etc.
PROTECTION OF ACTION TAKEN IN GOOD FAITH
No suit, prosecution or other legal proceeding will lie against the Central Government, the State Government, the Controller or any person acting on behalf of him, the Chairperson, Members, officers and the staff of the Cyber Appellate Tribunal for anything which is in good faith done or intended to be done in pursuance of this Act or any rule, regulation or order made there under.
ENCRYPTION METHODS
The Central Government can prescribe the modes and methods for encryption for the purposes of secure use of electronic medium and for promotion of e-governance and e-commerce.
PUNISHMENT FOR ABETMENT OF OFFENCES
When a person abets any offence and the act being abetted is committed in consequence of the abetment, such a person can be made liable for the same offence and penal consequences awarded as a result, even though abetment, by itself, cannot be an offence. An act or offence is said to be committed in consequence of abetment, when it is committed as a consequence of the instigation or a conspiracy. Any person committing an offence punishable by this Act or causes such an offence to be committed, any act during the course of such an attempt is also an offence, punishable as if it were an offence and imprisonment would extend to one-half of the longest term of imprisonment imposable or a fine or both.
PUNISHMENT FOR ATTEMPT TO COMMIT OFFENCES
Any person who attempts to commit an offence punishable by this Act will be punished with imprisonment for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence, or with both.
OFFENCES BY COMPANIES
Where a contravention of any of the provisions of this Act or of any rule, direction or order made under this Act is committed by a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company, as well as the company, will be guilty of the contravention and will be liable to be proceeded against and punished accordingly. Any person liable to punishment, if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention, will be absolved of the allegation of the contravention or committing the offence.
Where it is proved that the contravention of any of the provisions of this Act or of any rule, direction or order has taken place or been committed by a company with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer will also be deemed to be guilty of the contravention and will be liable to be proceeded against and punished accordingly. Here "company" means any body corporate and includes a firm or other association of individuals; and "director", in relation to a firm, means a partner in the firm.
REMOVAL OF DIFFICULTIES
If any difficulty arises in giving effect to the provisions of this Act, the Central Government can, by order published in the Official Gazette, make such order or direction as it deems necessary or expedient to remove such difficulties in the provisions of this Act. However, no order for removal of difficulties can be made after the expiry of a period of two years from the commencement of this Act. Every order made for the removal of difficulties will be laid, as soon as may be after it is made, before each House of Parliament.
POWER OF CENTRAL GOVERNMENT TO MAKE RULES
The Central Government can, by notification in the Official Gazette and in the Electronic Gazette make rules to carry out the provisions of this Act. In particular, and without prejudice to the generality of the foregoing power, the rules can provide for all or any of the following matters, namely:—
a. the conditions for considering the reliability of electronic signature or authentication technique;
b. the procedure for ascertaining electronic signature or authentication;
c. the manner in which any information or matter can be authenticated by the means of an electronic signature;
d. the electronic form in which filing, issue, grant or payment will be effected;
e. the manner and format in which electronic records will be filed, or issued and the method of payment;
f. the manner in which the appropriate service provider can collect, retain and appropriate service charges;
g. the matters relating to the type of electronic signature, manner and format in which it can be affixed;
h. the manner of storing and affixing electronic signature;
i. the qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers;
j. the security procedures and practices to be followed;
k. the form in which an application for license for issue of ESC, the eligibility criteria of the applicant and the period of validity of such a license, the amount of fees payable and the other documents which will accompany an application for licence, the form and the fee for renewal of a licence and the fee payable thereof;
l. the form in which application for issue of an ESC can be made and the fee to be paid for the purpose;
m. the manner in which the adjudicating officer will hold inquiry;
n. the qualification and experience which the adjudicating officer will possess;
o. the salary, allowances and the other terms and conditions of service of the Chairperson and Members;
p. the procedure for investigation of misbehaviour or incapacity of the Chairperson and Members;
q. the salary and allowances and other conditions of service of other officers and employees;
r. the form in which appeal, to the Cyber Appellate Tribunal, can be filed and the fee thereof;
s. any other power of a civil court required to be prescribed for the purposes of the Cyber Appellate Tribunal;
t. duties of any subscriber and the reasonable security practices and procedures to be adopted while dealing with sensitive personal information;
u. the powers and the functions of the Chairperson and the Members of the Cyber Appellate Tribunal;
v. safeguards for the interception or monitoring or decryption of information;
w. the information security procedures and practices to be followed in respect of protected systems;
x. guidelines to be observed by intermediaries;
y. modes and methods of encryption for promoting e-governance and e-commerce.
Every rule made by the Central Government notifying such class of documents or transactions as can be notified by the Central Government in the Official Gazette which are outside the purview of this Act and every rule made by it shall be laid, as soon as can be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which can be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the notification or the rule or both Houses agree that the notification or the rule should not be made, the notification or the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that notification or rule.
POWER OF CONTROLLER TO MAKE REGULATIONS
The Controller may, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette, make regulations consistent with this Act and the rules in relation to the following matters:
• maintenance of data-base containing the disclosure record of every Certifying Authority
• the conditions and restrictions subject to which the Controller may recognize any foreign Certifying Authority
• the terms and conditions subject to which a license may be granted to a CA
• other standards to be observed by a Certifying Authority
• the manner in which the Certifying Authority shall disclose the matters specified in relation to DSC
• the particulars of certification practice statement which shall accompany an application
• the manner by which a subscriber communicates the compromise of private key to the Certifying Authority
Every regulation made under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the regulation or both Houses agree that the regulation should not be made, the regulation shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that regulation.
POWER OF STATE GOVERNMENT TO MAKE RULES
The State Government can, by notification in the Official Gazette, make rules to carry out the provisions of this Act. In particular, and without prejudice to the generality of the foregoing power, such rules can provide for all or any of the following matters, namely:—
a. the electronic form in which filing, issue, grant receipt or payment for e licences;
b. for e returns & e payments
c. any other matter which is required to be provided by rules by the State Government.
Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.
AMENDMENT TO OTHER ACTS
The Indian Penal Code, The Indian Evidence Act, 1872, The Bankers' Books Evidence Act, 1891, The Reserve Bank of India Act, 1934, shall be amended in the manner specified in the Schedules to this Act.