NEW TECHNOLOGY LAWS

WITH SPECIAL REFERENCE TO

CYBER LAWS

Dr. ANJALI DIXIT

i
 Published by

Mittal Publication

India: SCO-367, 1st Floor, Sector 44D, Chandigarh - 160047

UK: Office 7038, 182-184 High Street North, East Ham, London E6 2JA, United Kingdom.
Email: [email protected]
Website: https://mittalpublication.com

Edition : First Published in 2023 (Mittal Publication)

ISBN : 978-81-19291-28-1
Copyright : © Dr. ANJALI DIXIT
2023 All Rights Reserved

This book has been published with all reasonable efforts taken to make the material
error-free after the consent of the respective authors. No part of this book shall be
used, reproduced in any manner whatsoever without written consent from the
editors, except in the case of brief quotations embodied in critical articles and
reviews. The author of this book is solely responsible and liable for its content.

No part of this publication may be reproduced or transmitted in any form or by any

means, electronic, mechanical, photocopying, recording or any information storage
and retrieval system, without the prior written permission of the publisher

NO. OF PAGES : 206

Price : Rs.600.00/-

ii
 PREFACE

It gives us immense pleasure and satisfaction to present the first edition of ‘New Technology
Laws With Special Reference to Cyber Laws’. Cyber Law & Technology are terms used to
describe the legal issues pertaining to the use of technologies in the field of ‘Banking’,
‘Digital world’, ‘Commerce’, ‘Intellectual Property Rights’, ‘Medical’ and ‘Pharmacy’.
This text book aims to be useful to both undergraduate and postgraduate students from a wide
variety of disciplines, including criminology, psychology and information technology.
Because of the diversity of backgrounds of potential readers, this book presumes no prior
knowledge of either the psychological or technological aspects of cybercrime – key concepts
in both areas are defined as they arise in the chapters that follow. The chapters consider
research that has been conducted in each area, but also apply psychological theories and
models to each type of cybercrime. The chapters also consider many aspects of each
cybercrime – they do not simply consider the offender, but also effects on the victims, suitable
punishments, potential preventative measures and comparisons to similar offline offences.
Most chapters stand alone, so it is possible for the reader to dip in to any point in the book.
We hope that you enjoy reading this book as much as we enjoy researching this evolving and
cutting-edge topic.

iii
 Overview of the book

Subject matters of this book has been organized in ten chapters. First chapter deals with the
concept of Cyber Law in India. It covers the salient features of the Information Technology
Act, 2000 with the special reference to ‘Cyber Appellate Tribunal’. Chapter two covers the
various kinds of cyber crimes with the penalties under the laws. This chapter considers crimes
that can occur without computers but that have become more prevalent or easier because of
technology – such as copyright infringement, fraud, identity theft, terrorism, bullying,
stalking, child pornography and sexual predation of children. Chapter three basically deals
with the new concept of digital personal data protection in India. Chapter four consist with the
E-Commerce and online contract system. Chapter five highlight the E-Banking system in
India and Chapter six online security offerings.
Chapter seven introduce the reader to the key concepts involved – specifically IP Rights and
related issues. Chapter eight and nine covers the use of technology in the field of the
broadcasting and medical science. Chapter ten covers the E- pharmacy concept in India.
This text has been designed as per the syllabus of the various Universities throughout India.
We are fully confident that the book would prove useful to the students of Under graduation,
Post graduation and beneficial for the research scholars as well as professionals.
Certainly no book can be completed without active cooperation and appreciation of colleagues
and friends. We would like to place on record our sincere thanks to all friends. We express our
gratitude to our family members for their constant support and understanding without which
this project would never have been completed.
This book would not have taken its present shape without the continuous support and
encouragement from the editorial and production team of Mittal Publications.. We hope the
readers will enjoy reading the book as much as we enjoyed writing it. Though all possible care
has been taken to avoid errors, we would be thankful if errors and misprints are pointed out by
learned teachers and students.

iv
 CONTENTS

S.NO. CHAPTERS PAGE

NUMBERS
1. CYBER LAW IN INDIA
1
A- INTRODUCTION
• Advantages of Cyber Laws
• Historical Background
• Areas of Cyber Laws
• Objectives of Information Technology legislation
in India

B- NEED OF CYBER LAW

C- SALIENT FEATURES OF INFORMATION

TECHNOLOGY ACT, 2000
• Features of Information Technology Act, 2000
• Overview of Information Technology Act, 2000
• Applicability
• Definitions

D- CYBER APPELLATE TRIBUNAL

• Establishment of the Tribunal
• Composition
• Qualifications for appointment
• The Term of Office
• Powers
• Finality of Orders
• Appeal to Cyber Appellant Tribunal
• Power and procedure of the Cyber Appellant Tribunal
• Right to Legal Representation
• Civil Court not to have jurisdiction
• Appeal to the High Court
• Compounding of contraventions
• Recovery of Penalty

v
2. CYBER OFFENCES & PENALTIES 32

• Introduction
• Structure of the Information Technology Act, 2000
• Cyber Offences and Penalties under the Information
Technology Act, 2000 as amended in 2008
• Tampering with computer source documents
• Punishment for sending offensive messages through
communication service, etc.
• Punishment for dishonestly receiving stolen computer
resource or communication device
• Punishment for identity theft
• Punishment for cheating by personation by using
computer resource
• Punishment for violation of privacy
• Punishment for Cyber Terrorism
• Punishment for publishing or transmitting obscene
material in electronic form
• Punishment for publishing or transmitting of material
containing sexually explicit act etc. in electronic form
• Punishment for publishing or transmitting of material
depicting children in sexually explicit act etc. in
electronic form
• Transmission of electronic message and
communication
• Commentary on the powers to intercept, monitor and
block websites
• Penalty for misrepresentation
• Penalty for breach of confidentiality and privacy
• Punishment for disclosure of information in breach of
lawful contract
• Penalty for publishing Electronic Signature Certificate
false in certain particulars
• Publication for fraudulent purpose
• Act to apply for offence or contravention committed
outside India
• Cyber Offences and Penalties and Punishments
• Legislations in other nations

vi
3. DIGITAL PERSONAL DATA PROTECTION IN INDIA 50
• Need for data protection laws
• When can the government interfere with data
• Scope of the Act
• Objectives of the Act
• Salient features of the Act
• Major amendments in legislation
• Development of data protection legislations in India
• Digital Personal Data Protection Bill (DPDP Bill,
2022)
• Key Features of The DPDP Act, 2023
• New Regulatory Structure for Regulating Data Privacy

4. E-COMMERCE & ONLINE CONTACTING

• Introduction 75
• Definitions
• History of E-Commerce
• Salient features of e-commerce
• Advantages of E-commerce
• Proxy Services
• Models of E-commerce
• E-Commerce Applications
• Online Privacy And E-Contracts
• Formation of Online Contract
• Validity of Online Contract
• Evidentiary Value of Online Contract
• Remedies For Breach of Online Contract
• Online privacy issues related to e-contracts
• Indian laws governing e-contracts

5. E-BANKING
• Introduction 98
• Different types of online financial transactions
• Issues in Internet Banking

vii
 • Threats to Mobile Banking
• Best Practices for Users to remain safe
• The legal structure of e-banking in India
• Security Standards Of RBI

6. ONLINE SECURITIES OFFERING

• Introduction 116
• Understanding Security Token Offerings and their
Interplay with Securities Law in India
• The National Strategy on Blockchain
• RBI on macro-financial risks
• CERT Guidelines
• Central Bank Digital Currency (“CBDC”)
• Prevention of money laundering
• Digital lending
• Legal Challenges
• Impending contemporaneous legislation
• Law surrounding Exchanges
• Potential Way Forward
• SEBI’s Regulatory Framework for Online Bond
Trading Platform
• Over-The-Counter Exchange of India

7. COMMERCE AND INTELLECTUAL PROPERTY ISSUES

• Introduction 129
• What is IPR?
• Types of IPR
• Importance of Intellectual Property in E-Commerce
• What is the Commercialization of IPR?
• Competition Law and IPR
• Confidentiality Issues and Its Maintenance
• Employee Confidentiality

8. BROADCASTING
• Introduction 145
• Radio Services
• Foreign Investment
A- REGULATION AND CONTROL OF BROADCASTING
B-LAW RELATING TO CABLE TV NETWORK

viii
9. GENETIC AND MEDICAL TECHNOLOGIES
167
A- REGULATION OF GENETIC TECHNOLOGY
B- RULES AND REGULATIONS OF MEDICAL
TECHNOLOGY
10. E-PHARMACY & TECHNOLOGIES 181

ix
x
 CHAPTER 1

CYBER LAWS IN INDIA

Introduction
As globalization and computerization grew rapidly in India, cyber regulations began to take
shape. Every year, a startling number of cybercrimes are reported in India, and the problem is
only getting worse. This is due to India's digital transformation, which has increased the pool
of naive targets for cyber con artists. This necessitates having a fundamental understanding of
the regulations that apply to India's cyberspace.
Year 2008 saw an amendment to India's Cyber Laws, often known as the Information
Technology Act, which added cybercrimes relating to banking and financial operations.
The area of the legal system that is related to legal informatics and that regulates the electronic
exchange of information, e-commerce, software, and information security is known as cyber
law, also known as Internet law or cyber law. It is connected to legal informatics and
electronic components like computers, software, hardware, and information systems. It covers
a wide range of themes, including online privacy and freedom of expression, as well as access
to and use of the Internet, which includes several subtopics.
Cyber Laws in India
India has laws against cybercrime, which is any crime committed using technology and a
computer as a tool. Citizens are prevented from sharing private information with strangers
online by cybercrime laws. Internet law and regulation are collectively referred to as "cyber
law" in this context. Cyber laws cover anything that has to do with, is connected to, or results
from legal matters or any citizen activity in cyberspace.
• Legal issues relating to the usage of network information technology and devices'
distributive, transactional, and communicative features are covered by cyber law. It
covers all of the laws, regulations, and constitutional clauses that apply to networks
and computers.
The Act defines the various types of cybercrime and the penalties associated with them.
Crime is both a social and economic phenomenon. It is as old as human society. Many ancient
books right from pre-historic days, and mythological stories have spoken about crimes
committed by individuals be it against another individual like ordinary theft and burglary or
against the nation like spying, treason etc.
Kautilya’s Arthashastra written around 350 BC, considered to be an authentic administrative
treatise in India, discusses the various crimes, security initiatives to be taken by the rulers,
possible crimes in a state etc. and also advocates punishment for the list of some stipulated

1 | New Technology Laws With Special Reference To Cyber Laws

offences. Different kinds of punishments have been prescribed for listed offences and the
concept of restoration of loss to the victims has also been discussed in it.
Crime is both a social and economic phenomenon. It is as old as human society. Many ancient
books right from pre-historic days, and mythological stories have spoken about crimes
committed by individuals be it against another individual like ordinary theft and burglary or
against the nation like spying, treason etc. Kautilya’s Arthashastra written around 350 BC,
considered to be an authentic administrative treatise in India, discusses the various crimes,
security initiatives to be taken by the rulers, possible crimes in a state etc. and also advocates
punishment for the list of some stipulated offences. Different kinds of punishments have been
prescribed for listed offences and the concept of restoration of loss to the victims has also been
discussed in it.
Crime in any form adversely affects all the members of the society. In developing economies,
cyber crime has increased at rapid strides, due to the rapid diffusion of the Internet and the
digitisation of economic activities. Thanks to the huge penetration of technology in almost all
walks of society right from corporate governance and state administration, up to the lowest
level of petty shop keepers computerizing their billing system, we find computers and other
electronic devices pervading the human life. The penetration is so deep that man cannot spend
a day without computers or a mobile. Snatching some one’s mobile will tantamount to
dumping one in solitary confinement!
Cyber Crime is not defined in Information Technology Act 2000 nor in the I.T. Amendment
Act 2008 nor in any other legislation in India. In fact, it cannot be too. Offence or crime has
been dealt with elaborately listing various acts and the punishments for each, under the Indian
Penal Code, 1860 and quite a few other legislations too. Hence, to define cyber crime, we can
say, it is just a combination of crime and computer. To put it in simple terms ‘any offence or
crime in which a computer is used is a cyber crime’. Interestingly even a petty offence like
stealing or pick-pocket can be brought within the broader purview of cyber crime if the basic
data or aid to such an offence is a computer or an information stored in a computer used (or
misused) by the fraudster. The I.T. Act defines a computer, computer network, data,
information and all other necessary ingredients that form part of a cyber crime, about which
we will now be discussing in detail.1
In a cyber crime, computer or the data itself the target or the object of offence or a tool in
committing some other offence, providing the necessary inputs for that offence. All such acts
of crime will come under the broader definition of cyber crime.
The Genesis of IT legislation in India: Mid 90’s saw an impetus in globalization and
computerization, with more and more nations computerizing their governance, and e-
commerce seeing an enormous growth. Until then, most of international trade and transactions
were done through documents being transmitted through post and by telex only. Evidences
and records, until then, were predominantly paper evidences and paper records or other forms
of hard-copies only. With much of international trade being done through electronic
communication and with email gaining momentum, an urgent and imminent need was felt for

1
Information Technology Act, 2000, Preamble
2 | New Technology Laws With Special Reference To Cyber Laws
recognizing electronic records ie the data what is stored in a computer or an external storage
attached thereto. The United Nations Commission on International Trade Law (UNCITRAL)
adopted the Model Law on e-commerce in 1996. The General Assembly of United Nations
passed a resolution in January 1997 inter alia, recommending all States in the UN to give
favourable considerations to the said Model Law, which provides for recognition to electronic
records and according it the same treatment like a paper communication and record. The
Information Technology Act 20002, which was passed and revised in 2008 to cover many
types of offenses under Indian cyber law, has been in effect since the establishment of cyber
laws in India. This Act is based on the Resolution A/RES/51/162 adopted by the General
Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic
Commerce earlier adopted by the United Nations Commission on International Trade Law
(UNCITRAL) in its twenty ninth session3.
UNCITRAL’s Model Law on Electronic Commerce but it also unfolds various aspects of
information technology to promote efficient delivery of Government services by means of
reliable electronic records.
The question is weather UNCITRAL’s Model Law on Electronic Commerce cold be used as
an external aid to interpret various provisions of the Act? One has to be careful in using
external aid , like the Model Law to interpret the legislative intent behind the Act.
It was held by the Supreme Court in Konkan Rialway Corporation Ltd. v. Rani Construction
(P) Ltd. 4,
“That the UNCITRAL Model Law (on International Arbitration ) was only taken into account
in the drafting of the Arbitration and Conciliation Act, 1996 is patent from the statement of
objects and reasons of the Act. The Act and the Model Law are not identically drafted”…..
“the Model Law and judgments and literature thereon are, therefore, not a guide to the
interpretation of the Act…”
It is important to understand that while enacting the Information Technology Act, 2000, the
legislative intent has been two fold, over that the enactment of such a nature should not ignore
the national or municipal perspective of information technology and two that the enactment to
have an international perspective as advocated by the said Model Law.
Advantages of Cyber Laws
Following are the major advantages of cyber law
• Utilizing the legal framework, the Act provides, businesses can now conduct e-
commerce.

2
Information Technology Act, 2000
3
The UN General Assembly by its resolution 2205 (XXI)of 17 December, 1966 created United Nations
Commission on International Trade Law (UNCITRAL) with a mandate to further the progressive
harmonization and unification of the law of International trade and in that prospect to bear in mind
the interests of all people, in particular these of developing countries in the extensive development of
international trade by adopting Model Laws of different genre.
4
(2002) 2 SCC 388
3 | New Technology Laws With Special Reference To Cyber Laws
 • In the Act, digital signatures have been given legitimacy and authorization.
• It has made it possible for corporate organizations to issue digital signature certificates
and operate as certifying authorities.
• It paves the way for e-government by enabling the government to publish alerts
online.
• It allows businesses or organizations to electronically submit any forms, applications,
or other documents to any offices, authorities, bodies, or agencies that are owned or
managed by the appropriate government using any e-forms that may be specified by
that government.
• The IT Act also addresses the crucial security concerns that are essential to the
success of electronic transaction.
Historical Background
On October 17, 2000, the Information Technology Act of 2000 went into effect. This Act is
applicable to all of India, and its provisions also apply to any violation or offense committed
by any individual, regardless of nationality, even outside the Republic of India's territorial
authority. Such an offense or contravention shall include a computer, computer system, or
computer network located in India that is subject to the provisions of this Act. The
extraterritorial applicability of the provisions of the IT Act 2000 is provided by Section 1(2)
read in conjunction with Section 75 5 . Moreover, the Act further amends the Indian Penal
Code, 1860, The Indian Evidence Act, 1872, the Banker’s Books Evidence Act, 1891 and the
Reserve Bank of India Act, 1934.
The Information Technology Act of 2000 in India has made an effort to include legal ideas
found in other information technology-related laws that have already been passed in other
nations as well as different information technology law-related guidelines. The Act recognizes
electronic signatures and grants electronic contracts legal validity. Defamation (sending
offensive communications), hacking, data theft, virus spreading, identity theft, pornography,
child pornography, and cyber terrorism are now all considered crimes under this modern
legislation.
Cyber laws cover the following statutes, rules, and guidelines.
• Information Technology Act,2000
• Information Technology (Certifying Authorities) Rules,2000
• Information Technology (Security Procedure) Rules, 2004
• Information Technology (Certifying Authority) Regulations, 2001
• The Indian Evidence Act, 1872
• The Bankers Books Evidence Act, 1891

5
Information Technology Act, 2000, Section 2 r/w Section 75
4 | New Technology Laws With Special Reference To Cyber Laws
The government has moved to expedite the process of updating the IT Act as a result of
emerging technology, an explosion in digital business models, and a significant rise in
cybercrime.
By providing the necessary inputs, the computer or data itself serves as the victim, the object
of the crime, or a tool in committing another crime in a cybercrime. All of these criminal
activities fall under the broad concept of "cybercrime."
Cyber law includes regulations on
• Online crimes
• Digital and electronic signatures
• Intangible assets
• Preserving the privacy of data
Areas of Cyber Laws
There are seven areas where cyber law used most −
• Fraud − Cyber laws are essential to consumers' protection against online fraud.
Legislation is created to stop online financial crimes, including credit card theft,
identity theft, and others. Identity thieves may be charged as accomplices or as state
criminals. They might also run into a victim-driven civil lawsuit. Cyber attorneys
work to both defend and prosecute clients accused of online fraud.
• Copyright − Copyright violations have become easier because of the internet.
Copyright infringement was all too common in the early days of online
communication. To file a lawsuit to impose copyright protections, businesses and
individuals both need lawyers. Cyber law defends people's and businesses' rights to
make money off of their creative works in the domain of copyright violation.
• Defamation − Many employees use the internet to express themselves. Using the
internet to spread untrue information might cross the line into defamation. Laws
against defamation are civil laws that protect people from false public statements that
might hurt someone's reputation or a business. Defamation legislation refers to when
individuals use the internet to make claims that are illegal under civil laws.
• Harassment and Stalking − Criminal laws that prohibit stalking and harassment can
occasionally be broken by online words. There is a violation of both civil and criminal
statutes when someone repeatedly posts threatening comments about another
individual online. When stalking occurs online or through other electronic
communication, cyber lawyers both prosecute and defend the victim.
• Freedom of Speech − An essential component of internet law is freedom of speech.
Freedom of speech rules also let people express their opinions, despite the fact that
cybercrime laws prohibit specific acts online. The boundaries of free expression,
particularly those imposed by laws against obscenity, must be discussed with clients

5 | New Technology Laws With Special Reference To Cyber Laws

 by cyber attorneys. In cases where it is disputed whether a client's acts qualify as free
speech, cyber lawyers may also stand up for their clients.
• Trade secrets − Cyber laws are frequently used by businesses doing online
transactions to safeguard their trade secrets. For instance, the algorithms used by
Google and other online search engines to generate search results are developed over a
long period of time. They also devote a lot of work to creating other features,
including search services for flights, intelligent assistance, and maps. Cyber security
laws support these businesses in taking legal action when required to safeguard their
trade secrets.
• Contract and Employment − Cyber law is used each time a user clicks a button
acknowledging their agreement to a website's terms and conditions. Every website has
terms and conditions relating to privacy issues in some way6.
Objectives of Information Technology legislation in India: .
It is against this background the Government of India enacted its Information Technology Act
2000 with the objectives as follows, stated in the preface to the Act itself
“to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as
"electronic commerce", which involve the use of alternatives to paper-based methods of
communication and storage of information, to facilitate electronic filing of documents with the
Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act,
1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and
for matters connected therewith or incidental thereto.”
The Information Technology Act, 2000, was thus passed as the Act No.21 of 2000, got
President assent on 9 June and was made effective from 17 October 2000.
The Act essentially deals with the following issues:
• Legal Recognition of Electronic Documents
• Legal Recognition of Digital Signatures
• Offenses and Contraventions
• Justice Dispensation Systems for cyber crimes.
Amendment Act 2008: Being the first legislation in the nation on technology, computers and
ecommerce and e-communication, the Act was the subject of extensive debates, elaborate
reviews and detailed criticisms, with one arm of the industry criticizing some sections of the
Act to be draconian and other stating it is too diluted and lenient. There were some
conspicuous omissions too resulting in the investigators relying more and more on the time-
tested (one and half century-old) Indian Penal Code even in technology based cases with the
I.T. Act also being referred in the process and the reliance more on IPC rather on the ITA.
Thus the need for an amendment – a detailed one – was felt for the I.T. Act almost from the
year 2003- 04 itself. Major industry bodies were consulted and advisory groups were formed

6
Information Technology Act, 2000
6 | New Technology Laws With Special Reference To Cyber Laws
to go into the perceived lacunae in the I.T. Act and comparing it with similar legislations in
other nations and to suggest recommendations. Such recommendations were analysed and
subsequently taken up as a comprehensive Amendment Act and after considerable
administrative procedures, the consolidated amendment called the Information Technology
Amendment Act 2008 was placed in the Parliament and passed without much debate, towards
the end of 2008 (by which time the Mumbai terrorist attack of 26 November 2008 had taken
place). This Amendment Act got the President assent on 5 Feb 2009 and was made effective
from 27 October 2009.
Features of Information Technology Act, 2000
Following are the features of the Act:
• The Act is based on the Model Law on e-commerce adopted by UNCITRAL.
• It has extra-territorial jurisdiction.
• It defines various terminologies used in the Act like cyber cafes, computer
systems, digital signatures, electronic records, data, asymmetric cryptosystems,
etc under Section 2(1). 7
• It protects all the transactions and contracts made through electronic means and
says that all such contracts are valid. (Section 10A)8
• It also gives recognition to digital signatures and provides methods of
authentication.
• It contains provisions related to the appointment of the Controller and its powers.
• It recognises foreign certifying authorities (Section 19)9.
• It also provides various penalties in case a computer system is damaged by
anyone other than the owner of the system10.
• The Act also provides provisions for an Appellate Tribunal to be established
under the Act. All the appeals from the decisions of the Controller or other
Adjudicating officers lie to the Appellate tribunal.
• Further, an appeal from the tribunal lies with the High Court.
• The Act describes various offences related to data and defines their punishment.
• It provides circumstances where the intermediaries are not held liable even if the
privacy of data is breached.
• A cyber regulation advisory committee is set up under the Act to advise the
Central Government on all matters related to e-commerce or digital signatures.

7
Information Technology Act, 2000, Section 2
8
Information Technology Act, 2000, Section 10-A
9
Information Technology Act, 2000, Section 19
10
Information Technology Act, 2000
7 | New Technology Laws With Special Reference To Cyber Laws
How the Act is structured: The Act totally has 13 chapters and 90 sections (the last four
sections namely sections 91 to 94 in the ITA 200011 dealt with the amendments to the four
Acts namely the Indian Penal Code 1860, The Indian Evidence Act 1872, The Bankers’ Books
Evidence Act 1891 and the Reserve Bank of India Act 1934). The Act begins with preliminary
and definitions and from thereon the chapters that follow deal with authentication of electronic
records, digital signatures, electronic signatures etc
Elaborate procedures for certifying authorities (for digital certificates as per IT Act -2000 and
since replaced by electronic signatures in the ITAA -2008) have been spelt out. The civil
offence of data theft and the process of adjudication and appellate procedures have been
described. Then the Act goes on to define and describe some of the well-known cyber crimes
and lays down the punishments therefore. Then the concept of due diligence, role of
intermediaries and some miscellaneous provisions have been described.
Rules and procedures mentioned in the Act have also been laid down in a phased manner, with
the latest one on the definition of private and sensitive personal data and the role of
intermediaries, due diligence etc., being defined as recently as April 2011.
Overview of Information Technology Act, 2000
The Act deals with e-commerce and all the transactions done through it. It gives provisions for
the validity and recognition of electronic records along with a license that is necessary to issue
any digital or electronic signatures. The article further gives an overview of the Act.
As the Act has laid down the statutory principles as ‘Information Technology’ it is hence
being referred as the Information Technology Act.
The aforesaid sub-section (2) provides that the Act extends to the whole of India (including
Jammu & Kashmir). In order to extend the provisions of Act to the State of Jammu &
Kashmir, Article 253 of the Constitution of India12.
Also, in the true spirit of ‘one wired’ world the Act applies to any offence or contravention
committed there under outside India by any person. In other words the Act’s extent is to cover:
“any offence or contravention committed outside India by any person”13.
This is nothing but an international perspective that the Act is looking into. The sub-section
(2) highlights extra territorial’s jurisdictional power of the nation over the wrong doer,
irrespective of his nationality, domicile status, etc14.

11
Information Technology Act, 2000, Sections 91-99
12
Article 253 of the Constitution of India deals with the law to give effect to international agreements.
It states that Parliament has the power to make laws for the whole or any part of the country for
carrying into effect the agreements with one or more countries.
13
Information Technology Act, 2000, Section 75 (1)
14
Information Technology Act, 2000, Section 75 (2) , For the purposes of sub-section (1), this Act shall
apply to an offence or contravention committed outside India by any person if the act or conduct
constituting the offence or contravention involves a computer, computer system or computer network
located in India
8 | New Technology Laws With Special Reference To Cyber Laws
Applicability: The Act extends to the whole of India and except as otherwise provided, it
applies to also any offence or contravention there under committed outside India by any
person. There are some specific exclusions to the Act (ie where it is not applicable) as detailed
in the First Schedule, stated below:
a) negotiable instrument (Other than a cheque) as defined in section 13 of the Negotiable
Instruments Act, 1881;
b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
c) a trust as defined in section 3 of the Indian Trusts Act, 1882
d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 including
any other testamentary disposition
e) any contract for the sale or conveyance of immovable property or any interest in such
property;
f) any such class of documents or transactions as may be notified by the Central Government
Definitions:
The Information Technology Act, 2000 15 defines many important words used in common
computer parlance like ‘access’, ‘computer resource’, ‘computer system’, ‘communication
device’, ‘data’, ‘information’, ’security procedure’ etc.
“Access”16 has been defined with reference to a ‘computer’ [S. 2(1) (i)] ‘computer system’ [S.
2(1) (l)], ‘computer network’[S. 2(1) (j)], ‘Communication devices’ [S. 2(1) (ha)] as defined
under the Act.
The term covers both physical and virtual access to a computer, computer system or computer
networks. Unauthorized access means unauthorized access with the logical, arithmetical or
memory function resources of a computer network or communication device.
“Addressee”17 is to be read and understood in relation with the originator [ S. 2(1) (b) and
intermediary [ S. 2(1) (w) as defined under the Act. An addressee is a recipient of the
electronic record planned by the originator.
“Adjudicating officer” 18 is one of the statutory authority under this Act. Power of the
adjudicating officer is to adjudge any person who has committed a contravention under the
Chapter IX of this Act.

15
Information Technology Act, 2000
16
Information Technology Act, 2000, Section 2 (1) (a), ‘ Access’ with its grammatical variations and
cognate expressions means gaining entry into, instructing or communicating with the logical,
arithmetical, or memory function resources of a computer, computer system or computer network;’
17
Information Technology Act, 2000, Section 2 (1) (b), ‘―addressee‖ means a person who is intended
by the originator to receive the electronic record but does not include any intermediary;’
18
Information Technology Act, 2000, Section 2 (1) (c), ‘adjudicating officer‖ means an adjudicating
officer appointed under sub-section (1) of section 46’
9 | New Technology Laws With Special Reference To Cyber Laws
“Affixing electronic signature” with its grammatical variations and cognate expressions means
adoption of any methodology or procedure by a person for the purpose of authenticating an
electronic record by means of digital signature19.
A person or subscriber may authenticate an electronic record by affixing his electronic
signature.
“Appellate Tribunal‖ means the Appellate Tribunal referred to in sub-section (1) of section
4820”
“Appropriate Government” means as respects any matter,– (i) enumerated in List II of the
Seventh Schedule to the Constitution; (ii) relating to any State law enacted under List III of
the Seventh Schedule to the Constitution, the State Government and in any other case, the
Central Government21.
Term appropriate Government has been referred to in the following Sections. -
Section 6(1) & Section 6(2) Use electronic records & electronic
signatures in Government and its agencies
Section 6 A Delivery of services by service providers
Section 69 Power to issue directions to intercept, monitor
or decrypt any information through any
computer resource
Section 70 Protected System
Section 79 Exemption from liability of Intermediary in
certain cases

That is, any State under the Union of India has the power to frame rules to carry out the
provisions regarding ‘use of electronic records and electronic (digital) signatures in
Government and its agencies’ 22 and declaring any computer resources which directly or
indirectly affects the facility of Critical Information Infrastructure, to be a protected system. 23
“Asymmetric crypto system”24, ‘means a system of a secure key pair consisting of a private
key for creating a digital signature and a public key to verify the digital signature 25’.

19
Information Technology Act, 2000, Section 2 (1) (d)
20
Information Technology Act, 2000, Section 2 (1) (da). Ins. by Act 7 of 2017, S. 169
21
Information Technology Act, 2000, Section 2 (1) (e).
22
Information Technology Act, 2000, Section 6
23
Information Technology Act, 2000, Section 70
24
Schedule V of the Information Technology (Certifying Authorities) Rules, 2000, defines encryption
as- “The process of transforming plaintext data into an unintelligible form (cipher text) such that the
original data either cannot be recovered (one-way encryption) or cannot be recovered without using an
inverse decryption process (two-way encryption).”
25
Information Technology Act, 2000, Section 2 (f)
10 | New Technology Laws With Special Reference To Cyber Laws
The Act provides a dual key approach, where one key is used to encrypt (private key) 26 and
other one to decrypt (public key) 27 to create and verify electronic signature respectively. The
aforesaid definition highlights a secured system of creating and verifying electronic signature.
“Certifying Authority” means a person who has been granted a licence to issue a electronic
signature Certificate under section 24 by the Controller of Certifying Authority to issue
Electronic Signature28 Certificate to the subscribers29.
Presently there are eight licensed CAs in India. They are: Customs and Central Excise,
National Informatics Center (NIC), Institute of Development & Research in Banking
Technology (IDRBT), Tata Consultancy Services Ltd., Mahanagar Telephone Nigam Ltd.
(MTNL), Safescrypt Ltd. & (n) Code Solutions and E-Mudra.
“Certification practice statement” means a statement issued by a Certifying Authority to
specify the practices that the Certifying Authority employs in issuing electronic signature 30
Certificates31. Certification practice statement represents a kind of contractual obligation that a
Certifying Authority has to fulfill vis-à-vis Controller and the subscriber. A Certification
practice statement controls the Certifying Authority’s public certificate issueance, acceptance,
use, suspension, activation and revocation of a Electronic Signature Certificate Significantly
over a period of time CA’s may amend their respective CPS.
“Communication device”, means cell phones, personal digital assistance or combination of
both or any other device used to communicate, send or transmit any text, video, audio or
image32.
The definition of the word ‘computer’ itself assumes significance here.
‘Computer’ means any electronic magnetic, optical or other high-speed data processing device
or system which performs logical, arithmetic, and memory functions by manipulations of
electronic, magnetic or optical impulses, and includes all input, output, processing, storage,
computer software, or communication facilities which are connected or related to the
computer in a computer system or computer network;
So is the word ‘computer system’ which means a device or a collection of devices with input,
output and storage capabilities. Interestingly, the word ‘computer’ and ‘computer system’
have been so widely defined to mean any electronic device with data processing capability,
performing computer functions like logical, arithmetic and memory functions with input,
storage and output capabilities. A careful reading of the words will make one understand that a
high-end programmable gadgets like even a washing machine or switches and routers used in
a network can all be brought under the definition

26
Information Technology Act, 2000, Section 2(1) (zc)
27
Information Technology Act, 2000, Section 2 (1)(zd)
28
As subs. by Act 10 of 2009
29
Information Technology Act, 2000, Section 2 (1)(g)
30
As subs. by Act 10 of 2009
31
Information Technology Act, 2000, Section 2 (1)(h)

32
Information Technology Act, 2000, Section 2(1)(ha)
11 | New Technology Laws With Special Reference To Cyber Laws
Similarly the word ‘communication devices’ inserted in the ITAA-200833 has been given an
inclusive definition, taking into its coverage cell phones, personal digital assistance or such
other devices used to transmit any text, video etc like what was later being marketed as i-Pad
or other similar devices on Wi-fi and cellular models. Definitions for some words like ‘cyber
café’ were also later incorporated in the ITAA 2008 when ‘Indian Computer response
Emergency Team’ was included.
Digital Signature: ‘Electronic signature’ was defined in the ITAA -2008 whereas the earlier
ITA -2000 covered in detail about digital signature, defining it and elaborating the procedure
to obtain the digital signature certificate and giving it legal validity. Digital signature was
defined in the ITA -2000 as “authentication of electronic record” as per procedure laid down
in Section 3 and Section 3 discussed the use of asymmetric crypto system and the use of
Public Key Infrastructure and hash function etc. This was later criticized to be technology
dependent ie., relying on the specific technology of asymmetric crypto system and the hash
function generating a pair of public and private key authentication etc.
Electronic records and signatures
The Act defines electronic records under Section 2(1)(t)34, which includes any data, image,
record, or file sent through an electronic mode. According to Section 2(1)(ta), any signature
used to authenticate any electronic record that is in the form of a digital signature is called an
electronic signature. However, such authentication will be affected by asymmetric
cryptosystems and hash functions as given under Section 3 of the Act.
Section 3A further gives the conditions of a reliable electronic signature. These are:
• If the signatures are linked to the signatory or authenticator, they are considered
reliable.
• If the signatures are under the control of the signatory at the time of signing.
• Any alteration to such a signature must be detectable after fixation or alteration.
• The alteration done to any information which is authenticated by the signature
must be detectable.
• It must also fulfill any other conditions as specified by the Central Government.
The government can anytime make rules for electronic signatures according to Section 10 of
the Act. The attribution of an electronic record is given under Section 11 of the Act. An
electronic record is attributed if it is sent by the originator or any other person on his behalf.
The person receiving the electronic record must acknowledge the receipt of receiving the
record in any manner if the originator has not specified any particular manner. (Section 12).
According to Section 13, an electronic record is said to be dispatched if it enters another
computer source that is outside the control of the originator. The time of receipt is determined
in the following ways:
• When the addressee has given any computer resource,

33
Information Technology (Amendment) Act, 2008
34
Information Technology Act, 2000, Section 2
12 | New Technology Laws With Special Reference To Cyber Laws
 o Receipt occurs on the entry of an electronic record into the
designated computer resource.
o In case the record is sent to any other computer system, the receipt
occurs when it is retrieved by the addressee.
• When the addressee has not specified any computer resource, the receipt occurs
when the record enters any computer source of the addressee.
e-Governance: Chapter III discusses Electronic governance issues and procedures and the
legal recognition to electronic records is dealt with in detail in Section 4 followed by
description of procedures on electronic records, storage and maintenance and according
recognition to the validity of contracts formed through electronic means.
Certifying authorities
Appointment of Controller35
Section 17 talks about the appointment of the controller, deputy controllers, assistant
controllers, and other employees of certifying authorities. The deputy controllers and assistant
controllers are under the control of the controller and perform the functions as specified by
him. The term, qualifications, experience and conditions of service of the Controller of
certifying authorities will be determined by the Central Government. It will also decide the
place of the head office of the Controller.
Functions of the Controller36
According to Section 18, the following are the functions of the Controller of certifying
authority:
• He supervises all the activities of certifying authorities.
• Public keys are certified by him.
• He lays down the rules and standards to be followed by certifying authorities.
• He specifies the qualifications and experience required to become an employee of
a certifying authority.
• He specifies the procedure to be followed in maintaining the accounts of
authority.
• He determines the terms and conditions of the appointment of auditors.
• He supervises the conduct of businesses and dealings of the authorities.
• He facilitates the establishment of an electronic system jointly or solely.
• He maintains all the particulars of the certifying authorities and specifies the
duties of the officers.
• He has to resolve any kind of conflict between the authorities and subscribers.

35
Information Technology Act, 2000, Section 17
36
Information Technology Act, 2000, Section 18
13 | New Technology Laws With Special Reference To Cyber Laws
 • All information and official documents issued by the authorities must bear the
seal of the office of the Controller.
License for electronic signatures 37
It is necessary to obtain a license certificate in order to issue an electronic signature. Section
21 of the Act provides that any such license can be obtained by making an application to the
controller who, after considering all the documents, decides either to accept or reject the
application. The license issued is valid for the term as prescribed by the central government
and is transferable and heritable. It is regulated by terms and conditions provided by the
government.
According to Section 22 of the Act, an application must fulfill the following requirements:
• A certificate of practice statement.
• Identity proof of the applicant.
• Fees of Rupees 25,000 must be paid.
• Any other document as specified by the central government.
The license can be renewed by making an application before 45 days from the expiry of the
license along with payment of fees, i.e., Rupees 25000. (Section 23)
Any license can be suspended on the grounds specified in Section 24 of the Act. However, no
certifying authority can suspend the license without giving the applicant a reasonable
opportunity to be heard. The grounds of suspension are:
• The applicant makes a false application for renewal with false and fabricated
information.
• Failure to comply with the terms and conditions of the license.
• A person fails to comply with the provisions of the Act.
• He did not follow the procedure given in Section 30 of the Act.
The notice of suspension of any such license must be published by the Controller in his
maintained records and data.
Powers of certifying authorities38
Following are the powers and functions of certifying authorities:
• Every such authority must use hardware that is free from any kind of intrusion.
(Section 3039)
• It must adhere to security procedures to ensure the privacy of electronic
signatures.

37
Information Technology Act, 2000, Section 21
38
Information Technology Act, 2000, Section 30
39
Information Technology Act, 2000, Section 30
14 | New Technology Laws With Special Reference To Cyber Laws
 • It must publish information related to its practice, electronic certificates and the
status of these certificates.
• It must be reliable in its work.
• The authority has the power to issue electronic certificates. (Section 3540)
• The authority has to issue a digital signature certificate and certify that:
o The subscriber owns a private key along with a public key as given
in the certificate.
o The key can make a digital signature and can be verified.
o All the information given by subscribers is accurate and reliable.
• The authorities can suspend the certificate of digital signature for not more than
15 days. (Section 3741)
• According to Section 38, a certificate can be revoked by the authorities on the
following grounds:
o If the subscriber himself makes such an application.
o If he dies.
o In case, the subscriber is a company then on the winding up of the
company, the certificate is revoked.
Circumstances where intermediaries are not held liable42
Section 2(1)(w) of the Act defines the term ‘intermediary’ as one who receives, transmits, or
stores data or information of people on behalf of someone else and provides services like
telecom, search engines and internet services, online payment, etc. Usually, when the data
stored by such intermediaries is misused, they are held liable. But the Act provides certain
instances where they cannot be held liable under Section 7943. These are:
• In the case of third-party information or communication, intermediaries will not
be held liable.
• If the only function of the intermediary was to provide access to a communication
system and nothing else, then also they are not held liable for any offence.
• If the intermediary does not initiate such transmissions or select the receiver or
modify any information in any transmission, it cannot be made liable.
• The intermediary does its work with care and due diligence.
However, the section has the following exemptions where intermediaries cannot be exempted
from the liability:

40
Information Technology Act, 2000, Section 35
41
Information Technology Act, 2000, Section 37
42
Information Technology Act, 2000, Section 79
43
Information Technology Act, 2000, Section 79
15 | New Technology Laws With Special Reference To Cyber Laws
 • It is involved in any unlawful act either by abetting, inducing or by threats or
promises.
• It has not removed any such data or disabled access that is used for the
commission of unlawful acts as notified by the Central Government.
Offences and their punishments under Information Technology Act, 2000

S.
Offences Section Punishment
No.

Tampering with the documents stored Section Imprisonment of 3 years or a

1.
in a computer system 65 fine of Rs. 2 lakhs or both.

Imprisonment of 3 years or a
Offences related to computers or any Section
2. fine that extends to Rs. 5
act mentioned in Section 43. 66
lakhs or both.

Receiving a stolen computer source or Section Imprisonment for 3 years or a

3.
device dishonestly 66B fine of Rs. 1 lakh or both.

Section Imprisonment of 3 years or a

4. Identity theft
66C fine of Rs. 1 lakh or both

Either imprisonment for 3

Section
5. Cheating by personation years or a fine of Rs. 1 lakh
66D
or both.

Either imprisonment up to 3
Section
6. Violation of privacy years or a fine of Rs. 2 lakhs
66E
or both

Section
7. Cyber terrorism Life imprisonment
66F

Transmitting obscene material in Section Imprisonment of 5 years and

8.
electronic form. 67 a fine of Rs. 10 lakhs.

Transmission of any material

Section Imprisonment of 7 years and
9. containing sexually explicit acts
67A a fine of Rs. 10 lakhs.
through an electronic mode.

Depicting children in sexually explicit

Section Imprisonment of 7 years and
10. form and transmitting such material
67B a fine of Rs. 10 lakhs.
through electronic mode

11. Failure to preserve and retain the Section Imprisonment for 3 years and

16 | New Technology Laws With Special Reference To Cyber Laws

 information by intermediaries 67C a fine.

Penalties under Information Technology Act, 2000

The Act provides penalties and compensation in the following cases:
Penalty for damaging a computer system44
If a person other than the owner uses the computer system and damages it, he shall have to pay
all such damages by way of compensation (Section 43). Other reasons for penalties and
compensation are:
• If he downloads or copies any information stored in the system.
• Introduces any virus to the computer system.
• Disrupts the system.
• Denies access to the owner or person authorised to use the computer.
• Tampers or manipulates the computer system.
• Destroys, deletes or makes any alteration to the information stored in the system.
• Steals the information stored therein.
Compensation in the case of failure to protect data
According to Section 43A, if any corporation or company has stored the data of its employees
or other citizens or any sensitive data in its computer system but fails to protect it from
hackers and other such activities, it shall be liable to pay compensation.
Failure to furnish the required information
If any person who is asked to furnish any information or a particular document or maintain
books of accounts fails to do so, he shall be liable to pay the penalty. In the case of reports and
documents, the penalty ranges from Rupees one lakh to Rupees fifty thousand. For books of
accounts or records, the penalty is Rs. 5000. (Section 44)45
Residuary Penalty
If any person contravenes any provision of this Act and no penalty or compensation is
specified, he shall be liable to pay compensation or a penalty of Rs. 25000.
Appellate tribunal
According to Section 48 of the Act, the Telecom dispute settlement and appellate tribunal
under Section 14 of the Telecom Regulatory Authority of India Act, 1997 shall act as the
appellate tribunal under the Information Technology Act, 2000. This amendment was made
after the commencement of the Finance Act of 2017.

44
Information Technology Act, 2000, Section 43
45
Information Technology Act, 2000, Section 44
17 | New Technology Laws With Special Reference To Cyber Laws
All the appeals from the orders of the controller or adjudicating officer will lie to the tribunal,
but if the order is decided with the consent of the parties, then there will be no appeal. The
tribunal will dispose of the appeal as soon as possible but in not more than 6 months from the
date of such appeal. (Section 57)
According to Section 62 of the Act, any person if not satisfied with the order or decision of the
tribunal may appeal to the High Court within 60 days of such order.
Powers 46
According to Section 58 of the Act, the tribunal is not bound to follow any provisions of
the Code of Civil Procedure, 1908 and must give decisions on the basis of natural justice.
However, it has the same powers as given to a civil court under the Code. These are:
• Summon any person and procure his attendance.
• Examine any person on oath.
• Ask to discover or produce documents.
• Receive evidence on affidavits.
• Examination of witnesses.
• Review decisions.
• Dismissal of any application.
Amendments to Information Technology Act, 2000
With the advancement of time and technology, it was necessary to bring some changes to the
Act to meet the needs of society, and so it was amended.
Amendment of 2008
The amendment in 2008 brought changes to Section 66A of the Act. This was the most
controversial section as it provided the punishment for sending any offensive messages
through electronic mode. Any message or information that created hatred or hampered the
integrity and security of the country was prohibited. However, it had not defined the word
‘offensive’ and what constitutes such messages, because of which many people were arrested
on this ground. This section was further struck down by the Supreme Court in the case
of Shreya Singhal v. Union of India (2015).
Another amendment was made in Section 69A of the Act, which empowered the government
to block internet sites for national security and integrity. The authorities or intermediaries
could monitor or decrypt the personal information stored with them.
The 2015 Amendment Bill
The bill was initiated to make amendments to the Act for the protection of fundamental rights
guaranteed by the Constitution of the country to its citizens. The bill made an attempt to make
changes to Section 66A, which provides the punishment for sending offensive messages

46
Information Technology Act, 2000, Section 58
18 | New Technology Laws With Special Reference To Cyber Laws
through electronic means. The section did not define what amounts to offensive messages and
what acts would constitute the offence. It was further struck down by the Supreme Court in the
case of Shreya Singhal declaring it as violative of Article 19.
Information Technology Intermediaries Guidelines (Amendment) Rules, 2018
The government in 2018 issued some guidelines for the intermediaries in order to make them
accountable and regulate their activities. Some of these are:
• The intermediaries were required to publish and amend their privacy policies so
that citizens could be protected from unethical activities like pornography,
objectionable messages and images, messages spreading hatred, etc.
• They must provide the information to the government as and when it is sought
within 72 hours for national security.
• It is mandatory for every intermediary to appoint a ‘nodal person of contact’ for
24×7 service.
• They must have technologies that could help in reducing unlawful activities done
online.
• The rules also break end-to-end encryption if needed to determine the origin of
harmful messages.

Information Technology (Intermediaries Guidelines and Digital Media Ethics Code)

Rules 2021
The government of India in 2021 drafted certain rules to be followed by the intermediaries.
The rules made it mandatory for intermediaries to work with due diligence and appoint a
grievance officer. They were also required to form a Grievance Appellate Tribunal. All
complaints from users must be acknowledged within 24 hours and resolved within 15 days. It
also provides a “Code of Ethics” for the people publishing news and current affairs, which
makes it controversial. Many believe that the rules curtail freedom of speech and expression
and freedom of the press.
The intermediaries were also required to share the information and details of a suspicious user
with the government if there was any threat to the security and integrity of the country. As a
result of this, writ petitions were filed in various high courts against the rules. Recently, the
Bombay High Court stayed in the case of Agij Promotion of Nineteenonea Media Pvt. Ltd. vs.
Union of India (2021) and Nikhil Mangesg Wagle vs. Union of India (2021) the two provisions
of the rules related to the Code of Ethics for digital media and publishers.
Landmark judgments on Information Technology Act, 2000
Shreya Singhal v. Union of India (2015)
Facts
In this case, 2 girls were arrested for posting comments online on the issue of shutdown in
Mumbai after the death of a political leader of Shiv Sena. They were charged under Section
19 | New Technology Laws With Special Reference To Cyber Laws
66A for posting the offensive comments in electronic form. As a result, the constitutional
validity of the Section was challenged in the Supreme Court stating that it infringes
upon Article 19 of the Constitution.
Issue
Whether Section 66A is constitutionally valid or not?
Judgment
The Court, in this case, observed that the language of the Section is ambiguous and vague,
which violates the freedom of speech and expression of the citizens. It then struck down the
entire Section on the ground that it was violative of Article 19 of the Constitution. It opined
that the Section empowered police officers to arrest any person whom they think has posted or
messaged anything offensive. Since the word ‘offensive’ was not defined anywhere in the Act,
they interpreted it differently in each case. This amounted to an abuse of power by the police
and a threat to peace and harmony.
M/S Gujarat Petrosynthese Ltd and Rajendra Prasad Yadav v. Union of India (2014)
Facts
In this case, the petitioners demanded the appointment of a chairperson to the Cyber Appellate
Tribunal so that cases can be disposed of quickly and someone can keep a check on the
workings of CAT. The respondents submitted that a chairperson would be appointed soon.
Issue
Appointment of the chairperson of CAT.
Judgment
The Court ordered the appointment of the chairperson and must see this as a matter of urgency
and take into account Section 53 of the Act.
Christian Louboutin SAS v. Nakul Bajaj and Ors (2018)
Facts
In this case, a suit was filed by a shoe company to seek an order of injunction against the
defendants for using its trademarks and logo.
Issue
Whether the protection of “safe harbour” under Section 79 of the Act be applied in this case?
Judgment
The Court in this case observed that the defendant was not an intermediary as their website
was a platform for the supply of various products. It used third-party information and
promoted vendors in order to attract consumers for them. The Court held that e-commerce
platforms are different from the intermediaries and the rights granted to them in Section 79 of
the Act. It ordered the intermediaries to work with due diligence and not infringe the rights of

20 | New Technology Laws With Special Reference To Cyber Laws

the trademark owner. They must take steps to recognise the authenticity and genuineness of
the products while dealing with any merchant or dealer.
The Court added that if the intermediaries act negligently regarding IPR and indulge in any
sort of abetment or incitement of unlawful or illegal activity, they will be exempted from the
protection of safe harbour under Section 79 of the Act. Any active participation in e-
commerce would also lead to the same. It also referred to the intermediaries guidelines, which
state that no intermediary must violate any intellectual property rights of anyone while
displaying any content on its website.
Loopholes in Information Technology Act, 2000
The Act provides various provisions related to digital signatures and electronic records, along
with the liability of intermediaries, but fails in various other aspects. These are:
No provision for breach of data
The provisions of the Act only talk about gathering the information and data of the citizens
and its dissemination. It does not provide any remedy for the breach and leak of data, nor does
it mention the responsibility or accountability of anyone if it is breached by any entity or
government organization. It only provides for a penalty if an individual or intermediary does
not cooperate with the government in surveillance.
No address to privacy issues
The Act failed in addressing the privacy issues of an individual. Any intermediary could store
any sensitive personal data of an individual and give it to the government for surveillance.
This amounts to a violation of the privacy of an individual. This concern has been neglected
by the makers.
Simple punishments
Though the Act describes certain offences committed through electronic means, the
punishments given therein are much simpler. To reduce such crimes, punishments must be
rigorous.
Lack of trained officers
With the help of money and power, one can easily escape liability. At times, these cases go
unreported because of a social stigma that police will not address such complaints.
A report shows that police officers must be trained to handle cybercrimes and have expertise
in technology so that they can quickly investigate a case and refer it for speedy disposal.
No regulation over Cyber Crimes
With the advancement of technology, cyber crimes are increasing at a greater pace. The
offences described in the Act are limited, while on the other hand, various types of cyber
crimes are already prevailing, which if not addressed properly within time, may create a
menace. These crimes do not affect any human body directly but can do so indirectly by
misusing the sensitive data of any person. Thus, the need of the hour is to regulate such
crimes. This is where the Act lacks.

21 | New Technology Laws With Special Reference To Cyber Laws

The Act is a step toward protecting the data and sensitive information stored with the
intermediaries online. It gives various provisions which benefit the citizens and protect their
data from being misused or lost. However, with the advancement of e-commerce and online
transactions, it is necessary to deal with problems like internet speed and security, transactions
that are struck, the safety of passwords, cookies, etc. Cyber crimes are increasing at a great
pace, and there is a need to have a mechanism to detect and control them.
CYBER APPELLATE TRIBUNAL
Computers, the Internet, and ICT, or e-revolution, have transformed people’s lives in the
twenty-first century. E-communication has mostly replaced paper-based communication in
recent years. As a result, new terms like the cyber world, e-transaction, e-banking, e-return,
and e-contracts have emerged. Aside from the good aspects of the e-revolution, there is also a
bad aspect of computers, namely, the internet and ICT in the hands of criminals, which has
turned into a weapon of crime. As a result, a new panel of members, known as Cyber Law,
Cyber Space Law, Information Technology Law, or Internet Law, was formed to address the
issues of cybercrime in cyberspace.
The Information Technology Act, 2000 which came into force on 17th, October 2000 was
enacted to provide legal recognition for transactions carried out by means of electronic data
inter change and other means of electronic communication, commonly referred to as
“electronic commerce” which involve the use of alternatives to paper based methods of
communication and storage of information, to facilitate electronic filing of documents with the
Government Agencies and to amend the Indian Penal Code, the Indian Evidence Act, 1872,
the Bankers Book of Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and also for
matters connected therewith or incidental thereto.
The first and the only Cyber Appellate Tribunal in the country has been established by the
Central Government in accordance with the provisions contained under Section 48(1) of the
Information Technology Act, 2000. The Tribunal initially known as the Cyber Regulations
Appellate Tribunal (CRAT). After amendment of the IT Act in the year 2008 (Which came
into effect on 27.10.2009) is known as the Cyber Appellate Tribunal (CAT). The Tribunal
started functioning from October, 2006 in a portion of the Department of Information
Technology building at CGO Complex, Lodhi Road, New Delhi. The Act provided for the
Tribunal to be headed by a Presiding Officer who is or who was or who is qualified to be a
Judge of a High Court. Hon’ble Mr. Justice R.C. Jain, a retired Judge of Delhi High Court was
the first Presiding Officer of the Cyber Appellate Tribunal, who joined as Presiding Officer on
4th October, 2006. The tenure of Mr. Justice R. C. Jain, as Presiding Officer of Cyber
Appellate Tribunal expired on 7th December, 2007.
Cyber legislation and the Information Technology Act of 2000, as amended in 2008, are being
developed in India to combat computer crimes. The Information Technology Act of 2000 is a
law that establishes legal recognition for transactions carried out via Electronic Data
Interchange (EDI) and other forms of electronic communication. It is India’s principal
legislation governing cybercrime and electronic trade (e-Commerce). Electronic data
interchange or electronic filing of the information is referred to as e-Commerce.

22 | New Technology Laws With Special Reference To Cyber Laws

The Information Technology Act of 2000, which took effect on October 17, 2000, was enacted
to provide legal recognition for transactions carried out through electronic data interchange
and other forms of electronic communication, also known as “electronic commerce,” involve
the use of alternatives to paper-based methods of communication and information storage, to
make electronic filing of documents with government agencies easier, and to amend the
Information Technology Act of 2000.
The Internet network has vastly grown over vast geographic distances, allowing for fast
communication between even the most remote parts of the globe. Various global institutions
see the need for rules to regulate this new hemisphere as human activities in this limitless new
universe continues to expand. The Information Technology (IT) Act 2000 was established in
India to keep up with the continuous flux. The IT Act was conceived and formed according to
the Model Law of the United Nations Commission on International Trade Law (UNCITRAL).
The Cyber Appellant Tribunal was created under the Information Act of 2000. The tribunal
solely has appellant jurisdiction, as its name implies. As a result, it has the ability to exercise
its appellant jurisdiction over a judgment or order made by the Controller of Certifying
Authorities or the adjudicating official, both on the facts and in law. In other words, it has the
legal authority to investigate the decision or order’s accuracy, legality, and propriety. The
Central Government has created the country’s first and only Cyber Appellate Tribunal in line
with the terms of Section 48(1) of the Information Technology Act, 2000.
Establishment of the Tribunal (Section 48)
This Section explains how the Cyber Appellant Tribunal will be established. The central
government will issue a notification establishing one or more appellant tribunals. The Central
Government also lists all of the subjects and locations that come under the Tribunal’s
jurisdiction in the announcement47.
As per Section 48, Cyber Appellant Tribunal established by following means
(1) The Central Government shall, by notification, establish one or more appellate tribunals to
be known as the Cyber Regulations Appellate Tribunal..
(2) The Central Government shall also specify, in the notification referred to in subsection
(1), the matters and places in relation to which the Cyber Appellate Tribunal may exercise
jurisdiction.
Though the aforesaid sub-section (1) provides for appointment of one or more appellate
tribunals by the Central Government but the language of the rule 13 of the cyber regulation
tribunal rules, 2000 make it clear that there shall only be one tribunal and it shall ordinarily
hold its sitting at New Delhi.
The aforesaid rule has further provided a lot of flexibility to cyber appellate tribunal as far as
its sittings are concerned. That is, if at any time, the Chairperson of the Tribunal is satisfied
that circumstances exist which rendered it necessary to have sittings of the tribunal at any

47
Information Technology Act, 2000
23 | New Technology Laws With Special Reference To Cyber Laws
place other than New Delhi, the Chairperson may direct to hold the sittings at any such
appropriate place.
It is for the chairperson to exercise this ‘rule of sittings’ in a most appropriate and judicious
manner. The tribunal shall notify to the parties the date and the place of the hearing of the
application.
It is for the Central Government to specify by order the matters and places in relation to which
the cyber appellate tribunal may exercise jurisdiction.
It was held by the Supreme Court in Union of India vs. Paras Laminates (p) limited “there are
no doubt that the tribunal functions as a court within the limits of its jurisdiction. It has all the
powers conferred expressly by the statue. Furthermore, being a judicial body, it has all the
powers conferred expressly by the statue. Furthermore, being a judicial body, it has all the
powers expressly and impliedly granted.
Composition (Section 49)
This Section explains that the Presiding Officer of the Cyber Appellate Tribunal, who will be
nominated by the Central Government, will be the sole member of the Cyber Appellate
Tribunal. The appellant tribunal has been transformed into a multi-member body. The
Tribunal will henceforth be composed of a Chairperson and as many additional members as
the Central Government may designate by publication in the Official Gazette. The Central
Government, in collaboration with the Chief Justice of India, selects the Chairperson and
Members of the Tribunal. The Tribunal’s Presiding Officer is now known as the Chairperson.
Qualifications for appointment (Section 50)
Section 50 – A person cannot be appointed as the Presiding Officer of a Cyber Appellate
Tribunal unless he or she has the following qualifications:
(a) Is, or has been, or is qualified to be, a Judge of a High Court; or
(b) Is or was a member of the Indian Legal Service, and now holds or has held a Grade I
position in that service for at least three years.
The Term of Office (Section 51)
Section – The Presiding Officer of a Cyber Appellate Tribunal serves for five years from the
date of appointment or until he reaches the age of 65, whichever comes first.
Termination or Resignation
The central government has the authority to end the service of a member or chairperson of the
CAT, and this authority is discretionary. This means the government is not obligated to
provide specific reasons for ending the appointment. However, it is expected that if the
government decides to terminate the appointment, it should do so fairly and reasonably.
There are certain reasons for removal from the position of a member or chairperson of the
cyber appellate tribunal (CAT), as explained in Section 48(5) of the Information Technology
Act, 2000. These reasons include:

24 | New Technology Laws With Special Reference To Cyber Laws

 1. Misconduct or misbehavior: This relates to any inappropriate actions or behavior,
such as corruption, dishonesty, or misuse of power, not suitable for a CAT member or
chairperson.
2. Incompetence or inefficiency: This refers to not fulfilling the duties of a CAT
member or chairperson adequately.
3. Negligence: This involves not exercising reasonable care in performing the duties of a
CAT member or chairperson.
4. Unsoundness of mind: This covers any mental illness or disability that makes it
difficult for CAT members or chairperson to perform their duties effectively.
5. Physical infirmity: This includes any physical disability that hampers a CAT member
or chairperson from effectively carrying out their duties.
This power is important to ensure that the CAT is made up of members suitable for their roles.
It also acts as a prevention against any misconduct or misbehavior by members and
chairpersons of the CAT.
Salary, allowances and other terms and conditions of service of Presiding Officer
[section 52]
The salary and allowances payable to, and the other terms and conditions of service including
pension, gratuity and other retirement benefits of. the Presiding Officer of a Cyber Appellate
Tribunal shall be such as may be prescribed: Provided that neither the salary and allowances
nor the other terms and conditions of service of the Presiding Officer shall be varied to his
disadvantage after appointment.
Powers of Superintendence, direction, etc. [Section 52A]
The Chairperson of the cyber appellate tribunal shall have powers of general superintendence
and directions in the conduct of the affairs of that Tribunal, exercise and discharge such
powers and functions of the Tribunal as may be prescribed.
The chairperson being the head of the cyber appellate tribunal has both executive and
administrative powers of general superintendence and directions in the conduct of the affair of
the Tribunal, which may include presiding over the meeting of the Tribunal, exercise and
discharge such powers and functions of the Tribunal as may be prescribed.

25 | New Technology Laws With Special Reference To Cyber Laws

Distribution of Business among Benches [Section-52 B]
Where Benches are constituted, the Chairperson of the Cyber Appellate Tribunal may, by
order, distribute the business of that Tribunal amongst the Benches and also the matters to be
dealt with by each Bench. The aforesaid section refers to an administrative function, i.e.
distribution of business among benches. It shall be the prerogative of the Chairperson to
distribute the business amongst the Benches and also the matters to be deal with by each
Bench. This provision may become useful in the coming years with the increase in litigation
and more and more appeals coming before the Cyber Appellate Tribunal.
Powers of the Chairperson to transfer cases [Section 52 C]
On the application of any of the parties and after notice to the parties, and after hearing such of
them as he may deem proper to be heard, or suo motu without such notice, the Chairperson of
the Cyber Appellate Tribunal may transfer any case pending before one bench, for disposal to
any other bench. The aforesaid section refers to a judicial function, i.e. power of the
chairperson to transfer cases after either following the laid down procedure or suo moto may
transfer any case pending before one bench, for disposal to any other bench.
Decision by Majority [Section 52 D]
If the Members of a Bench consisting of two members differ in opinion on any point, they
shall state the point or points on which they differ, and make a reference to the Chairperson of
the cyber appellate tribunal who shall hear the point or points himself and such point or points
shall be decided according to the opinion of the majority of the Members who have heard the
case, including those who first heard it. The aforesaid section advocates the rule-decision by
majority. This section also refers to constitution of large Bench, if the members of the Bench
consisting of two members differ in opinion on any point, it shall be prerogative of the
Chairperson to constitute such large bench. The larger bench shall be headed by the
Chairperson and consist of Members, including those who first heard it.
Filling up of vacancies [section 53]
If, for reason other than temporary absence, any vacancy occurs in the office n the Presiding
Officer of a Cyber Appellate Tribunal, then the Central Government shall appoint another
person in accordance with the provisions of this Act to fill the vacancy and the proceedings
may be continued before the Cyber Appellate Tribunal from the stage at which the vacancy is
filled.
Resignation and removal (Section 54)
Section 54, The chairperson or a member of the cyber appellant tribunal might resign by
writing to the federal government and informing them of their decision. Provided, however,
that the Presiding Officer shall continue to hold office until the expiration of three months
from the date of receipt of such notice, or until a person duly appointed as his successor enters
upon his office, or until the expiration of his term of office, whichever comes first unless he is
permitted by the Central Government to relinquish his office sooner48.

48
Information Technology Act, 2000, Section 54
26 | New Technology Laws With Special Reference To Cyber Laws
The Central Government has the authority to dismiss the Presiding Officer of the Cyber
Appellate Tribunal if there is evidence of misbehaviour or inability. However, only after a
Supreme Court Judge has conducted an investigation and the Presiding Officer has been
informed of the accusations against him and has had a sufficient opportunity to defend
himself. The method for investigating misbehaviour or incompetence of the Presiding Officer
might be regulated by the Central Government.
The Central Government may, by rules, regulate the procedure for the investigation of
misbehaviour or incapacity of the aforesaid Presiding Officer.
Finality of Orders (Section 55)
Section 55 of the Information Technology Act of 2000 prohibits judicial review of two
matters: an order of the Central Government designating any individual as the Chairperson of
the CAT, and any procedure before a CAT based solely on a flaw in the CAT’s constitution.
This provision assures the smooth and uninterrupted operation of the Tribunal by making the
decision creating the CAT definitive and prohibiting judicial review of any Tribunal
proceedings based on a flaw in the Tribunal’s constitution49.
Saff of the Cyber Appellant Tribunal (Section 56)
Section 56– All the staff, employees and other officers are provided by the central
government, as it will think fit. All the officers and employees will work under the
superintendence of the chairperson. The central government will prescribe the salaries,
allowances and all other conditions of services of the employees and officers50.
Appeal to Cyber Appellant Tribunal (Section 57)
Section 57– If a person is dissatisfied with the Controller’s or Adjudicating Officer’s
decision, he or she may file a complaint with the Cyber Appellate Tribunal, which has
jurisdiction over the case. An order rendered by an adjudicating official with the permission of
the parties, however, is not subject to appeal to the Cyber Appellate Tribunal. The individual
must file, along with the specified fees, within 25 days after receiving the order from the
Controller or Adjudicating Officer. If the Tribunal is satisfied with the grounds for the delay in
submitting the appeal, it may hear it even after the 25-day period has passed.
The Cyber Appellant Tribunal shall transmit a copy of every order to all parties to the appeal
as well as the appropriate Controller or adjudicating official. The tribunal will also make every
effort to resolve the appeal within six months of receiving it51.
In Chappan v/s Moidin Kutti, It was claimed that the presence of a superior and interior court
relationship, as well as the capacity of the former to review two judgments of the latter, are
two requirements for appellant jurisdiction.

49
Information Technology Act, 2000, Section 55
50
Information Technology Act, 2000, Section 56
51
Information Technology Act, 2000, Section 58
27 | New Technology Laws With Special Reference To Cyber Laws
Power and procedure of the Cyber Appellant Tribunal (Section 58)
The Cyber Appellate Tribunal’s method and powers are laid forth in Section 58 of the
Information Technology Act, 2000
Sub-clause (1) Section 58 states that the Cyber Appellate Tribunal is not bound by the Code of
Civil Procedure, 1908, but rather by the principles of natural justice and that the Cyber
Appellate Tribunal, subject to the other provisions of this Act and any rules, has the authority
to regulate its own procedure, including the location of its hearings.
Clause (2) Section 58 stipulates that, for the purposes of executing its responsibilities under
this Act, the Cyber Appellate Tribunal shall have the same powers as a civil court under the
Code of Civil Procedure, 1908, while trying an action, in respect of the following matters:
(a) Summoning and enforcing the attendance of any person and examining him on oath;
(b) Requiring the discovery and production of documents or other electronic records;
(c) Receiving evidence on affidavits;
(d) Issuing commissions for the examination of witnesses or documents;
(e) Reviewing its decisions;
(f) Dismissing an application for default or deciding it ex parte;
(g) Any other matter which may be prescribed.
Clause (3) Section 58 states that any proceeding before the Cyber Appellate Tribunal is
deemed to be a judicial proceeding for the purposes of Sections 193 and 228 of the Indian
Penal Code, and the Cyber Appellate Tribunal is deemed to be a civil court for the purposes of
Section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973.
In Union of India v. T. R. Verma, It is claimed that it is established law that courts must
observe the law of natural justice, which states that a party must be given the chance to present
any relevant evidence on which he relies. Evidence should be taken in the presence of the
parties, and cross-questioning should be allowed.
• Powers of the Cyber Appellate Tribunal
The Cyber Appellate Tribunal is equipped with a range of powers to ensure its effective
functioning:
• Summoning and Examination: It can summon individuals, enforce their attendance, and
examine them under oath, ensuring a thorough fact-finding process.
• Discovery and Production: The Tribunal can require the discovery and production of
documents or other electronic records, facilitating the collection of crucial evidence.
• Evidence on Affidavits: The Tribunal can receive evidence in the form of affidavits,
expediting the evidentiary process.
• Commissions Issuance: It has the authority to issue commissions for the examination of
witnesses or documents, ensuring the comprehensive gathering of information.

28 | New Technology Laws With Special Reference To Cyber Laws

• Reviewing Decisions: The Cyber Appellate Tribunal is empowered to review its decisions,
a necessary element for ensuring fairness and justice.
• Default and Ex Parte Decisions: It can dismiss applications for default or decide them ex
parte, addressing cases where parties fail to adhere to procedural requirements.
• Other Prescribed Matters: The Tribunal has the flexibility to deal with any other matter
that may be prescribed by law, ensuring it can adapt to evolving needs and circumstances.
Right to Legal Representation (Section 59)
Section 59 – The appellant has the option of appearing in person or appointing one or more
legal representatives to represent him before the tribunal.
Limitation (Section 60)
The limitations restrictions of the Limitation Act of 1963 apply to Tribunal appeals.
Civil Court not to have jurisdiction (Section 61)
Section 61– No civil court can consider a suit or action in that area if the IT Act of 2000
authorizes the adjudicating officer or the Cyber Appellate Tribunal to deal with particular
concerns. Furthermore, no court can issue an injunction against any conduct taken by a person
in the exercise of any authority conferred by the Act52.
Appeal to the High Court (Section 62)
Section – A person aggrieved by the CAT’s decision or order may submit an appeal to the HC
within sixty days of the date of notification of the Tribunal’s decision or order to him on any
point of fact or law arising out of such order, according to Section 62 of the IT Act. The HC
may if satisfied that the appellant was prevented from submitting the appeal within the
specified term by sufficient cause, allow it to be submitted within an additional period of not
more than sixty days53.
Compounding of contraventions [section 63]
(1) Any contravention under this Chapter may, either before or after the institution of
adjudication proceedings, be compounded by the Controller or such other officer as may be
specially authorised by him in this behalf or by the adjudicating officer, as the case may be,
subject to such conditions as the Controller or such other officer or the adjudicating officer
may specify: Provided that such sum shall not, in any case, exceed the maximum amount of
the penalty which may be imposed under this Act for the contravention so compounded.
(2) Nothing in sub-section (1) shall apply to a person who commits the same or similar
contravention within a period of three years from the date on which the first contravention,
committed by him, was compounded. Explanation.—for the purposes of this sub-section, any
second or subsequent contravention committed after the expiry of a period of three years from
the date on which the contravention was previously compounded shall be deemed to be a first
contravention.

52
Information Technology Act, 2000, Section 61
53
Information Technology Act, 2000, Section 62
29 | New Technology Laws With Special Reference To Cyber Laws
(3) Where any contravention has been compounded under sub-section (1), no proceeding or
further proceeding, as the case may be, shall be taken against the person guilty of such
contravention in respect of the contravention so compounded.
Recovery of Penalty (Section 64)
If a penalty issued under this Act is not paid, it is collected as land revenue arrears.
Furthermore, until the penalty is paid, the license or digital signature certificate is suspended54.
The purpose of enacting the I.T. Act was straightforward. The government wanted to offer and
support electronic, digital transactions while also safeguarding against all types of cybercrime.
Because of the quantity of traffic on the internet and the amount of money individuals transact
through online means, it was critical to strengthen the cyber world. Although the cyber world
is vastly different from the actual world, it has the capability to participate in crimes that occur
in the real world. The Cyber Appellant Tribunal was created to combat cybercrime and punish
individuals involved. The effectiveness of the Cyber Appellant Tribunal may be improved by
increasing public and government knowledge, as well as attempts to deploy enough staff. It is
critical to improving technical capability in order to deal with any circumstance that may arise.
Integrity, secrecy, and authenticity of communication routes and procedures are required.
The Cyber Appellate Tribunal has, for the purposes of discharging its functions under the IT
Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908.
However, is not bound by the procedure laid down by the Code of Civil Procedure, 1908 but
is guided by the principles of natural justice and, subject to the other provisions of this Act and
of any rules. The Cyber Appellate Tribunal has powers to regulate its own procedure including
the place at which it has its sittings.
Every proceeding before the Cyber Appellate Tribunal shall be deemed to be a judicial
proceeding within the meaning of sections 193 and 228, and for the purposes of section 196 of
the Indian Penal Code and the Cyber Appellate Tribunal shall be deemed to be a civil court for
the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure,1973.

Certain sorts of offenses necessitate the use of tribunals that can make decisions more quickly.
The judgment is likely to be made quickly if it follows the natural justice system rather than
the C.P.C. In M/s. Gujarat Petrosynthese Ltd. and Mr. Rajendra Prasad Yadav v. Union of
India it sought for a direction to the Respondent to designate a Chairperson to the Cyber
Appellate Tribunal (CAT) in order to guarantee that the tribunal’s hearings were convened on
a regular basis. In court, it was said that the department would take all necessary steps to fill
the position of chairman within the time limit of six months, and that attempts would be made
to appoint the chairperson even before the time limit expired, in the public interest. On these
grounds, the petition was dismissed. Despite the above judgment, no appointment to the cyber
appellate tribunal has been made as of yet, and it has been inactive since 2011..
To ensure the efficacy of the Cyber Appellate Tribunal, a multifaceted approach is
indispensable. First and foremost, there is a compelling need to foster awareness among the

54
Information Technology Act, 2000, Section 64
30 | New Technology Laws With Special Reference To Cyber Laws
general public and relevant authorities. Informed and vigilant citizens are better equipped to
identify and report cybercrimes, and law enforcement agencies must remain abreast of
evolving threats and legal remedies.
The technological landscape is marked by its dynamism, demanding an unwavering
commitment to staying ahead of the curve. To address the myriad challenges presented by
ever-evolving technology and cyber threats, the Tribunal must continually enhance its
technological capabilities.
The battle against cybercrimes calls for a holistic strategy. While the Cyber Appellate
Tribunal forms a pivotal component of this strategy, it is most effective when accompanied by
heightened public awareness, adequate resources, technological proficiency, and a
commitment to upholding the principles of justice. As the cyber world continues to evolve, so
too must our approach to combating the crimes that pervade it.

31 | New Technology Laws With Special Reference To Cyber Laws

 CHAPTER 2

CYBER OFFENCES & PENALTIES

Introduction
With the advent of technology the world today has shrunk into a micro chip and so has
everyone’s life. Computer, internet and e-communication have substituted paper based
communication by digital and electronic communication. The United Nations Commission on
International Trade Law (UNCITRAL) realizing the impetus being given to computerization
adopted the Model Law on e-commerce in 1996. The General Assembly of United Nations
passed a resolution in January 1997 inter alia, recommending all States in the UN to give
favorable considerations to the said Model Law, which provides for recognition to electronic
records and according it the same treatment like a paper communication and record. India was
also a signatory to this Model Law and therefore became mandatory for it to revise its
National Law as per the said Model Law. Therefore, in order to keep at pace with the
requirements of the International Trading and also to allure industries into adopting this
convenient way to transactions and storing data, the Information and Technology Act, 2000
was passed by both the Rajya Sabha and the Lok Sabha in May 2000 and the Act was
amended in 2008 which came into force from 27th October, 2009. The preamble quotes:
“An Act to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as
“electronic commerce”, which involve the use of alternatives to paper-based methods of
communication and storage of information, to facilitate electronic filing of documents with the
Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act,
1872, the Banker's Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and
for matters connected therewith or incidental thereto.” (Information Technology Act, 2000)
Structure of the Information Technology Act, 2000
The Act 55 in total has 13 chapters and 90 sections The Act begins with preliminary and
definitions (Chapter 2) and from there on the chapters that follow deal with authentication of
electronic records, digital signatures, electronic signatures etc. Elaborate procedures for
certifying authorities (for digital certificates as per Information Technology Act -2000 and
since replaced by electronic signatures in the Information Technology Act Amendment -
2008) have been spelt out. The civil offence of data theft and the process of adjudication and 5
appellate procedures have been described. Then the Act goes on to define and describe some
of the well-known cyber crimes and lays down the punishments therefore. Then the concept of

55
Information Technology Act, 2000

32 | New Technology Laws With Special Reference To Cyber Laws

due diligence, role of intermediaries and some miscellaneous provisions have been described.
Rules and procedures mentioned in the Act have also been laid down in a phased manner, with
the latest one on the definition of private and sensitive personal data and the role of
intermediaries, due diligence etc., being defined as recently as April 2011.
Cyber Offences and Penalties under the Information Technology Act, 2000 as amended
in 2008
Cyber crime or offences have not been defined in the Act explicitly but has been categorised
in different sections along-with the sanctions. However, for understanding, cyber offences can
be viewed as the unlawful acts which are carried in a very sophisticated manner in which
either the computer is the tool or target or both . Cyber offences are usually generalised into
three categories that are the ones committed against person, property and the government.
Chapter 11 of the Act covers the offences and the Penalties that are accrued upon when the
law is threatened. Section 43 deals with penalties and compensation for damage to computer,
computer system etc. This section is the first major and significant legislative step in India to
combat the issue of data theft. The IT industry has for long been clamouring for a legislation
in India to address the crime of data theft, just like physical theft or larceny of goods and
commodities. This Section addresses the civil offence of theft of data. If any person without
permission of the owner or any other person who is in charge of a computer, accesses or
downloads, copies or extracts any data or introduces any computer contaminant like virus or
damages or disrupts any computer or denies access to a computer to an authorised user or
tampers etc…he shall be liable to pay damages to the person so affected. Earlier in the ITA -
2000 the maximum damages under this head was Rs.1 crore, which (the ceiling) was since
removed in the ITAA 2008.
The essence of this Section is civil liability. Criminality in the offence of data theft is being
separately dealt with later under Sections 65 and 66. Writing a virus program or spreading a
virus mail, a bot, a Trojan or any other malware in a computer network or causing a Denial of
Service Attack in a server will all come under this Section and attract civil liability by way of
compensation. Under this Section, words like Computer Virus, Compute Contaminant,
Computer database and Source Code are all described and defined.
The cyber offences as mentioned under the Information Technology Act, 2000 have been
delineated below:
Section 65: Tampering with computer source documents
Any person who knowingly or intentionally conceals, destroys or alters, or causes another to
conceal, destroy or alter any computer source code used for a computer, computer program,
computer system or computer network, when the computer source code is required to be kept
or maintained by law for the time being in force, shall be punishable56.
Tampering with source documents is dealt with under this section. Concealing, destroying,
altering any computer source code when the same is required to be kept or maintained by law
is an offence punishable with three years imprisonment or two lakh rupees or with both.

56
Information Technology Act, 2000, Section 65
33 | New Technology Laws With Special Reference To Cyber Laws
Fabrication of an electronic record or committing forgery by way of interpolations in CD
produced as evidence in a court attract punishment under this Section. Computer source code
under this Section refers to the listing of programmes, computer commands, design and layout
etc in any form57.
Section 66: Computer related offences are dealt with under this Section. Data theft stated in
Section 43 is referred to in this Section. Whereas it was a plain and simple civil offence with
the remedy of compensation and damages only, in that Section, here it is the same act but with
a criminal intention thus making it a criminal offence. The act of data theft or the offence
stated in Section 43 if done dishonestly or fraudulently becomes a punishable offence under
this Section and attracts imprisonment upto three years or a fine of five lakh rupees or both.
Earlier hacking was defined in Sec 66 and it was an offence.
Now after the amendment, data theft of Sec 43 is being referred to in Sec 66 by making this
section more purposeful and the word ‘hacking’ is not used. The word ‘hacking’ was earlier
called a crime in this Section and at the same time, courses on ‘ethical hacking’ were also
taught academically. This led to an anomalous situation of people asking how an illegal
activity be taught academically with a word ‘ethical’ prefixed to it. Then can there be training
programmes, for instance, on “Ethical burglary”, “Ethical Assault” etc say for courses on
physical defence? This tricky situation was put an end to, by the ITAA when it re-phrased the
Section 66 by mapping it with the civil liability of Section 43 and removing the word
‘Hacking’. However the act of hacking is still certainly an offence as per this Section, though
some experts interpret ‘hacking’ as generally for good purposes (obviously to facilitate
naming of the courses as ethical hacking) and ‘cracking’ for illegal purposes. It would be
relevant to note that the technology involved in both is the same and the act is the same,
whereas in ‘hacking’ the owner’s consent is obtained or assumed and the latter act ‘cracking’
is perceived to be an offence58.
Section 66 is now a widened one with a list of offences as follows:
Section 66A: Punishment for sending offensive messages through communication
service, etc. (Now, not in existence as per Shreya Singhal vs. Union of India Case and it is
struck down by the Supreme Court. 59
Section 66B: Punishment for dishonestly receiving stolen computer resource or
communication device
Any person who, dishonestly received or retains any stolen computer resource or
communication device knowing or having reason to believe the same to be stolen computer
resource or communication device, shall be punished60.

57
Bhim Sen Garg vs State of Rajasthan and others, 2006, Cri LJ, 3463, Raj 2411
58
Information Technology Act, 2000, Section 66
59
Notably, experts like Halder (2013) feel that this section should be replaced with a new law or it
should be amended appropriately).
60
Information Technology Act, 2000, Section 66 B
34 | New Technology Laws With Special Reference To Cyber Laws
Section 66C: Punishment for identity theft
Any person who, fraudulently or dishonestly makes use of the electronic signature, password,
or any other unique identification feature of any other person, shall be punished61.

Section 66D: Punishment for cheating by personation by using computer resource

Any person who, by means for any communication device or computer resource cheats by
personating, shall be punished62
Section 66E: Punishment for violation of privacy
Any person who, intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances violating the
privacy of that person, shall be punished; ‘Publishes’ means reproduction in the printed or
electronic form and making it available for public63.
Section 66F: Punishment for Cyber Terrorism
A person commits the offence of cyber terrorism if he,
(i). with intent to threaten the unity, integrity, security or sovereignty of India or to strike
terror in the people or any section of the people –
a. denies or causes the denial of access to any person authorized to access computer resource;
or
b. attempts to penetrate or access a computer resource without authorization or by exceeding
authorized access; or
c. introduces or causes to introduce any computer contaminant; and by means of such conduct
causes or is likely to cause death or injuries to persons, or damage to or destruction of
property, or knowing that it is likely to cause damage or destruction of supplies or services
essential to the life of the community, or adversely affect the critical information
infrastructure.
(ii). Knowingly or intentionally accesses or penetrates a computer resource without
authorization or exceeding authorized access, and by means of such conduct obtains access to
information, data or computer database that is restricted for reasons of the security of the State
or foreign relations, or any restricted information, data or computer database, with reasons to
believe that such information, data or computer database so obtained may be used to cause or
likely to cause injury to the interests of the sovereignty and integrity of India, the security of
the State, friendly relations with foreign States, public order, decency or morality, or in
relation to contempt of court, defamation or incitement to an offence, or to the advantage of
any foreign nation, group of individuals or otherwise64.

61
Information Technology Act, 2000, Section 66 C
62
Information Technology Act, 2000, Section 66D
63
Information Technology Act, 2000, Section E
64
Information Technology Act, 2000, Section 66 F
35 | New Technology Laws With Special Reference To Cyber Laws
It may be observed that all acts under S.66 are cognizable and non-bailable offences. Intention
or the knowledge to cause wrongful loss to others ie the existence of criminal intention and the
evil mind ie concept of mens rea, destruction, deletion, alteration or diminishing in value or
utility of data are all the major ingredients to bring any act under this Section. To summarise,
what was civil liability with entitlement for compensations and damages in Section 43, has
been referred to here, if committed with criminal intent, making it a criminal liability
attracting imprisonment and fine or both.
Section 67: Punishment for publishing or transmitting obscene material in electronic
form
Any person who, publishes or transmits or causes to be published or transmitted in the
electronic form, any material which is lascivious or appeals to the prurient interest or if its
effect is such as to tend to deprave and corrupt persons who are likely, having regard to all
relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be
punished;
The earlier Section in ITA was later widened as per ITAA 2008 in which child pornography
and retention of records by intermediaries were all included.
This Section is of historical importance since the landmark judgement in what is considered to
be the first ever conviction under I.T. Act 2000 in India, was obtained in this Section in the
famous case “State of Tamil Nadu vs Suhas Katti” on 5 November 2004. The strength of the
Section and the reliability of electronic evidences were proved by the prosecution and
conviction was brought about in this case, involving sending obscene message in the name of
a married women amounting to cyber stalking, email spoofing and the criminal activity stated
in this Section.
Section 67A: Punishment for publishing or transmitting of material containing sexually
explicit act etc. in electronic form
Any person who, publishes or transmits or causes to be published or transmitted in the
electronic form any material which contains sexually explicit act or conduct, shall be
punished;
Child Pornography has been exclusively dealt with under Section 67B. Depicting children
engaged in sexually explicit act, creating text or digital images or advertising or promoting
such material depicting children in obscene or indecent manner etc or facilitating abusing
children online or inducing children to online relationship with one or more children etc come
under this Section. ‘Children’ means persons who have not completed 18 years of age, for the
purpose of this Section. Punishment for the first conviction is imprisonment for a maximum of
five years and fine of ten lakh rupees and in the event of subsequent conviction with
imprisonment of seven years and fine of ten lakh rupees.
Bonafide heritage material being printed or distributed for the purpose of education or
literature etc are specifically excluded from the coverage of this Section, to ensure that
printing and distribution of ancient epics or heritage material or pure academic books on
education and medicine are not unduly affected.

36 | New Technology Laws With Special Reference To Cyber Laws

Screening videographs and photographs of illegal activities through Internet all come under
this category, making pornographic video or MMS clippings or distributing such clippings
through mobile or other forms of communication through the Internet fall under this category
Section 67C fixes the responsibility to intermediaries that they shall preserve and retain such
information as may be specified for such duration and in such manner as the Central
Government may prescribe. Non-compliance is an offence with imprisonment upto three years
or fine.
Section 67B: Punishment for publishing or transmitting of material depicting children in
sexually explicit act etc. in electronic form
Any person who,
a. Publishes or transmits or causes to be published or transmitted material in any electronic
form which depicts children engaged in sexually explicit act or conduct; or
b. Creates text or digital images, collects, seeks, browses, downloads, advertises, promotes,
exchanges or distributes material in any electronic form depicting children in obscene or
indecent or sexually explicit manner; or
c. Cultivates, entices or induces children to online relationship with one or more children for
and on sexually explicit act or in a manner that may offend a reasonable adult on the computer
resource; or
d. Facilitates abusing children online; or
e. Records in any electronic form own abuse or that of others pertaining to sexually explicit
act with children shall be punished;
However, these provisions does not extend to any book, pamphlet, paper, writing, drawing,
painting representation or figure in electronic form which is proved to be justified as being for
the public good on the ground that such material is in the interest of science, literature, art or
learning or other objects of general concern65;
Transmission of electronic message and communication:
Section 69: This is an interesting section in the sense that it empowers the Government or
agencies as stipulated in the Section, to intercept, monitor or decrypt any information
generated, transmitted, received or stored in any computer resource, subject to compliance of
procedure as laid down here. This power can be exercised if the Central Government or the
State Government, as the case may be, is satisfied that it is necessary or expedient in the
interest of sovereignty or integrity of India, defence of India, security of the State, friendly
relations with foreign States or public order or for preventing incitement to the commission of
any cognizable offence relating to above or for investigation of any offence. In any such case
too, the necessary procedure as may be prescribed, is to be followed and the reasons for taking
such action are to be recorded in writing, by order, directing any agency of the appropriate
Government. The subscriber or intermediary shall extend all facilities and technical assistance
when called upon to do so.

65
Information Technology Act, 2000, Section 69
37 | New Technology Laws With Special Reference To Cyber Laws
Section 69A inserted in the ITAA, vests with the Central Government or any of its officers
with the powers to issue directions for blocking for public access of any information through
any computer resource, under the same circumstances as mentioned above. Section 69B
discusses the power to authorise to monitor and collect traffic data or information through any
computer resource.
Commentary on the powers to intercept, monitor and block websites:
In short, under the conditions laid down in the Section, power to intercept, monitor or decrypt
does exist. It would be interesting to trace the history of telephone tapping in India and the
legislative provisions (or the lack of it?) in our nation and compare it with the powers
mentioned here. Until the passage of this Section in the ITAA, phone tapping was governed by
Clause 5(2) of the Indian Telegraph Act of 1885, which said that “On the occurrence of any
public emergency, or in the interest of the public safety, the Government may, if satisfied that
it is necessary or expedient so to do in the interests of the sovereignty and integrity of India,
the security of the State, friendly relations with foreign States or public order or for preventing
incitement to the commission of an offence, for reasons to be recorded in writing, by order,
direct that any message or class of messages to or from any person or class of persons, or
relating to any particular subject, brought for transmission by or transmitted or received by
any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be
disclosed to the Government making the order or an officer thereof mentioned in the order”.
Other sections of the act mention that the government should formulate “precautions to be
taken for preventing the improper interception or disclosure of messages”. There have been
many attempts, rather many requests, to formulate rules to govern the operation of Clause
5(2). But ever since 1885, no government has formulated any such precautions, maybe for
obvious reasons to retain the spying powers for almost a century.
A writ petition was filed in the Supreme Court in 1991 by the People’s Union for Civil
Liberties, challenging the constitutional validity of this Clause 5(2). The petition argued that it
infringed the constitutional right to freedom of speech and expression and to life and personal
liberty. In December 1996, the Supreme Court delivered its judgment, pointing out that
“unless a public emergency has occurred or the interest of public safety demands, the
authorities have no jurisdiction to exercise the powers” given them under 5(2). They went on
to define them thus: a public emergency was the “prevailing of a sudden condition or state of
affairs affecting the people at large calling for immediate action”, and public safety “means
the state or condition of freedom from danger or risk for the people at large”. Without those
two, however “necessary or expedient”, it could not do so. Procedures for keeping such
records and the layer of authorities etc were also stipulated.
Now, this Section 69 of ITAA is far more intrusive and more powerful than the above-cited
provision of Indian Telegraph Act 1885. Under this ITAA Section, the nominated Government
official will be able to listen in to all phone calls, read the SMSs and emails, and monitor the
websites that one visited, subject to adherence to the prescribed procedures and without a
warrant from a magistrate’s order. In view of the foregoing, this Section was critizised to be
draconian vesting the government with much more powers than required.

38 | New Technology Laws With Special Reference To Cyber Laws

Having said this, we should not be oblivious to the fact that this power (of intercepting,
monitoring and blocking) is something which the Government represented by the Indian
Computer Emergency Response Team, (the National Nodal Agency, as nominated in Section
70B of ITAA) has very rarely exercised. Perhaps believing in the freedom of expression and
having confidence in the self-regulative nature of the industry, the CERT-In has stated that
these powers are very sparingly (and almost never) used by it.
Critical Information Infrastructure and Protected System have been discussed in Section 70.
The Indian Computer Emergency Response Team (CERT-In) coming under the Ministry of
Information and Technology, Government of India, has been designated as the National Nodal
Agency for incident response. By virtue of this, CERT-In will perform activities like
collection, analysis and dissemination of information on cyber incidents, forecasts and alerts
of cyber security incidents, emergency measures for handling cyber security incidents etc.
The role of CERT-In in e-publishing security vulnerabilities and security alerts is remarkable.
The Minister of State for Communications and IT Mr.Sachin Pilot said in a written reply to
the Rajya Sabha said that (as reported in the Press), CERT-In has handled over 13,000 such
incidents in 2011 compared to 8,266 incidents in 2009. CERT-In has observed that there is
significant increase in the number of cyber security incidents in the country. A total of 8,266,
10,315 and 13,301 security incidents were reported to and handled by CERT-In during 2009,
2010 and 2011, respectively," These security incidents include website intrusions, phishing,
network probing, spread of malicious code like virus, worms and spam, he added. Hence the
role of CERT-In is very crucial and there are much expectations from CERT In not just in
giving out the alerts but in combating cyber crime, use the weapon of monitoring the web-
traffic, intercepting and blocking the site, whenever so required and with due process of law.
Penalty for breach of confidentiality and privacy is discussed in Section 72 with the
punishment being imprisonment for a term upto two years or a fine of one lakh rupees or both.
Considering the global nature of cyber crime and understanding the real time scenario of
fraudster living in one part of the world and committing a data theft or DoS(Denial of Service)
kind of an attack or other cyber crime in an entirely different part of the world, Section 75
clearly states that the Act applies to offences or contravention committed outside India, if the
contravention or the offence involves a computer or a computer network located in India. This
Act has over-riding provisions especially with regard to the regulations stipulated in the Code
of Criminal Procedure. As per Section 78, notwithstanding anything contained in the Code of
Criminal Procedure, a police officer not below the rank of an Inspector shall investigate an
offence under this Act. Such powers were conferred to officers not below the rank of a Deputy
Superintendent of Police earlier in the ITA which was later amended as Inspector in the ITAA.
Section 71: Penalty for misrepresentation
Any person who makes any misrepresentation to, or suppresses any material fact from the
Controller or the Certifying Authority for obtaining any licence or Electronic Signature

39 | New Technology Laws With Special Reference To Cyber Laws

Certificate shall be punished with imprisonment for a term which may extend to 2 years or
with fine which may extend to Rs. 1 lakh or with both66.
Section 72: Penalty for breach of confidentiality and privacy
If any person who, in pursuance of any of the powers conferred under this Act, rules or
regulations made there under, has secured access to any electronic record, book, register,
correspondence, information, document or other material without the consent of the person
concerned and discloses such electronic record, book, register, correspondence, information,
document or other material to any other person shall be punished with imprisonment for a
term which may extend to 2 years or with fine which may extend to Rs. 1 lakh or with both 67
Section 72A: Punishment for disclosure of information in breach of lawful contract
Any person including an intermediary who, while providing services under the terms of lawful
contract, has secured access to any material containing personal information about another
person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful
gain discloses without the consent of the person concerned or in breach of a lawful contract,
such material to any other person, shall be punished with imprisonment for a term which may
extend to 3 years or with fine which may extend to Rs. 5 lakh or with both68.
Section 73: Penalty for publishing Electronic Signature Certificate false in certain
particulars
No person shall publish an Electronic Signature Certificate or otherwise make it available to
any other person with the knowledge that –
a. The Certifying Authority listed in the certificate has not issued it; or
b. The subscriber listed in the certificate has not accepted it; or
c. The certificate has been revoked or suspended, unless such publication is for the purpose of
verifying a electronic signature created prior to such suspension or revocation
Any person who contravenes above provisions shall be punished with imprisonment for a term
which may extend to 2 years or with fine which may extend to Rs. 1 lakh or with both69.
Section 74: Publication for fraudulent purpose
Any person, who knowingly creates, publishes or otherwise makes available an Electronic
Signature Certificate for any fraudulent or unlawful purpose shall be punished with
imprisonment for a term which may extend to 2 years or with fine which may extend to Rs. 1
lakh or with both70.

66
Information Technology Act, 2000, Section 71
67
Information Technology Act, 2000, Section
68
Information Technology Act, 2000, Section 72 A
69
Information Technology Act, 2000, Section 73
70
Information Technology Act, 2000, Section 74
40 | New Technology Laws With Special Reference To Cyber Laws
Section 75: Act to apply for offence or contravention committed outside India
The provisions of this Act shall apply also to any offence or contravention committed outside
India by any person irrespective of his nationality. However, for such liability the act or
conduct constituting the offence or contravention should involve a computer, computer system
or computer network located in India71.
Due Diligence: Liability of intermediaries and the concept of Due Diligence has been
discussed in Section 79. As per this, intermediary shall not be liable for any third party
information hosted by him, if his function is limited to providing access to a communication
system over which information made available by third parties is transmitted or temporarily
stored or hosted or if he does not initiate the transmission, select the receiver of the
transmission and select or modify the information contained in the transmission and if he
observes due diligence and follows the guidelines prescribed by the Central Government.
To put it in simple terms, evidences (information) taken from computers or electronic storage
devices and produced as print-outs or in electronic media are valid if they are taken from
system handled properly with no scope for manipulation of data and ensuring integrity of data
produced directly with or without human intervention etc and accompanied by a certificate
signed by a responsible person declaring as to the correctness of the records taken from a
system a computer with all the precautions as laid down in the Section
However, this Section is often being misunderstood by one part of the industry to mean that
computer print-outs can be taken as evidences and are valid as proper records, even if they are
not signed. We find many computer generated letters emanating from big corporates with
proper space below for signature under the words “Your faithfully” or “truly” and the
signature space left blank, with a Post Script remark at the bottom “This is a computer
generated letter and hence does not require signature”. The Act does not anywhere say that
‘computer print-outs need not be signed and can be taken as record’.
The Bankers’ Books Evidence(BBE) Act 1891 Amendment to this Act has been included as
the third schedule in ITA. Prior to the passing of ITA, any evidence from a bank to be
produced in a court, necessitated production of the original ledger or other register for
verification at some stage with the copy retained in the court records as exhibits. With the
passing of the ITA the definitions part of the BBE Act stood amended as: "’bankers. books’
include ledgers, day-books, cash-books, account-books and all other books used in the
ordinary business of a bank whether kept in the written form or as printouts of data stored in a
floppy, disc, tape or any other form of electro-magnetic data storage device”. When the books
consist of printouts of data stored in a floppy, disc, tape etc, a printout of such entry ...certified
in accordance with the provisions ....to the effect that it is a printout of such entry or a copy of
such printout by the principal accountant or branch manager; and (b) a certificate by a person
in-charge of computer system containing a brief description of the computer system and the
particulars of the safeguards adopted by the system to ensure that data is entered or any other
operation performed only by authorised persons; the safeguards adopted to prevent and detect
unauthorised change of data ...to retrieve data that is lost due to systemic failure or..

71
Information Technology Act, 2000, Section 78
41 | New Technology Laws With Special Reference To Cyber Laws
In short, just like in the Indian Evidence Act, the provisions in Bankers Books Evidence Act
make the printout from a computer system or a floppy or disc or a tape as a valid document
and evidence, provided, such print-out is accompanied by a certificate stating that it is a true
extract from the official records of the bank and that such entries or records are from a
computerised system with proper integrity of data, wherein data cannot be manipulated or
accessed in an unauthorised manner or is not lost or tamperable due to system failure or such
other reasons.
Here again, let us reiterate that the law does not state that any computerised print-out even if
not signed, constitutes a valid record. But still even many banks of repute (both public sector
and private sector) often send out printed letters to customers with the space for signature at
the bottom left blank after the line “Yours faithfully” etc and with a remark as Post Script
reading: “This is a computer generated letter and hence does not require signature”. Such
interpretation is grossly misleading and sends a message to public that computer generated
reports or letters need not be signed, which is never mentioned anywhere in nor is the import
of the ITA or the BBE.
The next Act that was amended by the ITA is the Reserve Bank of India Act, 1934. Section 58
of the Act sub-section (2), after clause (p), a clause relating to the regulation of funds transfer
through electronic means between banks (ie transactions like RTGS and NEFT and other
funds transfers) was inserted, to facilitate such electronic funds transfer and ensure legal
admissibility of documents and records therein
The table 1 briefly enumerates the cyber offences as laid under the IT Act, 2000 (Amendment
2008) with the punishments and penalties
Cyber Offences and Penalties and Punishments
S.NO. SECTION OFFENCE PUNISHMENT
1. 65 Tampering with computer Imprisonment upto 3 years or fine
source documents upto Rs 2 lakh or both
2. 66 Computer related offences Imprisonment upto 3 years or fine
upto Rs 5 lakh or both
3. 66 B Dishonestly receiving the Imprisonment upto 3 years or fine
stolen computer resource and upto Rs. 1 lakh
communication device
4. 65 C Theft of identity Imprisonment upto 3 years
5. 66 D Cheating by personation by Imprisonment upto 3 years and
using computer resource or fine upto Rs. 1 lakh
communication device
6. 66 E Violation of Privacy Imprisonment upto 3 years or fine
upto Rs. 2 lakh or both
7. 66 F Cyber Terrorism Life Imprisonment

42 | New Technology Laws With Special Reference To Cyber Laws

8. 67 Publishing or transmitting Upon 1st conviction with
obscene material in e-form imprisonment upto 3 years and
fine upto Rs 5 lakh; and upon 2nd
or subsequent conviction with
imprisonment upto 5 years and
fine upto Rs 10 lakh.
9. 67 A Publishing or transmitting Upon 1st conviction with
material containing sexually imprisonment upto 5 years and
explicit act in e-form fine upto Rs 10 lakh; and upon
2nd or subsequent conviction with
imprisonment upto 7 years and
fine upto Rs 10 lakh.
10. 67 B Publishing or transmitting Upon 1st conviction with
material depicting children in imprisonment upto 5 years and
sexually explicit act etc. in e- fine upto Rs 10 lakh; and upon
form 2nd or subsequent conviction with
imprisonment upto 7 years and
fine upto Rs 10 lakh
11. 67 C Violating the directions to Imprisonment upto 3 years and
preserve and retain the fine
information by intermediaries
12. 68 Violating the directions of Imprisonment upto 2 years or fine
Controller by Certifying upto Rs 1 lakh or both
Authority or his employee
13. 69 Violating the directions of the Imprisonment upto 7 years and
Central Government or State fine
Government to a subscriber to
extend facilities to decrypt
information
14. 69 A Violating the directions to Imprisonment upto 7 years and
block any information for fine
access by the public
15. 69 B Violating the directions to Imprisonment upto 3 years and
monitor and collect traffic data fine
or information
16. 70 Unauthorized access to a Imprisonment upto 10 years and
computer fine
17. 70 B Violating the directions of the Imprisonment upto 1 years or fine
Indian Computer Emergency upto Rs 1 lakh or both

43 | New Technology Laws With Special Reference To Cyber Laws

 Response Team (CERT-IN)
18. 71 Penalty for misrepresentation Imprisonment upto 2 years or fine
upto Rs 1 lakh or both
19. 72 Penalty for breach of Imprisonment upto 2 years or fine
confidentiality and privacy upto Rs 1 lakh or both
20. 72 A Disclosure of information in Imprisonment upto 3 years or fine
breach of lawful contract upto Rs 5 lakh or boUpto 5 lakh.
21. 73 Penalty for publishing Imprisonment upto 2 years or fine
electronic signature certificate upto Rs 1 lakh or both
false in certain particulars
22. 74 Publication for fraudulent Imprisonment upto 2 years or fine
purpose upto Rs 1 lakh or both

The Information Technology (Reasonable security practices and procedures and sensitive
personal data or information) Rules have since been notified by the Government of India, Dept
of I.T. on 11 April 2011. Any body corporate or a person on its behalf shall be considered to
have complied with reasonable security practices and procedures, if they have implemented
such security practices and standards and have a comprehensive documented information
security programme and information security policies containing managerial, technical,
operational and physical security control measures commensurate with the information assets
being protected with the nature of business. In the event of an information security breach, the
body corporate or a person on its behalf shall be required to demonstrate, as and when called
upon to do so by the agency mandated under the law, that they have implemented security
control measures as per their documented information security programme and information
security policies. The international Standard IS/ISO/IEC 27001 on "Information Technology –
Security Techniques - Information Security Management System - Requirements" is one such
standard referred to in sub-rule (1).
In view of the foregoing, it has now become a major compliance issue on the part of not only
IT companies but also those in the Banking and Financial Sector especially those banks with
huge computerised operations dealing with public data and depending heavily on technology.
In times of a litigation or any security breach resulting in a claim of compensation of financial
loss amount or damages, it would be the huge responsibility on the part of those body
corporate to prove that that said “Reasonable Security Practices and Procedures” were actually
in place and all the steps mentioned in the Rules passed in April 2011 stated above, have been
taken.
In the near future, this is one of the sections that is going to create much noise and be the
subject of much debates in the event of litigations, like in re-defining the role of an employee,
the responsibility of an employer or the top management in data protection and issues like the
actual and vicarious responsibility, the actual and contributory negligence of all stake holders
involved etc.
44 | New Technology Laws With Special Reference To Cyber Laws
The issue has wider ramifications especially in the case of a cloud computing scenario (the
practice of using a network of remote servers hosted on the Internet to store, manage, and
process data, rather than a local server, with the services managed by the provider sold on
demand, for the amount of time used) where more and more organisations handle the data of
others and the information is stored elsewhere and not in the owners’ system. Possibly, more
debates will emanate on the question of information owners vis a vis the information container
and the information custodians and the Service Level Agreements of all parties involved will
assume a greater significance.
Adjudication:
Having dealt with civil offences, the Act then goes on to describe civil remedy to such
offences in the form of adjudication without having to resort to the procedure of filing a
complaint with the police or other investigating agencies. Adjudication powers and procedures
have been elaborately laid down in Sections 46 and thereafter. The Central Government may
appoint any officer not below the rank of a director to the Government of India or a state
Government as the adjudicator. The I.T. Secretary in any state is normally the nominated
Adjudicator for all civil offences arising out of data thefts and resultant losses in the particular
state. If at all one section can be criticized to be absolutely lacking in popularity in the IT Act,
it is this provision. In the first ten years of existence of the ITA, there have been only a very
few applications made in the nation, that too in the major metros almost all of which are under
different stages of judicial process and adjudications have been obtained in possibly less than
five cases. The first adjudication obtained under this provision was in Chennai, Tamil Nadu, in
a case involving ICICI Bank in which the bank was told to compensate the applicant with the
amount wrongfully debited in Internet Banking, along with cost and damages. in April 2010.
This section should be given much popularity and awareness should be spread among the
public especially the victims of cyber crimes and data theft that such a procedure does exist
without recourse to going to the police and filing a case. It is time the state spends some time
and thought in enhancing awareness on the provision of adjudication for civil offences in
cyber litigations like data theft etc so that the purpose for which such useful provisions have
been made, are effectively utilized by the litigant public.
There is an appellate procedure under this process and the composition of Cyber Appellate
Tribunal at the national level, has also been described in the Act. Every adjudicating officer
has the powers of a civil court and the Cyber Appellate Tribunal has the powers vested in a
civil court under the Code of Civil Procedure.
Observations on ITA and ITAA:
Having discussed in detail all the provisions of ITA and ITAA, let us now look at some of the
broader areas of omissions and commissions in the Act and the general criticism the Acts have
faced over the years.
Awareness: There is no serious provision for creating awareness and putting such initiatives
in place in the Act. The government or the investigating agencies like the Police department
(whose job has been made comparatively easier and focused, thanks to the passing of the IT
Act), have taken any serious step to create public awareness about the provisions in these

45 | New Technology Laws With Special Reference To Cyber Laws

legislations, which is absolutely essential considering the fact that this is a new area and
technology has to be learnt by all the stake-holders like the judicial officers, legal
professionals, litigant public and the public or users at large. Especially, provisions like scope
for adjudication process is never known to many including those in the investigating agencies.
Jurisdiction: This is a major issue which is not satisfactorily addressed in the ITA or ITAA.
Jurisdiction has been mentioned in Sections 46, 48, 57 and 61 in the context of adjudication
process and the appellate procedure connected with and again in Section 80 and as part of the
police officers’ powers to enter, search a public place for a cyber crime etc. In the context of
electronic record, Section 13 (3) and (4) discuss the place of dispatch and receipt of electronic
record which may be taken as jurisprudence issues
However some fundamental issues like if the mail of someone is hacked and the accused is a
resident of a city in some state coming to know of it in a different city, which police station
does he go to? If he is an employee of a Multi National Company with branches throughout
the world and in many metros in India and is often on tour in India and he suspects another
individual say an employee of the same firm in his branch or headquarters office and informs
the police that evidence could lie in the suspect’s computer system itself, where does he go to
file he complaint. Often, the investigators do not accept such complaints on the grounds of
jurisdiction and there are occasions that the judicial officers too have hesitated to deal with
such cases. The knowledge that cyber crime is geography-agnostic, borderless, territory-free
and sans all jurisdiction and frontiers and happens in ‘cloud’ or the ‘space’, has to be spread
and proper training is to be given to all concerned players in the field.
Evidences: Evidences are a major concern in cyber crimes. Pat of evidences is the ‘crime
scene’ issues. In cyber crime, there is no cyber crime. We cannot mark a place nor a computer
nor a network, nor seize the hard-disk immediately and keep it under lock and key keep it as
an exhibit taken from the crime scene.
Very often, nothing could be seen as a scene in cyber crime! The evidences, the data, the
network and the related gadgets along with of course the log files and trail of events
emanating or recorded in the system are actually the crime scene. While filing cases under IT
Act, be it as a civil case in the adjudication process or a criminal complaint filed with the
police, many often, evidences may lie in some system like the intermediaries’ computers or
some times in the opponent’s computer system too. In all such cases, unless the police swing
into action swiftly and seize the systems and capture the evidences, such vital evidences could
be easily destroyed. In fact, if one knows that his computer is going to be seized, he would
immediately go for destruction of evidences (formatting, removing the history, removing the
cookies, changing the registry and user login set ups, reconfiguring the system files etc) since
most of the computer history and log files are volatile in nature.
There is no major initiative in India on common repositories of electronic evidences by which
in the event of any dispute (including civil) the affected computer may be handed over to a
common trusted third party with proper software tools, who may keep a copy of the entire disk
and return the original to the owner, so that he can keep using it at will and the copy will be
produced as evidence whenever required. For this there are software tools like ‘EnCase’ wih a
global recognition and our own C-DAC tools which are available with much retrieval
46 | New Technology Laws With Special Reference To Cyber Laws
facilities, search features without giving any room for further writing and preserving the
original version with date stamp for production as evidence.
Non coverage of many crimes: While there are many legislations in not only many Western
countries but also some smaller nations in the East, India has only one legislation -- the ITA
and ITAA. Hence it is quite natural that many issues on cyber crimes and many crimes per se
are left uncovered. Many cyber crimes like cyber squatting with an evil attention to extort
money. Spam mails, ISP’s liability in copyright infringement, data privacy issues have not
been given adequate coverage.
Let us now discuss some of the other relevant legislations in the nation that deal with cyber
crimes in various sectors.
Prevention of Money Laundering Act:
Black money has always been a serious evil in any developing economy. Nation builders,
lawmakers and particularly the country’s financial administrators have always taken persistent
efforts to curb the evil of black money and all sorts of illegally earned income. A major
initiative taken in this direction in India is the Anti Money Laundering Act 2002. A main
objective of the Act was to provide for confiscation of property derived from, or involved in,
money laundering.
Money laundering though not defined in the Act, can be construed to mean directly or
indirectly attempting to indulge in any process or activity connected with the proceeds of
crime and projecting it as untainted property. The Act stipulates that whoever commits the
offence of money laundering shall be punishable with rigorous imprisonment for a term which
shall not be less than three years but may extend to seven years and also be liable to a fine
which may extend to five lakh rupees.
Money laundering involves a process of getting the money from illegal sources, layering it in
any legal source, integrating it as part of any legal system like banking and actually using it.
Since the banking as an industry has a major and significant role to play in the act of money
laundering, it is now a serious responsibility on the part of banks to ensure that banking
channel is not used in the criminal activity. Much more than a responsibility, it is now a
compliance issue as well.
Obligations of banks include maintenance of records of all transactions of the nature and value
specified in the rules, furnish information of the transactions within the prescribed time,
whenever warranted and verify and maintain records of the identity of all customers. Hence,
as a corollary, adherence to Know Your Customer norms and maintenance of all KYC records
assumes a very major significance and becomes a compliance issue. Records of cash
transactions and suspicious transactions are to be kept and reported as stipulated. Non
compliance on any of these will render the concerned bank official liable for the offence of
money laundering and guilty under the Act.
e-Records Maintenance Policy of Banks:
Computerisation started in most of the banks in India from end 80’s in a small way in the form
of standalone systems called Advanced Ledger Posting Machines (Separate PC for every

47 | New Technology Laws With Special Reference To Cyber Laws

counter/activity) which then led to the era of Total Branch Automation or Computerisation in
early or mid 90’s. TBA or TBC as it was popularly called, marked the beginning of a
networked environment on a Local Area Network under a client-server architecture when
records used to be maintained in electronic manner in hard-disks and external media like tapes
etc for backup purposes.
Ever since passing of the ITA and according of recognition to electronic records, it has
become mandatory on the part of banks to maintain proper computerized system for electronic
records. Conventionally, all legacy systems in the banks always do have a record maintenance
policy often with RBI’s and their individual Board approval stipulating the period of
preservation for all sorts of records, ledgers, vouchers, register, letters, documents etc.
Thanks to computerisation and introduction of computerized data maintenance and often
computergenerated vouchers also, most of the banks became responsive to the computerized
environment and quite a few have started the process of formulating their own Electronic
Records Maintenance Policy. Indian Banks’ Association took the initiative in bringing out a
book on Banks’ e-Records Maintenance Policy to serve as a model for use and adoption in
banks suiting the individual bank’s technological setup. Hence banks should ensure that e-
records maintenance policy with details of e-records, their nature, their upkeep, the
technological requirements, off-site backup, retrieval systems, access control and access
privileges initiatives should be in place, if not already done already.
On the legal compliance side especially after the Rules were passed in April 2011, on the
“Reasonable Security Practices and Procedures” as part of ITAA 2008 Section 43A, banks
should strive well to prove that they have all the security policies in place like compliance
with ISO 27001 standards etc and e-records are maintained. Besides, the certificate to be given
as an annexure to e-evidences as stipulated in the BBE Act also emphasizes this point of
maintenance of e-records in a proper ensuring proper backup, ensuring against tamperability,
always ensuring confidentiality, integrity, availability and Non Repudiation. This policy
should not be confused with the Information Technology Business Continuity and Disaster
Recovery Plan or Policy nor the Data Warehousing initiatives. Focus on all these three
policies (BCDRP, DWH and E-records Maintenance Policy) are individually different, serving
different purposes, using different technologies and maybe coming under different
administrative controls too at the managerial level.
Legislations in other nations:
As against the lone legislation ITA and ITAA in India, in many other nations globally, there
are many legislations governing e-commerce and cyber crimes going into all the facets of
cyber crimes. Data Communication, storage, child pornography, electronic records and data
privacy have all been addressed in separate Acts and Rules giving thrust in the particular area
focused in the Act. In the US, they have the Health Insurance Portability and Accountability
Act popularly known as HIPAA which inter alia, regulates all health and insurance related
records, their upkeep and maintenance and the issues of privacy and confidentiality involved
in such records. Companies dealing with US firms ensure HIPAA compliance insofar as the
data relating to such corporate are handled by them. The Sarbanes-Oxley Act (SOX) signed
into law in 2002 and named after its authors Senator Paul Sarbanes and Representative Paul
48 | New Technology Laws With Special Reference To Cyber Laws
Oxley, mandated a number of reforms to enhance corporate responsibility, enhance financial
disclosures, and combat corporate and accounting fraud. Besides, there are a number of laws
in the US both at the federal level and at different states level like the Cable Communications
Policy Act, Children’s Internet Protection Act, Children’s Online Privacy Protection Act etc.
In the UK, the Data Protection Act and the Privacy and Electronic Communications
Regulations etc are all regulatory legislations already existing in the area of information
security and cyber crime prevention, besides cyber crime law passed recently in August 2011.
Similarly, we have cyber crime legislations and other rules and regulations in other nations.
Besides, most of the Indian corporate including some Public Sector undertakings use
Operating Systems that are from the West especially the US and many software utilities and
hardware items and sometimes firmware are from abroad. In such cases, the actual reach and
import of IT Act Sections dealing with a utility software or a system software or an Operating
System upgrade or update used for downloading the software utility, is to be specifically
addressed, as otherwise a peculiar situation may come, when the user may not know whether
the upgrade or the patch is getting downloaded or any spyware getting installed. The Act does
not address the government’s policy on keeping the backup of corporates including the PSUs
and PSBs in our county or abroad and if kept abroad, the subjective legal jurisprudence on
such software backups.
The legislation incorporates within its understanding the various cyber offences that the world
is under the threat of in the contemporary era. Proper and timely implementation of the Act
may help curb the cyber menace and also make the cyber space a more secure, safe and easy
space for storage, transactions and definitely sharing. Its linkages with other Acts like the
Indian Evidence Act, 1872 and the Bankers Book Evidence Act 1891 have made it a
comprehensive and umbrella Act to deal with any kind of cyber crime. Its proper
interpretation and implementation is what is the need of the hour.
To quote the noted cyber law expert in the nation and Supreme Court advocate Shri Pavan
Duggal, “While the lawmakers have to be complemented for their admirable work removing
various deficiencies in the Indian Cyberlaw and making it technologically neutral, yet it
appears that there has been a major mismatch between the expectation of the nation and the
resultant effect of the amended legislation. The most bizarre and startling aspect of the new
amendments is that these amendments seek to make the Indian cyberlaw a cyber crime
friendly legislation; - a legislation that goes extremely soft on cyber criminals, with a soft
heart; a legislation that chooses to encourage cyber criminals by lessening the quantum of
punishment accorded to them under the existing law; ….. a legislation which makes a majority
of cybercrimes stipulated under the IT Act as bailable offences; a legislation that is likely to
pave way for India to become the potential cyber crime capital of the world……”

49 | New Technology Laws With Special Reference To Cyber Laws

 CHAPTER 3

DIGITAL PERSONAL DATA

PROTECTION IN INDIA
Introduction
Data protection safeguards sensitive data against loss, manipulation, and misuse. The Hon’ble
Supreme Court of India established the right to privacy as a fundamental right under Article
21 of the Constitution of India as part of the right to life and personal liberty in the case
of Justice K.S. Puttaswamy v. Union of India (2017), also called the “privacy judgement.” An
aspect of the right to privacy known as “informational privacy” has been acknowledged. The
court also observed that information about a person and the right to access that information
also require the protection of privacy. There are several proposed bills for data protection and
the contributions of the Bureau of Indian Standards on data privacy. The Information
Technology Act, 2000 (IT Act) and Indian Contract Act, 1872 are currently the data protection
legislation in India because there isn’t any special legislation for this matter yet.
Need for data protection laws
The legislation on data protection explains what must be done to make sure that private data is
treated ethically and appropriately.
1. Data protection laws control the gathering, use, transfer, and disclosure of
personal information and the security of that information.
2. It gives people access to their data, establishes accountability standards for
businesses that process it, and includes redressals for improper or harmful
processing.
3. Data protection laws also provide remedies for false profiles and fraud that can
also be made using stolen information.
4. When information falls into the wrong hands, it can jeopardise people’s safety in
various ways, including their economic security, physical safety, and personal
integrity, so to protect the users from that exploitation, data protection laws are
significant.
Need for data protection laws in India
1. Millions of Indians use hundreds of applications daily, creating data trails that
may be misused to create profiles, target advertisements, and forecast activity and
trends.

50 | New Technology Laws With Special Reference To Cyber Laws

 2. In India, the intersection of the different laws for different fields creates
ambiguity and it is one of the primary reasons behind the breach of a large
amount of data. There is not yet a single codified law in India that pays close
attention to all the aspects of data protection and keeps a record for the penalties
that should be imposed.
3. Countless examples of nonexistent and malfunctioning grievance redressal
mechanisms need to be quickly resurrected and reviewed. The enforcement
mechanism frequently encounters a number of implementation issues while
handling cases related to data breaches and cybersecurity.
4. Since India is a nation-state, the data of the citizens is considered a national
asset. Depending on India’s security and geopolitical objectives, this national
asset may need to be protected and stored within national borders. That would
include not only the corporates, but also Non- Governmental Organisations and
governmental bodies.
5. Despite India being a member to several international organisations that focus on
data protection mechanisms like the United Nations Commission on International
Trade and the provisions in Directive Principles of State Policies. Article 38 is
related to the overall welfare of citizens. Privacy and data protection are
essentially related to a welfare state. It also states in Article 51 that in order to
create international peace and security, the State should work to promote
adherence to treaty obligations and international law.
When can the government interfere with data
The users’ data must be maintained privately and in strict secrecy by any governmental or
private institution, organisation, or agency. The government can, however, intercept, monitor,
and decrypt information generated, transmitted, received, or stored in any computer resource
under the exceptions mentioned in Section 69 of the Information Technology Act, 200072.
Section 69
Section 69 of the Information Technology Act, 2000, provides that the government may
demand the disclosure of any information in the public interest when it leads to illegal
activities that compromise the national security, sovereignty, and integrity of India, the
defence, the security of the state, its friendly relations, or public order when there are
violations of the law or fraud.
Section 69A
The central government may request that any government agency or intermediary limit public
access to any information created, sent, received, stored, or hosted on any computer resource
under Section 69A for comparable reasons and grounds (as mentioned above). The term
“intermediaries” would additionally mean search engines, online payment and auction sites,
online marketplaces, and cyber cafés, and also cover telecom service, network service,

72
Information Technology Act, 2000
51 | New Technology Laws With Special Reference To Cyber Laws
Internet service, and web hosting providers. However, such requests for limiting access would
have to be supported by written justifications.
Section 69B
The central government, for improving data security and for identifying, analysing, and
preventing invasion or computer contamination in the nation, may, by notification in the
Official Gazette, authenticate any institution of the government to supervise and gather traffic
data or information generated, transmitted, or received over any computer resource. Section
69B grants the authority to track and acquire traffic data or information.
Information Technology Act, 2000
On October 17, 2000, the Information Technology Act of 2000 was passed. It is the main
Indian legislation governing e-commerce and cybercrime issues. The legislation was passed to
uplift e-governance, provide legal backing for online transactions, and fight cybercrime. The
primary goal of the law is to facilitate legal and reliable digital, computerised, and online
operations and lessen or eliminate cybercrimes.
The international organisation United Nations Commission On International Trade Law
(UNCITRAL) adopted the UNCITRAL Model Law on Electronic commerce (E-commerce)
,1996 to bring legal consistency across several nations and it prompted the Government of
India to enact legislation for India based on the guidelines provided in UNCITRAL, which
was later revised and approved by the Ministry of Electronics and Information Technology
and came to be known as the Information Technology Act of 2000. India became the twelfth
nation to modify its cyber laws.
Scope of the Act
The Information Technology Act, 2000 is applicable all over India and also has extraterritorial
jurisdiction, which applies to cybercrimes conducted outside India. If an Indian system or
network is included, regardless of the offender’s country, it would be dealt with under the
Act.
Objectives of the Act
• To give legal status to all operations conducted electronically, whether through
data interchange, other electronic communication, or e-commerce, as compared to
the previous paper-based manner of communication.
• To validate digital signatures as legal proof of any information or documents
requiring legal verification.
• To enable the electronic submission of papers with government departments and
agencies.
• To make electronic data storage easier in India.
• To approve and make it easier for banks and other financial organisations to
transfer money electronically.

52 | New Technology Laws With Special Reference To Cyber Laws

Salient features of the Act
The salient features of the Act73 are as follows:
• There are 94 Sections in the Act, divided into 13 Chapters and 4 Schedules.
• All smart contracts made over secure electronic means are legally validated under
it.
• The Act keeps the required security precautions in check and a legal framework
for digital signatures using cryptosystem was also added.
• Electronic records have been authenticated.
• There are also provisions for setting up a Cyber Regulations Advisory Committee
to advise the Controller and the central government.
• The Act permits senior police officers and other officials to enter any public space
and make arrests for offences covered by the Act without a warrant.
• Powers of attorney, negotiable instruments, wills, and other similar documents
are not subject to the regulations contained in this Act.
• Finally, this act outlines the numerous cybercrimes and violations, defines them,
and specifies the associated penalties.
•
The IT Act of 2000 was amended by IT Amendment Act, 2008. As a result, all types
of communication tools and computer resources were now included in the scope and
ambit of the IT act 2000.
Amendments to the IT Act in 2008
The use of devices and the internet has rapidly increased, which has led to new types of crimes
like sending offensive emails and messages, child pornography, cyberterrorism, posting
overtly sexual online material, video voyeurism, information leakage by intermediaries, and e-
commerce scams like data theft and cheating by false representation, also known as phishing.
So, the Information Technology Act of 2000 was needed to incorporate punitive measures.
Cybersecurity, data protection, and the adoption of security methods and processes relating to
these uses of online means have taken on greater significance due to the rise of digital
information services like e-governance, e-commerce, and e-transactions. Furthermore,
safeguarding critical information infrastructure is essential for maintaining public health,
safety, the economic and national security; as a result, it has become vital to designate such
infrastructure as a safeguarded system to prevent illegal access.
Amendments in Definitions
• The word “Digital” has been changed to “Electronic” in the definition section,
among other notable changes. As indicated above, this modification broadens the
scope of the IT Act beyond digital media, making it more technologically neutral

73
Information Technology Act, 2000
53 | New Technology Laws With Special Reference To Cyber Laws
 as the creation of an electronic signature does not need any particular
technological procedure. It would clearly refer to only online transactions even if
they were.
• A new definition has also been inserted for “intermediary.”
• The inclusion of “cell phones, personal digital assistants,” and other similar
devices in the definition of “communication devices” defines its clear-cut
applicability.
• Another crucial addition that will impact the new Data Protection regulations
provided under the Information Technology Act, 2008 is the broad definition
of “cyber security” which now includes safeguarding data and equipment from
unauthorised access, usage, publication, etc.
Major amendments in legislation
Section 66A
Sending offensive information over a communication device through an online device is
prohibited by Section 66A of the Information Technology (Amendment) Act, 2008. This
includes dangerous and inappropriate messages as well as messages that are misleading or
inaccurate but are transmitted with the intent to “cause irritation, discomfort, fear, hindrance,
humiliation, harm, criminal intimidation, hostility, hatred, or ill will” even while the sender is
aware of their falsity.
Section 67 and 67A
The vast volume of “obscene” content shared online has long gathered attention in India. So it
should be no surprise that obscenity is forbidden offline and online in the nation. Section
67 and 67A of the IT Act, which forbids obscene and sexually explicit information, have
proven to be crucial measures to control it.
Section 69A
The Central Government may restrict content under Section 69A of the IT (Amendment) Act,
2008, if it deems that any such content threatens the sovereignty, security, integrity, or
defence of the state, public order, friendly relations with foreign states, or attempts to incite
the commission of a crime related to any of those as mentioned earlier. An independent set of
rules called “Information Technology Rules (Blocking of Access of Information by Public
Rules), 2009” has been notified for the enforcement of Section 69A, and it is called
the Blocking Rules.
Section 77A and 77B
According to Section 77A of the ITA, 2008, all offences under this Act—aside from those that
carry a life sentence or a sentence of more than three years in prison, involve enhanced
punishment, negatively impact the socioeconomic standing of the nation, or involve offences
against women or minors under the age of 18—can now be combined into a single offence.

54 | New Technology Laws With Special Reference To Cyber Laws

In accordance with Section 77B, regardless of the provisions of the Code of Criminal
Procedure, 1973, all offences with a three-year or longer sentence are cognizable and subject
to bail.
Section 79
The intermediaries in India are subject to regulation under Section 79 of the Information
Technology Act, 2008. This section gained notoriety primarily due to the notorious IT Rules,
or Intermediary Guidelines Rules, created under the power of the central government to make
rules under Sections 87(1) and 87(2)(zg).
A “safe harbour” feature in Section 79 of the Act exempts intermediaries from responsibility
for the actions of third parties under certain circumstances. This provisional immunity is
granted to intermediaries under Section 79(1) of the Act with respect to any information, data,
or communication connection made available or hosted by them on behalf of a third party. For
Example: If a person or bot puts up any illegal content on Facebook, Facebook by “safe
harbour” provision would escape liability by claiming that they had no knowledge about such
activities.
Sections 79(2) and 79(3) of the Act apply to these exemptions. Essentially, circumstances,
where the intermediary engages in technological, automated, or passive activities, are covered
by Section 79(2). In order for Section 79(2) to be applicable, intermediaries must not be aware
of or in charge of the data being sent or stored.
Additionally, the “notice and takedown” system envisioned by Section 79(3)(b) mandates that
the intermediary remove illegal information as soon as it has actual knowledge of its
existence.
The tremendous growth in internet usage has, however, resulted in an uptick in criminality,
including child pornography, cyberterrorism, publishing sexually explicit information online,
and video voyeurism. So, these provisions were needed to be included in the Information
Technology Act, 2000.
Development of data protection legislations in India
The Supreme Court of India has established the right to privacy and data protection as a
fundamental right in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), and
the present legislative framework for privacy outlined in the Information Technology Rules,
2011 (IT Rules, 2011) which governs the “collecting, receiving, possessing, storing, dealing,
handling, retaining, using, transferring, disclosing sensitive personal data or information,
security practices and procedures for handling personal information”. However this provision
is considered to be insufficient as it fails to address among other issues, the misuse of data
collected from children, breaches of data by corporations outside India and the limited scope
of the definition of sensitive data.
It was insufficient on four levels:
• First, the existing model assumed that privacy is a statutory right rather than a
fundamental one and does not apply to the state’s processing of individual data.

55 | New Technology Laws With Special Reference To Cyber Laws

 • Second, it understood only a few data types that must be shielded.
• Third, it imposed few responsibilities on data controllers, which can also be
waived by contract.
• Fourth, there were few punishments for the violators.
Personal Data Protection Bill, 2018
The Justice Srikrishna Committee, tasked by the Ministry of Electronics and Information
Technology (MeitY) with drafting data protection legislation for India, came out with the
initial proposal of the legislation, the Personal Data Protection Bill, 201874. The government
enacted this plan and presented it in Lok Sabha, but it was sent for further modification for the
following reasons:
1. The new provision on data localisation may be the part that generated the greatest
public controversy. The law mandates that data fiduciaries keep “at least one
serving copy” of customer information on an Indian server or data centre. The
only rationale for such a rule is to make it simple for law enforcement to get this
information.
2. This brings up the bill’s second issue: it permits the processing of personal data in
the interests of state security if permitted and in accordance with legal procedure.
It also allowed for the processing of personal data for the detection, investigation,
and prosecution of any crime or other legal infraction. Given India’s inadequate
laws prohibiting state monitoring, the state’s access to all personal data presents a
serious danger to the right to privacy.
3. Last but not least, the draft law established a regulatory framework that was not
independent enough: the regulatory system was heavily under the influence of the
central government and was susceptible to being captured by businesses. On the
proposal of an independent commission, the proposed legislation granted the
central government the right to nominate members of the data protection
authority. Five years were a very little period for a new institution to learn the
ropes and obtain the independence it needs to function as an efficient regulator,
yet that is how long the appointment could last.
Personal Data Protection Bill, 2019
This was followed by the Personal Data Protection Bill, 2019, which was later withdrawn
amid promises of a replacement measure that would adhere to India’s extensive legal system,
keeping in mind the other 81 suggested modifications by the Joint Parliament Committee75.
Data Protection Bill, 2021
The Data Protection Bill, 2021, was a single law put out by the committee that would cover
both personal and non-personal datasets. The report’s recommendation to move toward total
localization of data was under question. A data protection authority had also been suggested in

74
Personal Data Protection Bill, 2018
75
Personal Data Protection Bill, 2019
56 | New Technology Laws With Special Reference To Cyber Laws
the withdrawn bill. As it develops the framework for the cross-border transfer, accountability
of entities processing data, and potential remedies for unauthorised and harmful processing, it
had also recommended to explicitly stating the flow and usage of personal data as well as
defending the rights of individuals for whom the personal data are processed76.
Digital Personal Data Protection Bill (DPDP Bill, 2022)
Every digital processing of private information is now subject to the Digital Personal Data
Protection Bill (DPDP Bill, 2022). This would cover both personally identifiable information
gathered online and offline that has been converted to digital form for handling. This bill will
affect the legal safeguards offered to customers of Indian start-ups doing business abroad,
affecting their competitiveness. This viewpoint is further supported by the bill, which exempts
the majority of its safeguards from applying to data fiduciaries in India who process personal
data belonging to citizens of India.77
Comparison of the Digital Personal Data Protection bill with previous bills
Territorial Implementation of the Bill
The territorial implementation of the law, is that the Bill also addresses handling personal data
gathered by data controllers on Indian soil and used to provide products and services there.
The previous laws were limited to India and had no provisions for any offence committed
outside the territory of India.
Fine
Digital Personal Data Protection Bill 2022, which was released, to up to Rs 500 crore. The
previous laws were limited to a maximum fine amount of Rs 250 crore. The government
increased the fine amount for breaking the rules outlined in the new DPDP bill to make sure
that the offenders comply strictly with the laws.
Rights
Right to be forgotten
Prior to this, the Union Government’s adjudicating officer had to authorise a request to be
forgotten before the right could be used. The right to be forgotten for processing, which was
previously restricted to disclosure, has been expanded according to the recommendations
made in the Data Protection Bill, 2021.
Right to access data
According to the Srikrishna Report, a data fiduciary could enforce the substantive duties of a
data fiduciary by exercising rights to confirmation and access. The PDP Bill incorporated the
2018 bill’s requirements while also granting the data principal the right to access all of the
data fiduciaries with whom their personal data had been shared in one location. In accordance
with the Data Protection Bill, 2021, the data subject has the option to choose a legal heir or

76
Data Protection Bill, 2021
77
Digital Personal Data Protection Bill, 2023
57 | New Technology Laws With Special Reference To Cyber Laws
legal representative as their nominee, who will be able to exercise their rights to confirmation
and access as well as their right to be forgotten in the case of their passing.
Consent
Most data protection laws designate specific types of personal data as “sensitive personal data
” due to the higher risk of harm that may be caused by its unauthorised processing like
biometric information, health information, genetic information, etc. So, clear consent will be
required before processing, and data protection impact assessments are required, giving this
personal data a higher level of safety as per the DPDP bill 2022. In PDP Bill, 2019, consent
was made a significant part of the Act, and it even mentioned the provision for withdrawal.
And before that in 2018 the JPC suggested a change in the consent as it had to be explicitly
taken.
Regulation of Non-Personal Data
The DPDP Bill 2022 lays down the provision of laying down rules every year for the
processing of non-personal data, whereas the PDP Bill, 2019 permits the central government
to ask any data fiduciary to give the record for non-personal data. And the prior, PDP Bill,
2018 made no mention of this provision at all.
Bureau of Indian Standards on data privacy
A separate organisation that regulates data, the Bureau of Indian Standards (“BIS”), has
released new standards for data privacy assurance, namely the IS 17428. BIS was established
as a national standards authority. It is designed to give enterprises a privacy assurance
foundation to set up, carry out, keep up with, and constantly enhance their data privacy
management system. It is an accreditation that companies may use to reassure their clients and
staff about their privacy policies. It can also be strategically employed to set a company apart
from its rivals in the market to control standardisation, conformity evaluation, and quality
control of both goods and services in India.78
This part talks about the requirements of any organisation. For an organisation to properly
define its role and obligations, the IS Requirements give fundamental definitions of “data
controller,” “data processor,” “personal information,” “sensitive personal information,
processing, consent,” etc., so that institutions can comply with them accordingly.

78
The Bureau of Indian Standards has published two Indian Standards, which are IS 17428- Data
Privacy Assurance [Part 1] Engineering and Management Requirements and IS 17428- Data Privacy
Assurance [Part 2] Engineering and Management Guidelines.

IS 17428: Data Privacy Assurance [Part 1] Engineering and Management Requirements

58 | New Technology Laws With Special Reference To Cyber Laws

IS 17428: Data Privacy Assurance [Part 2] Engineering and Management Guidelines
It gives specific, suggesting approaches that help in carrying out these standards. It provides
fundamental standards for technical design and information management and is lawful. The IS
Guidelines offer in-depth advice on the methods and best practices to follow in order to
comply with the IS requirements. The IS Guidelines additionally outline important facets to
take into account for network infrastructure security and privacy.
Features of the new standards for data privacy
• During the development life cycle of any product, service, or solution, the
business must consider specific technical and design criteria.
• The organisation’s privacy needs to consider the relevant jurisdiction, like
verifying and testing the relevant data privacy control before and during
development.
• Additionally, the company must set up certain privacy management procedures.
• Duties like- the types of personal data and outsourcing regulations; the types of
private information and leasing regulations; describing its organisational
structure, roles, and procedures for responsibility, communication, and
governance;
• A list of such material and its flow- impose privacy regulations, determine the
data retention duration and keep records of documentation and logs, create a
technique for privacy effect assessments, create a grievance redressal framework
that identifies the grievance officer, make their information public, and
establishes processes for submitting and escalating complaints.
• Improve the knowledge of the organisation’s personnel who handle personal
information.
Why India needs a new codified data protection law
1. India has seen huge technological advancements and is at par with other
countries, but it lags with definite and stringent laws which address all the recent
changes in the way our data is handled. Over the last two decades, countries like
the USA, China and many more have adopted new laws for data protection. India
currently lags uniform legislation. The times require India to adopt new laws so
that it can walk hand in hand with other countries.
2. The current Information Technology Act, 2000 is moderately handling India’s
data protection issues, yet it is not very strict as it falls short in implementing the
provisions properly. Data Protection with strict implementation is currently a
requirement of India.
3. Spamming is also an issue that has recently taken prevalence where a user
receives a large number of the same messages, repeatedly and clutters their
inboxes. The USA and several European countries have laws punishing the

59 | New Technology Laws With Special Reference To Cyber Laws

 sender of these spams but India has no mention of it. Laws addressing recently
arising problems are the need of the hour.
4. Online transactions also need to be addressed specifically, as it is currently being
regulated by RBI norms, which should be addressed by relevant laws, which
necessitates new laws on data protection in India even more.
5. Technology is outdated even before it is introduced, and it stands corrected in the
situation India is in right now. There are several provisions like online banking,
publication rules, cyber defamation, cyber terrorism, cryptocurrency and NFTs
that are in dire need of being addressed by proper legislation so that issues related
to them can be resolved.
Important cases
State of Tamil Nadu v. Suhas Katti (2004)
In the case of State of Tamil Nadu v. Suhas Katti (2004), the victim filed a complaint under
Sections 67 of the IT Act and 469 and 509 of the Indian Penal Code, 1860. In order to
humiliate the woman, the accused posted pornographic remarks about the victim in a number
of groups. In order to harm her reputation, he also disclosed her mobile number and opened a
fraudulent account in her name. According to the aforementioned Sections, the court found the
accused guilty.
This case is significant because it encouraged citizens all around the nation to come forward
and report incidents of online abuse.
Amar Singh v. Union of India (2011)
The petitioner in this case of Amar Singh v. Union of India (2011) claimed that his telecom
service provider had secretly recorded his calls. According to him, the alleged monitoring
violated his basic right to privacy under Article 21 of the Indian Constitution. The service
provider said that it was carrying out the directives of the authorities (the government of
NCT). In light of Sections 69, 69A, and 69B of the IT Act, 2000, this case is significant. The
Court noted that a telecom service provider carries out a public-facing activity. It has a natural
need to behave sensibly and responsibly. Additionally, it was held by the court that the service
provider must confirm the legitimacy of any government orders “to tap phones” when they
include serious errors. In order to avoid unlawful call interception, the court further ordered
the central government to establish specific directives and rules.
Shreya Singhal v. Union of India (2015)
In the landmark case of Shreya Singhal v. Union of India (2015), two ladies were held by the
police for reportedly making inappropriate and disrespectful remarks on Facebook over the
appropriateness of announcing a bandh in Mumbai following the passing of a political leader.
According to Section 66A of the Information Technology Act of 2000 (ITA), the police could
make the arrest of a person if that information was sent through a computer resource or
communication device with the intent to cause “annoyance, inconvenience, danger, insult,
injury, hatred, or ill will.”

60 | New Technology Laws With Special Reference To Cyber Laws

The entire Section 66A was declared unconstitutional by the Supreme Court of India on the
grounds that its intended protection against annoyance, inconvenience, danger, obstruction,
insult, injury, and criminal intimidation went beyond the bounds of reasonable restrictions
under Article 19(2) of the Indian Constitution.
Justice K.S. Puttaswamy (Retd) v. Union of India (2017)
The nine-judge bench of the Supreme Court of India in the case of Justice K.S. Puttaswamy
(Retd) v. Union of India (2017) upholds the right to privacy as a right which is protected by
the Constitution of India. According to this case, the government’s plan for a standard
biometric identity that would be needed for accessing government services and benefits was
contested in the suit, which was initiated by retired Judge K.S. Puttaswamy. The government
made the claim that the Constitution did not specifically guarantee the right to privacy. As
stated by the court, privacy is a basic right or freedom protected by Article 21, which states
that “No person shall be deprived of his life or personal liberty except according to procedure
established by law.”
Praveen Arimbrathodiyil v. Union of India (2021)
The Union Government published a set of regulations in 2021. Using the authority granted to
it by Section 87 of the IT Act of 2000, the Information Technology (Intermediaries
Guidelines) Rules, 2011, are replaced by these regulations. The government aims to control
internet streaming services, social media intermediaries, and digital news outlets through these
regulations. According to these regulations, social media intermediaries must adhere to the
laid down internal grievance redressal process. In circumstances of significant offences, these
intermediaries are also compelled to provide the government with the details of the person
who sent the offensive communication. Under the guidelines, intermediaries who violate them
forfeit the protection granted to them by Section 79 of the IT Act.
As stated in the guidelines, intermediaries who violate them forfeit the protection granted to
them by Section 79 of the IT Act. The regulations also mandate that the digital news media
establish an internal grievance redressal system and adhere to an ethical code of conduct. In
this case, several companies, including WhatsApp, Quint, LiveLaw, and the Foundation for
Independent Journalists, have contested these regulations. The outcomes of the judgement will
impact the future direction of Indian law in information technology, for which the petition is
currently pending before the Supreme Court for listing.
Digital Personal Data Protection (DPDP) Act, 2023
In early August 2023, the Indian Parliament passed the Digital Personal Data Protection
(DPDP) Act, 2023. The new law is the first cross-sectoral law on personal data protection in
India and has been enacted after more than half a decade of deliberations. 79 The key question
this paper discusses is whether this seemingly interminable period of deliberations resulted in
a “good” law—whether the law protects personal data adequately, and in addition, whether it
properly balances, as the preamble to the law states, “the right of individuals to protect their

79
Anirudh Burman, “Will India’s Proposed Data Protection Law Protect Privacy and Promote
Growth?,” Carnegie India, March 9, 2020, https://carnegieindia.org/2020/03/09/will-india-s-proposed-
data-protection-law-protect-privacy-and-promote-growth-pub-81217.
61 | New Technology Laws With Special Reference To Cyber Laws
personal data” on one hand and “the need to process such personal data for lawful purposes”
on the other.
To answer this question, the paper first details the key features of the law and compares it to
earlier versions, especially the previous official bill introduced by the government in
Parliament in 2019.80 The second part of the paper then examines the DPDP Act from two
perspectives. First, it highlights certain potentially problematic features of this law to
understand its consequences for consumers and businesses as well as the Indian state. Second,
it places the act in context of the developments and deliberations that have taken place over
the last five years or so. The third part speculates on the key factors that will influence the
development of data protection regulation in India in the next few years.
The 2023 act is the second version of the bill introduced in Parliament, and fourth overall. An
initial version was prepared by a committee of experts and circulated for public feedback in
2018.81 This was followed by the government’s version of the bill that was introduced in
Parliament in 2019—the Personal Data Protection Bill, 2019. This version was studied by a
parliamentary committee that published its report in December 2021. 82 The government,
however, withdrew this bill, and in November 2022, published a fresh draft for public
consultations—the draft Digital Personal Data Protection Bill, 2022.
These four drafts were preceded by a landmark 2017 judgment by India’s Supreme Court
in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors. The judgment declared that
the right to privacy is part of the fundamental right to life in India and that the right to
informational privacy is part of this right. The judgment, however, did not describe the
specific contours of the right to informational privacy, and it also did not lay down specific
mechanisms through which this right was to be protected.
Following this, the first government version of the law, the Personal Data Protection Bill,
2019, was introduced in Parliament in December 2019. This version was expansive in scope
and proposed cross-sectoral, economy-wide data protection regulation to be overseen by an
all-powerful data protection regulator—the Data Protection Authority (DPA). The 2019 bill
provided for a preventive framework. It imposed a number of obligations on entities collecting
personal data—to provide notice and take consent from individuals, to store accurate data in a
secure manner, and to use it only for purposes listed in the notice. Businesses were also
required to delete data once the purpose was satisfied and to provide consumers rights to
access, erase, and port their data. Businesses were required to maintain security safeguards
and transparency requirements, implement “privacy by design” requirements, and create
grievance redress systems. Finally, this bill introduced an entity known as “consent

80
Ibid
81
“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation),” Official Journal of
the European Union, May 4, 2016, https://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:32016R0679.
82
Anirudh Burman, “The Withdrawal of the Proposed Data Protection Law Is a Pragmatic Move,”
Carnegie India, August 22, 2022, https://carnegieindia.org/2022/08/22/withdrawal-of-proposed-data-
protection-law-is-pragmatic-move-pub-87710.
62 | New Technology Laws With Special Reference To Cyber Laws
managers,” who were intermediaries for collecting and providing consent to businesses on
behalf of individuals.
The bill grouped personal data into different categories and required elevated levels of
protection for “sensitive” and “critical” personal data. Certain businesses were also to be
categorized as “significant data fiduciaries,” and additional obligations were proposed for
them—registration in India, data audits, and data impact assessments. In addition, the bill
imposed localization restrictions on the cross-border flows of certain categories of data. The
DPA was empowered to impose penalties on businesses for violating these requirements. The
bill also proposed to criminalize activities related to the deanonymization of individuals from
anonymized datasets.
The 2019 bill exempted certain entities and businesses from notice and consent requirements
under certain circumstances—for lawful state functions, medical and health services during
emergencies or epidemics, breakdown of public order, employment-related data processing,
the prevention and detection of unlawful activity, whistleblowing, and credit recovery, among
others.
The 2019 bill also had a provision to empower the government to regulate nonpersonal data. It
allowed the government to require private entities to hand over specific nonpersonal data that
the government asked for as per conditions it prescribed. In short, the 2019 bill proposed a
comprehensive, cross-sectoral framework based on preventive requirements for businesses
(defined as “data fiduciaries”) and rights for individuals or consumers (“data principals”).
This regulatory structure was based mostly on the 2018 draft bill proposed by the Srikrishna
Committee—the committee, chaired by Justice B.N. Srikrishna, a retired Supreme Court
judge, was set up by the Ministry of Electronics & Information Technology in July 2017 to
help frame data protection norms. The recommendations of this committee, in turn, were
based on major regulatory developments that were popular while the work of the committee
was proceeding. Primary among these was the European Union’s (EU’s) General Data
Protection Regulation (GDPR). While the general preventive framework of the 2019 bill was
welcome, its expansive scope was problematic. It created a number of significant compliance
requirements that would have affected both big and small firms in the economy. It also
proposed the creation of a DPA that had significant regulation-making and supervisory
powers. These regulations would have further detailed the already significant compliance
requirements in the bill. The novelty of the law and the lack of prior experience in
implementing a data protection law of this nature would have created serious risks of
overregulation or under-regulation.
The DPDP Act is based on the draft proposed by the government in November 2022, which
adopted a radically different approach to data protection regulation. 83 The next section details
the key provisions of the act.

83
The Digital Personal Data Protection Bill, 2022.
63 | New Technology Laws With Special Reference To Cyber Laws
KEY FEATURES OF THE DPDP ACT, 2023
Compared to the 2019 version of the bill, the DPDP Act, 2023 is more modest—it has reduced
obligations for businesses and protections for consumers. On the one hand, the regulatory
structure is simpler, but on the other, it vests the central government with unguided
discretionary powers in some cases.
Applicability to Nonresidents
The DPDP Act applies to Indian residents and businesses collecting the data of Indian
residents. Interestingly, it also applies to non-citizens living in India whose data processing “in
connection with any activity related to offering of goods or services” happens outside India.
This has implications for, say, a U.S. citizen residing in India being provided digital goods or
services within India by a provider based outside India.
Purposes of Data Collection and Processing
The 2023 act allows personal data to be processed for any lawful purpose. The entity
processing data can do so either by taking the concerned individual’s consent or for
“legitimate uses,” a term that has been explained in the law.
Consent must be “free, specific, informed, unconditional and unambiguous with a clear
affirmative action” and for a specific purpose. The data collected has to be limited to that
necessary for the specified purpose. A clear notice containing these details has to be provided
to consumers, including the rights of the concerned individual and the grievance redress
mechanism. Individuals have the right to withdraw consent if consent is the ground on which
data is being processed.
Legitimate uses are defined as: (a) a situation where an individual has voluntarily provided
personal data for a specified purpose; (b) the provisioning of any subsidy, benefit, service,
license, certificate, or permit by any agency or department of the Indian state, if the individual
has previously consented to receiving any other such service from the state (this is a potential
issue since it enables different government agencies providing these services to access
personal data stored with other agencies of the government); (c) sovereignty or security; (d)
fulfilling a legal obligation to disclose information to the state; (e) compliance with
judgments, decrees, or orders; (f) medical emergency or threat to life or epidemics or threat to
public health; and (g) disaster or breakdown of public order.
Rights of Users/Consumers of Data-Related Products and Services
The DPDP Act also creates rights and obligations for individuals. These include the right to
get a summary of all the collected data and to know the identities of all other data fiduciaries
and data processors with whom the personal data has been shared, along with a description of
the data shared. Individuals also have the right to correction, completion, updating, and
erasure of their data. Besides, they have a right to obtain redress for their grievances and a
right to nominate persons who will receive their data.

64 | New Technology Laws With Special Reference To Cyber Laws

Obligations on Data Fiduciaries
Entities responsible for collecting, storing, and processing digital personal data are defined as
data fiduciaries and have defined obligations. These include: (a) maintaining security
safeguards; (b) ensuring completeness, accuracy, and consistency of personal data; (c)
intimation of data breach in a prescribed manner to the Data Protection Board of India (DPB);
(d) data erasure on consent withdrawal or on the expiry of the specified purpose; (e) the data
fiduciary having to appoint a data protection officer and set up grievance redress mechanisms;
and (f) the consent of the parent/guardian being mandatory in the case of children/minors
(those under eighteen years of age). The DPDP Act also states that any processing that is
likely to have a detrimental effect on a child is not permitted. The law prohibits tracking,
behavioral monitoring, and targeted advertising directed at children. The government can
prescribe exemptions from these requirements for specified purposes. This is potentially a
problem since the powers to exempt are broad and without any guidelines.
While the 2023 act retains the broad categories of obligations for the most part, the key
difference from the 2019 bill is the absence of the scope for the regulator, the DPA, to make
detailed regulations on these obligations. In addition, the substantive requirements under each
of these categories have been reduced.
There is an additional category of data fiduciaries known as significant data fiduciaries
(SDFs). The government will designate data fiduciaries as SDFs based on certain criteria—
volume and sensitivity of data and risks to data protection rights, sovereignty and integrity,
electoral democracy, security, and public order.
SDFs will have additional obligations that include: (a) appointing a data protection officer
based in India who will be answerable to the board of directors or the governing body of the
SDF and will also serve as the point of contact for grievance redressal; and (b) conducting
data protection impact assessments and audits and taking other measures as prescribed by the
government. The 2019 bill required that SDFs register in India. This requirement has been
removed from the 2023 act.
Moderation of Data Localization Requirements
The 2023 law reverses course on the issue of data localization. While the 2019 bill restricted
certain data flows, the 2023 law only states that the government may restrict flows to certain
countries by notification. While this is not explicit, the power to restrict data flows seems to be
to provide the government necessary legal powers for national security purposes. The law also
states that this will not impact measures taken by sector-specific agencies that have or may
impose localization requirements. For example, the Reserve Bank of India’s localization
requirements will continue to be legally valid.
Exemptions From Obligations Under the Law
The law provides exemptions from consent and notice requirements as well as most
obligations of data fiduciaries and related requirements in certain cases: (a) where processing
is necessary for enforcing any legal right or claim; (b) personal data has to be processed by
courts or tribunals, or for the prevention, detection, investigation, or prosecution of any

65 | New Technology Laws With Special Reference To Cyber Laws

offenses; (c) where the personal data of non-Indian residents is being processed within India;
and so on.
In addition, the law exempts certain purposes and entities completely from its purview. These
include:
1. Processing in the interests of the sovereignty and integrity of India, security of the state,
friendly relations with foreign states, maintenance of public order, or preventing
incitement to any cognizable offense. This will allow investigative and security agencies to
remain outside the purview of this law.
2. Data processing necessary for research, archiving, or statistical purposes if the personal
data is not to be used to take any decision specific to a data principal.
3. The government can exempt certain classes of data fiduciaries, including startups, from
some provisions—notice, completeness, accuracy, consistency, and erasure.
4. One problematic provision allows the government to, “before expiry of five years from the
date of commencement of this Act,” declare that any provision of this law shall not apply
to such data fiduciary or classes of data fiduciaries for such period as may be specified in
the notification. This is a significant and wide discretionary power and is not
circumscribed by any guidance on the basis for such exemption, the categories that may be
exempted, and the time period for which such exemptions can operate.
New Regulatory Structure for Regulating Data Privacy
The 2023 law completely changes the proposed regulatory institutional design. The 2019 bill
proposed an independent regulatory agency. The DPA was proposed on the lines of similar
government agencies in many EU countries that function independently of government and
implement the GDPR. The proposed Indian DPA was arguably more powerful since it was
proposed to have much more extensive regulation-making powers than DPAs under the
GDPR. In addition to framing regulations, the DPA would have been responsible for framing
codes of conduct for businesses, investigating cases of noncompliance, collecting supervisory
information, and imposing penalties on businesses.
In contrast, the 2023 law establishes the DPB. The board is not a regulatory entity and is very
different from the DPA. Compared to the latter, the board has a limited mandate to oversee the
prevention of data breaches and direct remedial action and to conduct inquiries and issue
penalties for noncompliance with the law. The board does not have any powers to frame
regulations or codes of conduct or to call for information to supervise the workings of
businesses. It can only do so during the process of conducting inquiries.
The members of the board will be appointed by the government, and the terms and conditions
of their service will be prescribed in rules made by the government. The law states that these
terms and conditions cannot be varied to a member’s disadvantage during their tenure.
The law allows the board to impose monetary penalties of up to 250 crore rupees
(approximately $30.5 million). Appeals from the board’s orders will go to an existing
tribunal— the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). In addition to
monetary penalties, the bill allows data fiduciaries to provide voluntary undertakings to the
66 | New Technology Laws With Special Reference To Cyber Laws
board as a form of settlement of any complaints against them. Therefore, the board is a very
different institution in design compared to the DPA.
Finally, the 2023 law contains a novel provision not included or discussed in any previous
version. This is Section 37, which allows the government, based on a reference from the
board, to block the public’s access to any information that enables a data fiduciary to provide
goods or services in India. This has to be based on two criteria: (a) the board has imposed
penalties against such data fiduciaries on two or more prior occasions, and (b) the board has
recommended a blockage. The government has to provide the data fiduciary an opportunity to
be heard before taking such action.
ANALYZING THE DPDP ACT, 2023
This section analyzes the 2023 act from two perspectives. First, it explains the broad structure
of the law and highlights its key features and issues. Second, it contextualizes the law in the
background of the different drafts proposed before this and elaborates upon the deliberations
that have led to it.
How Well Does the DPDP Act, 2023, Protect Privacy?
The 2023 act creates, for the first time, a data privacy law in India. It requires consent to be
taken before personal data is processed and provides a limited number of exceptions that are
clearly enumerated in the law. It provides consumers the right to access, correct, update, and
erase their data, in addition to a right to nomination. It creates additional safeguards for the
processing of children’s data. For businesses, it creates purpose limitations and obligations to
provide notice of data collection and processing and mandates security safeguards. The law
requires the creation of grievance redress mechanisms by businesses. The DPB will also
handle complaints and grievances and is empowered to issue penalties for noncompliance with
the law.
For the first time, therefore, India has a statutory framework for data protection. The presence
of the law will gradually lead to the development of minimal standards of behavior and
compliance among businesses that collect data. In this regard, the approach of the government
toward implementing and enforcing the law will be the critical variable—for example,
whether implementation will be focused on data-heavy businesses or across the economy
would be an important factor.
However, other than open questions related to implementation, there are some concerns with
different provisions of the law and their potential for undermining the protections seemingly
accorded in it.
First, the exceptions carved out for consent empower the state significantly and place state
imperatives on a different pedestal compared to private entities. While this may be truly
legitimate in some circumstances, like disasters or emergencies, the law enlarges the scope of
such circumstances. For example, Section 7(b) of the law enables the government to sidestep
consent requirements where a government service beneficiary has previously consented to
receiving any other benefit from the state. While this may allow easier access to personal data
of beneficiaries for receiving government services, it also creates a potential for the
government to aggregate databases. This is because making true use of the potential of this
67 | New Technology Laws With Special Reference To Cyber Laws
provision would mean that government agencies would have to be exempted from purpose
limitations that require personal data to be deleted after the purpose of the data has been
satisfied.
Another example of this is the set of exemptions to the state for investigative, prosecutorial,
and national security purposes. In Section 17(1)(c), the law exempts the requirements of notice
and consent, among others, for the purposes of processing for “prevention, detection,
investigation or prosecution of any offence or contravention of any law.” 27 While this is
understandable, Section 17(2)(a) subsequently provides a blanket exemption from the whole
law to any government agency that the government may notify, in the interests of sovereignty,
security, integrity, public order, and preventing incitement. Given the fact that Section
17(1)(c) already exists, Section 17(2)(a) only indicates the desire of Parliament to ensure a
complete non-application of the data protection law to certain state agencies.
Provisions like these create a separate category of activity that is beyond the purview of data
privacy requirements. It is problematic that the Indian state is not subject to many of the
constraints that private entities are, especially in cases where there is no pressing requirement
for such an exception.
Second, the discretionary rule-making powers that the government has under the law could, in
some cases, undermine the protections provided in the law. For example, under Section 17(5),
the government has the power to declare that any provisions of this law will not apply to any
business or class of businesses within five years of the commencement of the law. There is no
time frame for the operation of this exemption or any guidance on how this provision is to be
used. An optimistic interpretation of this provision would suggest that this could be used to
allow sunrise industries or startups some time to comply with the law. However, provision for
this has already been made in Section 17(3), which provides limited exemptions to startups
and other industries the government may notify. Therefore, Section 17(5) could potentially be
used in a manner that defeats the purpose of the law. It is worth reiterating that the law only
limits the government’s power to give these exemptions for an initial period of five years. It
does not provide any limit on how long these exemptions can last for.
Similarly, the government has some unguided rule-making powers for exempting businesses
from certain requirements regarding the processing of children’s data. Sections 9(1) to 9(3)
specify certain requirements for the same—they require parental consent and prohibit
profiling, among others. Section 9(4) allows the government to exempt any business or class
of businesses from Sections 9(1) to 9(3) “subject to such conditions, as may be prescribed.”
This provision, again, fails to indicate on what grounds this exemption will be given, how the
conditions are to be determined, and so on. Since there is a lack of sufficient guidance, this
provision is also subject to misuse.
While there are other provisions where the government has powers to prescribe conditions and
make substantive rules, the examples highlighted above provide almost no guidance. This is
also problematic when judged against the tenets of Indian administrative law, which requires
that laws should not confer unguided and excessive discretion on the implementing
authority.28 If improperly used, such legal provisions are potentially in violation of the Indian
Constitution.
68 | New Technology Laws With Special Reference To Cyber Laws
Third, the design of the DPB is problematic. The board is an independent agency with a
limited mandate, and the government will create mechanisms for the selection and
appointment of its members. While the law sets out qualifications for members, it does not
state how many members shall be on the board and requires only one of them to be a legal
expert. This last provision is a problem since one of the board’s main functions is to issue
penalties and directions for noncompliance.
In addition, the chairperson of the DPB is empowered to authorize any board member to
perform “any of the functions of the board and conduct any of its proceedings.” It is possible
that the chairperson may not authorize the legal member of the board to conduct the
proceedings leading up to the issuance of a penalty. This design also fails to maintain an
internal separation of functions between the members conducting inquiries and the
chairperson. Since the chairperson appoints members to conduct inquiries, they may
potentially not discharge this function impartially in all cases.
Therefore, while the DPDP Act creates data privacy protections in law for the first time,
certain provisions in the law can effectively undermine its benefits if the government does not
act under them in the most scrupulous manner possible.
Tracing the Evolution of the Debate on the Legislation
The DPDP Act is a remarkable shift in the approach toward data protection legislation
compared to the 2018 draft bill and the 2019 bill introduced in Parliament. This shift was most
visible in the November 2022 draft bill and has now been enshrined in the 2023 law. There are
three major axes on which this shift is visible.
1. Reductions in rights and obligations, and compliance: The 2018 and 2019 versions of the
bill adopted a more expansive and all-encompassing framework toward data protection. As the
preceding sections of this paper explain, many of these rights and obligations have been either
diluted or discarded—data portability, for example, has been completely removed, while
others such as the right to be forgotten have been recast to a simpler right to “erasure.”
Detailed prescriptions regarding the contents of notices and privacy by design requirements,
among others, have been discarded, and it is now up to businesses to translate these
requirements. This is a better and more innovation-friendly approach. Given the lack of prior
data protection law and jurisprudence, firms will experiment with different approaches to
translate them into business practices. The practices that do not meet the requirements of the
DPDP Act will be adjudicated in the DPB, the TDSAT, and the courts. This process will
provide for an organic emergence of good practices suited to the Indian context.
This reduction in prescriptive requirements and overall compliance should also be seen in the
context of the shift away from criminalization. The 2018 bill created a number of criminal
offenses. The 2019 bill reduced this to just one—deanonymization. The 2022 draft and the
2023 version do not provide for any criminal offenses and stipulate only monetary penalties to
be directed by the DPB.
2. A sharper focus on data privacy: The 2018 draft, and more so the 2019 draft, included
several provisions that were only tangentially related to data privacy. For example, the
provision mandating the sharing of nonpersonal data did not further privacy interests in any
69 | New Technology Laws With Special Reference To Cyber Laws
way. Similarly, data localization requirements have been shown to have only a tangential
relationship to data privacy, and better alternatives exist to achieve the same objectives. Their
presence in the 2018 and 2019 bills were a source of uncertainty. In addition, data localization
became a proxy for debates on issues such as data sovereignty, something that, again, is not
directly related to the issue of privacy.
3. The abandonment of a “regulatory” law: The 2018 and 2019 bills created a legislative
framework that had a high degree of regulatory intensity—the bills provided a full-fledged
independent regulator, the DPA, with extensive powers to frame regulations and codes of
conduct on many provisions within those bills, such as notice and consent requirements,
security safeguards, manner of storage of data, and so on. In addition, the DPA would have
had powers to collect information necessary for ensuring compliance with the law and impose
penalties for noncompliance. The DPA, therefore, was proposed to have many more
touchpoints with the economy, and its mandate, by definition, required it to be relatively more
interventionist.
These legislative proposals made the DPA a centerpiece of the regulatory framework, and the
agency was expected to function like other Indian independent regulators, such as the
Securities and Exchange Board of India and the Telecom Regulatory Authority of India. The
DPA was expected to exercise these powers across all sectors of the Indian economy. It would
have had to prescribe standards for all the legal provisions that provided for standard-setting
requirements through regulations, modify and update them periodically, conduct the necessary
stakeholder consultations across different economic sectors, create or identify research to
support its regulatory agenda, and build its regulatory legitimacy. The proposed legislative
role of the DPA in 2018 and 2019 was thus one of high regulatory intensity. Given this wide
remit, it would have faced obvious challenges related to deciding on its overall approach,
prioritizing among its many functions and objectives, and building the internal capabilities
required to deliver on this expansive mandate.
The DPDP Act does away with the idea of an independent regulator like the DPA. The DPB
does not have many regulation-making powers under this law. Its powers are limited to
ensuring remedial actions against any data breaches and issuing directions to businesses
requiring them to comply with the law. In addition, the DPB can pass orders issuing penalties
or imposing voluntary settlements for noncompliance with the law. This is not a design that is
“regulatory” in the same way as the proposed DPA in the 2018 and 2019 versions and is a
major shift in approach. The DPB’s limited mandate will create less frequent touchpoints with
the economy even though its orders regarding compliance or noncompliance will be extremely
consequential.
These shifts have occurred incrementally over the last few years. The 2018 bill proposed an
expansive law based closely on the GDPR. The 2019 bill rationalized some provisions while
retaining most of them and adding to the regulatory expanse. It imported concerns that were at
best tangential to privacy concerns in some cases. The 2022 bill and the 2023 act are a major
shift away from this expansive framework. This indicates a change in how Parliament and the
Indian government now view the salience of the data protection law to India’s economy. In
2017 and 2018, there were a few animating factors that led to the early versions of the bill.

70 | New Technology Laws With Special Reference To Cyber Laws

The Supreme Court had recently declared privacy to be a fundamental right and was about to
rule on the constitutionality of India’s biometric ID project, Aadhaar. In addition, there was a
global debate on data protection regulation sparked off by the impending implementation of
the GDPR. The regulation was enacted in 2016 and came into force in 2018. At that point in
time, it was viewed as a viable template for adoption and influenced deliberations on the
Indian law.29
By 2022, the GDPR had been in effect for four years, and numerous issues with its design and
implementation had been voiced.30 The Indian Supreme Court had upheld the use of Aadhaar
for certain purposes and the potential constitutional law issues had been resolved. Arguably,
deliberations on the different versions of the data protection legislation also allowed concerns
about the proposed framework to be articulated consistently. This was especially visible on
issues such as data localization.31 The long period of deliberations, therefore, allowed the shift
to a more pragmatic version of the law to be finally enacted.
However, one part of the government’s approach toward the law has remained noticeably
consistent—the exemptions given for state functions. State surveillance agencies have been
consistently exempted from the application of data protection requirements. The 2018 draft
bill sought to narrow the scope of exemptions and proposed some checks and balances, which
were diluted in the 2019 bill. The 2019 bill instead gave the central government the power to
exempt any national security agency from any or all provisions of the proposed legislation. A
similar provision has now been enacted into the law—other non-security-related government
uses of data will continue to be exempted from certain parts of the law. Lastly, as pointed out
earlier, the DPDP Act also gives the government problematic levels of unfettered discretion in
some cases.
The next part of this paper speculates on how two developing strains of data-related
regulation—the working of the data protection law and the concerns of national security and
sovereignty—are likely to inform the next stage of data regulation in India.
LOOKING FORWARD TO THE IMPLEMENTATION OF THE DATA
PROTECTION LAW
Now that the DPDP Act is law, there will be three key sources of regulatory development
under the same.
The first will be the rules framed by the central government to implement the law. The DPDP
Act provides significant rule-making powers to the central government. These include:
• the manner in which notices will be given to consumers;84
• the manner in which consent managers will function;85
• the manner in which businesses will inform their consumers and the DPB
about data breaches;86

84
The Digital Personal Data Protection Act, 2023, Section 5
85
The Digital Personal Data Protection Act, 2023, Section 8(6)
86
The Digital Personal Data Protection Act, 2023, Section 9
71 | New Technology Laws With Special Reference To Cyber Laws
• the manner in which parental consent will be sought for processing
children’s data and related exemptions;87
• the manner in which consumers will exercise their rights against data
fiduciaries;88
• the manner of appointment of DPB members, the terms and conditions of
their service, and the procedures for the functioning of the board;89
• data impact assessments and other measures to be taken by significant data
fiduciaries;38 and
• the procedure to be followed by the appellate tribunal, the TDSAT, in
hearing appeals from the DPB.39
These are not insignificant powers. However, as already discussed, these powers of rule-
making pale in comparison to the ones that were proposed to be given to the DPA under the
previously proposed versions of the law. The intensity of regulation will, therefore, be much
lower under the DPDP Act than it would have been under the 2019 bill. In creating this
framework, the Indian Parliament has opted for a modest approach to creating elaborate rules
and regulations. This will consequentially allow greater scope for experimentation and
innovation in the Indian technology landscape relative to the 2019 bill and its predecessor.
While many of these powers pertain to procedural issues, the central government has
substantive rule-making powers as well. The fact that these rule-making powers are with the
central government is problematic.
The most consequential of these is the power to grant exemptions. The exercise of this power
will be contingent on two factors—the degree of technocratic competency within the relevant
departments of the central government and the degree to which the relevant officers can
function autonomously and technocratically. Historically, the Indian state’s response to
improve competence and autonomy in economic regulation has been to move these functions
to independent regulatory agencies. In this case, however, such powers have been retained
with the central government.
On the other hand, the lack of any prior regulatory expertise on data protection also lends itself
to an argument in favor of greater political inputs at an incipient stage of regulatory
development. Historically, the Indian government directly regulated many subjects before
transferring them to independent regulators and, in the process, developed a certain degree of
institutional capability within the relevant departments. This has been the case for various
subjects such as insurance, pension, telecom, electricity, and so on. While these departments
did not necessarily regulate well, the exercise of these powers did create some technical and
supervisory capacity within the relevant departments.
The critical consideration, therefore, is whether the drafters of the DPDP Act consider the
framework under the law as a first step in the development of an independent regulator.

87
The Digital Personal Data Protection Act, 2023, Section 11, 12, 13 & 28
88
The Digital Personal Data Protection Act, 2023, Section 22, 23, 28
89
The Digital Personal Data Protection Act, 2023, Section 10 (2)
72 | New Technology Laws With Special Reference To Cyber Laws
The second key source of regulatory development will be the decisions of the DPB in cases
where it initiates an inquiry against regulated entities. The reasoning of the DPB and the
penalties and directions it issues will be the first set of decisions on data privacy regulation
under a new law. These decisions will not just contribute to jurisprudence on the subject but
also provide guidance to businesses on how to implement and comply with the DPDP Act.
The procedures the board follows, the quality of its reasoning, and the clarity of its decisions
will shape both market behavior and future regulation in India.
In this regard, the composition of the board and the qualifications of its members conducting
inquiries will be critical. The law has definite weaknesses in this regard, as discussed earlier.
The proper implementation of the law will, therefore, depend on the government adopting best
practices in appointment and selection and creating a culture of noninterference, since the law
does not contain many standard provisions present in other Indian laws.
The third key source of regulatory development will be the directions that the DPB is
empowered to issue under the law. While the DPDP Act requires the board to observe certain
specified procedural rules while conducting inquiries and issuing penalties, it does not provide
any such guidance for issuing directions to regulated entities. This is problematic since
directions will also be binding and impose compliance costs. It is, therefore, appropriate that
the board should create certain checks and balances for issuing directions. At the very least,
the board should provide any regulated entity with a formal opportunity to furnish their
response to a draft direction before such a direction is formally issued to them. Absent this, the
board may develop a predilection toward regulation by direction.
The trajectory of these three strands of regulatory decision-making will significantly shape
India’s technology markets and data-related policy for the next few years. Since the law does
not contain adequate checks and balances, the onus will be on the central government to
ensure that best practices in administrative law and decisionmaking are incorporated via the
procedural rules that the DPDP Act empowers it to make.
The other main factor that will shape the development of data protection regulation will be the
larger imperatives of exercising sovereign control over data and data businesses in India. The
development of the DPDP Act was significantly influenced by the call to exercise control over
Indian data for the benefit of Indians. This was most visible during the debate on issues related
to data localization and nonpersonal data. While the provisions in the final law represent a
significant moderation from the provisions in the draft proposals, the larger concerns over
sovereignty and security will influence the development of this law.
One clear example of this is Section 37 of the law that enables the central government to block
access to any information that can be communicated by a data fiduciary. This is a new
insertion, and it is highly debatable whether this provision has any relevance to personal data
privacy.
Outside the DPDP Act, the evolving framework of laws regulating social media companies, IT
services, and businesses, among others, will also exercise indirect influence on how data
protection regulation develops. In 2021, the Indian government issued new guidelines for
social media intermediaries that required, among others, measures to trace originators of social
media content on over-the-top (OTT) messaging platforms. These requirements were
73 | New Technology Laws With Special Reference To Cyber Laws
challenged in courts and a final decision is awaited. The outcome will determine the nature
and scope of the powers enjoyed by investigative agencies under the exemptions granted by
the DPDP Act.
Another example is that of data localization. While the DPDP Act does not restrict data flows
across borders, many Indian sectoral regulators, like the Reserve Bank of India, do impose
localization requirements. The progressive adoption of localization by other regulators may
make the liberal provisions of the DPDP Act superfluous.
Some legal requirements aimed at regulating social media and big tech companies are
emanating organically due to India’s rapid digital transformation in the past decade and the
fact that the regulatory framework is outdated.40 India’s IT minister has stated that a
replacement to India’s Information Technology Act, 2000 is in the works. This newer version
of the IT Act, as well as other similar legislations, is also likely to influence the working of the
DPDP Act. In each of these developments, it will be important to ensure that the nature and
scope of sovereign control to be exercised is for a legitimate purpose and that it does not
overserve the needs of the Indian state to the detriment of privacy, commerce, and innovation.
While the DPDP Act is a culmination of more than five years of debate and deliberation, it
marks the start of statutory personal data protection regulation. The regulatory developments
and the institutional arrangements that take shape over the next few years will decide how well
(or not) personal data privacy is protected. The new law provides the necessary scaffolding,
but it is not sufficient for de facto data privacy to materialize.
It is debatable whether the earlier versions of the bill would have resulted in better privacy
protection in any meaningful way.41 However, the transformation of the contents of different
versions of the law is indicative of the changed approach of the government to privacy
protection. The fact that the current version of the law, as compared to the earlier ones,
imposes much lower costs on Indian businesses is positive.
Overall, the law itself is modest and pragmatic. This is welcome. However, in some cases, it is
exceedingly so, to the potential detriment of privacy interests. The fact that a significant
degree of discretionary power on substantive issues is vested with the central government
means that a lot will depend on how well the government is committed to protecting privacy.

74 | New Technology Laws With Special Reference To Cyber Laws

 CHAPTER-4

E-COMMERCE

INTRODUCTION
DEFINITIONS
Electronic commerce is broadly defined as the use of computer networks to complete business
transactions. The networks involved include the internet, intranets, extranet and other private
networks.
It is therefore the use of computer applications communicating over networks to enable buyers
and seller to complete transaction.
The transactions may include buying, selling and exchanging information.
Today many industry experts consider e-commerce to be a subset of e-business.
E-business refers to business activities beyond buying and selling and includes activities such
as using the internet to enhance customer service, co-ordinate activities with business partners
and to facilitate communication and knowledge management within organizations.
E-business deals with evaluating electronic market place to better serve the collective needs of
entire industries.
E-Commerce or Electronics Commerce is a methodology of modern business, which
addresses the need of business organizations, vendors and customers to reduce cost and
improve the quality of goods and services while increasing the speed of delivery.
E-commerce is based on the client-server architecture. A client can be an application, which
uses a Graphical User Interface (GUI) that sends request to a server for certain services. The
server is the provider of the services requested by the client. In E-commerce, a client refers to
a customer who requests for certain services and the server refers to the business application
through which the services are provided. The business application that provides services is
deployed on a Web' server. The E - Commerce Web server is a computer program that
provides services to "other computer programs and serves requested Hyper Text Mark-up
Language (HTML) pages or files. In client-server architecture, a machine can be both a client
as well as a server.
E-commerce refers to the paperless exchange of business information using the following
ways:
• Electronic Data Exchange (EDI)

75 | New Technology Laws With Special Reference To Cyber Laws

 • Electronic Mail (e-mail)
• Electronic Bulletin Boards
• Electronic Fund Transfer (EFT)
• Other Network-based technologies
E-commerce is the buying and selling of goods or services via the internet, and the transfer of
money and data to complete the sales. It’s also known as electronic commerce or internet
commerce. t uses internet, where consumers can access different stores and place their orders
online for products and services on their own devices. It eliminates the need to go to retail
stores and provides convenience at the fingertip to look at options and make a choice. After an
order is placed the customer’s browser communicates constantly with the server hosting the
online store website. Data is shared back and forth. Common E-commerce marketplace
platform we use regularly are Amazon, eBay, Wayfare etc. Vendors offering E-commerce
platform services for clients hosting their own online store sites include Shopify,
WooCommerce etc.
History of E-Commerce
The history of Ecommerce seems rather short but its journey started over 40 years ago in hushed
science labs
• In the 1960s, very early on in the history of Ecommerce, its purpose was to exchange long
distance electronic data. In these early days of Ecommerce, users consisted of only very large
companies, such as banks and military departments, who used it for command control
communication purposes. This was called EDI, and was used for electronic data interchange.
• Originally, electronic commerce was identified as the facilitation of commercial transactions
electronically, using technology such as Electronic Data Interchange (EDI) and Electronic
Funds Transfer (EFT). These were both introduced in the late 1970s, allowing businesses to
send commercial documents like purchase orders or invoices electronically.
• The growth and acceptance of credit cards, automated teller machines (ATM) and telephone
banking in the 1980s were also forms of electronic commerce
• In 1982 Transmission Control Protocol and Internet Protocol known as TCP & IP was
developed. This was the first system to send information in small packets along different
routes using packet switching technology, like today's Internet! As opposed to sending the
information streaming down one route
• Beginning in the 1990s, electronic commerce would include enterprise resource planning
systems (ERP), data mining and data warehousing
• In 1995, with the introduction of online payment methods, two companies that we all know of
today took their first steps into the world of Ecommerce. Today Amazon and ebay are both
amongst the most successful companies on the Internet

76 | New Technology Laws With Special Reference To Cyber Laws

Salient features of e-commerce
E-Commerce has several unique features of its own. Some of them are described here.
• Global Reach– E-commerce allows business transactions to be easier, faster and on a
global scale. Any product is made available to anyone who can afford it and has
access to internet. In the changing times where the entire world is becoming one tech
village, E-commerce is the next step to consuming products and content. It can be
more convenient and more effective as compared to traditional commerce. The market
potential is huge, as it caters to the populace of the whole world.
• Information Density– The market information, business quality information, as well
as that of consumers is condensed and consolidated better than before. The electronic
commerce technology reduces the information collection, storage, communication and
processing costs. It is more cost effective than forms of physical stores. At the same
time, the accuracy and timeliness of the information technology has greatly increased.
“The goal is to turn data into information, and information into insight”- Carly
Fiorina, ex-CEO of Hewlett-Packard.
• Universal Standards– E-commerce technology cites universal technical standards
followed and carried out all across the globe. It follows the technical standard of the
internet. Standard affects such things as market entry costs, cost of the goods in the
market etc. The standard can make the existence of technology business easier, which
77 | New Technology Laws With Special Reference To Cyber Laws
 can reduce the cost, technique of indirect costs in addition can set the electronic
commerce website 10$ / month.
• Publicity– For the publicity and marketing purpose, E-Commerce is as good as
television technology. It can put up billboards, signs, video, audio etc. Branding has a
different face value in commerce, and creative advertising is a predominant practice in
business. E-commerce also enjoys this.
• Personalization– Catering to each customer’s unique need is a feature of E-
commerce. The user experience is monitored and targeted ads are provided to the
customer’s liking. User preferences and previous behaviour helps in that.
• Ubiquity– A shoe or clothing retail store invites customers to go to the physical store
and purchase what they desire. Its physical presence makes it practically impossible to
be available in every corner of the world. However, E-commerce is ubiquitous,
present everywhere, bringing customers closer to sellers of products and services on a
virtual platform.
• Interactivity– There is a two way communication, where consumers can track orders,
send feedback, put complaints, communicate their worries to the seller. And the
sellers can address the same. It tries to emulate the retail experience at this point.
• Non-Cash Payment- E-Commerce enables the use of credit cards, debit cards, smart
cards, electronic fund transfer via bank's website, and other modes of electronics
payment.
• 24x7 Service availability-E-commerce automates the business of enterprises and the
way they provide services to their customers. It is available anytime, anywhere.
• Advertising/Marketing- E-commerce increases the reach of advertising of products
and services of businesses. It helps in better marketing management of
products/services.
• Improved Sales- Using e-commerce, orders for the products can be generated
anytime, anywhere without any human intervention. It gives a big boost to existing
sales volumes.
• Support- E-commerce provides various ways to provide pre-sales and post-sales
assistance to provide better services to customers.
• Inventory Management-E-commerce automates inventory management. Reports get
generated instantly when required. Product inventory management becomes very
efficient and easy to maintain.
• Communication improvement- E-commerce provides ways for faster, efficient,
reliable communication with customers and partners.
Advantages of E-commerce
Like all things, E-commerce has its own set of virtues and vices. The advantages of it are
discussed here.

78 | New Technology Laws With Special Reference To Cyber Laws

Advantages to Organizations
• Using e-commerce, organizations can expand their market to national and
international markets with minimum capital investment. An organization can easily.
locate more customers, best suppliers, and suitable business partners across the globe.
• E-commerce helps organizations to reduce the cost to create process, distribute,
retrieve and manage the paper based information by digitizing the information.
• E-commerce improves the brand image of the company.
• E-commerce helps organizations to provide better customer service.
• E-commerce helps to simplify the business processes and makes them faster and
efficient.
• E-commerce reduces the paper work.
• E-commerce increases the productivity of organizations. It supports "pull" type
supply management. In "pull" type supply management, a business process starts
when a request comes from a customer and it uses just-in-time manufacturing way.
Advantages to Customers
• It provides 24x7 support. Customers can enquire about a product or service and place
orders anytime, anywhere from any location.
• E-commerce application provides users with more options and quicker delivery of
products.
• E-commerce application provides users with more options to compare and select the
cheaper and better options.
• A customer can put review comments about a product and can see what others are
buying, or see the review comments of other customers before making a final
purchase.
• E-commerce provides options of virtual auctions.
• It provides readily available information. A customer can see the relevant detailed
information within seconds, rather than waiting for days or weeks.
• E-Commerce increases the competition among organizations and as a result,
organizations provides substantial discounts to customers.
Advantages to Society
• Customers need not travel to shop a product, thus less traffic on road and low air
pollution.
• E-commerce helps in reducing the cost of products, so less affluent people can also
afford the products.
• E-commerce has enabled rural areas to access services and products, which are
otherwise not available to them.
• E-commerce helps the government to deliver public services such as healthcare,
education, social services at a reduced cost and in an improved manner.

79 | New Technology Laws With Special Reference To Cyber Laws

Disadvantages/challenges faced

The disadvantages of e-commerce can be broadly classified into two major categories:
• Technical disadvantages
• Non-technical disadvantages
Technical Disadvantages
• There can be lack of system security, reliability or standards owing to poor
implementation of e-commerce.
• The software development industry is still evolving and keeps changing rapidly.
• In many countries, network bandwidth might cause an issue.
• Special types of web servers or other software might be required by the vendor,
setting the e-commerce environment apart from network servers.
• Sometimes, it becomes difficult to integrate an e-commerce software or website with
existing applications or databases.
• There could be software/hardware compatibility issues, as some e-commerce
software may be incompatible with some operating system or any other component.
Non-Technical Disadvantages
• Initial cost: The cost of creating/building an e-commerce application in-house may be
very high. There could be delays in launching an e-Commerce application due to
mistakes, and lack of experience.
• User resistance: Users may not trust the site being an unknown faceless seller. Such
mistrust makes it difficult to convince traditional users to switch from physical
Security/ Privacy: It is difficult to ensure the security stores to online/virtual stores. or
privacy on online transactions.
• Lack of touch or feel of products during online shopping is a drawback.
• E-commerce applications are still evolving and changing rapidly.
• Internet access is still not cheaper and is inconvenient to use for many potential
customers, for example, those living in remote villages
Proxy Services :
A proxy service is an intermediary role played by software or a dedicated computer
system between an endpoint device and a client which is requesting the service. The proxy
service may exist on the same machine or on a separate server. The proxy service enables the
client to connect to a different server and provides easy access to services like Web pages,
connections or files. The main purpose of a proxy service is to filter requests to ensure that no
dangerous traffic creeps in by applying strict routing rules and to boost the performance of the
system. A proxy service works simply – when a proxy service receives a request, for example,
to open a Web page, it looks for the already cached pages. If it finds the requested page in the
already cached page, it returns it to the user. If the page is not yet cached, proxy service uses
its own IP address to fetch the page from the server for the client. Proxy services are mainly of

80 | New Technology Laws With Special Reference To Cyber Laws

two types – forward proxy and reverse proxy. Forward proxy is an Internet-facing proxy that
is used to retrieve a range of sources. A reverse proxy is particularly used for protection and
security of the server. It includes tasks like caching, authentication and decryption. Other
types of proxies include transparent proxies, anonymous proxies, DNS proxies and highly
anonymous proxies.
Models of E-commerce
There are several models of E-commerce that are discussed below.
Business-to-business (B2B) E-commerce refers to the electronic exchange of products,
services or information between businesses rather than between businesses and consumers.
Online directories, and data exchange as well as product and supply exchange websites are
examples of B2B model. These allow businesses to look for information on products and
services and to initiate transaction. B2B E-commerce is primarily concerned with a business
selling a good or service to another business, like a manufacturer and wholesaler, or a
wholesaler and a retailer. This kind of E-commerce isn’t consumer-facing. It usually involves
products like raw materials, software, or products that are combined. With the help of B2B E-
commerce, companies are able to improve the efficiency of several common business
functions, including supplier management, inventory management and payment management.
Business-to-consumer (B2C) is the retail part of E-commerce on the internet. It is the kind
where businesses sell products, services or information directly to consumers. B2C E-
commerce is the most popular E-commerce model. Business to Consumer means that the sale
is taking place between a business and a consumer, like when someone buys a rug from an
online retailer. The term was popular during the dot-com boom of the late 1990s. at that point
of time, online retailers and sellers of goods were a novelty. Today, there are plenty of virtual
stores and malls on the internet that are engaged in selling all kinds of consumer goods.
Amazon dominates this model worldwide.
Consumer-to-consumer (C2C) is a type of E-commerce in which the consumers trade
products, services and information with each other online. These transactions are generally
conducted through a third party that provides an online platform on which the transactions are
carried out. Online auctions and classified advertisements are two examples of C2C platforms.
Consumer to consumer sales take place on platforms like eBay, Craigslist, Etsy, Fivver, etc.
eBay is a very interesting case. Even though it is a business, this form of E-commerce could
also be called C2B2C which is ‘consumer-to-business-to-consumer’.
Its difference with C2B is that consumer-to-business (C2B) is a type of E-commerce in
which consumers make their products and services available online for companies to bid on
and purchase. This is the opposite of the orthodox model of B2C. C2B encompasses
influencers offering exposure, photographers, consultants, freelance writers, etc. iStock is an
example. Another example would be a job board.
Business-to-administration (B2A) is a type of E-commerce which brings under its ambit
transactions made between companies and public administration or government bodies. State
administration requires several e-services concerning fiscal, security, legal and other matters.
This kind of E-commerce has gone through a considerable growth in the past few years.

81 | New Technology Laws With Special Reference To Cyber Laws

 Consumer-to-administration (C2A) refers to transactions conducted online between
individual consumers and public administration or government bodies. The government rarely
buys products or services from citizens, but individuals frequently use electronic means in the
following areas- in case of education, it encompasses and uses disseminating information,
distance learning/online lectures, etc. In case of social security, distributing information,
making payments. Under the sub category of taxation, it include filing tax returns, making
payments, etc. Government considers matters of health as well by making appointments,
providing information about illnesses, making health services payments among others.
Mobile E-commerce (M-commerce) is a type of E-commerce on the rise that features online
sales transactions made using mobile devices, such as smart phones and tablets. M-commerce
includes mobile shopping, mobile banking and mobile payments.
Examples:- Here are some examples of types of e-commerce. Retail is sale of products
directly to a consumer without an intermediary. Dropshipping is the sale of products that are
manufactured and shipped to consumers via a third party. Digital products are downloadable
items like templates, courses, e-books, software, or media that must be purchased for use.
Wholesale products are usually sold to a retailer in bulk, who then sells the products to
consumers. Services are skills like coaching, writing, influencer marketing, etc., that are
purchased and paid for online. Subscription is a popular D2C model where services are the
recurring purchases of products or services on a regular basis. Crowdfunding allows sellers to
raise start-up capital in order to bring their product to the market. Once enough consumers
have purchased the item, it’s then created and shipped. Some top E-commerce companies are-
Amazon, Alibaba, Walmart, eBay, Wayfair. Vendors offering e-commerce platform services
for clients hosting their own online store sites include: Shopify, WooCommerce, Magento,
Squarespace, BigCommerce, Ecwid etc.
E-Commerce Applications
E-Marketing:-
• E-Marketing also known as Internet Marketing, Online Marketing, Web Marketing.
• It is the marketing of products or services over the internet.
• It is consider to be broad in scope because not refers to marketing on the internet but also
done in Email and wireless media.
• E-Marketing ties together the creative and technical aspects of the internet, including
design development, advertising and sales.
• Internet marketing is associated with several business models i.e., B2C, B2B, C2C.
• Internet marketing is inexpensive when examine the ratio of cost to the reach of the
target.
E-Advertising:-
• It is also known as online advertising it is a form of promotion that uses internet and
World Wide Web to deliver marketing messages to attracts customers.
Example: Banner ads, Social network advertising, online classified advertising etc.

82 | New Technology Laws With Special Reference To Cyber Laws

 • The growth of these particular media attracts the attention of advertisers as a more
productive source to bring in consumers.

E-Banking:-
• Means any user with a personal computer and browser can get connected to his banks,
website to perform any of the banking functions. In internet banking system the bank has a
centralized data base i.e., web-enabled.
• Best example for E-Banking is ATM.
• An ATM is an electronic fund transfer terminal capable of handling cash deposits,
transfer, Balance enquiries, cash withdrawals, and pay bills.
SERVICES THROUGH E-BANKING:
• Bill Payment Service
• Fund Transfer
• Investing through Internet Banking
• Shopping
E-Learning:-
• E-Learning comprises all forms of electronically supported learning and teaching.
• E-Learning applications and processes include web-based learning, computer-based
learning.
• Content is delivered via. The internet, intranet/extranet, audio, or video tape, satellite TV.
• E-Learning is naturally suited to distance and flexible learning, but can also be used
conjunction with face-to-face teaching.
• E-Learning can also refer to the educational website such as those offering learning
scenarios worst and interactive exercises for children.
• A learning management system (LMS) is software used for delivering, tracking, and
managing training /education.
Mobile Commerce:-
• Mobile Commerce also known as M-Commerce, is the ability to conduct, commerce as a
mobile device, such as mobile phone.
• Banks and other financial institutions use mobile commerce to allow their customers to
access account information and make transactions, such as purchasing, withdrawals etc.,
• Using a mobile browser customers can shop online without having to be at their personal
computer.
SERVICES ARE:
1. Mobile ticketing
2. Mobile contract purchase and delivery mainly consumes of the sale of ring tones,
wallpapers and games of mobile phones.
3. Local base services
83 | New Technology Laws With Special Reference To Cyber Laws
 • Local discount offers
• Local weather
4. Information services
• News
• Sports, Scores
Online Shopping:-
➢ Online shopping is the process whereby consumers directly buy goods or services from a
sell in real time, without intermediary services over the internet.
➢ An online shop, e-shop, e-store, internet shop web shop, web store, online store, or virtual
shop evokes the physical analogy of buying products or services in a shopping center.
➢ In order to shop online, one must be able to have access to a computer, a bank account
and debit card.
➢ Online shoppers commonly use credit card to make payments , however some systems
enable users to create accounts and pay by alternative means ,such as
• Cheque.
• Debit cards.
• Gift cards
➢ Online stores are usually available 24 hours a day
Entertainment:-
The conventional media that have been used for entertainment are
1. Books/magazines.
2. Radio.
3. Television/films.
4. Video games.
Online books /newspapers, online radio, online television, online firms, and online games are
common place in internet where we can entertain.
Online social networking websites are one of the biggest sources of E-entertainment for today’s
tech-savvy generation.
Legal aspects
There are several legal aspects like intellectual property issues, consumer protection issues,
content regulation, intermediary liability etc. and statutes that help in bringing principles of E-
commerce under discipline. For example, Foreign Exchange Management Act (FEMA)
regulates the foreign investment in E-commerce. Mukesh Bansal-led Myntra secured $50
million investment led by Premji Invest along with existing investors Accel Partners and Tiger
Global. In February 2014, Kunal Bahl led Snapdeal amassed $133 million funding led by

84 | New Technology Laws With Special Reference To Cyber Laws

eBay, Kalaari Capital, Nexus Venture Partners, Bessemer Venture Partners, Intel Capital and
Saama Capital.
The IT Act deals with the Data Protection aspects. For example, in the case of LIC India v.
Consumer Education & Research Center 90 the Supreme Court interpreted an insurance
policy issued by Life Insurance Corporation of India by bringing in certain elements of public
purpose. The court declared certain term clauses in the policy, pertaining to restricting the
benefit of the policy only to those people employed in the Government as void under article
14 of the Constitution.
ONLINE PRIVACY AND E-CONTRACTS
In recent times, with the advancement of technology the internet has revolutionised the way
humans communicate and exchange information around the world. The information is
transferred more widely and instantly irrespective of geographical location and time, this is
where e-commerce and e-contracts have come into existence.
In India, e-contracts are now booming due to growing economic commercial business. In this
regard, the rise in technology and the internet has led to the acceptance of these contracts. In
present times each and every transition over the internet is governed in the form of e-contracts.
Privacy is the basic fundamental right of every human but it is being violated in numerous
ways. One such way is through online contracts. Online privacy is linked with e-contracts.
With the emergence and steady growth of e–commerce, there is a quick elevation in the use of
e-contracts. But the concept of e-contract is still not unclouded, it faces lot of challenges. The
law of contract in India gives a statutory recognition to the common contractual rule. The
Indian Contract Act, 1872 does not lay down the rights and duties which the law will enforce
but it deals with the limiting principles, subject to which parties may create right and duties for
themselves.
MEANING OF CONTRACT
The Indian Contract Act, 1872 deals with the principles of law of contract, its essential
elements, its formation, its performance and the remedies for the breach of contracts. It
determines the circumstances in which promises are made by the parties to a contract, general
principles of the formation of contract and also prescribes the remedies which are available in
the Court of law for the breach of contract against a person who fails to perform his
undertaking created under the Contract.
As per Section 10 of the Indian Contract Law, 1872, an agreement is a contract which is
enforceable by law. An agreement is enforceable by law and can be defined as a valid contract
if it is made by competent parties, out of their free consent and for lawful object and
consideration. In simple words, a contract is an agreement binding between two or more
parties intending to create a legal relationship, in which one makes the proposal while the
other accepts the proposal or offer and thus it becomes a promise. Such acceptance has to be
certain and not vague and must be free from any undue influence, force or misrepresentation.
Both the parties to the contract must be major, sound mind and not declared disqualified by

90
1995 AIR 1811, 1995 SCC (5) 482
85 | New Technology Laws With Special Reference To Cyber Laws
any law for the time being in force in India. As per Section 23 of the Indian Contract Act,
1872 the object of the contract and the consideration must be lawful. It must be certain,
definite and not vague and such as are capable of performance. A contract may be made by
words spoken or written. In India, usually where there is a statutory need that contract for
example Agreements relating to mortgage, sale, lease etc must be made in writing, attested by
witnesses, signed by the parties and to be registered by the parties in order to make that
agreement enforceable.
Definition of e-contracts
E-Contracts are the contracts that are formed between two parties through negotiations via
electronic means. They are the legal documents that are created and signed digitally in a
paperless approach that do not require any paper, ink, printer for creating copies of the
agreement, which are also known as online contracts or digital contracts. E-Contracts save
time and money by eliminating physical meetings to sign an agreement. It also provides an
opportunity for the seller to reach millions of consumers irrespective of time and also without
the involvement of any brokers or middlemen. For instance, the bipartite contract entered by
the customer and the sellers in Amazon.in, Flipkart.com, or Myntra.com for the sale of
products on the website.
In case of an online contract, the seller who intends to sell their products, present their
products, prices and terms for buying such products to the prospective buyers. In turn, the
buyers who are interested in buying the products either consider or click on the ‘I Agree’ or
‘Click to Agree’ option for indicating the acceptance of the terms presented by the seller or
they can sign electronically. Electronic signatures can be done in different ways like typing the
name of the signer’s in the specific signature space, copying and pasting the scanned version
of the signature or clicking an option meant for that purpose. Once the terms are accepted and
the payment is made, the transaction can be completed. The communication is basically made
between two computers through servers. The online contract is brought to the scenario to help
people in the way of formulating and implementing policies of commercial contracts within
business directed over internet. Online Contract is modelled for the sale, purchase and supply
of products and services to both consumers and business associates.
Online can be categorized into three types mainly i.e. browse or web wrap contracts, shrink
wrap contracts and clickwrap contracts. Other kinds of online contracts include employment
contract, contractor agreement, consultant agreement, Sale re-sale and distributor agreements,
non-disclosure agreements, software development and licensing agreements, source code
escrow agreements. Though these online contracts are witnessed in our everyday life, most of
us are not aware of the legal complexities connected to it; the use of online contract faces
many technical and legal challenges.
TYPES OF ONLINE CONTRACT
Online contracts can be of three types mainly i.e. shrink-wrap agreements, click or web-wrap
agreements and browse-wrap agreements. In our everyday life, we usually witness these types
of online contracts. Other types of online contracts include employment contract, contractor
agreement, consultant agreement, Sale re-sale and distributor agreements, non-disclosure
agreements, software development and licensing agreements, source code escrow agreements.
86 | New Technology Laws With Special Reference To Cyber Laws
 • Shrink-wrap agreements are usually the licensed agreement applicable in case of
software products buying. In case of shrink-wrap agreements, with opening of the
packaging of the software product, the terms and conditions to access such
software product are enforced upon the person who buys it. Shrink-wrap
agreements are simply those which are accepted by user at the time of installation
of software from a CD-ROM, for example, Nokia pc-suite. Sometimes additional
terms can be observed only after loading the product on the computer and then if
the buyer does not agree to those additional terms, then he has an option of
returning the software product. As soon as the purchaser tears the packaging or
the cover for accessing the software product, shrink-wrap agreement gives
protection by indemnifying the manufacturer of the product for any copyright or
intellectual property rights violation. Though, in India, there is no stable judicial
decision or precedent on the validity of shrink-wrap agreements.
• Click- wrap agreements are web based agreements which require the assent or
consent of the user by way of clicking “I Agree’ or “I Accept” or “Ok” button on
the dialog box. In click –wrap agreements, the user basically have to agree to the
terms and conditions for usage of the particular software. Users who disagree to
the terms and conditions will not be able to use or buy the product upon
cancellation or rejection. A person witnesses web-wrap agreements almost
regularly. The terms and conditions for usage are exposed to the users prior to
acceptance. For agreement of an online shopping site etc.
• An agreement made intended to be binding on two or more parties by the use of
website can be called a browse wrap agreement. In case of browse wrap
agreement a regular user of a particular website deemed to accept the terms of use
and other policies of the website for continuous use.
Though these online contracts have become common in our daily, there are no precise judicial
precedents on the validity and enforceability of shrink-wrap and click-wrap agreements. Other
countries have dealt with these online agreements such as courts in the United States have held
that as far as the general principles of contract are not violated, both shrink-wrap agreements
and click- wrap agreements are enforceable.
Essentials of e-contracts
The essential elements of online contract is discussed below:
• Offer – Just like paper made or conventional contract, one of the most essential
elements of online contract is the requirement of an offer to be made. There must
be a lawful proposal or offer made by one party known as the proposer and it is
the starting point of a contract. By browsing and choosing the goods and services
available on the website of the seller, the consumer makes an offer to purchase
such in relation with the invitation to offer made by the seller. A proposal must be
distinguished from the invitation to offer or treat and must be made with an
intention to create legal relationship. An offer or proposal is revocable and can be
withdrawn at any time before it is accepted because once it is accepted by the
other party, it becomes a promise.
87 | New Technology Laws With Special Reference To Cyber Laws
• Acceptance – When a proposal or offer is made is accepted by the person to
whom the offer is made, it becomes a promise. The acceptance of the proposal
must be unconditional and absolute and must be communicated to the proposer or
the offeror. In case of an online contract, offer and acceptance can be made
through e-mails or by filing requisite form provided in the website. They may
also need to take an online agreement by clicking on ‘I Agree’ or ‘I Accept’ for
availing the services offered.
• Intention to create legal relationship – If there is no intention of creating legal
relationship on the part of the parties to contract, there is no contract between
them. It is an essential element of valid contract that parties to the contract must
have intention to create legal relationships. The intention of the parties is to be
considered by the Court in each case and must be ascertained from the terms of
the agreement and surrounding consequences. Agreement of social or domestic
nature do not create legal relationship, hence they are not contracts and are not
enforceable by law. In the case of arrangements regulating social relations, it
follows as a matter of course that parties do not intend legal consequences to
follow. For example, an invitation for marriage to a friend or family through e-
mails or fax or through any means of telecommunication is not a contract.
• There must be a lawful object – Parties to the agreement must contract for a
legal object. A contract is only enforceable by law only when it is made for a
lawful purpose. It must not defeat any provision of law and must not be
fraudulent in nature. Thus a contract on a website designed for the purpose of
selling illegal substances online is a void contract. If an agreement is made to
cause injury to any person or his property, such agreement is not lawful and
therefore to be considered as void. If any competent Court regards any agreement
as opposed to public policy, it is a void contract.
• There must be a legal or lawful consideration – Consideration is one of most
important element of a contract. The basic rule is that when a party to a contract
promises to perform his promise he must get something in return for the
performance of his promise. Consideration is something of some value in the eyes
of law. It may be of some benefit, right, interest or profit given to the party as
inducement of promise. An act constituting consideration must be moved at the
desire of the promisor and must be legal, real and not imaginary. Promises that
are physically impossible to perform cannot have real consideration. For eg. an
online site that offers purchase of land in moon.
• Capacity of parties – Parties to a contract must be capable of entering into a
contract. He must attain the age of majority and must be of sound mind. He must
not be disqualified from contracting by any law for the time being in force. In our
country an agreement where either party is a minor has no significance. It is
considered as void ab-initio. As per Section 12 of the Indian Contract Act, 1872,
any person who is in a position to judge and safeguard his own interest is of
sound mind and capable enough to enter into a contract. When a person is

88 | New Technology Laws With Special Reference To Cyber Laws

 declared insolvent by any competent Court, he cannot enter into a contract
relating to his property. In the old age foundation case of Mohori Bibee vs.
Dharmodas Ghose,91 it was held by the Privy Council that an agreement by a
minor is void.
• There must be free and unaffected consent – Consent which is defined under
Section 13 of the Indian Contract Act, 1872 is an essential requirement of a
contract. It is basically the meeting of minds of the parties. When both agree upon
the same thing in the same manner, they are said to consent. In case consent is
caused by coercion, it is voidable at the option of the party whose consent was so
caused. Coercion includes physical compulsion, threat, and violence. Consent has
to be free and genuine and not induced by misrepresentation, undue influence i.e
a case where one person is in a position to dominate the will of another. But in
case of online contract there is a narrow scope of physical communication
between the website and the customer availing their service, they just give
consent by clicking the option that ensures free and genuine consent.
• Possibility of performance – The terms and conditions of agreement must be
certain and not vague and must also be such as are capable of performance. An
agreement to do an act impossible in itself cannot be enforced as per section 29 of
the Indian Contract Act, 1872. It is the general rule that the promisors of the
contract to perform the promise but there other persons also who may perform
under certain circumstances such as an agent if appointed by the promisor for this
purpose, legal representative in case of death of a promisor. The time, place and
manner of the performance of contract are fixed generally at the desire and
conveniences of the parties. Various rules regarding the time and place of contract
are laid down under section 46 to 50 and section 55. When the time is the essence
of contract, a promisor is expected to perform his promise with the stipulated time
period and if he fails to do so, the contract becomes voidable at the option of the
promisee.
FORMATION OF ONLINE CONTRACT
The Indian Contract Act, 1872 gives a lawful status to the common contractual rule. A valid
contract is formed by free consent of competent parties for a lawful object and consideration.
This Act does not prescribe any specific provision for communicating offer and acceptance. It
may be made in writing or by word of mouth or inferred from the conduct of the parties and
the circumstances. Express contract is said to be expressed and entered into by words spoken
or written where the offer and acceptance are expressly agreed upon at the time of formation
of the contract. When the contract is inferred from the conduct of the parties, a contract is said
to be implied. Such contract comes into existence on account of conduct or act of the parties.
The Information Technology Act, 2000 has made certain provisions for the validity and the
formation of online contracts but no specific legislation has been incorporated for the validity

91
(1903) 30 Cal. 539
89 | New Technology Laws With Special Reference To Cyber Laws
of online contracts in India. Even if no specific provision is made for the validity of online
contracts, it cannot be challenged based on technical grounds.
There are few processes available for forming an electronic contract such as e-mail by which
offers and acceptances can be exchanged. An online contract can be formed by completing the
website form provided for availing good or services offered by the seller in the website for
example air tickets. The person who intends to avail the good or services offered in the
website can place an order on the website by filling the concerned form and communicating
such. The goods offered can be delivered directly through electronic means for eg. e- tickets or
may be later for eg. clothes. Another process available for the formation of an online contract
is through online agreements by clicking on the button that says ‘ I Accept’ while connecting
to a software and by clicking on ‘I Agree’ button while signing up for an e-mail account.
Online contract is formed through new modes of communication such as e-mail, internet, fax
and telephone. The requirement of essential element such as offer and acceptance in online
contract formation is as much essential as it is for the formation of paper based traditional
contract. Contract formation over websites is quite different from the earlier ways of contract
formation. Online contract formation mainly raises issues in relation to the applicability of the
offer and acceptance rule. It is the website which acts as the retailer and responds as per the
consumer’s action. When a consumer is interested in downloading songs, videos or movies
from a retailer website in lieu of payment, the consumer will have to agree to the standard
terms of the retailer’s website by clicking the particular option button. Once the terms are
agreed by the consumer and the acceptance is expressed, it is the responsibility of the website
to deliver the service to the consumer. And lastly, on making the appropriate payment, the
contract is completed between the consumer and the retailer’s website for the particular
transaction.
Processes Formation of e-contracts
Processes available for forming e-contracts include:
1. E-mail
Where an offer and acceptance can be exchanged either by e-mail or it can be collected with
fax, paper documents, and telephonic discussions. The e-mail contracts are considered to be
valid and are enforceable when the terms and conditions of the contract are agreed upon by
both the parties on the acceptance of an issued offer, where there is an intention to create a
legally binding contract and a vital element of consideration as agreed by the parties. For
example, in the case of Trimex International FZE Limited, Dubai v. Vedanta Aluminium Ltd.,
the parties have completely agreed to the terms of the contract via email, where the supreme
court upheld the validity of this contract on its observations and stated, “once the contract is
concluded orally or in writing, the mere fact that a formal contract has to be prepared and
initiated by the parties would not affect either the acceptance of the contract entered into or
implementation thereof, even if the formal contract has never been initiated.”
2. Website forms
Where the sellers can offer goods or services through their websites and the goods or services
can be directly delivered; such as software, and e-tickets or delivered later such as clothes and
90 | New Technology Laws With Special Reference To Cyber Laws
accessories. These types of agreements are entered into when the customers order certain
goods or services by filling in and submitting an on-screen order form and the seller accepts
such orders. For example, orders made by customers on Amazon or Flipkart for purchase of
clothes and accessories, or booking of e-tickets on airindia.in or irctc.co.in.
3. Online agreements
Where the users may require to make an online agreement to be eligible to avail services.
There are three types of online agreements;
a. Click-wrap contracts: these contracts are enforced by clicking on ‘I Accept/ I Agree’ while
installing software or signing up for an email account.
In the case of Hotmail Corporation v. Van $ Money Pie Inc, et al92, the validity of the click-
wrap agreements was first considered, when the court held that “the defendant is bound by
terms of the license as he clicked on the box containing ‘I Agree’ thereby indicating his assent
to be bound.”
b. Browse-wrap contracts: these contracts are enforced wherein the terms and conditions are
provided through a hyperlink and are predetermined.
When we click the download button to install any app on the Playstore, knowingly or
unknowingly we give consent that we are bound by the terms and conditions of the
application.
In the case of Specht v. Netscape, the court held that “A consumer’s click on the download
button doesn’t communicate assent to contractual terms if the offer didn’t make clear to the
consumer that by clicking on the download button would signify assent to those terms.”
c. Shrink-wrap contracts: these contracts refer to licensee agreements that are wrapped with
the software where a customer or consumer cannot read the terms of the agreement until the
package is accepted and paid. An example of such an agreement is the End User License
Agreement (EULA).
In a US case, ProCD. Inc. v. Zeidenburg93, the court held that “the purchaser after reading the
terms of the license featured outside the wrap license opens the cover that is coupled with the
fact that he accepts the whole terms of the license that appears on the screen by a Keystroke,
constitutes the acceptance of the terms by conduct.” Therefore it is confirmed that the shrink-
wrap agreements are valid contracts and enforceable against the software purchaser.
VALIDITY OF ONLINE CONTRACT
The Information Technology Act, 2000 provides various procedural, administrative guidelines
and regulates the provisions relating to all kinds of electronic transactions. These include
computer data protection, authentication of documents by way of digital or electronic
signature. Though electronic contracts have been given recognition by the IT Act, 2000, but
majority feels it less secured to get into any kind of online contracts as there are no concrete

92
47 U.S.P.Q.2d (BNA) 1020, 1998 US Dist. LEXIS 10729, 1998 WL 388389 (N.D. Cal. Apr. 16,
1998).
93
86F .3d 1447 (7th Cir. 1996)
91 | New Technology Laws With Special Reference To Cyber Laws
judicial precedents for the validity and enforceability of online contracts in India. In case of
browse wrap contracts, we usually accept the terms and conditions of the contract by clicking
the button that indicates ‘ I Agree’ and in case of shrink wrap contract or purchase of a
software product, assent is given by the consumer or the purchaser with tearing of the wrapper
and using it. Many have the tendency of not reading the terms and conditions carefully before
agreeing to such. But these actions should be taken consciously and carefully only after
reading the terms of the contract properly as it leads to a valid contract and the terms can be
strictly enforced against them.
However courts in other countries such as US, have dealt with validity and enforceability of
contracts such as shrink wrap and click wrap contracts. It was held in the famous case
of ProCD. Inc. versus Zeidenburg94 “that the very fact that purchaser after reading the terms
of the license featured outside the wrap license opens the cover coupled with the fact that he
accepts the whole terms of the license that appears on the screen by a key stroke, constitutes
an acceptance of the terms by conduct.” Thus it is confirmed that shrink wrap agreements are
valid contracts and are enforceable against the purchaser of the software. But the
enforceability of the shrink wrap agreement is extended as far as the general principles of
contract are not violated. The validity of click wrap agreement was first considered when the
Court for northern district of California upheld in the famous case of Hotmail Corporation that
“the defendant is bound by the terms of the license as he clicked on the box containing “I
agree” thereby indicating his assent to be bound” [Hotmail Corporation v. Van $ Money Pie
Inc, et al95].
It was also held by the Appellate Division of Superior Court of New Jersey, that by clicking
the “I Agree” option given in the dialogue box the plaintiff has entered into a valid and
binding contract and can be made liable for the terms and conditions laid down in the contract.
Click wrap agreements are thus valid and enforceable in US as long as the offer and
acceptance rule is taken into consideration.
In the year 2015, an initiative known as ‘Digital India’ was launched by Narendra D. Modi,
the present Prime Minister of India. This campaign was launched to ensure that government
services available to the citizens of our country in any electronic way which will lead to the
improvement of online infrastructure and internet connectivity in our country. The initiative of
Digital India aims to connect rural areas with high speed internet networks and consists of
three components such as the creation of digital infrastructure, Delivery of services digitally
and digital literacy. Its main object is to make our country digitally empowered in the field of
technology.
With the wide spread expansion and globalization of technology, existence of online contract
has become regular in our life right from buying daily groceries from the market to
withdrawing money from an ATM. Electronic contracts by use of technology is much cost
effective and delay can be instantly removed in comparison to traditional paper based
contracts. There is less chance of committing errors as it is much automated. It provides an

94
Ibid
95
47 U.S.P.Q.2d (BNA) 1020, 1998 US Dist. LEXIS 10729, 1998 WL 388389 (N.D. Cal. Apr. 16,
1998)
92 | New Technology Laws With Special Reference To Cyber Laws
opportunity to the seller to reach millions of consumers irrespective of distance and most
importantly without the involvement of middlemen or any brokers.
The Indian Contract Act, 1872 provides a basic contractual rule that a contract is valid if it is
made by competent parties out of their free consent for a lawful object and consideration.
There is no specific way of communicating offer and acceptance; it can be done verbally, in
writing or even by conduct. Thus oral contracts are as valid as written contracts; the only
condition is they should posses all the essentials of a valid contract. It was held in the case
of Bhagwandas Goverdhandas Kedia v. Girdharilal Parshottamdas96, “that ordinarily, it is
the acceptance of offer and intimidation of that acceptance which results in a contract. This
intimation must be by some external manifestation which the law regards as sufficient. Hence,
even in the absence of any specific legislation validating e-contracts cannot be challenged
because they are as much valid as a traditional contract is.”
An online contract is simply a communication between two parties in regard to transfer of
goods/services. And as per Indian Evidence Act any e- mail communication and other
communication made electronically is recognized as valid evidence in a Court of law. By
considering the points, it can be concluded that the contract that follows the communication is
valid too and Indian law thus recognizes the validity of online contracts.
The citizens of India are encouraging the concept of Digital India, but there are no definite
legislations relating to the transactions done over computerized communication networks.
Several laws such as The Indian Contract Act, 1872, Information Technology Act, 2000,
Indian Copyright Act, 1957 and the Consumer Protection Act, 1986 to some extent are
working and acting on resolving issues that arise relating to the formation and validation of
online contracts. The Information Technology Act, 2000 is the Act that governs the
transactions conducted over internet and explains the considerable mode of acceptance of the
offer and provides the rules for revocation of offer and acceptance in a vague or indefinite
manner. Hence, a separate law for regulating contracts based on electronic devices is highly
recommended.
EVIDENTIARY VALUE OF ONLINE CONTRACT
In a country like India, where the literacy rate is not so high, the concept of ‘Digital India’ is a
far reach. People still feel insecure to do online based transactions mainly because the terms
and conditions of such contracts are not transparent. Another major issue is the nature of the
law governing the electronic contracts. Even if the IT Act, 2000 has legalized electronic
contracts, there are no definite provisions mentioned in the Act.
Documents are mainly registered for conservation of evidence, assurance of title and to protect
oneself from fraud. The evidentiary value of electronic contracts has been given recognition
and can be understood in the light of various sections of Indian Evidence Act. Sec 65B of the
Indian Evidence Act deals with the admissibility of electronic records. As per Sec 65B of the
Indian Evidence Act any information contained in an electronic record produced by the
computer in printed, stored or copied form shall deemed to be a document and it can be
admissible as an evidence in any proceeding without further proof of the original subject to

96
1966 AIR 543, 1966 SCR (1) 656
93 | New Technology Laws With Special Reference To Cyber Laws
following conditions are satisfied such as the computer from where it was produced was in
regular use by a person having lawful control over the system at the time of producing it,
during the ordinary course of activities the information was fed into the system on a regular
basis, the output computer was in a proper operating condition and have not affected the
accuracy of the data entered.
Section 85A, 85B, 88A, 90A and 85C of the Indian Evidence Act deal with the presumptions
as to electronic records. Sec 85A has been inserted later to confirm the validity of electronic
contracts. It says that any electronic record in the form of electronic agreement is concluded
and gets recognition the moment a digital signature is affixed to such record. The presumption
of electronic record is valid only in case of five years old record and electronic messages that
fall within the range of Section 85B, Section 88A and Section 90A of Indian Evidence Act.
REMEDIES FOR BREACH OF ONLINE CONTRACT
There is no specific rule in case of breach of online contract but the rules regarding remedies
for breach of contract can be followed as provided in The Indian Contract Act. A valid
contract gives rise to co- relative rights and obligations and they are enforceable in the court of
law when infringed on breach of contract. The Contract Act mainly talks about two remedies
for the breach of contract such as Damages and Quantum Merit. But few other remedies are
also available as provided in the Specific Relief Act such as specific performance of contract
and injunction restraining the other party from making a breach of contract.
Sec 73 and Sec 74 of the Indian Contract Act, 1872 deals with the rules regarding the remedy
of damages on breach of contract. The person whose rights are infringed by the breach of
contract may bring an action for damages or compensation in terms of monetary value for the
loss suffered by the party. There are two main aspects to be considered when any action of
damages i.e remoteness of damage and measure of damage. Sec 73 to 75 provides rules
regarding the assessment of damages based on the famous case Hadley vs. Baxendale 97 .
According to the rules laid down in this case, there can be damages which naturally arose on
the usual course of things from such breach of contract and can be called ordinary damages
and secondly, damages for loss arose from special circumstances i.e special damages. There
are also other kinds of damages mentioned in the Act such as nominal damage, pre- contract
expenditure, compensation for mental agony and liquidated damages. Nominal damages are
those substantial damages awarded by the Court in recognition of right of the aggrieved party
in cases where the party has not suffered any monetary loss on the breach of contract.
Whereas, pre- contract expenditure may be recovered as damages if such is within the
knowledge of the parties. Liquidated damages are those pre-determined damages decided by
the parties at the time of formation of the contract i.e amount of compensation payable in the
event of breach of such contract.
When a person has done some work under a contract and the other party repudiates the
contract or at the occurrence of an event that makes further performance of the contract
impossible, the party who has performed his work can claim remuneration for the work

97
[1854] EWHC J70, (1854) 156 ER 145
94 | New Technology Laws With Special Reference To Cyber Laws
already done. And under such circumstances the party can file suit upon quantum merit and
claim for the value of work he has done.
Online privacy issues related to e-contracts
Contracts have become a common part of our day-to-day lives that most of us don’t even
realize that we have entered into one such contract. When we use online platforms such as
Facebook, Instagram, Netflix, or other platforms, knowingly or unknowingly we enter into
online agreements by providing our personal information, signing up on these platforms by
creating an account, and clicking on ‘I agree’ to certain provided terms and conditions.
Privacy concerns with Facebook
For years, Facebook had faced numerous privacy concerns. There are instances that arose
from the company’s revenue model that involved selling information about users which led to
violation of privacy.
In 2018, Cambridge Analytica, a British political consulting firm was exposed by a sting
operation where it collected private data of around fifty million users of Facebook from friend
lists of Facebook users to create psychometric profiles to be used by personalized political
apps, campaigns, ads. It also used fake news to swing elections around the world. With regard
to this Facebook had received many warnings about its data security policies but Facebook
didn’t take any preventive steps to curb these.
Privacy concerns with Instagram
Instagram has provided three arbitrary terms and conditions which violate the user’s privacy,
these include;
• Instagram has sole copyright over the content and photographs that are posted on
its platform. It means the prima facie account is of the user but the copyright over
the account is of Instagram.
• Instagram has the right to disclose the personal information provided by the users
to third parties.
• Class action suit cannot be filed against Instagram, which means a suit cannot be
filed against Instagram collectively.
Privacy concerns with Netflix
Netflix contains two arbitrary and unreasonable policies that violate the information of the
users, which are;
• Netflix can change its terms and conditions anytime without letting its users
know, where it can even disclose the personal data of the users without informing
them.
• It can also disclose personal information to third parties without the consent of
the users.

95 | New Technology Laws With Special Reference To Cyber Laws

Indian laws governing e-contracts
Indian Contract Act, 1872
The Indian Contract Act, 1872 regulates the contracts in India. Like ordinary contracts, the e-
contracts are also primarily governed by the codified provisions of the Indian Contract Act.
An e-contract to be legally enforceable should fulfill all the essential requirements of the
provisions that are provided under the Act.
Information Technology Act, 2000
E-Contracts have also found statutory recognition under the Information Technology Act,
2000. According to Section 3 of the Act, the verification of e-contracts is affirmed by fixing
the ‘e-signature; or ‘digital signature’ of both the parties on them. Section 4 of the IT Act,
2000 provides lawful acknowledgement of the e-records, where the information is related as a
hardcopy or printed structure and is made accessible to the client for further reference. Section
65 to Section 71 of the IT Act provides for punishments related to cybercrimes in India.
India has legalised the validity of e-contracts under Section 10-A of the IT Act, 2000. In
regard to this, the IT Act excludes certain e-transactions from the documents which are
negotiable instruments, power of attorney, trust deed, will, sale deed, or conveyance deed with
regard to immovable property.
Indian Evidence Act
Section 65 of the Indian Evidence Act, 1872 provides that the court should recognize the e-
documents produced for the formation of the contract. In the case of Societies Fes Products
Nestle S.A & Anr v. Essar Industries & Ors., admission of e-contracts in Delhi High Court
paved way for the immediate introduction of Section 65A and Section 65B in the Indian
Evidence Act, 1872, where according to Section 65 the content of electronic records can be
proved by parties in accordance with section 65B of the Act.
In the case of State of Delhi v. Mohd. Afzal and Ors., the Delhi High Court held that
“electronic records are admissible as evidence.” In the State of Punjab and Ors. v. Amritsar
Beverages Ltd. and Ors., the supreme court in this case observed that “Section 63 of the
Indian Evidence Act makes media like paper, optical or magnetic forms admissible in courts.
Section 65-B of the Indian Evidence Act also provides that the information contained in the
form of an electronic record is admissible in court without procuring the original document.
Therefore, the admissibility of the same is subject to various conditions that are prescribed
under Section 65-B of the Evidence Act.
Execution of an electronic record has been exhaustively dealt with in the case of Arjun
Panditrao Khotkar v. Kailash Kushanrao Gorantyal and Others (2020) interpreting Sections
65 A and 65B. The originality of an electronic record can be proved by the owner if they are
able to prove the above-mentioned points either by stepping into the witness box or by
providing a printout of such electronic document in accordance with Section 65B along with
certificate as under Section 65B(4) as provided in Anvar P.V v. P.K Basheer & Ors (2014).
Under Section 47A, the Court can refer to the opinion of the Certifying Authority which has
issued the electronic Signature Certificate as a relevant fact to form an opinion. Furthermore,
96 | New Technology Laws With Special Reference To Cyber Laws
under Sections 85A & 85B, it gets the benefit of presumption unless otherwise proved. The
Court presumes that:
1. That the electronic record has not been altered since the time it has received the status
of being secured.
2. That the subscriber had the intention of signing/ approving the electronic record upon
affixing the secured digital signature.
Thus, the recognized electronic signatures are deemed valid unless the contrary is proved.
Documents on which digital and electronic signatures are invalid
The Central Government has also provided on what classes of documents the electronic
signatures cannot be used. These include:
1. Any class of documents as stated by the central government through a notification
published in the Official Gazette.
2. Any contract for the sale of immovable property, interest or conveyance in such
property.
3. Power of Attorney as per Section 1A of the Powers of Attorney Act, 1882.
4. A will and/or testament as per Section 2(h) of the Indian Succession Act, 1925.
5. A negotiable instrument(except cheque) as per Section 13 of the Negotiable
Instruments Act, 1881.
6. A trust as per Section 3 of the Indian Trusts Act, 1882.
Remedies for breach of e-contracts
There is no specific rule in case of any breach of e-contract, so in order to seek appropriate
remedy for such breach the remedies for breach of contract provided in the Indian Contract
Act can be followed. The Contract Act mainly talks about two remedies for breach of
contracts such as damages and quantum meruit. Section 73 and Section 74 of the Indian
Contract Act provide rules regarding the remedy for damages by breach of contract. There are
few other remedies available as provided in the Specific Relief Act such as specific
performance of contract and Injunction restraining the other party from making the breach of
contract.
The Laws of Information Technology in India has come a long way since the enactment of the
IT Act, 2000. However, there exists uncertainties and confusion with respect to many aspects
of an online contract, especially on the requirements of signature and stamping. With the
current trend of demonetisation and digitization, eradicating any uncertainties in validity of e-
contracts seems to be the need of the day and we sincerely hope the Government would take
necessary steps in this regard.

97 | New Technology Laws With Special Reference To Cyber Laws

 CHAPTER-5

E-BANKING
The word ‘Banking’ has been defined in the Banking Regulation Act, 194998 as ‘the accepting,
for the purpose of lending or investment, of deposits of money from the public, repayable on
demand or otherwise, and withdrawal by cheque, draft, order or otherwise’. Thus banking
means an industry that deals with cash, credit and other financial instruments. The bank
accepts deposits from its account holders and uses those deposits in lending loans for the
purpose of investment and earns interest in return. A connection of two or more computers is
called as a network and a connection of two or more such networks is called as internetwork
or Internet. It is the largest connection of such systems. Internet is often described as
‘Information Superhighway’ as it is a means to reach innumerable destinations. Thus the
word internet may be defined as a global system of interconnected computer networks that
uses the Internet protocol or Transmission Control Protocol (IP & TCP) to communicate
between the networks and devices. And thus accordingly, Internet Banking may be defined as
a form of banking wherein the funds are transferred through an internet based medium
between financial institutions, rather than an exchange of cash, checks, or other negotiable
instruments99.

Albert Einstein once said, “Technological progress is like an axe in the hands of a
pathological criminal”, this quote of Albert Einstein is the main crux of this paper, put forth
in a simpler manner. The linking of the internet and banking has made the procedures,
techniques and processes of banking simpler, easier, faster and efficient. Since the internet
works on big chunks of data that are exploited by malicious elements, such as hackers,
spammers, drudgers and infection vector creators who target and compromise data of financial
institutions by using unlawful methods to put the safety, security and privacy of various
individuals who confide, rely and trust the Banking infrastructure of India at risk. To protect
the faith reposed by Indians in the Banking System, there are laws enacted by the Parliament
of India to protect the confidence placed in the e-banking system, meanwhile, the currently
existing legal structure is sufficient but due to the entry of artificial intelligence and daily
evolution of technology, the current legal structure might fall short by a yardstick until and
unless it undergoes an upgrade to protect Indian consumers. The objective of this paper is to
analyse the existing legal structure of e-banking and give some constructive recommendations
to upgrade, improve, enhance, and adapt to the forthcoming future of the banking processes in
India.

98
Section 5(c), The IT Act, 2000, No. 21, Act of Parliament, 2000 (India)
99
Gunjan Bhagtan & Jhanvi Pandya, Contemporary Legal Issues in Indian E Banking System, Volume
2, Issue 1, JBIL, 40, 38-48, 2019.
98 | New Technology Laws With Special Reference To Cyber Laws
Banking is defined as the business of accepting monetary deposits from the public with the
sole objective of loaning, or financing, repaying money on receiving requests, and withdrawal
of money via any financial instrument. The internet has been called the “highway of
information” because it possesses the capability to connect billions of people across the globe
at the touch of a button at the same time internet uses IP Addresses (Internet Protocol
Address) to identify, locate and detect servers across its network to communicate information
in bytes across the network laid down by the Service Provider.
Different types of online financial transactions are:
National Electronic Fund Transfer (NEFT)
National Electronic Funds Transfer (NEFT) is a nation-wide payment system facilitating one-
to-one funds transfer. Under this Scheme, individuals, firms and corporates can electronically
transfer funds from any bank branch to any individual, firm or corporate having an account
with any other bank branch in the country participating in the Scheme. Individuals, firms or
corporates maintaining accounts with a bank branch can transfer funds using NEFT. Even
such individuals who do not have a bank account (walk-in customers) can also deposit cash at
the NEFT-enabled branches with instructions to transfer funds using NEFT. However, such
cash remittances will be restricted to a maximum of Rs.50,000/- per transaction. NEFT, thus,
facilitates originators or remitters to initiate funds transfer transactions even without having a
bank account. Presently, NEFT operates in hourly batches - there are twelve settlements from
8 am to 7 pm on week days (Monday through Friday) and six settlements from 8 am to 1 pm
on Saturdays.
Real Time Gross Settlement (RTGS)
RTGS is defined as the continuous (real-time) settlement of funds transfers individually on an
order by order basis (without netting). 'Real Time' means the processing of instructions at the
time they are received rather than at some later time; 'Gross Settlement' means the settlement
of funds transfer instructions occurs individually (on an instruction by instruction basis).
Considering that the funds settlement takes place in the books of the Reserve Bank of India,
the payments are final and irrevocable. The RTGS system is primarily meant for large value
transactions. The minimum amount to be remitted through RTGS is 2 lakh. There is no upper
ceiling for RTGS transactions. The RTGS service for customer's transactions is available to
banks from 9.00 hours to 16.30 hours on week days and from 9.00 hours to 14:00 hours on
Saturdays for settlement at the RBI end. However, the timings that the banks follow may vary
depending on the customer timings of the bank branches.
Electronic Clearing System (ECS)
ECS is an alternative method for effecting payment transactions in respect of the utility-bill-
payments such as telephone bills, electricity bills, insurance premia, card payments and loan
repayments, etc., which would obviate the need for issuing and handling paper instruments
and thereby facilitate improved customer service by banks / companies / corporations /
government departments, etc., collecting / receiving the payments.

99 | New Technology Laws With Special Reference To Cyber Laws

Immediate Payment Service (IMPS)
IMPS offers an instant, 24X7, interbank electronic fund transfer service through mobile
phones. IMPS is an emphatic tool to transfer money instantly within banks across India
through mobile, internet and ATM which is not only safe but also economical both in financial
and non-financial perspectives.
Objectives of IMPS:
• To enable bank customers to use mobile instruments as a channel for accessing their
banks accounts and remit funds
• Making payment simpler just with the mobile number of the beneficiary
• To sub-serve the goal of Reserve Bank of India (RBI) in electronification of retail
payments
• To facilitate mobile payment systems already introduced in India with the Reserve
Bank of India Mobile Payment Guidelines 2008 to be inter-operable across banks and
mobile operators in a safe and secured manner
• To build the foundation for a full range of mobile based Banking services.
Some of the distinctive features of i-banking are:

1. Internet banking has removed the traditional geographical barriers as nowadays the
customer can access the banking services from anywhere without actually visiting the bank.
But it is pertinent to note here that this feature of Internet banking has raised a jurisdictional
issue as to which jurisdiction or supervisory system such matter be subjected.
2. It has reduced the traditionally associated banking risks and problems like infrastructure
requirements, manpower requirements, etc., but at the same time, i-banking has increased
security related issues as well.
3. It is cost and time effective to both the banker and the customer and it facilitates
transactions all time including holidays as well.
ISSUES IN INTERNET BANKING
After looking at the distinguishing features of Internet Banking, we can say that i-banking has
increased the ease of doing business in India. Though there are few Regulatory and
Supervisory concerns that arise mainly out of the distinguishing features highlighted above.
These concerns can broadly be categorized into the following four categories:-
(i) Legal and regulatory issues,
(ii) Security and technology issues,
(iii) Supervisory and operational issues, and
(iv) Authentication issues.
Some of these issues are more susceptible than others, for eg, the privacy breach issue.
100 | New Technology Laws With Special Reference To Cyber Laws
Security and Privacy Issues:- The greatest roadblock in the adoption of internet banking is
Security, it is a prominent risk factor for the internet banking system, and this is one of the
major areas of concern for the regulators. Security issues may be classified as: Internal or
External, Human or Non-Human, Incidental or accidental. The security issue involves
adopting internationally accepted technology, encryptions/ decryptions, verification of digital
signatures, etc. Easy access to financial accounts makes internet banking an easy and simple
target for hackers. ‘Phishing’ is one of the most common methods of hacking and gaining
confidential information of customers.
Privacy is vital for mankind in today’s world. And a lack of securitized transactions may result
in loss of data, theft, tampering with customers or bank’s information, etc. which may result in
money laundering, and other frauds. There have been many instances wherein security breach
has resulted in leakage of important data and thus, we can say that security issues are the
major roadblock in a fully-fledged adoption of internet banking in India.
Legal Issues:- As we know that the internet is a public domain, where geographical territories
are eliminated, and therefore this raises issues relating to the jurisdiction of law, the difference
in the legal rules for electronic commerce, etc. Let’s discern this with a practical illustration:
‘A’ (accessing the internet from Indian) makes a transaction through his account in Bank ‘B’
(situated in the U.K), and transfers the amount to ‘C’ (a resident of U.S.). Now in this
illustration, a question of jurisdiction arises, as to in whose jurisdiction does the matter fall in,
whether to apply the laws of the country where the internet is accessed, or where the bank is
situated or at the place where the transaction has taken place? Allied to this question, where
the income has actually been earned, and who should levy the tax on such transaction? There
is still no definite answer to these questions, although this legal issue is being debated, and is
expected to head away to some positive result in the near future.
Supervisory and Operational Issues:- Operational risk is the risk of direct, or indirect, loss
resulting from inadequate or failed internal processes, people, and systems, or from external
events.7 They are the most common risk associated with internet banking and are also known
as Transactional Risks. Operational risks involve: inaccurate processing of the transactions,
non-enforceability of contracts, unauthorized access, intrusion in the bank’s system, etc. This
kind of risk generally arises due to the inefficient design of the banking software, other
technological inefficiencies, human negligence, fraudulent activity by employees etc8 .
Security and operational issues are two terms often used interchangeably, though there is a
thin line difference between these two.
Authentication Issues:- The Authentication issue typically involves security procedures like:
PIN No., Customer Relation No., Password, OTP, Account No., etc are involved to test the
authenticity of an instrument. Different nations have set out different parameters to judge the
authenticity of a transaction. In India, The Information Technology Act, 2000 100 provides that
any subscriber may authenticate his electronic record through a Digital Signature. The issue
with authentication is that the Act recognizes only one particular technology for authenticating
electronic documents (i.e asymmetric cryptosystem), so this raises the doubt whether the law

100
Section 3(2), The IT Act, 2000, No. 21, Act of Parliament, 2000 (India).
101 | New Technology Laws With Special Reference To Cyber Laws
recognizes other banking authentication technologies or not. Legislatures of other countries
have kept the authentication process technologically neutral.
Threats to Mobile Banking
1. Mobile Banking Malwares: There have been incidents that involved sophisticated virus
infecting bank¿s mobile apps users to steal password details and even thwart twofactor
authentication, by presenting victims with a fake version of the login screen when they access
their legitimatebanking application. A key vector by which the mobile banking malware get
into the mobile device is through malicious applications posing aslegitimate applications those
users download and then become infected.
For prevention against Malware attacks:
• Download and use antimalware protection for the mobile phone or tablet device.
• Keep the Banking App software up to date: Using the latest version of software allows
receiving important stability and security fixes timely.
• Use security software: Applications for detecting and removing threats, includig
firewalls, virus and malware detection and intrusion-
detection systems, mobile security solutions should be installed and activated.
• Reputed applications should only be download onto the smart phone from the market
after look at the developer's name, reviews
and star ratings and check the permissions that the application requests and ensuring t
hat the requests match the features provided by that application.
2. Phishing/Smishing/Vishing Attack : An attacker attempts phishing on to a mobile phone
through SMS (Short Message Service),text message, telephone call, fax, voicemail etc. with a
purpose to convince the recipients to share their sensitive or personal information. For
prevention against phishing attacks Emails or text messages asking the user to confirm or
provide personal information (Debit/Credit/ATM pin, CVV, expiry date, passwords, etc.)
should be ignored. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) should be
adequately implemented in mobile banking apps thus helping to prevent phishing and man¬-
in-¬the--middle attacks.
3. Jailbroken or Rooted Devices : This is practiced to gain unrestricted or administrative
access to the device's entire file system, at the risk of exposing the device vulnerable to the
malicious apps download by breaking its inherent security model and limitations,
allowing mobile malware and rogue apps to infect the device and control critical functions
such as SMS. Thus the mobile banking app security is exposed to extreme risk on a jail broken
device.
4. Outdated OSs and Non secure Network Connections : Risk factors such as out¬dated
operating system versions, use of non secure Wi¬ Fi network in mobile devices allow
cybercriminals to exploit an existing online banking session to steal funds and credentials.
For prevention: Use Secure Network Connections: It's important to be connected only to the
trusted networks. Avoid the use of public WiFi networks. More secure and trusted WiFi
connections identified as "WPA or WPA2" requiring strong passwords should be used.

102 | New Technology Laws With Special Reference To Cyber Laws

Best Practices for Users to remain safe

• Enable Passwords On Devices:

Strong passwords should be enabled on the users phones, tablets, and other mobile de
vices before mobile bankingapps can be used. Additional layers of security inherently
provided by these devices should be used.
• Bank account number or IPIN should not be stored on the user’s mobile phone.
• The user should report the loss of mobile phone to the bank for them to disable the use
r's IPIN and his access to the bank's account through Mobile Banking app.
• When downloading the Bank’s Mobile app in the mobile device, the user should go to
a trusted source such as the App Store on the iPhone® and iPod touch® or Android
Market. User can alternately check the Bank’s website for the details of the ways
to receive App download URL, whether in the response to his SMS or email to the
bank and then install the application. The app from any other third party source should
not be downloaded .
The legal structure of e-banking in India
E-Banking or Internet Banking has eliminated the need for paper and physical financial
instruments because funds, money and capital can be easily accessed and transferred to the
beneficiary on this online platform, therefore Internet Banking has reduced problems like
geographical barriers, lack of infrastructure, cost, difficulty in obtaining loans and time
consumption. Therefore, it is important to know the existing legal structure of e-banking and
the challenges that lie therein.
Reserve Bank of India minimum standards on e-banking
On 17th October 2000 the Ministry of Information Technology issued a notification exercising
its authority under the Information Technology Act, 2000. Pursuant to this notice the Reserve
Bank of India (hereafter referred to as “RBI”) issued a notification dated 14.06.2001 and
formed the S.R. Mittal Working Group Committee and subsequently the
previous notification of 14th June 2001 was amended by RBI notification dated 20.07.2005,
where the need for the approval of RBI was scrapped off, the following were the minimum
benchmarks of security set up by the RBI:
1. Highly encoded 128 Bit Security Socket Layer based digital signatures for
authentication purposes. Every bank should have Security Officer solely dealing
with information technology and shall work towards the execution of the rules
made under the IT Act, among other things, the Board of Directors shall approve
the security policy that is adopted by the bank.
2. At that time login id, password, biometric verification were new notions, hence
the banks were asked to adapt to such new concepts wherein the bank must make
sure that Internet and Digital Banking System respects the security and privacy by
maintaining a line of proxy server-based firewall. All the security structures were
to be tested before any kind of Internet Banking facility was available, whereas

103 | New Technology Laws With Special Reference To Cyber Laws

 the upgradation, bug removal and other security software were deemed necessary
to be installed.
3. Any security fissure which might open up during the E-banking must be reported
and taken care of at the earliest possible opportunity and future policies should be
framed while keeping in mind security fissures that are incurred from time to
time. Meanwhile, the burden lies upon the bank to keep both encoded and
decoded records of all the transactions and messages received during e-
transactions.
According to these guidelines, all the scheduled commercial banks were required to seek prior
permission of the Reserve Bank to offer Internet Banking Services. In 2005, the Reserve Bank
issued another notification, in which it reviewed all the above guidelines and advised that the
i-banking should continue to be governed by the above guidelines only. However, the
provision of prior approval of the Reserve Bank to offer i-banking was withdrawn.
SECURITY STANDARDS OF RBI101
(i) There are two types of Keys 102 in a digital signature: Public Key and Private Key. RBI
recommends Public Key Infrastructure (PKI) transaction to secure transactions, but since there
was no certified PKIs, thus until then transactions were taking place through SSL (Security
Socket Layer). SSL is highly encrypted and meets the international standards. The RBI
recommends 128 Bits SSL for secured transactions.
(ii) As per the RBIs guidelines the security policy of each financial institution should be duly
approved by the Board of Directors of that particular institute. The guidelines further
recommend that each institute must have a Security Officer who exclusively deals only with
information systems and leads the implementation of Information Technology related policies
(iii) Various new concepts were like user-id, password, etc were introduced. Banks were
ordered to use logical access controls to data, systems, applications, telecommunications lines
etc. Common types of logical access control includes userids, passwords, smart cards or other
biometric technologies.
(iv) Banks were required to ensure that there was no direct connection between the Internet
and the Banks System. This step was taken to facilitate high level of control and monitoring.
At the minimum, to ensure this bank’s should use a proxy server type of firewall. Firewall was
highly recommended which could thoroughly inspect the information in sensitive systems of
the bank.
(v) All the systems lined up with the modem should be isolated so as to prevent the intrusion
of any other proxy server in the network
(vi) All the unnecessary services should be disabled. The server should be isolated from such
kind of services.

101
Reserve Banki of India, GUIDELINES ON INTERNET BANKING IN INDIA
(http://cashlessindia.gov.in/CERT-In%20Advisory%20Notes-
Mobile%20and%20Cloud%20Data%20Security.pdf)
102
Wondershare Sign X, Public Key & Private Key in Digital Signature.
104 | New Technology Laws With Special Reference To Cyber Laws
(vii) If any security breach is seen it must be immediately seen and should be reported
immediately and the follow up action must be kept in mind while farming future policies.
Banks must acquire all the tools that are required for monitoring the system and protect it from
intrusions and attacks. Such tools should be regularly used to ensure security and to avoid
security breach. In addition to the above, the Banks should also educate their security
personnel and also the end-users on a continuous basis.
(viii) Banks should have proper schedules for banking data backup and must ensure proper
infrastructure. The guidelines also recommended to have periodical testing of backed up data
so as to ensure recovery without any loss of data in limited time frame.
(ix) Banks should maintain proper record keeping facilities for legal purposes. Its messages
and transactions must necessarily be kept in both encrypted and decrypted form.
(x) Security infrastructure must be properly tested before resuming normal Internet banking
operations. The banking systems must be periodically update there system application to
removes bugs and to upgrade to a newer version which would give better service and security.
Information Technology Act, 2000 (“IT Act”)
E-banking is mainly regulated by the Banking Regulation Act, 1949 and the Reserve Bank of
India Act, 1934 but all sorts of cybercrimes and electronic payment related systems are
regulated by the IT Act and the important features of the IT Act which should be noted are:
1. The legislative intent behind the IT Act is to enable e-commerce and governance
wherein all electronic documents and digital signatures are recognized under IT
Act which should be retained and analysed properly by the bank because all
contracts and electronic transactions are lawful and enforceable under this Act.
2. No e-banking transaction can survive if it is not in conformity with the provisions
of the IT Act because the protection of privacy and crypto function-based
authentication of E-transactions can only take place under the umbrella of this
Act as theft of data via unethical means of hacking, creation and spreading of the
virus is punishable under this Act. In fairness, the Act also grants immunity to
prevent harassment to Internet Service Providers and intermediaries over the
illegal activities committed on their networks.
3. With the immunity granted, a duty is cast on the Bank (intermediary) to keep a
record and conserve the same as directed by the Central Government from time to
time, meanwhile the violation of security or privacy of E-transactions during
sign-in, password typing, and other confidential information is protected under
the aegis of this Act, wherein any violation thereof has been made punishable.
This act have a direct bearing on the working of the internet banking in India and thus
it can be said that Internet banking cannot be operated without being in conformity
with the IT Act 2000. Following are the points which highlight the importance of
Information Technology Act, 2000 in regards to internet banking:
(i) Scrutinization of Documents: Any banking transaction requires scrutinization
and retention of various documents and in internet banking these documents are
105 | New Technology Laws With Special Reference To Cyber Laws
 retained and scrutinized in electronic form. The legal recognition to these electronic
documents is given by the IT Act only103.
(ii) Electronic Transaction: Every transaction entered electronically is recognized by
the provision of the IT Act. Section 10-A of the Act gives validity and enforceability
to a electronic transaction, and thus without the provisions of IT Act no internet
banking transaction can be challenged in the court of law104.
(iii) Authentication: Authentication of these electronic records for the purpose of
electronic banking should be in accordance with the provision of this act.
(iv) Digital Signature: If the documents are signed electronically of digitally it is
governed according to the provisions of this act only. Thus, this act would satisfy the
signing of a document for the purposes of Internet Banking.105
(v) Privacy: Privacy is very important in internet banking because if privacy and
security wouldn't had been there, Internet banking may not have survived.106
(vi) Data theft: Section 66 of the IT Act penalizes a number of acts relating to theft of
done on computer system, few ways in which data theft can be done are: hacking,
introducing and spreading viruses through computer networks, etc.
(vii) The object of the IT Act is to facilitate e-commerce and e-governance which are
important for the functioning of Internet banking in India.
By looking at the above points it can be said that the Information Technology Act,
2000 has laid down the basic legal framework conducive to the Internet banking in
India. And thus accordingly a comprehensive way needs to be adopted so as to bring
uniformity and harmony between the provisions of the IT act and the guidelines
issued by the Reserve Bank of India.
Few of the important provisions of the IT Act are as follows:-
a) Section 3(2): This section recognizes only one particular technology (crypto
function and hash function) as a means of authenticating electronic records. This
approach has been kept technology neutral in various nations.
b) Section 4: This provision gives legal recognition to all the contracts and
agreements made in electronic form.
c) Section 72: It provides for the penalty in case of privacy breach
d) Section 79: It provides immunity to the network service providers and excludes
them from liability in case of any illegal activity committed through their network.

103
Chapter III of The IT Act, 2000, No. 21, Act of Parliament, 2000 (India).
104
Validity of contracts formed through electronic means.
105
Electronic Document
106
Penalized under Section 72 of The IT Act, 2000, No. 21, Act of Parliament, 2000 (India)
106 | New Technology Laws With Special Reference To Cyber Laws
 In January 2011, RBI constituted G Gopalakrishna Working Group to review the
security of Electronic Banking in India. The committee on April 2011 notified 107 few
changes which constitute the current regulatory guidelines
Indian Penal Code, 1860
Many of the Internet Banking related crimes are penalized by the Indian Penal Code. There
are various provisions of IPC which protects Internet Banking related frauds, theft, etc. Un -
surprisingly there are a number of provisions in the Indian Penal Code that overlaps the IT
Act, 2000. Few of those provisions are discussed below:
1. Data Theft: As defined under Section 378 of IPC, theft also includes theft of data online or
otherwise. There are a number of ways in which the data relating to internet banking can be
stolen like for example: hacking, spreading viruses, destroying computer systems, denying
access to a person authorized. And thus protection of data becomes crucial. And IPC bars such
activities protects the interest of internet banking users. Section 424 108 of IPC also bars data
theft in India by punishing the person who assists or conceals the data
2. Receipt of a stolen property: If any person receives the furtherance of any property stolen
from an internet banking transaction, he shall be held liable u/s 411 109of IPC and shall be
punished with imprisonment up-to 3 months or with fine or with both. This provision of IPC is
similar to Section 66-B of the IT Act, which provides Punishment for dishonestly receiving
stolen computer resource or communication device.
3. Cheating by Personation: Section 411 (Dishonestly receiving stolen property) of IPC
provides punishment for or any act committed through cheating by personation. Section 66-C
110
of IT Act also punishes the same. Any person who commits the offence of cheating by
means of computer is said to do Cheating by Personation.
4. Mischief: It is needless to say that any person who, with a wrongful intention, introduces
viruses into computer system, damages the computer system or denies the access to the person
authorized to use that system, shall be liable for mischief, which is punishable under Section
425 of IPC with imprisonment up-to 3 months or with fine or with both.
5. Forgery: In Internet Banking Transactions forgery can be done by giving false electronic
documents or other records111 .
There are a number of other criminal activities which the IPC doesn't punish, but are
punishable under the IT Act. Few of them are:

107
WORKING GROUP ON ELECTRONIC BANKING, Report
108
Section 424: Dishonest or fraudulent removal or concealment of property, Indian Penal Code, Act
No 45 of The Imperial Legislative Council, 1860.
109
Section 411 IPC: Dishonestly receiving stolen property, Indian Penal Code, Act No 45 of The
Imperial Legislative Council, 1860
110
Section 66-C IT Act: Identity theft and cheating by personation, The IT Act, 2000, No. 21, Act of
Parliament, 2000 (India).
111
Section 468 of IPC, Indian Penal Code, Act No 45 of The Imperial Legislative Council, 1860
107 | New Technology Laws With Special Reference To Cyber Laws
1. IPC doesn't punishes a person who charges the services availed by him to the account of
some other person by tampering or manipulating any computer system, or computer network.
Such an act is punished u/s 43(h) of the IT Act.
2. Tampering with computer source document. To a certain extent it is punished u/s 409 of
IPC but it is not extensively been described there. And thus section 65 of the IT Act deals with
it.
3. Violation of Security/Privacy while transacting online: Punishable u/s 66E of IT Act.
Privacy while logging, entering password, transacting, is very important in Internet Banking
4. Preservation of Intermediaries (Banks in our case): Section 67 requires an 'intermediary' to
preserve and retain all such information that the central government prescribes. This provision
was challenged before the court in the case of Shreya Singhal vs. UOI 112 , wherein the court
affirmed the validity of this section.
Other Legislations
1. INCOME TAX ACT 1961: Section 40A(3): The Benefit of this section is available to the
account holder only when the amount is transferred through internet banking or through a
cheque. This section is intended to prevent tax evasion and to bring all the transactions above
20000 under the preview of the bank.
2. NEGOTIABLE INSTRUMENT ACT, 1881: Section 6: The concept of Truncated
Cheque and e-cheque was added. These cheques are negotiable instruments in electronic
format which are a part of internet banking. All of these instruments are required to maintain
minimum safety requirements with the use of digital signatures (which may be linked with
biometric).
3. PREVENTION OF MONEY LAUNDERING ACT, 2002: Section 11: It imposes a duty
on every financial institution and intermediary to maintain a record of every transaction. This
applies to all the banks whether offering physical or internet services. This provision helps the
prevention of money laundering from taking place through the internet banking.
4. CONSUMER PROTECTION ACT, 1986: This act aims to protect the interests of the
consumers. It is also applicable to Banking Services as well. The issues such as privacy, the
secrecy of consumer’s accounts and the rights and liabilities of customers and banks, etc. in
respect of internet banking are protected through this act.
Legal remedies and some solutions to the problems in the existing legal structure
There are various issues in e-banking which the existing legal structure has failed to address,
hence the following are some of the remedies and solutions to the existing cyber problems
faced during e-banking:
1. Jurisdiction and enforceability- Since the internet is a borderless world and
cybercrimes threaten the sanctity of e-banking, herein cyber-attacks can take
place from any computer either located in India or abroad hence Section 75 of the
IT Act gives universal jurisdiction whenever any sort of cyberattack takes place

112
(2013) 12 S.C.C. 73
108 | New Technology Laws With Special Reference To Cyber Laws
 on any computer located within the territory of India. Such crimes are
investigated and prosecuted by cyber cells which are located across various
districts in India. If a cyberattack is foreign state sponsored, then compensation
by means of attachment of property existing in India of that foreign state can be
claimed by the Republic of India.
2. Seeking Compensation, Penalty, and prosecution by Cyber Cells- Under
Section 43A and 72 of the IT Act any theft, breach of confidential data, cheating
or offences of the same nature are liable to be penalized and the victim shall be
compensated in case any fraud takes place during E-Banking transactions. It is
also pertinent to note that the Banker’s Book Evidence Act mandates that bank
records in digital format can also be appreciated by the Court as it can be treated
as documentary evidence under Sections 65A and 65B of the Indian Evidence
Act, 1872.
3. Approaching the Consumer Forum- Disputes regarding the privacy of
consumer accounts, rights, deficiency in E-banking services, liabilities of banks
towards its customers, and the rights of consumers can be enforced by the
Consumer Forum having the relevant pecuniary jurisdiction under the Consumer
Protection Act, 2019.
4. Approaching Special Court for Money Laundering cases- Under Section 11 of
the Prevention of Money Laundering Act, 2002, any money laundering taking
place through E-Banking can be prosecuted and prevented under the aegis of this
Act and Section 11 also casts a burden upon the Bank to maintain a record of
each and every transaction occurring through its electronic payment gateway.
IMPACT OF INTERNET BANKING
Internet Banking transaction are much cheaper than the physical banking transactions. The
Set-up of Internet banking is comparatively cheaper to the banks and thus, it is leading to the
introduction of a lot of new trends in the Banking world. Traditional Banking System may
find it difficult to raise additional cash or investment in the Stock Markets, but this in contrast
to the Internet Banking System seems to be a relatively easier task to interact investment.
Internet Banking has now become an integral part of global financial market, so as to meet the
needs of different financial markets/ institutions. And thus accordingly Internet Banking has a
bold impact in the global and local markets, and its popularity has been growing exponentially
as the internet users in the world increases.
Internet Banking Offers a Number of Advantages to the Customers and the Banking
Institutions. Few of which are mentioned below:
• From Banking Institution’s Point of View
1. Reduces the cost of delivering services
2. Gives a competitive advantage to the banks from their peers
3. Promotional Advertisements on their site may also generate some additional
revenue
4. Paperless transactions

109 | New Technology Laws With Special Reference To Cyber Laws

 5. Increase in Investments, as the customers can apply for loans electronically without
visiting the banks.
• From Customer’s Point of View:
1. 24 x 7 access to the banking services
2. Access to the account activity in a very quick time
3. Application for loans, ATM Cards, etc
4. Home based transfer of funds, payment for purchasing something online, etc.113

OBLIGATION OF BANKS
Few obligations which every banking institution is bound to follow:
1. Duty to maintain Secrecy of customers account: This obligation was introduced
in the Tournier’s Case114 back in 1924, in which it was held that banker has a duty to
maintain the secrecy of customers account details, the nature and the details of the
accounts should not be disclosed to anybody, because it may effect the reputation,
credit worthiness of the customer. Now with the growing sphere of internet banking
and the increasing menaces of cyber crimes this duty has became more difficult
because of the presence of Hackers.
2. Duty to produce documents to the courts115: Whenever the court calls for any
document it is the duty of the banker to bring those documents before the court. This
is basically an exception to the above mentioned principal of secrecy. The banker
shall produce the documents whenever the court calls for it, it won’t amount to
privacy breach.
3. Obligation to verify the validity of digital signature: This must be done in
accordance to the procedure established under the IT Act, 2000. The law is very strict
in relation to forged document, and thus it is the duty on the paying bank to verify the
validity of the signatures
4. Obligation to provide services to the customers: Banking institutions offers a
variety of services to its customers (few of them discussed in the next section). It is
the obligation of the bank to extend these services to the Internet Banking Users as
well. The same had been expressed by the apex Court in the case of Vimal Chandra
Grover vs. Bank of India116
SERVICES ON INTERNET BANKING
1. Information System: The customers of Internet Banking may get the general
information like loan facilities, bank products and their features, account activity, etc.

113
Dr. Prof Renu & Mr. Kuldeep Singh, The Impact of E Banking on use of Banking Services and
customer satisfaction IJTSRD, Volume 3, Issue 4, Pg. 23
114
Tournier v. National Provincial & Union Bank of England, (1924), K.B., 461
115
Section 4, The Bankers Book Evidence Act, Act No, 18 of 1891
116
AIR 2000 SC 2181
110 | New Technology Laws With Special Reference To Cyber Laws
 They can also download various forms or applications like the loan application
form.117
2. Transfer System: Every internet banking user can transfer funds to anyone from
their home itself. Of course if anyone wants to transact online he needs few details
relating to his account like his account number, password, CRN No., etc. The users
can also see their account balance, transactions, statements, etc. (These information
are available in read only mode format only). The customers authentication is mostly
done through passwords.118
3. Various other services are also offered, few of which are: Ticket Bookings,
mobile recharge, shopping, investments, payment of bills, etc.119
Banking System always has an important role to play in the economy of every nation.
The banking system as it stands today has become more intricate with different
services stemming from reliance on technological changes which has shaped the
complete banking system from a manual intensive industry to a highly automated and
technologically dependent industry. Now the internet banking enables the business
anywhere any at anytime. Internet Banking has now become a virtual blessing as it
eliminates few of the problems in the Banking sector and had been proved
advantageous to both, the banks and its customers.
CAPACITY BUILDING AND AWARENESS PROGRAMMES BY THE
GOVERNMENT
DIGISHALA – EDUCATIONAL TV CHANNEL FOR DIGITAL PAYMENTS
ON DD FREE DISH
Door Darshan (DD) Free Dish reaches to around 2 to 2.5 crore families, mostly in
rural areas and people from poor background. The DigiShala is an education and non-
commercial TV channel on DD Free Dish with aim to:
• Impart education related to the digital payment ecosystem, its tools, benefits and
processes
• Inform and educate citizens about Digital India - cashless, faceless and paperless
• Encourage citizens especially in rural and semi urban areas to use digital payments as
well as other products and services offered by Digital India
DigiShala Subscription Details
• Free to Air (FTA) Channel with receiving frequency: 11590 MHz
• Satellite/Location: GSAT 15 (DD Direct DTH), 93.5 degree East
• Broadcasted nationally on DD Free Dish DTH service

117
K.C SHEKAR., BANKING THEORY AND PRACTICE, 45, (20th Edition, 2007).
118
Ibid
119
JOGA ROA, COMPUTER CONTRACTS AND INFORMATION TECHNOLOGY LAW, 123,
(2ND Edition, 2005).
111 | New Technology Laws With Special Reference To Cyber Laws
 • affordable service without any subscription fees
DigiShala TV Channel is also available on channel no 2032 on Dish TV (of Zee
Group)
DigiShala Programme Portolio
Range of educational programmes on Digital India in multiple regional languages
Sessions with focus on:
• Step by step demos of making digital payments using UPI, USSD, Aadhaar, e-
Wallets, cards etc
• Talk shows and panel discussions with experts
• Case studies on business transformation using digital payments
• Information about products and services under the Digital India programme
SCHEMES BY GOVERNMENT
Digital Finance for Rural India: Creating Awareness and Access through Common
Service Centres (CSCs)
Ministry of Electronics and IT (MeitY) has launched a new scheme entitled “Digital Finance
for Rural India: Creating Awareness and Access through Common Service Centres (CSCs)”
under Digital Saksharta Abhiyan (DISHA) with objectives to enable the CSCs to become
Digital Financial Hubs, by hosting awareness sessions on government policies and digital
finance options available for rural citizens as well as enabling various mechanism of digital
financial services such as IMPS, UPI, Bank PoS machines etc. with an outlay of ₹ 65.625
crore.
2 lakhs Common Service Centres (CSCs) to provide capacity building, awareness access for
digital payments methods to around1 crore rural citizensand 25 lakhs merchants across India.
Each CSC would reach out to 40 households in the catchment area, covering one person from
each household. Apart from rural citizens, each CSC would also target 10 Merchants per
Panchayat to facilitate them in getting POS machines or digital payment mechanism.
VITTIYA SAKSHARTA ABHIYAN (VISAKA)
Ministry of Human Resource Development (MHRD) views the institutions of higher
education in the country, faculty members and students to take the lead and act as engines of
this transformational shift.The purpose of the `Vittiya Saksharta Abhiyan’ is to actively
engage the youth/ students of Higher Education Institutions to encourage and motivate all
payers and payees to use a digitally enabled cashless economic system for transfer of funds.
The best way of leadership is to lead by example. All heads of higher educational institutions
should plan for a cashless campus, within a limited timeframe, for all transactions within the
campus. Various options of digital transactions are presented here. To begin with, the faculty,
staff and students, whom we refer to as engines of change, need to dispel the commonly held
belief that digital transactions are complex and necessarily require a smart phone and internet
connectivity. They need to further educate their family members and people in their
112 | New Technology Laws With Special Reference To Cyber Laws
immediate surroundings and motivate them for digital transactions. NCC/NSS volunteers of
an institute may take up a major market and interact with shop owners, including vendors, and
their associations with an objective of developing a cashless market focusing on each point of
sale120.
PROMOTING DIGITAL PAYMENTS WITHIN GOVERNMENT
Ministry of Electronics and Information Technology (MeitY), Government of India envisages
Paperless, Cashless and Faceless services across the country, especially in rural and remote
parts of India. MeitY further envisages common e-Governance infrastructure that will offer
end-to-end transactional experience for a citizen, businesses as well as internal government
functions, which includes accessing various services and making payments and receipts
through electronic modes. The Apex Committee on Digital India has recommended a targeted
and time bound approach to implement digital payments for citizens across all the e-Services
of Government Ministries and Departments. Against this backdrop, MeitY has notified
Guideline for Electronic Payments and Receipts (EPR), intended for Central Public Sector
Undertakings, State Governments, Govt. of India Autonomous Bodies, and Municipalities for
expeditiously implementing appropriate mechanism to enable electronic payments and
receipts. The objective of this guideline is to provide guidelines for Departments to:
• Assess various services involving payments and receipts by types of services and level
of electronic payment enablement
• Provide actionable instructions for universal adoption of electronic payment modes
for each type of service through various payment channels
• Provide guidelines on engagement with various payment service providers
The Guidelines for Electronic Payments and Receipts (EPR) will be implemented through
assessment of the department’s overall status of services offered and maintain a repository of
services offered by departments. This repository will be used for measuring and tracking of
adoption level electronic payments across departments in India. Furthermore, information of
departments requiring payments integration will be shared with Government and private sector
Payment Systems providers (PSPs) for enablement of Electronic modes and channels of
payments121.

LUCKY GRAHAK YOJANA AND DIGI-धन VYAPAR YOJANA

NITI Aayog announces the launch of the schemes Lucky Grahak Yojana and the Digi-
धन Vyapar Yojana to give cash awards to consumers and merchants who utilize digital
payment instruments for personal consumption expenditures. The primary aim of these
schemes is to incentivize digital transactions so that electronic payments are adopted by
all sections of the society, especially the poor and the middle class.

120
http://cashlessindia.gov.in/NITIAayog_step-by-
step%20presentation%20on%20digital%20payments_English.pdf
121
http://cashlessindia.gov.in/promoting_digital_payments.html
113 | New Technology Laws With Special Reference To Cyber Laws
The scheme will become operational with the first draw on 25 th December, 2016 (as a
Christmas gift to the nation) leading up to a Mega Draw on Babasaheb Ambedkar
Jayanti on 14th April 2017. It will comprise of two major components, one for the Consumers
and the other for the Merchants:
• Lucky Grahak Yojana [Consumers]:
• Daily reward of Rs 1000 to be given to 15,000 lucky Consumers for a period
of 100 days;
• Weekly prizes worth Rs 1 lakh, Rs 10,000 and Rs. 5000 for Consumers who
use the alternate modes of digital Payments
This will include all forms of transactions viz. UPI, USSD, AEPS and RuPay
Cards but will for the time being exclude transactions through Private Credit
Cards and Digital Wallets.

• Digi-धन Vyapar Yojana[ Merchants]:

• Prizes for Merchants for all digital transactions conducted at Merchant

establishments
• Weekly prizes worth Rs. 50,000, Rs 5,000 and Rs. 2,500
• Mega Draw on 14th of April – Ambedkar Jayanti
• 3 Mega Prizes for consumers worth Rs 1 cr, 50 lakh, 25 lakh for digital
transactions between 8thNovember, 2016 to 13th April, 2017 to be announced
on 14th April, 2017
• 3 Mega Prizes for merchants worth Rs 50 lakhs, 25 lakh, 12 lakh for digital
transactions between 8th November, 2016 to 13th April, 2017 to be
announced on 14th April, 2017
To ensure that the focus of the scheme is on small transactions (entered into by common
people), incentives shall be restricted to transactions within the range of Rs 50 and Rs 3000.
All transactions between consumers and merchants; consumers and government agencies and
all AEPS transactions will be considered for the incentive scheme. 122
Bharat Interface for Money (BHIM)
Bharat Interface for Money (BHIM) provides fast, secure, reliable medium to make digital
payments through your mobile phone using UPI (Unified Payment Interface) platform via
Mobile App and USSD (Unstructured Supplementary Service Data) platform via *99# service.
BHIM was launched by Hon’ble Prime Minister on 30th Dec 2016 and within 10 days, the
BHIM app had 1 crore downloads from Andriod Play Store and over 2 million transactions
across the UPI (Unified Payment Interface) and USSD (Unstructured Supplementary Service
Data) platforms. BHIM is interoperable with other Unified Payment Interface (UPI)
applications, and bank accounts. BHIM is developed by the National Payment Corporation of

122
http://cashlessindia.gov.in/lucky-grahak-yojana-and-digi-dhan-vyapar-yojana.html
114 | New Technology Laws With Special Reference To Cyber Laws
India (NPCI), a not-for-profit company for providing retail payment systems in the country
under guidance from Reserve Bank of India.
BHIM has been designed for quick and secure user on-boarding, sports a best-in-class and
intuitive user interface and makes digital transactions seamless. BHIM has been a huge boon
for merchants who can now accept payments directly into their bank accounts. All users,
including merchants, get a ready to use VPA (virtual payment address) and an exclusive,
ready-to-print QR code upon sign-up123.
E-banking services have revolutionized the way we manage our finances. With the
convenience of being able to access banking services from anywhere with an internet
connection, e-banking has become a popular choice for many individuals and businesses.
The benefits of e banking services are numerous, including the ability to access your account
24/7, lower fees, higher interest rates, and the ability to easily track your spending.
Additionally, many e-banking services now offer advanced features such as budgeting tools
and investment advice, allowing individuals to take control of their finances and make
informed financial decisions.
The evolution of technology has played a major role in the development of e-banking services,
with advancements such as mobile banking, social banking, and digital wallets. The use of
artificial intelligence and machine learning has also helped to improve the customer
experience, personalize banking services and detect fraudulent activities.
There are several types of e banking services available, each offering different features and
benefits. Some common types of e-banking services include online banking, mobile banking,
social banking, and digital wallets.
In summary, e-banking services offer numerous benefits, from convenience to advanced
features and technology. It is important for individuals and businesses to understand the
different types of e-banking services available to them and choose the one that best suits their
needs.
With the continued advancement of technology, we can expect e-banking services to continue
to evolve and revolutionize the way we manage our finances.

123
http://cashlessindia.gov.in/bhim.html
115 | New Technology Laws With Special Reference To Cyber Laws
 CHAPTER 6

ONLINE SECURITIES OFFERINGS

Since the advent of Bitcoin in 2009, the profile of blockchain – a combination of distributed
ledger technology (DLT) with a variety of block-based encryption technologies – has soared.
While there has been a great deal of volatility and speculation in certain virtual assets and
other blockchain-related financing, including a high profile peak in 2018, there is now wide
consensus regarding the value of blockchain and other forms of DLT in finance. While
Facebook’s announcement of Libra was probably the highest profile example, the most
important examples going forward are likely to come as blockchain plays an increasing role in
financial infrastructure such as securities settlement, in monetary and payments systems
through central bank digital currencies, and in the context of liquidity and access to financing
through tokenization, in particular security token offerings. Going forward, the real value of
the underlying technologies of Bitcoin and cryptocurrencies comes in the form of its role in
security, in transparency, in permanence, each of which is essential to financial markets
efficiency, trust and confidence, as well as safety and soundness.
Security Token Offerings (STOs) combine the technology of blockchain with the requirements
of regulated securities markets to support liquidity of assets and wider availability of finance.
STOs are typically the issuance of digital tokens in a blockchain environment in the form of
regulated securities. The blockchain environment enhances securities regulatory objectives of
disclosure, fairness and market integrity and supports innovation and efficiency through
automation and “smart contracts”. In terms of the token aspect, an STO is essentially the
digital representations of ownership of assets (e.g. gold, real estate) or economic rights (e.g. a
share of profits or revenue).
Blockchain technology is at the forefront of the fourth industrial revolution holding the
potential of reshaping and developing industries and sectors at a pace which would have been
unimaginable a few decades ago and the Indian securities market is no exception to this. Out
of the insurmountable use cases of blockchain technology in the securities market, the raising
of capital using security token offerings (STO) for companies is also a use case that can help
in rediscovering the method of financing for listed companies in the Securities and Exchange
Board of India (SEBI) regulated markets. Considering that SEBI already has a Distributed
Ledger Technology (DLT) framework in place, this article aims to analyse the interplay
between STOs with the Indian securities law as well as identify challenges and tackle such
challenges for the creation of a robust legal framework for STOs in India.

116 | New Technology Laws With Special Reference To Cyber Laws

Understanding Security Token Offerings and their Interplay with Securities Law in
India
A security token offering as its name suggests, is an offering of security tokens by issuer
companies through a Distributed Ledger Technology (DLT) (commonly referred to as
blockchain). The offering is made through the issuance of digital tokens known as security
tokens. The distinctive factor of STOs from the traditional initial public offer process is that
the entire process of issuance including pricing, subscription, allocation and the like can
be undertaken on the blockchain itself. Unlike initial coin offerings which have posed
significant threats across jurisdictions including India, STOs are better suited to the current
framework of securities legislation and can be regulated efficiently. Security tokens can be
classified into two types. Securities- based tokens have equity and debt securities as their
underlying. Assets- based tokens have assets such as real estate, infrastructure, oil, minerals,
gold, silver, precious metals or agricultural produce as its underlying asset.
Some of the benefits of security tokens are that it can grant liquidity to illiquid assets, assign
blockchain powered immutability, assign divisibility to a high value asset or security, ensure
immediate settlement of security tokens and funds, increase automated executions and
automated compliances powered by smart contracts. There are several steps to the process of
STOs which includes; firstly, preparation of investor- decks containing information of the
offer and requisite regulatory disclosures; secondly, adequately designing of the security token
offer as per regulatory requirements; thirdly, select the blockchain platform where the security
token offer will be made along with appointment of other financial intermediaries; fourthly,
issue the security token permitting investors to subscribe to such security tokens and
undertake corollary allocation of security tokens to the investors; and fifthly, undertake listing
of such security tokens in the respective exchanges.
Security tokens satisfy the Howey Test which was laid down by the Supreme Court of the
United States of America in S.E.C. v. Howey, (1946) 328 U.S. 293 and the Howey Test has
also been accepted under Indian law by the Allahabad High Court in Paramount Bio- Tech
Industries Ltd. v. Union of India, (2004) All L.J. 2552 for the purposes of determining
whether a particular transaction could be treated as an investment contract and resultantly, a
security. The Howey Test asserts that a transaction must; firstly be, an investment of money or
asset; secondly, there must be a profit expectation from such investment; thirdly, the
investment must be a pooled investment as a common enterprise of the investors; and fourthly,
the profit must be generated from the efforts of a promoter or a third party beyond the
investor’s control. However, it is also noteworthy that the mere recognition on the basis of the
Howey Test would not be sufficient and the definition of security under the Securities
Contracts (Regulation) Act, 1956 must also include such security tokens. Section 2(h) of the
Securities Contracts (Regulation) Act, 1956 includes shares, stocks, bonds, scrips, debentures,
similar marketable securities, derivatives, collective investment scheme units, security
receipts, mutual fund units, Government securities, rights or interests in securities as well as
instruments notified as securities by the Central Government. The definition of ‘security’
under the Securities Contracts (Regulation) Act, 1956 is an inclusive definition and a security
token possesses the characteristics of a derivative since its price is determined by the
underlying real- world securities/assets. Further, it possesses the characteristics of an
117 | New Technology Laws With Special Reference To Cyber Laws
instrument which creates rights as well as interests in real- world securities/assets. It also
possesses characteristics of a collective investment units when the underlying assets are sold
in the form of security tokens after division of such assets into security tokens. But beyond the
mere substantive recognition under the definition of securities, the absence of a procedural
mechanism and operational provisions regulating security tokens would result in the
substantive recognition to be otiose.
India has not enacted any special legislation for the regulation of virtual currencies
(“VCs”). However, it has contemporised various statutes like the Companies Act, 2013,
necessitating the reporting of virtual digital assets (“VDAs”) in an effort to reflect the
emerging dynamics of the financial landscape. It has also broadened the scope of the
Prevention of Money Laundering Act, 2002 (“PMLA”) by incorporating transactions related
to VDAs, including various exchanges, transfers, and administrative measures associated with
VDAs, as well as covering participation in, and the provision of, financial services linked to
an issuer’s offering and sale of a VDA. Alongside this, India’s income tax laws have
undergone significant modifications to include the taxation of VDAs, thereby recognising the
fiscal implications of the burgeoning VC market.
In India, VDAs have gained substantial recognition on the legal front, further legitimising the
industry. Enforcement actions under existing tax laws have been initiated, and anti-money
laundering (“AML”) laws have been expanded to encompass the burgeoning Web3/VDA
industry. The concerted effort of financial and regulatory authorities worldwide mirrors the
evolving significance and acceptance of the VDA industry.
In contrast, the stance of the government towards VDAs, which was to become clearer once
the proposed bill titled The Cryptocurrency and Regulation of Official Digital Currency Bill,
2021 became available to the public, is still awaited. Public statements made by high-ranking
government officials indicate the replacement of a domestic-facing law regulating VDAs in
favour of a globally aligned, internationally synchronised one. India, as the G20 president, is
leading the global crypto regulation discussions with the International Monetary Fund and
other stakeholders, while addressing different views from emerging and developed
economies. In this regard, the Indian government has released a note entitled the Presidency
Note as an input for a Roadmap on Establishing a Global Framework for Crypto Assets for
consideration of the G20 members.
To understand the current attitude of the Indian government, we must look at all the
contemporaneous actions taken by it through its various ministries, departments, and
representatives.
The National Strategy on Blockchain
n December 2021, an updated version of the National Strategy on Blockchain was
released.This strategy advocates the development of a national blockchain infrastructure,
geographically distributed throughout the country, in an attempt to create infrastructure for
providing “blockchain as a service”.

118 | New Technology Laws With Special Reference To Cyber Laws

RBI on macro-financial risks
On 28th June 2023, the Reserve Bank of India (“RBI”), in a chapter of its report titled Chapter
III: Regulatory Initiatives in the Financial Sector addressed the risks associated with
VDAs. These include: consumer protection; investor safety; market integrity; financial
stability; and challenges specific to Emerging Markets and Developing Economies
(“EMDEs”), such as monetary sovereignty and “cryptoisation”. To tackle these risks, three
main policy approaches have been proposed: (i) prohibition; (ii) containment; and (iii)
regulation. RBI noted that a globally coordinated effort would be necessary to evaluate these
risks, especially the macroeconomic challenges like loss of monetary control and local
currency volatility that disproportionately affect EMDEs compared to advanced
economies. As part of India’s G20 presidency, a key objective seems to be to establish a
global regulatory framework for unbacked cryptoassets, stablecoins, and Decentralised
Finance (“DeFi”).
CERT Guidelines
On 28th April 2022, the Indian Computer Emergency Response Team (“CERT-In”), operating
under the Ministry of Electronics and Information Technology (“MeitY”), issued Directions
under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to
information security practices, procedure, prevention, response and reporting of cyber
incidents for Safe & Trusted Internet. These Directions were issued to augment and
strengthen cybersecurity in India, requiring service providers, intermediaries, data centres,
bodies corporate and government organisations to mandatorily report all cybersecurity
incidents to CERT-In. The Directions directly impact the blockchain, VDA and Web3
industry, as all “attacks or malicious/suspicious activities affecting systems/ servers/ networks/
software/ applications related to … Blockchain, virtual assets, virtual asset exchanges,
custodian wallets … ” have to be mandatorily reported within six hours of knowledge of such
incident. Further, all virtual asset service providers, virtual asset exchange providers and
custodian wallet providers are required to mandatorily maintain all information obtained as
part of Know-Your-Customer (“KYC”) procedures and records of financial transactions for a
period of five years.
Central Bank Digital Currency (“CBDC”)
RBI has been a consistent proponent of creating India’s CBDC called the e-Rupee, a vision
now realised with the successful initiation of the Rupee CBDC pilot. This endeavour is
bolstered by an enabling legal framework, achieved through amendments to the Reserve Bank
of India Act, 1934. It has broadened the definition of “bank note” to encompass bank notes
issued by RBI in both physical and digital forms, paving the way for RBI to issue its own
CBDC.
Currently, 10 banks are participating in the wholesale CBDC pilot, and 13 banks are part of
the retail pilot. Both of these initiatives have demonstrated promising results, allowing for the
testing of various technical architectures, design choices, and use cases. As of 30th June 2023,
the retail pilot had exceeded 1 million users and more than 262,000 merchants, underscoring
the potential of this digital form of currency to spur innovation and efficiency.

119 | New Technology Laws With Special Reference To Cyber Laws

Prevention of money laundering
The purpose of the PMLA and the Prevention of Money-laundering (Maintenance of Records)
Rules, 2005 (“Rules”) is to prevent money laundering activities, provide for confiscation of
property derived from money laundering, and bring the persons involved in money laundering
to justice.
The Ministry of Finance, through a notification dated 7th March 2023 (“PMLA
Notification”), brought every entity involved in the transaction of VDAs (including
exchanges, custodians and wallet providers) under the purview of the PMLA and Rules. This
gives authorities greater power to monitor and reconstruct encrypted transactions, including
transfers outside of India. Such entities have also been brought under the purview of the
reporting requirements under the PMLA and Rules, which are discussed in the reporting
section below.
Notably, the PMLA only extends to the territory of India, hence it may be presumed that
foreign cryptocurrency exchanges offering their services in India would not fall within the
purview of the PMLA Notification.
Taxation
The most significant development for the blockchain, Web3 and VDA industry was the
amendment of the Income Tax Act, 1961 (“IT Act”), which introduced an income taxation
regime for “VDAs”, a term defined by the said regulation.
Broadly, these amendments introduced: (a) the definition of the phrase “Virtual Digital
Asset”, which includes non-fungible tokens (“NFTs”), while excluding closed-system
instruments like gift cards or vouchers, mileage points, reward points or loyalty cards, and
subscriptions to websites, platforms or applications; (b) a 30% tax on income from the transfer
of a VDA; (c) a withholding tax on the transfer of VDAs from one entity to another; (d)
treatment of VDAs that are received as gifts; (e) guidelines for VDA Exchanges
(“Exchanges”) on how to effect the amendments to the IT Act; and (f) guidelines for peer-to-
peer (“P2P”) transactions.
For more details on the implications of the amendments to the IT Act, please see the
“Taxation” section below.
Digital lending
RBI, through its Working Group on Digital Lending including Lending through Online
Platforms and Mobile Apps, in recommendations titled Recommendations of the Working
group on Digital Lending – Implementation, raised concern regarding the operation of
unregulated entities carrying out the activity of digital lending, and called for specific
legislative and institutional interventions to be enacted by the government to curb lending
activity being carried out by unregulated entities.

120 | New Technology Laws With Special Reference To Cyber Laws

Legal Challenges
There are multi- faceted legal challenges in respect to security tokens under the Indian
securities law. The first challenge pertains to determining the nature of the security token.
Although a security token can possess characteristics of several securities, the inherent
characteristics of the security token make it more likely to be attributable to derivatives.
However, Section 18A of the Securities Contracts (Regulation) Act, 1956 specifically requires
derivative contracts to be traded in a recognised stock exchange as well as be settled on the
clearing houses of such recognised stock exchanges as per its rules and bye- laws. This leads
to the second challenge pertaining to the non- tradability of security tokens on recognised
stock exchanges since security tokens have to be traded on exchanges that are powered by
blockchain, in the absence of which it risks the loss of its essential characteristics.
Furthermore, the third challenge which emanates from a security token being treated as a
derivative is that its settlement takes place instantaneously on the blockchain as per the
automated self- executing parameters of the smart contract as opposed to the requirement of
settlement by the clearing house of recognised stock exchanges as per its rules and bye- laws.
Needless to say, the rules and bye- laws of all recognised stock exchanges in India do not have
the requisite rules for governing the settlement of security tokens.
The third legal challenge faced in context with security tokens is that there are specific
intermediaries involved in STOs beyond the regular securities market intermediaries that aid
the effective execution on the blockchain. These include the blockchain platform hosting the
security tokens offering, blockchain miners and smart contract developers.
The fourth legal challenge pertains to the ineffectiveness of blockchain dispute resolution
mechanisms such as blockchain arbitrations to resolve disputes arising out of smart contracts
as such mechanisms undermine the principles of natural justice and the rule of law by not
affording a fair and reasonable opportunity of being heard since blockchain arbitrations are
based upon the voting system of jurors in the blockchain.
The fifth legal challenge is the absence of compliance and regulatory requirements pertaining
to issue of offer documents, disclosures pertaining to the issuer company, rights and
obligations of the issuer company as well as the investors, KYC verification requirements and
the like.
Impending contemporaneous legislation
Presently, the government is in the process of taking steps towards overhauling the entire legal
architecture regulating the internet, big data, cybersecurity, telecommunication and data
protection, and is accordingly introducing a fresh set of frameworks, policies and
statutes. The overhaul of these laws and regulations, when complete, is likely to foster a
positive environment for digital-first businesses in India. Such foundational laws in the
pipeline today are as follows:
a. Draft National Data Governance Framework Policy ] – This draft policy was
published by the MeitY in May 2022, replacing the previous India Data Accessibility
and Use Policy. The draft policy is intended to set up a framework for modernising
how the government collects and handles data. This will ultimately lead to the

121 | New Technology Laws With Special Reference To Cyber Laws

 creation of repositories of anonymised, non-private data sets, which would be useful
for India’s AI and blockchain ecosystem.
b. Draft National Cyber Security Strategy – This policy has been drafted by the
National Security Council Secretariat with a view to comprehensively addressing all
current and future national cybersecurity issues.
c. Data Protection Act – After the withdrawal of the Data Protection Bill, 2019, the
government indicated that said Bill was being reworked comprehensively and was
tabled before parliament in August 2023. It was then reintroduced as the Digital
Personal Data Protection Act, 2023, which has been swiftly enacted by the Indian
government.
d. Proposed Digital India Act – As part of the larger overhaul and streamlining of the
legal architecture applicable to the information technology industry as a whole, the
Digital India Act has been proposed to harmonise existing laws, regulate emerging
technologies such as AI, and incorporate industry input on blockchain and Web 3.0
regulations to protect digital citizens.
These impending pieces of legislation would need be kept in mind by any Web3, blockchain
or cryptocurrency business when operating in India.
Law surrounding Exchanges
Exchanges are the gateway for most retail VDA investors, creators, and enthusiasts to interact
with the global VDA markets and ecosystem. They act as vital on- and off-ramps and, as
such, tend to interact with a large number of entities, regulators, and businesses. Some key
developments in law and enforcement that have impacted how Exchanges conduct business
are as follows:
a. the term “Exchange” is now defined as “…any person that operates an application or
platform for transferring of VDAs, which matches buy and sell trades and executes
the same on its application or platform”, as per a circular issued by the Central Board
of Direct Taxes (“CBDT”);
b. the new tax regime for VDAs places certain obligations on Exchanges, which will
now need to comply with a number of taxation provisions as specified in the IT Act,
government notifications and CBDT circulars. The taxation regime pertaining to
Exchanges is discussed elaborately in the “Taxation” section of this chapter; and
c. over the past year, some Exchanges have been investigated for allegedly assisting
foreign firms in laundering their money via private cryptocurrencies. The cross-
border transactions, taking place through Exchanges, are being heavily scrutinised by
authorities such as the ED.
Potential Way Forward
As the substratum of STOs is the blockchain technology, it is necessary that a regulatory
sandbox framework is introduced for testing the integration of the current Indian securities
market framework with blockchain technology and for the purposes of testing the offer and

122 | New Technology Laws With Special Reference To Cyber Laws

listing process of security tokens. In the past, SEBI has introduced fintech regulatory
sandboxes and several cohorts of successful testing of new technologies had taken place under
the sandbox framework. Implementing a regulatory sandbox framework for STOs and
blockchain technology will enable SEBI, issuer companies and securities market
intermediaries to identify the operational advantages and difficulties, enabling a robust
regulatory framework for STOs. Another necessary step is issuance of clarifications on the
nature of security tokens as derivatives alongwith substantive, operational and procedural
provisions for on- chain listing, clearing and settlement. For this to occur, simultaneous
inclusion in the rules and bye- laws of clearing corporations as well as stock exchanges will
have to be made to accommodate such parallel listing and clearing processes to occur under
off- chain and on- chain. So far, SEBI has introduced the DLT framework for monitoring and
recording of charge for non- convertible securities and it has showcased the immense potential
generated through its adoption. In addition to the regular compliance and disclosure
requirements pertaining to offer documents, rights and obligations, KYC verification and the
like, it is necessary that blockchain intermediaries involved in the STO process must also be
regulated which include the blockchain platform hosting the STO, smart contract developer
and blockchain miners.
Another key aspect is the dispute resolution mechanism. The blockchain arbitration
mechanism suffers from several infirmities making it unsuitable for dispute resolution in most
jurisdictions because the opportunity to present grievances and evidence is minimal for the
disputants. No opportunity exists for the disputants to address their counter- claims and the
interaction between the disputants and the jurors is unreasonably limited. The process of juror
selection is linked to the amount of deposit which can be made by such juror to the blockchain
platform, risking the lack of independence and resultantly, biased decisions. Furthermore, the
decision is made by juror voting which may not always comprise of subject- matter experts,
often compromising the quality of decision- making. Seen from the Indian perspective, the
blockchain arbitration mechanism is not only violative of principles of natural justice but also
significantly undermines the rule of law. Therefore, the current structure of the grievance
redressal mechanism of SEBI which is known as SEBI Complaints Redress System
(SCORES) as well as stock exchange arbitrations for dispute resolution can be integrated to
the blockchain with the help of ‘blockchain oracles’ that permit inbound and outbound flow of
information from and to the blockchain. Needless to say, a tender may have to be issued by
SEBI in order to create a panel of entities that can provide such blockchain oracle service to
SEBI for streamlining and integrating its dispute resolution method with the blockchain.
SEBI’s Regulatory Framework for Online Bond Trading Platform
On 21 July, 2022, the Securities and Exchange Board of India (“SEBI”) issued a consultation
paper (“Consultation Paper”) proposing a regulatory framework to govern online bond
trading platforms (“Bond Platforms”). This comes at a time when India has witnessed a
transformation in the number of retail investors participating in the bond market. The financial
years 2020 and 2021 saw an addition of approximately sixty million retail investors within the
economy. According to SEBI, the surge is primarily linked to the ease with which retail
investors can now subscribe to securities through the platform markets. The Bond Platform
marketplace has been recently developed to provide retail investors opportunities to invest in
123 | New Technology Laws With Special Reference To Cyber Laws
listed and/or unlisted debt securities of companies bearing fixed rates of return within fixed
time periods (“Bonds“) without approaching a broker and engaging in what may seem an
arduous process of registration or subscription.
At present, under the Companies Act, 2013, bonds are primarily issued through a public
issuance or on a private placement basis. Public issues are made through the online
mechanism of the relevant stock exchange and depository. Privately placed dematerialized
issuances are mandatorily made through the Electronic Book Provider Platform (“EBP
Platform”) of either the National Stock Exchange or the Bombay Stock Exchange, if (a) the
issuer is in existence for three years or more and where the issue size is of Rs.100 crore or
more; and (b) the issuer is in existence for less than three years, irrespective of the issue size.
Furthermore, under the SEBI (Issue and Listing of Non-Convertible Securities) Regulations,
2021, only Qualified Institutional Buyers (“QIBs”) and Non-QIBs, including arrangers who
the relevant issuer has authorized, are permitted to invest in debt securities issued on the EBP
Platform. In contrast, Bond Platforms provide an avenue for most issuers, irrespective of their
period of incorporation and issue size, to offer retail investors the opportunity to subscribe to
debt securities issued by them. SEBI notes that the ease of the process of investment in bonds
through such platforms led to an increase in the participation in the bond market from several
non-institutional investors. However, these Bond Platforms are currently unregulated; hence,
the Consultation Paper makes a case for its regulation.
In light of the same, this post seeks to analyze the Consultation Paper and the proposed
regulatory framework of the SEBI.
Recommendations and Analysis
The primary rationale behind SEBI’s proposal for the regulation of online bond platforms
is inter alia four-fold: (a) absence of standard requirements on know your client Know Your
Customer (“KYC”) norms; (b) ambiguity in redressing investor grievances; (c) conflict of
interest, product offerings, information availability and possible mis-selling of issuers; and (d)
concerns regarding deemed public issuances.
SEBI states that while these Bond Platforms operate similarly to organized avenues for
trading, which bring together buyers (particularly non-institutional investors) and sellers
(which most often are the platform providers themselves), they do not come under any
regulatory purview. However, the applicability of existing regulations such as the SEBI
(Merchant Banker) Regulations, 1992 (“Merchant Banker Regulations”), SEBI (Investment
Advisers) Regulations, 2013 (“Investment Advisers Regulations”), and the SEBI (Research
Analysts) Regulations, 2014 (“Research Analysts Regulations”) are not discussed in the
Consultation Paper. This becomes important to note, as these regulations also mandate that the
service provider would have to obtain registration; depending on the applicability of the
regulations based on the services provided, it is possible that the services provided by the
Bond Platforms could also be brought under the purview of these regulations.
SEBI has proposed alternatives to the current scenario in the Consultation Paper, one of them
being that it would be mandatory for Bond Platforms to register themselves as stock-brokers
with SEBI under the SEBI (Stock Broker) Regulations, 1992 (“Stock Broker Regulations”)

124 | New Technology Laws With Special Reference To Cyber Laws

or is run by SEBI registered brokers (debt segment). The rationale is based on the view that
these Bond Platforms primarily act as facilitators, as they are used to facilitate transactions by
investors registered on their websites. Further, by ensuring that SEBI regulates these Bond
Platforms, the non-institutional investor confidence would be enhanced. By mandating that
these Bond Platforms are registered are stock-brokers, and thereby having the transactions
routed through the trading platform of the exchanges, among other benefits, it provides (i) an
exit opportunity for investors, (ii) a risk management and surveillance mechanism, and (iii)
investors with a well-defined framework for addressing their grievances. These streamlined
processes, which would be implemented as a result of the registration, are particularly
important for investors, as they would prevent the ambiguity arising from a multitude of Bond
Platforms having their own policies and grievance mechanisms in place. Further, the net worth
and deposit requirements prescribed for stock-brokers would ensure that the Bond Platforms
are stable and would provide for the implementation of standard KYC requirements for
registering investors and issuers on the Bond Platforms.
However, proposing such an alternative without simultaneously amending other existing
regulations which may apply to Bond Platforms may lead to issues in the interpretation and
applicability of the law. By ascertaining that the Bond Platform would require to be registered
as stock-brokers, one of the possible implications is that regulations such as the merchant
Banker Regulations, Investment Advisers Regulations, and the Research Analyst Regulations
(depending on the services provided by the relevant Bond Platform) are not applicable to
them. This could lead to a scenario whereby, although the Bond Platforms engage in a
multitude of services, they would still not come under the relevant regulatory purview, as their
registration as a stock-broker would be considered compliance with the law. Such a scenario
would then frustrate the purpose of proposing this alternative framework.
SEBI further proposes that only listed debt would be eligible to be subscribed through a Bond
Platform. This is a welcome recommendation as it resolves the conundrum of deemed public
issuances. Currently, under the Companies Act, a private placement of Bonds can only be
made to two hundred prospective allottees. A breach of this threshold would make the private
placement a deemed public issuance (“DPI”), thereby triggering other provisions within the
Companies Act and rules thereunder that govern DPIs. SEBI noted that by virtue of offering
unlisted Bonds issued on a private placement basis for investment on the Bond Platforms, it
automatically resulted in a DPI as several Bonds were down sold to more than two hundred
investors, thereby violating norms of a DPI. In order to mitigate the risk of a DPI, especially in
cases where Bonds are sold to more than two hundred investors, SEBI recommends that Bond
Platforms must offer only listed debt securities for purchase/sale to their registered users. This
recommendation not only curtails the possible contravention of the Act but also ensures that
issuers mandatorily comply with the pre-requisites of a public issue of securities, thereby
eliminating the risk of an ex-post contravention of the Act. Be that as it may, several
commentators believe that the ban on unlisted debt securities could stifle the market’s growth
as trades would need to be settled via routes that today are not commonly used.

125 | New Technology Laws With Special Reference To Cyber Laws

Over-The-Counter Exchange of India (OTCEI)
The Over-The-Counter Exchange of India (OTCEI) is an electronic stock exchange based in
India that consists of small- and medium-sized firms aiming to gain access to overseas capital
markets, including electronic exchanges in the U.S. such as the NASDAQ. There is no
central place of exchange, and all trading occurs through electronic networks.
The OTCEI is based in Mumbai, India, and operates solely over a computer network. The
exchange is recognized by India's Securities Contract Regulation Act, meaning
all listed stocks on the OTCEI benefit equally as other listed securities on other exchanges in
India.
The exchange was established in 1990 to provide investors and companies with an additional
way to trade and issue securities. It arose primarily from small companies in India finding it
difficult to raise capital through mainstream national stock exchanges because they could not
fulfill the stringent requirements to be listed on them.
The OTCEI has rules that are not as rigid as the national exchanges, allowing small
companies to gain access to the capital they need to grow. The objective is that once they
grow to a certain level and are able to meet the requirements to be listed on the national stock
exchanges, they will make the switch over and leave the OTCEI behind.
Thanks to advances in technology that have yielded improvements in electronic trading
platforms, the differences between traditional exchanges and over-the-counter (OTC)
networks are no longer vast, greatly benefiting the small- and medium-sized companies.
Features
The OTCEI has some special features that make it a unique exchange in India as well as a
growth catalyst for small- to medium-sized companies. The following are some of its unique
features:
• Stock Restrictions: Stocks that are listed on other exchanges will not be listed on the
OTCEI and, conversely, stocks listed on the OTCEI will not be listed on other
exchanges.
• Minimum Capital Requirements: The requirement for the minimum
issued equity capital is 30 lakh rupees, which is approximately $40,000.
• Large Company Restrictions: Companies with issued equity capital of more than
25 crore rupees ($3.3 million) are not allowed to be listed.
• Member Base Capital Requirement: Members must maintain a base capital of 4
lakh rupees ($5,277) to continue to be listed on the exchange.
Over-The-Counter Exchange of India (OTCEI) Listing Requirements
The OTCEI makes it easier for small- to mid-cap sized companies to be listed, although there
are still some requirements that companies must meet before being allowed to be listed.
Stipulations include acquiring sponsorship from members of the OTCEI and having
two market makers. In addition, once a company is listed, it cannot be delisted for at least

126 | New Technology Laws With Special Reference To Cyber Laws

three years, and a certain percentage of issued equity capital needs to be kept by promoters
for a minimum of three years. This percentage is 20%.
Over-The-Counter Exchange of India (OTCEI) Transactions
The transactions on the OTCEI revolve around the dealers. Dealers operate in a few
capacities, the two most important being as a broker and as a market maker. As a broker, the
dealer transacts on behalf of buyers and sellers. As a market maker, the dealer has to ensure
the availability of the shares for transaction purposes as well as to ensure that the price
remains reasonable through supply and demand levels.
In addition to the dealers, the OTCEI also has custodians. The custodian, or settler, is the
individual that performs the multitude of administrative tasks necessary for the proper
functioning of the OTCEI. These tasks include validating and storing documents as well as
facilitating daily clearing transactions.
Finally, the last group of players consists of the registrars and transfer agents, who are
responsible for making sure the correct transfer and allotment of shares take place.
The main laws and regulations governing the securities market in India are as follows:
Securities and Exchange Board of India (SEBI) Act: The SEBI Act is the primary legislation
that governs the securities market in India. It establishes SEBI as the primary regulator of the
securities market and provides it with the power to make rules and regulations for the
protection of investors and the orderly functioning of the securities market.

Securities Contract (Regulation) Act (SCRA):

The SCRA is a federal law that regulates the trading of securities in India. It provides for the
regulation of securities contracts, including the prohibition of insider trading and the
regulation of stock exchanges and brokers.
Companies Act:
The Companies Act governs the incorporation, operation, and management of companies in
India. It provides for the regulation of securities offerings by companies, including the
requirement for companies to disclose material information to investors and to file annual
reports with the MCA.
Depositories Act:
The Depositories Act provides for the establishment and regulation of depository participants,
who act as intermediaries between investors and the depository, and for the regulation of the
depository system in India. The depository system is designed to provide a secure and efficient
means of holding and trading securities in India.
Prevention of Money Laundering Act:
The Prevention of Money Laundering Act (PMLA) is a federal law that provides for the
regulation of money laundering and the financing of terrorism in India. The PMLA requires
entities engaged in securities transactions, including brokers and depository participants, to
comply with anti-money laundering regulations and to report suspicious transactions to the
127 | New Technology Laws With Special Reference To Cyber Laws
authorities.
In addition to these laws, SEBI has issued a number of regulations and guidelines that apply to
the securities market in India, including regulations on insider trading, market manipulation,
and disclosure of material information by companies.
The main regulatory bodies that oversee the securities market in India are SEBI, the MCA,
and the Ministry of Finance. SEBI is responsible for regulating the securities market,
including the issuance of securities by companies and the trading of securities on stock
exchanges. The MCA is responsible for the incorporation and regulation of companies in
India, including the issuance of securities by companies. The Ministry of Finance is
responsible for the overall regulation of the financial sector in India, including the securities
market.
Overall, regulating the security market is important for maintaining the integrity of the market,
protecting the interests of investors, promoting capital formation, and fostering competition.
The specific regulations and laws that apply to the security market vary from country to
country, but the underlying objectives of regulation are typically similar. To be an effective
player in the securities market in India, it is important to have a good understanding of these
laws and regulations and to comply with them.

128 | New Technology Laws With Special Reference To Cyber Laws

 CHAPTER 7

COMMERCE AND INTELLECTUAL

PROPERTY ISSUES

Introduction Intellectual Property Rights (IPR) have become an essential component in

generating and implementing ideas translated into knowledge and technology to promote
innovation and economic success. The goal of competition law 124 is to prohibit businesses
from abusing their market dominance by developing, increasing, or retaining it in ways that
stifle competition without providing economic advantages. 125 The efficient operation of the
marketplace necessitates the application of both intellectual property and competition law. IP
laws on one hand grant exclusive rights to the original work and help in getting remuneration
as well, and on the other hand, competition law ensures that businesses do not stifle
competition or abuse market power in anti-competitive ways.126 It is essential to highlight that
intellectual property impacts a company’s commercial growth. With the help of
commercialization, an IPR can get promoted and profit can be earned out of it. Unfair
competition in the intellectual property field is addressed in several multilateral agreement
transactions involving intellectual property. In India, laws govern trade restrictions, patents,
and competition. This study will help us understand the critical components of IPR
commercialization, how it is linked with competition, and critical business concerns.
What is IPR?
Intellectual Property (IP) refers to the creation of particular works which is tangible. 127 A few
examples of IP are symbols, names, images, literary work, artistic works, designs, and so
on. 128 Exclusive rights to the creation of the original work are granted under intellectual
property rights. The rights include prohibiting others from unauthorized use, reproduction, or
selling of such work; it also provides an opportunity to get remunerated out of such work by
legal means and grant license of that work. These rights can be either possessed by an
individual or a corporation.6 IPR has a significant impact on a country’s economic
development as it helps in promoting a good level of competition and encourages industrial

124
The Competition Act, 2002 (Act 12 of 2000)
125
S. Jain “Competition and Intellectual Property Rights: Interface and Interdependence in Indian
Context”, available at: http://dx.doi.org/10.2139/ssrn.3677720
126
L. Jajpura, B. Singh, et.al., “An Introduction to Intellectual Property Rights and their Importance in
Indian Context”, 22 Journal of Intellectual Property Rights 32 (2017)
127
Ibid
128
R.M.K. Alam and M.N. Newaz, “Intellectual Property Rights Commercialization: Impact on
Strategic Competition”, 8(3) Business and Management Review 22 (2016)
129 | New Technology Laws With Special Reference To Cyber Laws
and economic growth. There are several benefits of IPR when it comes to its nature. It is
tangible, which means it protects the ideas, creation, information, and many other similar
forms from getting used in an unauthorized manner and making it available to use
commercially, and getting remuneration out of such IP. In legal terminology, Intellectual
Property is an asset of the original creator which means it consists of property rights, which
can be used in any way by the creator, subjected to a specific condition.129 The creator has the
right to sue in case of unauthorized use under IPR. As the technology is growing at an
incredible pace, several alterations, and new terminologies are being added to broaden the
scope of IPR.
Two classification modes are used to determine the scope of IPR concerning copyright
property and industrial property. 130 Copyright property covers the original literary, dramatic,
musical, artistic works, cinematograph films, music and audio-visual works, whereas;
industrial property includes patents, trademarks, industrial designs, geographical indications,
etc. 131 IPR creates a balance between the interest of the public and the creator of work and
opens the door to opportunities is increasing, the market value of such work, making that idea
into an asset that can give remuneration in return, differentiation from one product to another
is done more easily through it. It is pertinent to note that different IPRs have different benefits
and qualities. The essence of IP in India is well established at all levels i.e Statutory,
Administrative and Judicial. India in its meeting with World Trade Organization had ratified
an agreement which is in relation to Trade Aspects of Intellectual Property Rights (TRIPS)
which was enforced on 1st January 1995. As per the agreement, there shall be minimum
standards for the protection and enforcement of intellectual property rights in member
countries which are required to promote the effective and adequate protection of intellectual
property rights with a view to reducing distortions and impediments to international trade. The
main pillars of Intellectual Property law are copyrights, patents and trademarks and these three
pillars are governed and described fully under the respective statutes which are Indian
Copyrights Act 1957, The Patents Act 1970 and The Trademarks Act 1999.
The types of IPR are mentioned below:
Copyright
These are the rights given to creators for their works in the artistic and literary fields. As stated
earlier, IPR can be owned by an organization and an individual as well, similarly, copyright
can also be held either individually or by an organization. 132 Copyrights by law are not
generally required to be registered, but the option for writing it is open for the creator.
Therefore, even if the work is not registered, it is protected by copyright law.

129
WIPO, What is Intellectual Property? (WIPO, 2020) 2
130
Supra note 3. 9 “Scope of Intellectual Property Rights: Everything You Need to Know”, available at:
https://www.upcounsel.com/scope-of-intellectual-property-rights
131
Y. Bhatia, “Intellectual Property Rights and The Digital World”, 1(3) International Journal of Legal
Science & Legal Innovation 1-6 (2019)
132
E. Verkey, Intellectual Property: Law and Practice 18 (Eastern Book Company, Lucknow, 2015)
130 | New Technology Laws With Special Reference To Cyber Laws
Trademark
It is a sign created on a product or service to make it distinguishable from the other options
available. It helps maintain good quality, standardization, and uniqueness. These rights are
granted for a certain period but are extendable as per the requirements by paying off the
renewal charges. These rights are valid only in the country where it is filed.
Patent
It is a right granted for a specific product or service invention for its uniqueness to do
something. To obtain a patent, one must demonstrate that the invention is one-of a-kind. A
patent gives the right to the creator, to choose how others can use such creation. The term for
which a patent is granted in India is 20 years, different countries have different tenures for
granting a patent
Trade Secrets
This consists of confidential information and can be sold or licensed. Unfair trade practices
would be considered if such information was disclosed in a way that was not by sound
business practices. Unless the trade secret is revealed in the public domain, it can last for the
entire period
Geographical Indications
These are the indicators that states from where the product originates. It includes the name of
the place. Generally, the period of such registration lasts up to 10 years, which is extendable as
per the conditions of the section.133
Industrial Designs
It consists of aspects of a product’s appearance which are not covered under patents. It is to be
noted that the creation has to be unique and no other composition similar has to be available in
the market.134 The nature of Industrial Design should be aesthetics, not utility. The tenure of
such a right last up to 10 years.
Importance of Intellectual Property in E-Commerce
Intellectual property law protects against disclosure of trade secrets which further signifies
protection against unfair competition. This makes the intellectual property an asset which is
more valuable than owning a tangible asset. This is most clearly visible in the field of
technology and the digital economy. If there was no intellectual property practices and statutes
governing the functioning of IP laws, there would have been no new creation of works and
hard work of someone could be stolen and it would have spread around the world without
paying any cost to its creator for his labor on the invention135.

133
E. Narasimhulu, A.A. Hindustan, et.al., “Need of Intellectual Property Rights in India and Other
Developing Countries: A Novel Approach for Global Recognition and Economic Development”, 5(2)
National Journal of Advanced Research 18 (2019).
134
WIPO, “Industrial Designs”
135
Ajeet Khurana, Intellectual Property in Ecommrce: Your Greatest Asset, THE BALANCE
(28.02.2017), www.balance.com/intellectual-property-in-ecommerce-your-greatest-asset-1141708
131 | New Technology Laws With Special Reference To Cyber Laws
 1. Safeguarding your own intellectual property
One of the common mistake committed by the owner of the intellectual property owner is to
reveal the intellectual property prior to filing for protection of that property. Similarly, in
many countries making trade secrets public automatically dissolves any protection.
2. Violating someone else’s intellectual property
As E-commerce websites who are in the business of buying and selling of products often
infringes the intellectual property laws by portraying the description of products and showing
their images. There are several essentials which must be followed for not infringing the IP
laws are as follows:
• It must be your own creation
• Permission granted by the creator to use.
• It must be under the ambit of public domain
• It is covered under fair use.
Elements granted protection in Intellectual Property
There are several parts of websites which are vested with the protection of different kinds of
Intellectual Property.
• E-Commerce systems, search engines or other technical Internet tools is
granted protection under Patents or utility models.
• Software includes the text-based HTML code which are used in websites and it is
vested with a shield under Copyrights Act or patents law, depending upon
national law.
• Website design is protected under copyright.
• All the website content in the form of written material, photographs, graphics,
music and videos are protected under Copyrights.
• Databases can be protected by copyright or by sui generis database laws.
• Business Names, Logos, Product names, domain names and other
signs posted on the website are covered under Trademarks.
• Computer generated Graphic Symbols, displays, graphic user interfaces
(GUIs) & even webpages are protected under Industrial Design Law.
• Hidden Aspect of a website like (confidential graphics, source code, object code,
algorithms, algorithms, programs or other technical descriptions, data flow charts,
logic flow charts, user manuals, data structures and database contents) are
protected under Trade Law Secrets.136
What is the Commercialization of IPR?

WIPO, Intellectual Property and E-Commerce: How to Take Care of Your Business’Website,
136

www.wipo.int/export/sites/www/sme/en/documents/pdf/business_website.pdf
132 | New Technology Laws With Special Reference To Cyber Laws
Commercialization in simple words refers to introducing new products or services in the
market. Around the world, several rules and regulations are made to ensure that Intellectual
Property is commercialized and protected. The main motive of the commercialization of IPR
is to encourage people to bring new ideas and creations into the market and make it
marketable and profitable.137
Tools Involved in the Commercialization The owner can make money from their IP rights by
selling them, assigning them, or engaging in various licensing agreements. 138 IPR serves a
critical role as the legal vehicle through which information is transferred or contractual
relationships are formed. Internally, knowledge can also be used, in which case IP laws serve
to prevent clone competition. There are two main legal paths via which IP owners can
monetize their work: 139
i. Assignment of Intellectual Property
ii. Licensing of Intellectual Property
Assignment
An assignment is a type of direct sale of IP in which the owner transfers their property to
another company in exchange for an advanced payment. It is a legal instrument that transfers
IP ownership from one person to another. A formal assignment is frequently used to transfer
IP ownership. Moreover, an IPR can be transferred in its entirety or part and it is pertinent to
note that assigning IP owners should always be done in writing through a legal agreement.
Without a written instrument, many IPRs cannot be legitimately transferred.
Assignment agreements are crucial in IPR because they allow intellectual property owners to
transfer their intellectual property for Commercial benefits, guaranteeing that the intellectual
property may be used for profit. They make use of and utilize the developed IP by allowing
the purchaser or assignee to benefit from the assignment rights. These assignment agreements
give rise to legal and equitable rights in law and may generate difficulties if they are not
carefully worded as required by law.
In addition to abiding by the Rules, to avoid ambiguity, it is crucial to ensure that the
agreement clearly defines to whom ownership is vested. The assignment must be lawful, and it
must specify the length of time for which the individual will be the IP owner. In the event of a
future IP ownership dispute, this would serve as a safeguard. When IP rights are sold, the
ownership of the IP is legally transferred to the new owners.140 This is because IP legal rights
are granted on a country-by-country basis. If the seller (the “transferor”) is assigned, the IP
that benefits the seller (the “transferor”) is a sales agreement, and the commercialization
process is completed. An assignment’s lump sum payment must be regarded as a purchase
price.
In addition, the owner must consider the following criteria:

137
Ibid
138
KPPB Law, “Assignments and Licensing of Intellectual Property,
139
Ibid
140
S. Ambadipudi and S. Srikanth, “Transfer of Intellectual Property: A Primer”, available at:
https://www.mondaq.com/india/trademark/961790/transfer-of-intellectual-property--a-primer
133 | New Technology Laws With Special Reference To Cyber Laws
i. All expenses, including direct and indirect research and development expenditures,
materials, any outsourcing, and IP protection costs;
ii. A component of gain; and
iii. The technology’s or IP’s potential market worth.
Licensing
Licensing IPR instead of selling them through one or more licensing agreements is a common
technique of commercialization. This indicates that the owner has given authority to another
party to use IP under the agreed-upon terms. The license might be a suitable choice if the
owner lacks the resources or skills to develop and sell the product or service. In general, the
licensee (the IP owner) requires each licensee to pay the licensee a percentage of their
outstanding number of sales at regular periods. “Property rights” are the terms that describe
these payments141
Assignment agreements transfer ownership of IP from the assignor to the assignee, whereas
license agreements only allow the licensee to use the IP for a set length of time. For any
licensing agreement, several variables can be negotiated, including:
i. If the licensee agrees to the supplementary license,
ii. If the licensee’s rights are confined to that licensee or are not exclusive,
iii. What “territory” (as in any country/country) is relevant?
iv. What constraints (if any) exist in the fields of IP application (i.e., uses)?
v. What (if any) constraints exist on exploitation techniques (commercialization, production,
R&D)?
vi. What are the time restrictions (maturity criteria) that apply?
vii. What sums should be paid by the licensee (if any)?
viii. What is the royalty rate, and what are the terms and circumstances for other concessions?
The licensee achieves quick company development with minimal capital expenditure by
utilizing this, Tool. The licensee’s capacity to use IP, on the other hand, is dwindling
Competition Law and IPR
Competition law and IPR manage the market in two primary areas, consumer welfare and
technology transfer. Competition law is controlled by the Competition Act, 2002. The rapid
growth of the commercial environment has led to a great impact when it comes to the linkage
of IPR and Competition law and made common goals of both the laws. Although both the
laws are different, IPR grant exclusive rights to the owner of the work, and on the other hand,
competition law prohibits such practices which may decrease the competitive environment and

141
Obhan and Associates, “The Dos and Don’ts of Licensing Intellectual Property in India”, available
at: https://www.mondaq.com/india/trademark/800938/the-dos-and-don39ts-of-licensing-
intellectualproperty-in-india
134 | New Technology Laws With Special Reference To Cyber Laws
advocates for protecting the general interest of the consumer. 142 Section 3(5)(i) of the
Competition Act, 2002 deals with IPR in Competition Law. Competition law keeps consumer
welfare the utmost priority and focuses on limiting the monopoly in the market, IP Laws give
priority to the rights of creators and grant exclusive rights to them but these are not extended
to grant a status of monopoly to the creator. If the IPR holder engages in any anti-competitive
behavior or activity, it will be held liable under competition law.143
IPR assists consumers in choosing diverse choices among goods and services by making its
appearance distinct and different from the rest of the accessible products, while competition
law maintains healthy competition. Therefore, we can say that both laws ensure competition in
the situation of commercial environments. But the word “competition” in both laws is used in
a different context in IP laws, it is used for competition among innovators or creators and in
competition law, it is used to encourage competition and put an end to unfair trade practices.
Moreover, it can be concluded that IPR are mere rights that are provided and Competition
Law is a regulatory body. It is pertinent to note that competition law creates a balance between
the choice of the consumer and the production of such goods and services.
Confidentiality Issues and Its Maintenance
IPR is termed as a valuable asset. As previously stated, many types of IPR exist to give
suitable protection for such IP. It nowadays consists of confidential business data, trade secrets
and crucial business relationships.144 Due to the nature of such information, it needs to be
secured from the competitors as such information can be a valuable asset for them too, due to
these many reasons trade secrets are considered very important. In simpler terms, a trade
secret is something that is going on inside the organization that should not be shared with the
outside world, it can be licensed or sold.145
Disclosure and departure are considered as the two main sources by which confidential
information may get leaked. Disclosure means that through accidental or deliberate disclosure
by corporate officials, trade secrets can be leaked to competitors or third parties, either
knowingly or unknowingly.146
Departure refers to a situation when executives or key staff from the company exit, which may
lead to sensitive business information leaks. Once the employee exits, he has the right to use
skills and knowledge that he has acquired in the due course of time of employment for his

142
H. Stakheyeva, “Intellectual Property and Competition Law: Understanding the Interplay”, in A.
Bharadwaj, V. H. Devaiah, et.al., (eds), Multi-dimensional Approaches Towards New Technology 3
(Springer, 2018).
143
Sanjana, “Analyzing The Intersection of Competition Law and IPR”, available at:
https://www.mondaq.com/india/trademark/1117244/analyzing-the-intersection-of-competition-lawand-
ipr
144
C.N. Saha and S. Bhattacharya, “Intellectual Property Rights: An Overview and Implications in
Pharmaceutical Industry”, 2(2) Journal of Advanced Pharmaceutical Technology & Research 89 (2011).
145
M. Noroozi, L. Zahedi, et.al., “Challenges of Confidentiality in Clinical Settings: Compilation of an
Ethical Guideline”, 47(6) Iranian Journal of Public Health 875-883 (2018)
146
WIPO, “Trade Secrets”, available at:
https://www.wipo.int/export/sites/www/sme/en/documents/pdf/ip_panorama_4_learning_points.pdf
135 | New Technology Laws With Special Reference To Cyber Laws
living. But it is essential to note that he is not entitled to use such confidential information
unless authorized by the employer.
Employee Confidentiality
To safeguard from the threats of getting the confidential data leaked, the employer must
provide employment agreements and get it signed by the employees. This agreement can be
signed by the existing employees as well but they cannot be compelled or forced to sign such
agreement. Under this agreement, the clauses related to confidentiality must be appropriately
mentioned, in which the terms and conditions of disclosure or non-disclosure must be
provided keeping in mind the confidential information. 147 It is important to remember that
after signing such an agreement, the employee must not discuss any information with anyone
during or outside of work. The course of employment refers to situations when an employee
comes up with an inventive idea while working on the job, the employer might claim it if it
was already stated in the contract and the employee had agreed to it. An employer, on the
other hand, cannot claim ownership of such IP that is generated outside of the scope of
employment. The type of agreement that is to be provided, may depend upon the nature of the
disclosure of such confidential information. While there is no formal rule in India that governs
confidential information and trade secrets, it is vital to note that a person can be held
contractually liable for leaking sensitive information. Moreover, agreements of these kinds are
always advised to be in written format. The acknowledgments that are to be mentioned in a
well framed agreement are:
i. The information is confidential; the disclosure is provided in confidence to the recipient; the
recipient will not reveal the information to others or use it for their benefit without the prior
permission of the information’s owner; and
ii. Unauthorized disclosure of information may result in loss and damage to the information’s
owner, for which the recipient will be held accountable.
The clauses which can be added to make it a well draft are the Assignment clause, Disclosure
clause, and Power of Attorney Clause.
Restrictive Practices under IP Licensing
The word “restrictive practice” refers to illegal methods taken by companies to improve their
market position. These tactics can stifle or affect competition in a specific market regarding
IPRs. Antitrust and competition laws regulate such corporate activities and ban them when it
is proven that they distort or hinder competition in a particular market.148
Unfair competition is recognized by the Paris Convention for the Protection of Industrial
Property, which encompasses not only IP violation but also any other conduct that disrupts a
person’s commercial relationships. The Paris Convention has a wide specification that any act
of competition in industrial and commercial affairs that is opposed to honest practices
constitutes unfair competition. These articles declare that the cornerstone of fair competition is

147
“Employee Confidentiality & The Rules”, available at:
https://businessadvice.co.uk/legaladvice/employee-confidentiality-the-rules/
148
WIPO, Successful Technology Licensing: IP Asset Management Series (WIPO, 2015), 41.
136 | New Technology Laws With Special Reference To Cyber Laws
honest practices or good morals, and they define three types of conduct that are considered to
be normally illegal in international trade and must thus be forbidden. 149
Kinds of Restrictive Practices
As previously stated, competition authorities can always remedy restrictive trade practices
disguised as intellectual property licensing. Some of the most common restrictive techniques
employed in intellectual property license agreements are listed below.
Representation Arrangements and Exclusive Sales
Such tactics restrict the licensee company’s ability not just to organize its distribution system,
but also to engage in exclusive sales or representative contracts with any third party other than
the licensor or a licensor-designated party. To put it another way, the licensee firm is
hampered and reliant on the licensor’s distribution channels.
Grant-back Provisions
The grant-back clauses allow the licensor to receive technical information and improvements.
These rules allow the licensee corporation to provide any invention or improvement made in
the imported technology to the technology licensor at no cost. The grant-back clauses are
categorized as exclusive, nonexclusive, and unilateral.
Restrictions on Field of Use, Volume, or Territory
Restrictions on the field of use allow the licensor to limit the use of the technology or reserve
some applications for self-exploitation or third-party exploitation. Minimum production
standards or maximum output are two examples of volume limits practices. Higher royalties
may be paid beyond a particular production limit, or produced items in a defined container
with a certain weight which may be used to regulate production output. As a result, such
production constraints may prohibit the licensee business from manufacturing enough to
export.
Price Fixing
A Price-Fixing clause in an IP license refers to the practice of the licensor reserving the right
to set the sale or resale price of a product made using imported technology. The price-fixing
provisions may cover the price fixed by the licensor on items produced using transferred
technology. Horizontal pricing cartels involving numerous technology providers or recipients
may likewise be involved in price-fixing.
Export Restrictions
Export restrictions may include limitations or prohibitions on the export of items made with
the transferred technology. These requirements impose restrictions on the export of such items
to certain markets, as well as permission to export to specific markets and the necessity of
prior export approval. The limitations that have a direct impact include a total ban on goods
exports. The licensor may put limits on the licensee, such as prohibiting or allowing export to

149
Paris Convention for the Protection of Industrial Property, 1883, art. 10
137 | New Technology Laws With Special Reference To Cyber Laws
one or more designated countries or locations. Exporting just certain items may be prohibited
or permitted under certain limitations.
Tie-in Arrangements
The licensee must get raw materials, replacement parts, and intermediate goods for use with
licensed technology exclusively from the licensor or its nominees, according to tie-in terms in
intellectual property licensing. These provisions also require the licensee to use the licensor’s
staff. The primary motivation for the licensor's employment of tie-in clauses appears to be to
maintain an exclusive right to provide essential processed or semi-processed materials,
maintain quality control, and increase their profit margin.
Non-Competition Clauses
In intellectual property licensing, the non-competition provision restricts the licensee's ability
to engage in agreements to use or acquire competitive technologies or goods that are not
provided or designated by the technology supplier. These provisions have an impact on the
acquiring company’s capacity to compete directly or indirectly. Some non-competition
provisions, which may have an immediate impact, require the licensee business to refrain from
manufacturing or selling competitive goods or from acquiring competing technology. Non-
competition provisions, which may have an indirect impact, obligate the licensee not to
collaborate with competitor businesses or pay higher royalties if it sells or makes competitive
goods.
Restrictions on R&D
The licensee’s research and development policies and activities are usually restricted under
such constraints. The employment of such provisions impacts the licensee’s technical
development potential, either directly or indirectly. Such constraints also limit a licensee’s
ability to conduct its research and development programs. These prohibitions also apply to
provisions that compete directly with the licensor’s research and development efforts.
Restrictions after Expiry of Arrangements
Such tactics restrict the licensee company’s ability not just to organize its distribution system,
but also to engage in exclusive sales or representative contracts with any third party other than
the licensor or a licensor-designated party. To put it another way, the licensee firm is
hampered and reliant on the licensor's distribution channels.
Restrictions after the expiry of Industrial Property Rights
When a patent term expires under an intellectual property licensing agreement, the knowledge
and innovation protected by the patent become public domain, and any interested party can
utilize the patent without restriction. When a technology provider imposes any limitation after
the period of intellectual property rights has expired, the restriction is judged to be a restrictive
trade practice.

138 | New Technology Laws With Special Reference To Cyber Laws

Auditing of IP
IP audit is a systematic examination of a company’s IP that it owns, uses, or acquires to assess
and manage risk, correct errors, and apply best practices in IP asset management 150.
IP audit assists a company in creating or updating an inventory of its IP assets, as well as
analyzing the following:
i. How the IP assets are used or underused?
ii. Whether the business’s IP assets are held by the firm or by third parties?
iii. Whether these IP assets infringe upon others’ rights or others infringe upon these rights?
iv. What measures must be done about each IP asset, or a portfolio of such assets, to support
the company’s relevant business goals?
It may be beneficial for the lawyer to begin by giving management and key staff a broad
review of IP and finding strategies to protect and strengthen a company’s current IP rights.
The IP audit then transfers IP-related information from firm management in charge of
research, development, sales, and marketing. Any important personnel who develop or are
familiar with the company’s technology are also encouraged to participate. Discussions can
begin with a review of the company’s IP portfolio and competitive position in the marketplace
for firms with advanced IP expertise, followed by a more detailed investigation of IP problems
of special concern for companies with advanced IP knowledge. The most thorough audits
include monetary worth estimations for IP and procedures and extensive suggestions for
dealing with IP in the future.
Types of IP Audit
IP audits are divided into three categories:
i. General-purpose IP audits
ii. Event-driven IP audits
iii. Limited purpose targeted IP audits
General-purpose IP audits A general-purpose IP audit can be performed at various times, such
as when the firm is forming or when new policies or marketing strategies are being
implemented. In this approach, the general-purpose IP audit is more appropriate in all
situations. The results will help the company to get a better direction and approach, in case the
company is new or planning major re-organization.
Event-driven IP audits
The scope of an event-driven IP audit is often substantially narrower than that of a broad or
general-purpose IP audit. Furthermore, the nature and scope of an audit are determined by the
event in question, as well as the time and resources available to do it. An event-driven IP audit

150
M. Nemana, “Intellectual Property Audit”, available at:
https://www.mondaq.com/india/trademark/593644/intellectual-property-audit
139 | New Technology Laws With Special Reference To Cyber Laws
is commonly dubbed “IP due diligence” 151 when done to analyze, as objectively as feasible,
the worth and risk of all or a part of a target company’s IP assets. Later in the session, “IP due
diligence” is covered.
Limited purpose targeted IP audits
A limited purpose audit has a significantly smaller scope than the other two categories and is
carried out on a tighter timeline. These audits are usually conducted on a case-by-case basis.
They are usually employed to support a legal stance or the value of a piece of IP.
Who Conducts an IP Audit?
The question of who should perform such an audit has no hard and fast rules. Nevertheless, for
an audit to be effective, it should be conducted by a team that comprises IP experts and
representatives from key technical areas of the organization as needed. The IP audit team
should have a basic understanding of the product lines, the relevant business environment, and
the company’s future aspirations so that the audit remains focused on IP assets with the
greatest economic value.152
External expertise may or may not be included in the audit team. If it does, then all external
members of the audit team and all internal audit team members should sign non-disclosure
agreements before beginning an IP audit.
Preparation of an IP Audit
Clarity towards the Purpose
Before an IP audit can begin, everyone involved must clearly understand why the audit is
being undertaken. The circumstances that lead to an audit and the form and scope of the audit
are all influenced by the reason for the audit. Furthermore, the amount of time and money
available for performing an audit will impact how the audit is handled and the final result.
Background Research
Once the purpose of the audit and the resources available to carry it out are apparent, one of
the most important steps in performing the audit is to learn about the organization, what it
does, and where it wants to go. It is a prerequisite for drafting an audit plan, which will serve
as the audit’s foundation.
Putting Together a Plan for IP Audits
After conducting the essential background research, the audit strategy must be prepared. This
will outline the audit plan’s aim, scope, duration, budget, and who will be accountable for
certain aspects of the audit. In general, it will cover the following areas:

151
A. Damodaran, “IP Asset Management, IP Audit and Due Diligence”, 18, available at:
https://www.wipo.int/edocs/mdocs/sme/en/wipo_smes_bwn_13/wipo_smes_bwn_13_14_damodaran.
pdf
152
S. Chaturvedi, “Importance of Intellectual Property Audits for Corporates”, The Economic Times
Nov. 13, 2021, available at: https://economictimes.indiatimes.com/news/how-to/importance-of-
intellectualproperty-audits-for-corporates/articleshow/87679108.cms?from=mdr
140 | New Technology Laws With Special Reference To Cyber Laws
i. The specific areas of the business to be covered, such as divisions, lines of business,
affiliated or non-affiliated agency operations;
ii. The audit scope, such as only registered assets or a broader scope;
iii. The audit timetable;
iv. The responsible individual for each part of the audit;
v. The layout of the final audit report to be produced.
Conducting an IP Audit
Begin with a thorough checklist
A typical IP audit begins with a thorough checklist that is customized for the kind and scale of
the company’s operation, applicable IP laws of the relevant countries, the audit’s desired
purpose(s), and the audit’s expected outcome(s). Using a checklist reduces the odds of missing
one or more important phases in the process. The relevant section of the thorough checklist
should be given to each member of the audit team. The audit team should gather, examine, and
arrange data to generate a thorough, companywide IP audit report that reflects the whole
development and decision-making process for each of the company’s products and operations.
Examining various contracts and agreements
Identifying and assessing the sufficiency of relevant clauses in all agreements that impact IP
protection is an important aspect of an IP audit.153 The following agreements may be included,
Licensing agreements; Assignment agreements; Employment and Independent Contractor
Agreements; Joint Venture & Collaboration agreements; R & D Grants; other agreements;
Technology transfer agreements; Design and Development agreements; Settlement
agreements; Franchise agreements; Royalty agreements; Marketing agreements;
Distribution/Distributorship agreements; and Sales representative agreements.
Auditing IP Assets
This level consists of four phases:
i. Identifying and documenting IP assets;
ii. Determining ownership and legal status of IP assets;
iii. Detecting IP rights violation; and
iv. Taking the appropriate procedures to create and preserve IP assets.
Procedure Post IP Audit
Applying the recommendations of an IP audit. Assess and examine if the company’s IP assets
are achieving its strategic objectives, and if not, what should be done to alter that, at this point,
one technique that might be useful is to divide the IP inventory results into three groups:

153
S. Ambadipudi and S. Srikanth, “Drafting Intellectual Property Rights Transfer Agreements - Part
II”, available at: https://www.mondaq.com/india/trademark/974154/drafting-intellectual-property-
rightstransfer-agreements--part-ii
141 | New Technology Laws With Special Reference To Cyber Laws
Group 1: Techniques, inventions, and ideas critical to your products and services, as well as
the markets one has chosen to serve.
Group 2: Intellectual assets that have tremendous promise but are not essential to one’s
business.
Group 3: ‘Assets’ that, on the whole, appear to be of little value to one’s organization or
anybody else.
Building IP Value
Dynamic IP asset managers have utilized IP audits to increase business value in a variety of
ways.43 The following are some of the most prevalent methods:
i. Increasing the value of IP assets.
ii. Increasing the value of existing intellectual property assets.
iii. Lowering the expense of third-party intellectual property disputes.
iv. Using IP assets to create value from product marketplaces.
v. Developing non-core revenue sources.
vi. Increasing income by licensing key business assets. vii. Increasing the value of corporate
deals
viii. Lowering the cost of inactive IP assets.
ix. Getting tax deductions for donating IP assets.
x. Lowering the cost of new product development (product clearance).
xi. Assessing an acquisition or investment target's intellectual property assets (due diligence).
xii. Evaluating the direction and strength of the company.
xiii. Identifying previously untapped business potential.
xiv. Finding new business opportunities
Due Diligence of IPR in a Corporate Transaction
IP due diligence is part of a bigger due diligence audit to assess a company’s viability. Before
purchasing or investing in a target company’s IP portfolio, the financial, commercial, and
legal benefits and risks are assessed. In simple words, IP due diligence provides in-depth
insight into the risk and value of intangible assets. Therefore, IP due diligence is important as
it maximizes the valuation of these kinds of assets, helps in maintaining and boosting the
balance sheet of the business or company, and also reduces the chance of risks involved by
revealing such issues.154 Generally, IP due diligence is conducted in many situations some of
which are as follows:

154
S. Katarki and A.V. Thakur, “Intellectual Property Due Diligence”, available at:
https://www.mondaq.com/india/trademark/448686/intellectual-property-due-diligence
142 | New Technology Laws With Special Reference To Cyber Laws
Mergers and Acquisition
In a planned acquisition or sale of IP, an IP audit provides a foundation for evaluating the risk
and value of applicable IP assets.
Financial transactions
Before engaging in a financial transaction involving IP, such as an initial public offering or
private placement of shares, substantial stock acquisition, or before acquiring a security
interest in IP, IP due diligence is critical, as all of these have an impact on IP ownership
Purchasing or selling a corporate division, or transferring Intellectual Property
IP due diligence ensures that the transfer or assignment fits the respective business objectives
of both parties when conducted separately by both.
Introduction of a new product or service in the market
It helps in addressing any potential infringement or freedom to operate issues associated with
the introduction of such a product or service.
IP Licensing
IP due diligence helps in making sure that no similar license exists, necessary rights are given
and the scope and extent of such license are maintained.
How IP due diligence is conducted?
To get the most effective results, more time is required in this procedure and the involvement
of professionals in this field. Each transaction is unique, the requirements of conducting IP
due diligence depend on case-to-case bases due to the uniqueness of transactions.49 There is a
need to set up a proper team of professionals to conduct this test, a checklist of essential terms
and clauses must be prepared beforehand with good research and knowledge. A proper
verification test has to be performed to safeguard any discrepancies that may arise. Some basic
requirements that are generally required to be involved are:
Identifying IP assets
The assets are intangible; it is essential to identify the kind of asset.
Check for IP ownership and existence
Several questions concerning ownership and existence must be asked to determine IP asset
transferability and available rights.
Awareness of the appropriate territory and terms
There is a need to check the validity or tenure of the rights available and identify the type of
territory limitations
Third-Party claims
Make sure there are not any third-party claims, as at times third parties may get many benefits
out of it unknowingly.

143 | New Technology Laws With Special Reference To Cyber Laws

The protection of IPR is a great concern. It has to be made sure that the right laws are enforced
on IP. Registering and protecting IPR is both expensive and timeconsuming. These
procedures, however, are critical in nature because they set the groundwork for IPR
commercialization. Most intelligent businesses understand the need to safeguard confidential
data, trade secrets, and know-how. However, preserving and securing confidential information
receives scant attention. According to research, many organizations are unaware that their
most valuable intellectual assets are walking out of their front doors and over the street to rival
competitors. They must acknowledge this fact and take steps to safeguard the company’s most
significant strategic assets. As a result, it is necessary to comprehend all the advantages and
disadvantages of IPR and competition legislation.

144 | New Technology Laws With Special Reference To Cyber Laws

 CHAPTER-8

BROADCASTING
With rapidly changing technologies, and increasing business investments, the broadcast sector
has become the site of contention between various interests – broadcast companies, the
government, public interest groups, community radio and television channels, and an
increasingly diverse audience that has been broadly categorized as ‘the public.’ An important
aspect of this tussle is the legal regulation of both existing and emerging technologies. This
compilation attempts to examine the existing legal framework that applies to various broadcast
technologies that are currently in use in India155.
The statutory basis of government monopoly of the broadcast sector, which was widespread
until the emergence of satellite television in the 1990s, can be traced to the 123 year-old
Indian Telegraph Act of 1885. The Act states that the Central Government has the exclusive
privilege of establishing, maintaining, and working telegraphs within India.
The Act and its subsequent amendments define telegraph broadly to include most modern
communication devices irrespective of their underlying technology. 156 Judicial decisions have
also held that the term ‘telegraph’ includes the term telephone, television, radio, wireless,
mobile and video equipment. 157 The Act authorizes the Central Government to take temporary
possession of a telegraph in cases involving public emergencies or public safety.
Section 5(2) enables the government to lawfully intercept telegraph messages on certain
grounds. These include India’s sovereignty and integrity, state security, friendly relations with
foreign states, public order, and preventing the commission of an offence. 158 The Act
empowers the government to revoke a telegraph license for breach of any terms and
conditions or for a default in making license-fee payments.159
Though the Telegraph Act does not explicitly define ‘telecommunications service’ and
‘broadcasting service’, the Telecom Regulatory Authority of India Act, 1997, defines
communication service in s 2(1)(k) as:
“Service of any description (including electronic mail, voice mail, data services, audiotext
services, video-text services, radio paging, and cellular mobile telephones services) which is
made available to users by means of an transmission or reception of signals, writing, images,

155
Vikram Raghavan, Communications Law in India, New Delhi: Lexis Nexis Butterworths, 2007
156
“.any appliance, instrument, material, or apparatus used or capable of use for transmission or
reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, visual, or
other electromagnetic emissions, radio waves or Hertzian waves, galvanic, or magnetic waves”
157
Section 3(1AA). However the physical possession of radio and wireless equipment is regulated by
the Indian Wireless Telegraphy Act, 1933
158
Section 5 (2)
159
Section 8
145 | New Technology Laws With Special Reference To Cyber Laws
and sounds or intelligence of any nature, by wire, radio, visual or any other electronic means
but shall not include broadcasting services.”
Though this section expressly excludes ‘broadcasting’ from this definition, the directive
authorizes the government to notify broadcasting services to be a telecommunication
service. 160 This notification gave TRAI the authority to regulate broadcasting and cable
services in India. The license required for broadcasting (the Wireless Operating License) is
given by the Wireless Planning and Coordination Committee (WPC) Wing of the Ministry of
Communication and Information and Technology, while the Ministry of Information and
Broadcasting (MIB) gives a Grant of Permission Agreement.
Most radio and television services are also regulated by the Indian Wireless Telegraphy Act
(No 17 of 1933), as they constitute ‘wireless communications’. Section 2(2) and Section 3
regulate wireless communication by requiring users of various types of wireless equipment to
obtain wireless licenses for possessing and using the equipment. These licenses are granted by
the WPC (Wireless Planning & Coordination Authority) Wing of the Department of
Telecommunications (DoT) Therefore, to offer most kinds of broadcasting services, a
broadcasting company must obtain two types of licenses: • A Grant of Permission (GOPA) to
offer broadcast services issued by the Ministry of Information and Broadcasting under the
Telegraph Act • A wireless operating license from the WPC (Wireless Planning &
Coordination Authority) Wing of the Ministry of Communication and Information
Technology under the Wireless Telegraphy Act
RADIO SERVICES:
Terrestrial radio services can be divided into two main categories: AM radio that uses medium
or short wave frequency bands, and FM that uses VHF frequencies in the 88 MHz to 108 MHz
band. AM radio is offered only by AIR while FM radio, which works on line-of-sight
principles and can be clearly received within a local area, is offered by both AIR and private
channels.
FM Radio
AIR began FM broadcasts in Madras on 23 July 1977. FM radio was opened to private players
in 1999. The Ministry of Information and Broadcasting invited bids for licenses to operate 140
FM stations in 40 cities. In March 2000, the government short-listed 29 applicants for licenses
to operate 101 FM radio stations. Upon further screening, the government issued letters of
intent to 93 stations. Ultimately, FM licenses were granted to 16 companies to operate 37
channels. The initial FM radio licenses were valid for ten years and licensees were required to
submit performance bank guarantees equivalent to a year’s license fee to ensure that they
carried out their license obligation.
Second Round of FM Licenses
Many of the FM stations that were licensed were financially unsuccessful and could not meet
the license fee requirements. They soon demanded a reduction in license fee and change in the

160
Ministry of Communications, ‘Broadcasting Services and Cable Services Notified as
Telecommunication Service’, S044 (E), Fno13-1/2004-Restg, 9 January 2004.
146 | New Technology Laws With Special Reference To Cyber Laws
prevailing licensing network. The MIB then constituted the Radio Broadcast Policy
Committee under the chairmanship of Amit Mitra, Secretary General, FICCI, on 24 July 2003
to make recommendations for Phase II of FM licensing, and to “study the desirability and
implications of making modifications in the licensing regime of Phase I licenses. The
committee called for revisions to the prevailing license fee structure for FM licenses, and
recommended the introduction of an annual revenue sharing arrangement that would require
FM licensees to pay 4 per cent of their gross revenue as license fees. It also proposed
restructuring existing licenses and restricting the licensees’ liability for their original license-
fee payments.161 The second round of allocation of licenses concluded in early 2006162.
TRAI took over regulatory responsibilities for broadcasting in January 2004. Its first set of
recommendations to the government, sent in August 2004, proposed a migration package that
would enable existing FM licensees to substitute their fixed fee terms with a more flexible
revenue sharing formula. It also suggested relaxing the strict restrictions on multiple
ownership that prevented FM licensees from owning more than one frequency in a city. It
proposed a cap of 25 per cent on the total number of frequencies held by a single license
across the country. It made detailed recommendations regarding foreign investment in FM
radio. It suggested removing restrictions on news and current affairs programmes.
In July 2005, the government accepted most of TRAI’s recommendations and framed a new
policy for FM licenses. The main features of this policy were:
• Two-round selection process for 336 channels in 90 cities
• Requirement that applicants be registered in India
• Prohibition of control by persons convicted of certain offences.
• Prohibition of application by subsidiary of applicant company
• Prohibition of application by companies with same management
• Prohibition of application by companies of the same group or otherwise
interconnected companies
• Prohibition of application by religious bodies or companies controlled by/associated
with them
• Prohibition of application by political bodies or companies controlled by/associated
with them
• Prohibition of application by advertising agencies or companies controlled
by/associated with them
• Prohibition of application by Trusts, Societies, Non-Profit Organizations or
companies controlled by/associated with them

161
The Amit Mitra Committee Report was sent to TRAI on 12 February 2004 for its recommendations.
Private FM players also submitted their recommendations to TRAI on 24 February 2004.
162
The full list of operational FM stations is available at http://mib.nic.in/fm/fmmainpg.htm
147 | New Technology Laws With Special Reference To Cyber Laws
 • Permission granted for ten years
Under the policy
• Applicants are allowed to run one channel per city provided the total number of
channels allocated to the entity is within the overall ceiling of 15% of all allocated
channels in the country.
• Licensees cannot outsource, through any long-term production or procurement
arrangement, more than 50% of the total content, and not more than 25% of the total
content can be outsourced to a single content-provider.
• Licensees cannot hire or lease more than 50% of broadcast equipment on longterm
basis
• Licensees cannot enter into any borrowing or lending arrangement with other
permission holders or entities other than recognized financial institutions, which may
restrict its management or creative discretion to procure or broadcast content
Foreign Investment:
Total foreign investment is permitted to the extent of not more than 20% of the paid up equity
in the entity holding permission for a radio channel. Foreign investment includes Foreign
Direct Investment (FDI) as defined by RBI, and FDI by OCBs/NRIs/PIOs etc. Portfolio
Investments by Foreign Institutional Investors (FIIs) (within limits prescribed by RBI) and
borrowings, if these carry conversion options. The permission is subject to the following
conditions:
• One Indian individual or company owns more than 50% of the paid up equity
excluding the equity held by banks and other lending institutions.
• The majority shareholder exercises management control over the applicant entity.
• Has only Resident Indians as Directors on the Board.
• All key executive officers of the applicant entity are resident Indians.
No permission holder shall be permitted to change the ownership pattern of the company
through transfer of shares of the major shareholders to any new shareholders without the
written permission of the Ministry of Information & Broadcasting. The permission is granted
for a period of five years from the date of its operationalisation, subject to the condition that
the new shareholders conform to all the prescribed eligibility criteria.
3rd Phase of Private FM Radio Broadcasting
TRAI released its Recommendations on the 3rd Phase of Private FM Radio Broadcasting on
22 February 2008. Details of the recommendations are available in the accompanying
document on recent TRAI recommendations.163

163
Telecom Regulatory Authority of India (TRAI) Draft Recommendations on 3rd Phase of Private FM
Radio Broadcasting , February 22, 2008
148 | New Technology Laws With Special Reference To Cyber Laws
Satellite Radio
Satellite radio relies on satellite signals, instead of FM/AM frequencies, for radio
transmission. These services are in a nascent stage in India. Recognising the potential for
satellite radio services, TRAI issued comprehensive recommendations in June 2005.
TRAI Recommendations
TRAI has indicated that satellite radio services would be complementary to FM services,
rather than competitive. TRAI suggested that there be no separation between carriage and
content in satellite-radio licenses. There should be common rules of subscription and
broadcast-type services. All India Radio (AIR)’s programme and advertisement codes should
apply to satellite radio. There should be no ban on news and current affairs programmes.
Licenses should be permitted to establish terrestrial repeaters to rebroadcast their signals for
better reception. Given the high capital-intensity of the medium and limited number of global
players, 100% foreign investment should be permitted in satellite radio services. Licenses
should be issued for ten years. There should be no license fee, unless there is excessive
demand for available spectrum. If satellite radio licenses are permitted to use terrestrial
repeaters, a revenue share of 4 per cent can be imposed as a license fee. No specific
transmission standards should be prescribed. A satellite radio licensee should be free to decide
on the preferred transmission technology subject to the licensor’s approval. Satellite radio
licensees should offer to their subscribers the option of blocking unwanted channels.
Satellite Radio Policy
Meanwhile, satellite radio had already entered the country - like cable TV - on the basis of a
license issued by the Ministry of Telecommunications. WorldSpace began operations in 2000
and, because satellite radio services were then unregulated, it became by default the only
private radio broadcaster in the country to offer news and current affairs channels. In May
2008 TRAI opened up its draft Satellite Radio Policy164 for comments (with a deadline of less
than two weeks). It included a section relating to news channels which, if accepted and
implemented, could mean the end of news and current affairs on nongovernmental radio.
The relevant section of the draft Satellite Radio policy states:
5.1 Satellite radio service provider shall be able to carry only the following types of radio
channels on its service:
(i) Non-News and Current Affairs radio channels registered with Government of India as per
provisions contained in Part-II of these Guidelines.
(ii) The news broadcast of All India Radio (AIR) as mutually agreed between the service
provider/radio channel and AIR.
(iii) Channels of Prasar Bharati as provided in paras 5.13 and 5.14
This is despite the fact that TRAI's Recommendations on Phase III of FM Radio licensing –
issued in February 2008 – had already stated that "FM Radio broadcasters may be permitted to
broadcast news taking content from AIR, Doordarshan (DD), authorized TV news channels,

164
http://www.trai.gov.in/trai/upload/PressReleases/574/draft19may08.pdf
149 | New Technology Laws With Special Reference To Cyber Laws
United News of India (UNI), Press Trust of India (PTI) and any other authorized news agency
without any substantive change in the content. No other source of news is permitted at
present." While even this formulation was fairly restrictive, the new policy seeks to restrict
news and current affairs on private radio channels to programmes produced by the state
broadcaster, All India Radio. Critics believe that such a move could have major implications
for both private FM and community radio in the country.
PRASAR BHARATI (BROADCASTING CORPORATION OF INDIA) ACT, 1990
The introduction of the Prasar Bharati Bill in Parliament in May 1979 was the direct result of
the recommendations of the B. G. Verghese Committee set up in 1977 after the Internal
Emergency declared by the then Prime Minister Indira Gandhi (1975-77). The Bill was
allowed to lapse after the Janata Party government elected to form the government after the
Emergency collapsed and the Congress Party returned to power
The victory of the National Front government in 1989 saw the revival of the Prasar Bharati
Bill in a somewhat modified form; the Bill was passed by Parliament and received presidential
assent on September 12, 1990. The Prasar Bharati Act provided for the formation of an
autonomous Broadcasting Corporation that would manage Doordarshan and AIR, discharging
all powers previously held by the Information and Broadcasting Ministry. The Corporation
would inherit the capital assets of Doordarshan and AIR and would be managed by a 15-
member Prasar Bharati Board, including the Directors-General of the two organisations and
two representatives from amongst the employees. The Chair and other members of the Board
would be appointed on the recommendations of the selection committee headed by the Vice
President. A fifteenmember Broadcasting Council would address public complaints.
The primary duty of the Broadcasting Corporation was to ‘organize and conduct public
broadcasting services to inform, educate, and entertain the public’ and to ensure ‘a balanced
development’ of broadcasting of radio and television.165 The Corporation was to be guided by
a set of objectives while discharging its functions. These include:
• Upholding the unity and integrity of the country and the values enshrined in the
Constitution
• Safeguarding the citizen’s right to be informed freely, truthfully and objectively on all
matters of public interest, national or international, and presenting a fair and balanced
flow of information including contrasting views without advocating any opinion or
ideology of its own
• Paying special attention to the fields of education and spread of literacy, agriculture,
rural development, environment, health and family welfare and science and
technology.
• Providing adequate coverage to the diverse cultures and languages of the various
regions of the country by broadcasting appropriate programmes.

165
Section 12, The Prasar Bharati Act, 1990
150 | New Technology Laws With Special Reference To Cyber Laws
• Providing adequate coverage to sports and games so as to encourage healthy
competition and the spirit of sportsmanship.
• Providing appropriate programmes keeping in view the special needs of youth.
• Informing and stimulating the national consciousness with regard to the status and
problems of women and paying special attention to the upliftment of women.
• Promoting social justice and combating exploitation, inequality and such evils as
untouchability and advancing the welfare of the weaker sections of the society.
• Safeguarding the rights of the working classes and advancing their welfare
• Serving the rural and weaker sections of the people and those residing in border
regions, backward or remote areas.
• Providing suitable programmes keeping in view the special needs of the minorities
and tribal communities.
• Taking special steps to protect the interests of children, the blind, the aged, the
handicapped and other vulnerable sections of the people.
• Promoting national integration by broadcasting in a manner that facilitates
communication in the languages in India; and facilitating the distribution of regional
broadcasting services in every State in the languages of that State.
• Providing comprehensive broadcast coverage through the choice of appropriate
technology and the best utilisation of the broadcast frequencies available and ensuring
high quality reception.
• Promoting research and development activities in order to ensure that radio and
television broadcast technology are constantly updated.
• Expanding broadcasting facilities by establishing additional channels of transmission
at various levels.
• Ensuring that broadcasting is conducted as a public service to provide and produce
programmes.
• Establishing a system for the gathering of news for radio and television.
• Negotiating for the purchase of, or otherwise acquiring, programmes and rights or
privileges in respect of sports and other events, films, serials, occasions, meetings,
functions or incidents of public interest, for broadcasting and establishing procedures
for the allocation of such programmes, rights or privileges to the services.
• Establishing and maintaining a library or libraries of radio, television and other
materials. Conducting or commissioning, from time to time, programmes, audience
research, market or technical service, which may be released to such persons and in
such manner and subject to such terms and conditions as the Corporation may think
fit.

151 | New Technology Laws With Special Reference To Cyber Laws

 Though the Broadcasting Corporation was supposed to be independent, Section 23 of the
Act gave the Central Government the power to issue to the Corporation directions to
broadcast or not to make a broadcast, if it deemed it necessary in the interests of the
sovereignty, unity and integrity of India, or the security of the State, or the preservation of
public order. Another provision that curtailed the autonomy of the Corporation was
Section 13, which provided for the constitution of a 22-member Parliamentary Committee
to oversee the working of the Corporation. The National Front government (with VP
Singh as Prime Minister) fell before the Act could be notified.
However the legislation got a fresh lease of life when the Supreme Court, on 9 February
1995, in the Cricket Association of Bengal case,21 directed the Government to set up an
independent broadcasting authority that would give access to all interests and groups. In
September 1997, then Information and Broadcasting Minister Jaipal Reddy announced
that the Act would be notified. The United Front government introduced changes in two
main categories. It scrapped Section 13 of the 1990 Act that had provided for a
Parliamentary Committee to oversee the working of the Board. Other amendments
removed the Government’s power to stipulate advertisement airtime and provided for the
transfer of the assets of Doordarshan and Akashvani to the Corporation for a perpetual
lease of a token Re 1 a year.
The second sets of amendments were broadly meant to seek to reconcile the Prasar Bharati
Act with planned legislation on private broadcasters. It replaced the Broadcasting Council
provided for in the Prasar Bharati Act with the Broadcasting Authority of India, that
would govern private broadcasters when the then pending Broadcasting Bill 1997 was
enacted.166
The United Front government appointed SS Gill as the Chief Executive of the
Corporation, amending the statutory qualifications for the designated head of Prasar
Bharati. But early general elections in 1998 saw the formation of a new BJP-led
government. The BJP had opposed Gill’s appointment as violative of the stipulated age
limit. When Gill refused to resign, the BJP government allowed the presidential ordinance
amending the Prasar Bharati Act to lapse, and then removed him from office saying he did
not satisfy the qualifications required under the Act. The government also removed other
members of the Prasar Bharati from their posts. These actions were challenged in the
Delhi High Court, which declined to interfere on the ground that it was a policy matter167.
The Central Government introduced the Prasar Bharati (Broadcasting Corporation of
India) Amendment Bill, 2008 in Parliament, amending the Prasar Bharati Act to reduce
the tenure of the Corporation’s Chairman from six to three years. The move is seen to be
aimed at easing out the current Prasar Bharati Chairman, MV Kamath. An upper age limit
of 70 years was also introduced for the position of Chairman. The I&B Minister said these
changes would help bring diversity of experience at the top level for the benefit of the
organisation. The I&B Minister, Priya Ranjan Dasmunsi, pointed out in the statement of

166
Praveen Swami, “Public Service Broadcasting?”, Frontline, Vol 14, No 23, November 15-28, 1997
167
Rajendra Yadav v Union of India AIR 2000 Del 229. Also See Supra note 2 at 81-82.
152 | New Technology Laws With Special Reference To Cyber Laws
 objects and reasons that it was felt necessary to rationalise such matters “in order to inject
sectoral experience to rejuvenate Prasar Bharati and its Board.”168
Regulation of Cable Television
The sudden emergence of cable television and cable networks in the early 1990s caught the
Indian government unprepared. The DoT initially responded with new regulations targeting
the fledgling networks, requiring all users and dealers of satellite equipment to obtain special
operating licenses for their equipment. Users and dealers were specifically prohibited from
engaging in commercial distribution of programmes downloaded from satellites. To obtain
these licenses, users had to undertake that they would not use their equipment to establish
unauthorized networks.
The government’s action against cable television networks was unsuccessfully challenged by
cable operators before various high courts. Despite this, the growth of these networks
continued, especially in urban areas. The Government appointed a committee which
recommended that the censors should clear all programmes transmitted through cable
networks. It also suggested that cable networks should be prohibited from directly relaying
programmes received from satellites. The government, however, did not accept these
recommendations
Shiv Cable v State of Rajasthan169
The reality of cable networks was tested in Shiv Cable TV System v. State of Rajasthan. 28
The case arose from a district administration’s order directing the local police to halt cable TV
networks because the cable operators lacked the necessary licenses. The affected operators
challenged the district administration’s order in the Rajasthan High Court on the ground that
there was no law that required them to obtain licenses for their networks. They argued that the
district administration’s actions violated their fundamental right to carry on a trade and
business. The state government told the high court that the cable operators had to obtain
licenses under the Telegraph Act and the Wireless Telegraphy Act to legally operate their
networks.
The High Court agreed with the government’s arguments. It explained that cable networks
typically comprise two elements:
1) A dish antenna to receive programmes transmitted by satellites.
2) A cable network to physically distribute these programmes to subscribers.

168
Bill on Prasar Bharati Act Tabled in Lok Sabha”, The Hindu, March 11, 2008,
http://www.thehindubusinessline.com/2008/03/11/stories/2008031151891000.htm and “Content Code
for TV channels soon: Dasmunsi”, The Hindu 18 March 2008,
http://www.hindu.com/2008/03/18/stories/2008031859431300.htm , “Prasar Bharati Amendment Bill
Passed”, The Hindu 19 March 2008, http://www.hindu.com/2008/03/19/stories/2008031960131300.htm
Prasar Bharati has been functioning in name, without measuring up to the objectives underlying the act.
The PB Act has implemented only partially. For instance, neither the assets nor the staff of AIR/DD
have been transferred to the Corporation. The staff are still government servants under ‘deemed
deputation’ to Prasar Bharati.
169
AIR 193 Raj 197.
153 | New Technology Laws With Special Reference To Cyber Laws
The Court said that since a cable operator’s dish antenna was capable of receiving transient
images of fixed and moving objects from satellites, the dish antenna constituted.
a wireless telegraph apparatus under the Wireless Telegraphy Act. It held that unless covered
by an exemption, the dish antenna required a wireless license for its operation.
The Court held that lines and cables in a cable network were covered by the definition of a
‘telegraph line’ under the Telegraph Act, and the cable operators had to obtain statutory
licenses in order for their dish antennas to download programmes from satellites and to
transmit these downloaded programmes through their networks to customers.
Despite this, the High Court set aside the impugned orders of the district administration as
they were made without jurisdiction. It held that under the Telegraph Act and the Wireless
Telegraphy Act, only the Director General of Posts and Telegraphs, a Central Government
official, was competent to take the actions in question. The High Court noted that the
government had not framed any rules or guidelines to regulate cable networks. Noting that an
outright prohibition on cable networks was difficult because they had already grown deep
roots in several areas, the high court called on the government to establish a licensing system
to regulate cable networks.
This decision prompted the government to promulgate an ordinance in 1994 that provided a
legal basis to regulate cable networks. The ordinance was later ratified by Parliament and
passed as the Cable Networks Act, 1995. This legislation was amended in 2003 to require
cable subscribers to use conditional access systems to receive premium channels. The
government’s New Telecom Policy, 1999 sought to align the cable industry closer to the
market for telecom services. 170 It classified cable operators as access providers along with
fixed and cellular licensees. It allowed cable operators to provide last mile links, switched
services, and one-way entertainment services in their respective service areas. Cable operators
were allowed to directly interconnect with other service providers within their service area and
share infrastructure with them. The government decided not to allow cable operators to
provide two-way communications as it would amount to their offering fixed services. But the
policy gave cable operators the option to obtain a separate fixed license for this purpose.
The Cable Networks Act, 1995
The principal purpose of the Cable Networks Act was to introduce regulatory certainty to the
cable market that had emerged in the early 1990s. The statement of objects and reasons
declared that cable TV constituted a ‘cultural invasion’ as cable programmes were
predominantly Western and alien to Indian culture and way of life. It declared that the lack of
regulation had resulted in undesirable programmes and advertisements being shown to Indian
viewers without any censorship. Section 3 of the Act mandates that a cable television network
can be operated only by a registered cable operator. The registering authority is any authority
so notified by the Central Government.

170
Ministry of Communications, New Telecom Policy 1999, 26 March 1999.
154 | New Technology Laws With Special Reference To Cyber Laws
‘Cable television network’ is defined in Section 2 c) as: Any system consisting of a set of
closed transmission paths and associated signal generation, control and distribution equipment
designed to provide cable service for reception by multiple subscribers.
In order to register, an entity could be - an Indian citizen - an association of individuals whose
members are Indian citizens - a company in which not less than 51 per cent of paid up equity
share capital is held by Indian citizens.
If the registering authority refuses to register an applicant, it must record its reasons for doing
so and inform the applicant accordingly
Statutory Violations and Offences:
The Cable Networks Act empowers and authorizes a government officer to seize a cable
operator’s equipment if the officer has reason to believe that the cable operator is functioning
without proper registration. The seized equipment cannot be retained for a period exceeding
ten days from the date of seizure, unless a local District Judge, within whose jurisdiction the
seizure has been made, approves continued retention of the seized equipment.
A first time violation under the statute can result in an imprisonment term that extends up to
two years or a fine up to Rs. 1000 or both. Every subsequent offence is punishable with
imprisonment for a term up to five years and a fine that may extend to Rs. 5000. The Act says
that if a company commits an offence under the statute, the company and any person in
charge, or responsible for its business, shall be deemed guilty, proceeded against and punished
accordingly. If a company commits an offence with the consent, connivance, or attributable
negligence of a director, manager, secretary, or other officer, these officers are deemed guilty,
along with the company, and they can be prosecuted, and punished accordingly.
Cable Television Network Rules, 1994:
The Rules were enacted under the Cable Television Networks (Regulation) Ordinance, 1994.
The Programme Code of the Cable Television Network Rules lays down restrictions on the
content of both programmes and advertisements that can be shown on cable TV. These
restrictions are laid down in Section 6 of the Rules.
No programme can be shown that:
• ƒ Offends against good taste or decency ƒ
• Contains criticism of friendly countries ƒ
• Contains attack on religions or communities or visuals or words contemptuous of
religious groups or which promote communal attitudes (sic) ƒ
• Contains anything obscene, defamatory, deliberate, false and suggestive innuendos
and half truths ƒ
• Is likely to encourage or incite violence or contains anything against maintenance of
law and order or which promote anti-national attitudes ƒ
• Contains anything amounting to contempt of court ƒ

155 | New Technology Laws With Special Reference To Cyber Laws

 • Contains aspersions against the integrity of the President and Judiciary ƒ Contains
anything affecting the integrity of the Nation ƒ
• Criticises, maligns or slanders any individual in person or certain groups, segments of
social, public and moral life of the country ƒ
• Encourages superstition or blind belief ƒ
• Denigrates women through the depiction in any manner of the figure of a woman, her
form or body or any part thereof in such a way as to have the effect of being indecent,
or derogatory to women, or is likely to deprave, corrupt or injure public morality or
morals ƒ
• Denigrates children ƒ
• Contains visuals or words which reflect a slandering, ironical and snobbish attitude in
the portrayal of certain ethnic, linguistic and regional groups ƒ
• Is not suitable for unrestricted public exhibition
The Rules say that the cable operator should strive to carry programmes in his cable service
that project women in a positive, leadership role of sobriety, moral and character building
qualities. They say that care should be taken to ensure that programmes meant for children do
not contain any bad language or explicit scenes of violence. Programmes unsuitable for
children must not be carried in the cable service at times when the largest numbers of children
are viewing.
Restrictions on Advertisements
The Advertising Code in the Cable Network Rules says that all advertising carried in the cable
service have to conform to the laws of the country and should not offend morality, decency
and religious susceptibilities of the subscribers. The code says that no advertisement shall be
permitted which:
• Derides any race, caste, colour, creed and nationality
• Is against any provision of the Constitution of India
• Tends to incite people to crime, cause disorder or violence, or breach of law or
glorifies violence or obscenity in any way
• Presents criminality as desirable
• Exploits the national emblem, or any part of the Constitution, or the person or
personality of a national leader or a State dignitary
• In its depiction of women violates constitutional guarantees to all citizens
• Projects a derogatory image of women. The Rules say that women should not be
portrayed in a manner that emphasises passive, submissive qualities and encourages
them to play a subordinate, secondary role in the family and society. The cable
operator is supposed to ensure that, in the programmes carried in his cable service, the

156 | New Technology Laws With Special Reference To Cyber Laws

 portrayal of the female form is “tasteful and aesthetic, and is within the well-
established norms of good taste and decency”
• Exploits social evils like dowry, child marriage
• Promotes directly or indirectly the production, sale or consumption of cigarettes,
tobacco products, wine, alcohol, liquor or other intoxicants, infant milk substitutes,
feeding bottle or infant food.
The Rules prohibit advertisements that
• Are wholly or mainly of a religious or political nature or directed towards any
religious or political end
• Contain references that hurt religious sentiments
• Contain references that are likely to lead the public to infer that the product
advertised or any of its ingredients has some special or miraculous or supernatural
property or quality, which is difficult of being proved
• Contain pictures and audible matter of the advertisement that are excessively loud
• Endanger the safety of children or creates in them any interest in unhealthy practices
or shows them begging or in an undignified or indecent manner
• Contain indecent, vulgar, suggestive, repulsive or offensive themes or treatment 171
• Contain advertisements that violate the standards of practice for advertising agencies
as approved by the Advertising Agencies Association of India, Bombay, from time to
time
All advertisements should be clearly distinguishable from the programme and should not in
any manner interfere with the programme – for example, the use of lower part of screen to
carry captions, static or moving, alongside the programme.
In March 2008, the Central Government amended the Cable Television Network Rules
through a gazette notification to ban ‘surrogate advertisements” to prevent tobacco and liquor
brands from sidestepping the law. According to the notification, no advertisement that permits
“directly or indirectly sale or consumption of cigarettes, tobacco products, wine, alcohol,
liquor or other intoxicants.”172

171
Political and religious groups are banned from owning FM channels, but apparently, they are
allowed to own TV channels. The eligibility criteria are listed in the Uplinking and Downlinking
Guidelines.
172
This amendment is aimed at removing the leeway given to cigarette and liquor companies in a 2006
amendment that allowed advertisements that shared a brand name or logo with any tobacco or liquor
product with several caveats. No reference, direct or indirect, could be made to the prohibited products
in any form, and the “story board” or visual could depict only the product being advertised”. Besides
allowing nuanced references, the “relaxed regime” mandated that advertisements could not use certain
colours, layout presentations or situations associated with the prohibited products. The Government had
relaxed its rules in view of the blatant violation of the ban on tobacco and liquor advertisements by
which companies that launched new products like soda and glasses to circumvent the Advertising Code
157 | New Technology Laws With Special Reference To Cyber Laws
Indecent Representation of Women Act
include specific provisions relating to the representation of women on television, in May 2008
the National Commission for Women initiated a process seeking to modify the Indecent
Representation of Women (Prohibition) Act, 1986 on the ground that its scope needed to be
widened to include the expanded electronic media and cyberspace.38 The amendments,
apparently proposed by the Ministry of Women & Child Development, Government of India,
were posted on the NCW website for comment and seminars were held in different cities to
discuss the proposals.173 The main recommendations comprise amendment of Section 1 of the
Act to make the definition of ‘derogatory representation of women’ wider and increase in the
punishment prescribed for violations.174
Use of Conditional Access Systems in Cable Networks:
In December 2002, Parliament enacted an amendment to the Cable Networks Act requiring
consumers to use ‘addressable systems’ to access premium and pay channels through cable
networks.175
Addressable systems are also called ‘conditional access systems’ (CAS) or ‘set-top boxes.’
The amendment provided that cable subscribers receive a basic package of channels that had
to include a mixture of entertainment, information, and educational programmes. The
government may fix the total number of free-to-air channel to be included, and the maximum
amount that cable operators may charge subscribers in the basic service tier.176
Following a 2003 Amendment, the Central Government announced a series of measures to
implement the CAS framework, including a 2003 notification that required cable operators in
Chennai, Mumbai, Delhi and Kolkata to transmit pay channels only though addressable
systems.177 Operators were given six months to procure the necessary equipment to implement
this requirement. Through a separate notification, the government ordered cable operators to
offer a minimum of 30 free-to-air channels in a basic package to be priced at Rs. 72.178 The
Government also amended the Cable Network Rules to regulate rentals and security deposits
for set-top boxes.
While broadcasters and Multi-Service Operators (MSOs) welcomed the introduction of CAS
framework, consumers were outraged at the prospect of paying special rates for premium

of the Cable Television Network Rules. See “Government Bans Surrogate Advertisements,” The Hindu,
March 18 2008, http://www.hindu.com/2008/03/18/stories/2008031854721300.htm
173
Existing Provisions and Amended provisions of the Indecent Representation of Women (Prohibition)
Act, 1986: http://ncw.nic.in/Comments/Indecent_representation.pdf
174
‘Indecent Proposals’ for a critique of the NCW’s proposal to modify the 21-year-old law:
http://infochangeindia.org/200806257188/Women/Analysis/Indecent-proposals.html
175
Cable Networks (Amendment) Act (No 2 of 2003) published in the Official Gazette on 1 January
2003.
176
Telecom Regulatory Authority of India (TRAI) Draft Recommendations on Restructuring of Cable
TV Services, July 15, 2008,
177
Ministry of Information and Broadcasting, ‘Notification on Addressable Systems’, Gazette of India,
14 January 2003
178
Ministry of Information and Broadcasting, ‘Notification on Free-to-Air Channels’, Gazette of India,
7 May 2003
158 | New Technology Laws With Special Reference To Cyber Laws
channels. Local cable operators were also upset as they feared loss of revenue from cable
subscribers who would elect to receive only the basic package of free-to-air channels.
The government was thus forced to announce an indefinite delay in the introduction of CAS in
Delhi. Soon the matter was taken to the Delhi High Court [Jay Polychem v Union of India
(2004) IV AD 249 (Del)]. In December 2003, the Delhi High Court ordered the introduction
of the CAS framework in Delhi on a trial basis for three months.179
In January 2004, the Government referred the matter to TRAI. For this purpose the
government issued a notification under section 11(1) (d) of the Telecom Regulatory Authority
of India Act entrusting additional regulatory functions to the Authority. In a separate
notification, the government revised the definition of ‘telecommunication service’ in Section 2
(1) (k) of the TRAI Act to include broadcasting and cable services within this definition. This
meant that TRAI could now regulate broadcasting and cable service as telecommunication
services and the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) could
adjudicate upon disputes relating to this service.
Following TRAI’s recommendations, the Central Government suspended the notification of
the CAS framework in February 2004. However, the matter did not end here. A single judge
of the Madras High Court stayed the government’s suspension notification in March 2004.
This was followed by the Delhi Court ordering the government to reintroduce the CAS
framework within four weeks. The Central Government then issued amendments to the Cable
Network Rules in the metro areas. 180
The amendments established a detailed regulatory scheme to reintroduce the CAS framework
in areas notified by the Central Government. Rule 11(5) of the Cable Network Rules prohibits
MSOs from offering cable services in the notified areas without the Central Government’s
permission. The Ministry of Information and Broadcasting may grant or refuse permission
after taking into account factors like the MSO’s operational area, the number of subscribers
and local operators in the area, commercial arrangements with broadcasters and cable
operators, financial strength, management capability, security clearance, the MSO’s ability to
supply and maintain adequate set top boxes.181
Every broadcaster is required to declare whether each of its channels is either pay or free to
air, and the maximum retail price of each of the ‘pay channels.’ If TRAI believes that the
declared price for a channel is too high, it may revise the price of the channel. It has the option
of fixing retail price ceiling for all pay channels.
Rule 9 of the Cable Network Rules empowers TRAI to take decisions regarding:
• ƒ Standard interconnection and distribution agreements to be used for pay and freeto-
air channels between broadcasters and MSOs, and MSOs and cable operators ƒ

179
Consumer Coordination Council v Union of India CWP No 8993-8994 of 2003 (Del, 26 December
2003).
180
Telecom Regulatory Authority of India (TRAI) Draft Recommendations on Restructuring of Cable
TV Services, July 15, 2008,
181
Ministry of Information and Broadcasting, Cable Television Networks (Second Amendment) Rules
2006.
159 | New Technology Laws With Special Reference To Cyber Laws
 • Ceilings for security deposits and monthly rentals charged for set-top boxes ƒ
• Tariffs for the basic service tiers of cable services and minimum number of freeto-air
channels ƒ
• Quality of service standards182
TRAI released comprehensive recommendations on broadcasting and cable services in
October 2004. It recommended that there should be no regulation on advertisements in free-to-
air and pay channels. But it proposed a suitable amendment to the Cable Networks Act to
enable the government to regulate advertisements, if necessary. It called for strengthening the
functions of authorized officers under the Cable Networks Act and recommended that they be
made responsible for registering cable operators. Based on a detailed study of various cable
technologies, TRAI suggested that the government consider ‘traps’ as an alternative to set top
boxes for distribution of cable channel. Traps were cheaper than set-top boxes, and could be
used as a transitory arrangement.
TRAI proposed three alternative models for the future regulation of the cable industry. The
first model did not envisage a mandatory CAS framework. The second would use the system
of traps as a mandatory arrangement, and the third envisages a mandatory arrangement with
CAS.
TRAI Recommendations on Restructuring of Cable TV Services, July 2008
In July 2008 TRAI issued draft recommendations relating to the restructuring of Cable TV
services in order to “ensure effective licensing compliance, attract investment, facilitate new
value added services and encourage digitisation.”48 It provided a deadline of only a week for
comments on the draft.
The most significant recommendations propose the replacement of the present system of
registration for Local Cable TV operators (LCOs) with a licensing framework, and the
creation of a separate licensing provision for Multi-System Operators (MSOs), thus
recognising them as separate entities from local cable TV operators.
The recommendations also include changes in the licensing authorities, the geographical
boundaries of service areas permitted under such licenses, the duration of licenses, the
documents to be submitted along with applications for licenses, the entry fee and
administrative cess to be levied, the time frame for the grant of licenses, procedures for
renewal as well as termination/cancellation/suspension of licenses, mechanisms for the

182
7 Since the MIB grants uplinking permission, all the technical parameters are specified by the MIB
in its uplinking guidelines. But the oversight of the channel on technical parameters is undertaken by
TRAI, since this is the body that has jurisdiction over spectrum allocation decisions. Oversight of the
channels on content issues is undertaken by the MIB, though there is no law that empowers them to do
this – other than the content code, which is applicable to the cable operators and not to the channels. But
the provisions of the law are broad enough to allow a district magistrate to bully a local cable operator
into doing his bidding, for any real or perceived violation of the content code. So there is a multiplicity
of controlling bodies, with unclear jurisdictions. And a part of the problem is that they’re always
engaged in mutual jealousies and bureaucratic turf battles
160 | New Technology Laws With Special Reference To Cyber Laws
redressal of subscriber complaints, responsibility for violations of rules and regulations
relating to content, and technology (e.g., digitisation vs. analog transmission).
The154-page document includes a preface and introduction that provides an interesting useful
condensed history of the advent and growth of cable television in India, with the latest data
available on the subject.
Film Certification under the Cinematograph Act
The Cable Network Rules and the Uplinking and Downlinking Guidelines require cable
operators and broadcasters to comply with the Cinematograph Act in determining their
programme content. The Central Board for Film Certification (CBFC) certifies films based on
the Cinematograph Act framework. Films are certified as ‘U” (unrestricted exhibition), UA
(parental supervision), A (restricted supervision), depending on the content. The grounds for
denial of certification are laid down in Section 5 (B) (1): “the film or any part of it is against
the interests of the security of the State, friendly relations with foreign States, public order,
decency or morality, or involves defamation or contempt of court or is likely to incite the
commission of any offence.”
INFORMATION TECHNOLOGY ACT 2000
The Information Technology Act was enacted in 2000 to deal with a number of issues that
arose from the increasing use of the Internet in commercial transactions, and to bring this
emerging technology into the scope of the law. While the Act was not aimed at regulating the
broadcast sector, it will have an impact on the content of broadcast service providers that use
the Internet to broadcast material. Also, with an increasing number of broadcasters using
websites to telecast material (webcasting), the Information Technology Act has become
relevant to the broadcast sector.
The provision in the IT Act that would be most relevant to broadcasters is Section 67, which
deals with “publishing of information which is obscene in electronic form.” The section seeks
to punish “Whoever publishes or transmits or causes to be published in electronic form, any
material which is lascivious or appeals to the prurient interest or if its effect is such as to tend
to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to
read, see or hear the matter contained or embodied in it.” The punishment for a first time
offence is imprisonment of up to five years, and fine of up to one lakh rupees, and for a second
or subsequent conviction, with imprisonment of up to ten years and a fine of up to two lakh
rupees.
This restriction on content is similar to the restrictions laid down by the Indian Penal Code,
and the ‘Hicklin test’183 that has been adopted by Indian courts. It remains to be seen how this
provision will be applied in practice.

183
The 1868 English case R v. Hicklin or the Hicklin test which defined obscenity as matter which had
the tendency :“to deprave and corrupt those whose minds are open to such immoral influences and into
whose hands a publication of this sort might fall. … it is quite certain that it would suggest to the minds
of the young of either sex, or even to persons of more advanced years, thoughts of most impure and
libidinous character”
161 | New Technology Laws With Special Reference To Cyber Laws
It is significant that the proposed Broadcast Bill 2007 defines ‘broadcasting’ widely so that it
is possible to interpret it to include Internet technology. The Act defines “Multi System
Operator (MSO)” to mean “any person who manages and operates a multi-system cable
television network to provide a cable television service to multiple subscribers, which may or
may not include other value added services including telecommunications and Internet.”
Regulation of Competition
A serious implication of convergence is the possibility of an increase in media holdings, which
may have several adverse consequences on competition within media markets. Media
monopoly could significantly affect the kind of information flows that a free media makes
possible. In the US context serious anti-trust concerns have been expressed over the kinds of
mergers and acquisitions that have taken place in the media field.
Uplinking Guidelines (December 2005)
The Ministry of Information and Broadcasting initially permitted the uplinking of television
programmes in 1998, but only through the facilities of the then public sector Vidhesh Sanchar
Nigam Ltd. (VSNL). In March 1999, Indian broadcasters were authorized to use their own
uplinking facilities through the C band without having to rely exclusively on VSNL. A few
months later, a group of ministers recommended that the government further liberalise
uplinking rules to ensure that television channels were properly regulated. 184
In July 2000, the Ministry notified the “Guidelines for Uplinking from India”. This was
followed by “Guidelines for Uplinking of News and Current Affairs TV Channels from India”
in March 2003, (amended in August 2003), “Guidelines for use of Satellite News Gathering
(SNG)/Digital Satellite News Gathering (DSNG)” in May 2003 and addendum dated 1.4.2005
to the Uplinking Guidelines. On 20 October 2005 the Government further amended the March
2003 guidelines.
In order to gather all this into one set of guidelines, the Government notified the consolidated
Uplinking Guidelines, in supercession of all previous guidelines. That came into effect from 2
December 2005 and is applicable to all existing channels.
The Guidelines classify uplinking into three categories:
1) Companies that provide uplinking facilities, such as hubs and teleports. These can only
transmit television channels that have been authorized by the MIB

According to the Indian Supreme Court, there are 3 aspects to the obscenity test: - the material is
offensive to decency and modesty and has the effect of depraving and corrupting - having regard to
community mores, the text is without a preponderant social purpose or profit - the material is not
redeemed by artistic merit or literary defence. The Court has thus moved away from the primary focus
Hicklin on the effect of depraving and corrupting , and has added that obscenity also includes concerns
of decency and modesty. A piece of work, would thus be offensive if it involved treating sex in a way
that appealed to ‘the carnal sides of human nature’ or had such a tendency. The Court held that such
treatment of sex was offensive to modesty and decency, ‘as judged by national standards, and
considered likely to pander to lascivious, prurient, or sexually precocious minds.’
184
Ibid
162 | New Technology Laws With Special Reference To Cyber Laws
2) Television channels that use uplinking facilities (including that cover news and current
affairs)
3) News agencies channels that use uplinking facilities (including that cover news and current
affairs)
General Terms and Conditions:
The company should be registered in India. Once the applicant is found to be eligible, the
application is sent for security clearance to the Ministry of Home Affairs, and for further
clearance to the Department of Space.
Uplinking is allowed in the C band and the Ku Band. Uplinking in the C band is allowed for
both Indian and foreign satellites, but the government gives preferential treatment for
proposals involving use of Indian satellites. This band cannot be used for DTH services
without obtaining a separate license.
An entity engaged in uplinking must comply with the programme and advertising codes issued
under the Cable Television Regulation Act and Rules framed under the Act.
It must retain a record of uplinked materials for a 90-day period, and produce these to
government agencies on request. It must allow these agencies to inspect its facilities and
furnish necessary information to the Ministry of Information and Broadcasting from time to
time. The company has to provide, at its own cost, facilities to the Ministry or any other
government agency for monitoring of programmes. It has to comply with terms and conditions
of the Wireless Operational License issued by the WPC Wing, DoT.
The Ministry has the right to suspend the company’s permission for a specified period in
public interest or in the interest of national security. The Ministry’s permission is needed
before any changes are made to the CEO/ Board of Directors
Offences and Penalties:
If a channel/teleport/SNG/DSNG found to be disseminating objectionable or unauthorized
content, messages, or communication inconsistent with the public interest or national security
or failing to comply with the directions issued by the Ministry of Information and
Broadcasting, the permission granted can be revoked and the company disqualified to hold
any such permission for a period of five years.
Permission for setting up of up linking hubs/teleports
Foreign equity holding in an applicant company has to be less than 50 per cent. Applicant
companies are also required to pay processing fee of Rs. 10,000 and, after being held eligible,
the applicant company must pay a permission fee at the rate of Rs. five lakhs per teleport.
DTH GUIDELINES
Direct-to-Home (DTH) Broadcasting Service refers to the distribution of multi-channel TV
programmes in Ku Band by using a satellite system to provide TV signals direct to
subscribers' premises without passing through an intermediary such as cable operator. While
the Central Government had initially banned DTH services in India, it legalized them after a

163 | New Technology Laws With Special Reference To Cyber Laws

high level group of ministers studied the matter. Subsequently, the Central Government passed
guidelines regulating DTH in India63 and withdrew the prohibition on the reception and
distribution of television signal in Ku Band.185
Eligibility Criteria:
The applicant company has to be registered in India. The total foreign equity holding in the
company should not exceed 49%; the FDI component in this foreign equity should not exceed
20%. The applicant company must have Indian Management Control with the majority
representatives on the board as well as the Chief Executive of the company being resident
Indians186.
Cross-ownership restrictions:
Broadcasting companies and cable network companies cannot collectively own more than
20% of the total equity of applicant company at any time during the license period. Similarly,
the applicant company cannot have more than 20% equity share in a broadcasting and/or cable
network company.
Period of license:
License will be valid for a period of 10 years from the date of issue of wireless operational
license by the Wireless Planning and Coordination Wing of the Ministry of Communications.
However, the license can be cancelled/suspended by the Licensor at any time in the interest of
the Union of India.
Fee:
The applicant has to pay an annual fee equivalent to 10% of its gross revenue as reflected in
the audited accounts of the Company for that particular financial year -- within one month of
the end of that financial year. In addition, the applicant has to pay the license fee and royalty
for the spectrum used, as prescribed by Wireless Planning & Coordination Authority (WPC),
under the Department of Telecommunications.
Content Regulation/Prohibition/Monitoring
The applicant cannot carry any channels prohibited by the Ministry of Information &
Broadcasting. The applicant has to ensure that its facilities are not used for transmitting any
objectionable or obscene content, messages or communication inconsistent with the laws of
India. The use of the facility or service for anti-national activities would be construed as an
offence punishable under the Indian Penal Code and applicable laws and it will result in the
immediate termination of the License
The Ministry of Information and Broadcasting reserves the right to prohibit the transmission
or reception of programmes in the interest of national security or in the event of
emergency/war or similar type of situation. Regardless of any agreement between the
applicant and the content providers, the applicant has to stop the transmission of TV channels

185
Guidelines for Obtaining License for Providing Direct-To-Home (DTH) Broadcasting Service in
India,
186
Notification No. GSR 18 (E) dated 9 January, 2001 of the Department of Telecommunications.
164 | New Technology Laws With Special Reference To Cyber Laws
or any content, as and when directed to do so by the Ministry of Information and Broadcasting
or any other designated lawful authority.
The applicant has to provide the necessary facility for continuous monitoring of the DTH
broadcasting service at its own cost. The applicant must maintain the recordings of
programmes and advertisements carried on the platform for a period of 90 days from the date
of broadcast and produce the same to the Ministry of Information and Broadcasting, or its
authorised representative, as and when required.
The applicant cannot use any equipment which are identified as unlawful and/or render
network security vulnerable. All foreign personnel likely to be deployed by way of
appointment, contract, consultancy, etc., by the applicant for installation, maintenance and
operation of its services must obtain security clearance from the Government of India prior to
their deployment.
Bringing OTT platforms under government control
The OTT platform in India is regulated less as compared to its offline counterparts like films
and television. This gives the platforms creative freedom which allows the platforms to cater
to the needs of the masses with films brought to the platform from all across the globe. OTTs
do not have any special regulations or legislations in terms of foreign programmes and Indian
content. There is no discrimination and the same codes and rules are applicable throughout in
terms of content regulation of the programmes.
According to a national survey, the online content industry has an estimated value of INR
4000 crores with a viewership of more than 17 crores from OTT platforms alone and all of
these are regulated with little or no scrutiny. The Supreme Court issued a notice to the Centre
in October 2020 to the Centre by way of a PIL where the petitioners demanded the creation of
an autonomous regulatory system for online content. Over the years, the judicial approach has
been such that online content would not fall under the ambit of the Cinematography Act, 1952.
In parallel, several OTT platforms and operators like Hostar, Netflix are increasingly adopting
self-regulation codes.
Currently, the Electronic Media Monitoring Centre, which was set up in 2008, is entrusted
with the work of monitoring content on TV. It puts out reports on violations of the Programme
Code.
Foreign productions
The entry of foreign and private broadcasters was a result of liberalization in the 1990s. There
was a huge surge in the number of channels. Entrepreneurs set up small cable TV networks
and began broadcasting local video channels including music videos within neighbourhoods.
Satellite television and the launch of channels by CNN, Zee and STAR led to the birth of
national multi-system operators (MSOs) and local cable operators (LCOs)
Foreign investment in the TV industry is subject to sector caps and the regulatory guidelines
as may be prescribed from time to time. India has entered into film co-production treaties with
the United Kingdom, Italy, Brazil, Germany, France and New Zealand. The Ministry of

165 | New Technology Laws With Special Reference To Cyber Laws

Information and Broadcasting is the body that is responsible for creating, administering laws,
rules and regulations relating to information, broadcasting of films and press.
It also regulates international co-operation in films, broadcasting and its foreign counterparts
on behalf of the government of India. The programs should not be in violation of the Program
Code issued under the provisions of the Cable Television Network (Regulation) Act, 1995.
The Indian Broadcasting Foundation laid down its “Content Code and Certification Rules,
2011” which provide for a BSP (Broadcast Service Provider) to ensure that all programmes
are self-certified by each broadcaster as:
1) Generally Accessible; ‘G’
2) Restricted Access; ‘R’
The former can be aired at all times while the latter has a window from 11pm to 5am. It is the
duty of the Broadcast Service Provider to obtain prior certification from the Central Board of
Film Certification for all films, including foreign films, music videos, albums, trailers, etc and
shall broadcast them on television or radio only after such certification.
There are not any specific legislation as such which talk about regulation of foreign-produced
programmes and the same is governed by the regulations and codes prescribed by the
domestic legislation. The Ministry of Information and Broadcasting along with The Telecom
Regulatory Authority of India regulate the content of such programmes.
The Cable Television Networks (Regulation) Act of 1995 made the Rules introduced in 1994
binding on all cable networks which are either downlinked to or uplinked from, India, which
include foreign programs as well.

166 | New Technology Laws With Special Reference To Cyber Laws

 CHAPTER 9

GENETIC AND MEDICAL

TECHNOLOGIES
The increased use of biotechnology for numerous categories of common products
(pharmaceuticals, foods, agricultural chemicals, etc.) has an ever increasing impact on our
society. In the medical/pharmaceutical field, biotechnology signifies a drastic change in the
approach to drug discovery, research and development, diagnosis, and disease management.
The basis of replication, transcription, translation, recombinant DNA technology, and
production of altered genes are defined. Examples of biopharmaceuticals, i.e., enzymes or
regulators of enzyme activity, hormones or hormone-like growth factors, cytokines, vaccines,
monoclonal antibodies, and gene transfer in humans are discussed.
What are Genetic Technologies?
Genetic technology has been emerging in the form of genetic testing. This means that there are
tests that identify the variant of a gene one has inherited. They have a variety of uses which
include diagnosis of rare diseases and services that are commercial that would provide the
medical history and human history of the families. But the rapidly developing field is the
analysis of the DNA (Deoxyribose Nucleic Acid) which is being conducted on a large
number of people to improve their lifespan187.
Genes are the biological functional units of cells, of all living organisms. The human genome
has been decoded further since the past decade, and this has begun to influence our biology
and technology in elementary. There’s a birth of many difficult ethical issues, as a result of
these Genetic Technologies such as in fields of genome, robotics, nanotechnology, synthetic
biology and neuro-technology. These issues are expected to become the core foundation of the
legal and lethal forces of the government and will also, help non-governmental organizations
in the future.
The study of genomes that is basically the totality of all information of genes of an organism
has acquired enormous importance in the present day and a more important field is Genetic
Engineering, also known as Genetic manipulation or Genetic modification. India is a signatory
of the Cartagena Protocol on Biosafety. However, it is yet to be included in the national
regulations of the country. However, the biggest question of debate here is the future of these
new technologies and the procedure of dealing with it.
The traditional plant breeding process is a time-consuming process, they are more certainly
unable to cope with the changing environment, climate and water supply. Thus, the Gene

187
https://onlinelibrary.wiley.com/doi/abs/10.1111/j.1467-8519.2007.00564.x
167 | New Technology Laws With Special Reference To Cyber Laws
modification or alteration technologies are relatively fast processes, they facilitate easy
replication and mass production of the crops and plants. No one can deny the risks caused by
these advanced technologies but, amidst this technological revolution, scientists have found
their way, to empower the plants with the desired traits as per the location188.
Categories of Genetic Technologies
Three main categories have been recognized regarding the concern of the application of
genetic technology. These are:
• Human Cloning
Human cloning refers to the formation or the creation of the human embryos or genetically
modified human children who are identical to their living and dead parents. There have been
even more categories of human cloning technologies189. These are:
1. Research cloning- It means that the embryos of humans are used for the purpose
of experiments. The clonal human embryo shall be used for this purpose. This
form of cloning is also known as Somatic Cell Nuclear Transfer (SCNT). In the
case of SCNT a nucleus, which is in the form of a Somatic cell (which could be a
muscle cell or a skin cell), gets transferred to a female egg from which the genetic
cloning material was removed. Towards the end of the process, the clonal embryo
gets produced.
2. Reproductive cloning- It means that a clonal embryo is created, but it is not used
for experimental purposes. The clonal embryo obtained in this case will be used
for implantation into a woman’s womb and brought to the terms as a human
child. Embryonic stem cell cloning research, involves research cloning. Thus, it
must be considered since it does not involve any sort of modification or trait
selection of genes.
• Gene Trait Selection
This form of trait selection refers to the selection of the eggs, sperm, or embryos that contain
the genes that have been associated with certain traits. In the said process, the desired sperm,
eggs, or even embryos that carry the interest are used to create the child of the humans.
However, in the current process, the genetic selection may be used for non-medical related or
medical-related purposes. For example: In the case where medically-related genetic selection
takes place, also known as Preimplantation Genetic Diagnosis (PGD) and a single set of
zygotes which were created through in-vitro fertilization are tested for the genes which cause
cystic fibrosis or any other disease and only those zygotes which are free from those diseases
or cysts are allowed to initiate a pregnancy.
• Human Genetic Modification
The genetic modification of human beings can take place potentially at the therapeutic level or
even at enhancement levels. At the therapeutic level, it can be seen that the illness or the

188
https://www.researchgate.net/publication/326501205_Regulation_of_emerging_gene_technologies
189
http://dbtindia.gov.in/sites/default/files/Draft_Regulatory_Framework_Genome_Editing
168 | New Technology Laws With Special Reference To Cyber Laws
deficiency in a person gets cured. At the level of enhancement, the condition of the health of a
person is known to get better than the average person. The genetic modification can either be
done at somatic or germline levels. The modifications made at the germline level can be
passed on to all the succeeding generations. Therefore, in the area of human genetic
modifications, there are four possibilities that tend to exist namely, the somatic therapy, the
somatic enhancement, the germline therapy, and the germline enhancement.
• Somatic Therapy- It is a way by which the good genes of a person are
transferred to the cells of the body to improve the rate of recovery if a person is
said to suffer from diseases such as immunodeficiency or any cysts that have
been formed inside his body. It is considered to be ethical and acceptable and has
been used to treat patients with leukaemia.
• Somatic Enhancement- It is a way by which a new gene is inserted into the
muscle of the person or the person’s lung tissues. The person is generally an
athlete who is indulged in various sports activities to increase their respiratory
capacity. Although these kinds of enhancement have not been carried out in
humans to date. This has been considered as unethical as it could render changes
into the human body and produce new forms of inequality.
• Germline Therapy- In this kind of therapy, it is practically possible to insert the
healthy genes into the embryo that has the genes which contain the diseases such
as cystic fibrosis. But, these techniques are still being developed and have not
been tried on human beings as of yet. This therapy has been widely appreciated as
it helps people recover from diseases without altering their functions.
• Germline Enhancement- In this kind of process, genetic modification, like the
somatic enhancement is attempted in the muscle cell or the cells of the lungs at an
early stage when the embryo has just been developing. This improves the
respiratory functions of the body in the child that results from the mutated
embryo. The process would be similar to that of the somatic enhancement.
However, it has been suggested that the children born out of this might have extra
cognitive behavioural traits that would make them distinct from the regular
human species causing them to have emerged as a new-subspecies of homo
sapiens that cannot breed with the general human beings. Thus, this treatment is
generally viewed as a very dangerous form of treatment as it would result in the
mutation and alteration of human beings, though making them potentially
stronger, but also a civil threat. Changing the nature and form of human beings
may have such consequences that can not be predicted at this stage.
Significance on Development
The research and studies on the Genes or the genome data have anticipated that the decoding
of the human genome and by gaining detailed knowledge about them, there’s a possibility for
new advances and avenues in biotechnology and the world of medicine. The UNESCO
International Bioethics Committee had its committee established, to draft the regulations

169 | New Technology Laws With Special Reference To Cyber Laws

and guidelines on the human genome.190 It is an international declaration on human genetics,
its meetings reflect the basis of obtaining this international support and the time analysis of
when they worked independently.
Genetic tests and technology is slowly emerging as an essential component in the
biotechnology and healthcare sector. They are establishing as the means, to find the treatment
to the difficult diagnoses and detect the persons, who are vulnerable to risks before even
actually suffering from the disease. By using the genome-editing or altering process
technology, the need is to correctly mutate the human embryos, so that they can possess the
genes from their parents. 191
Within a very short span of time, the Genome Editing Technology has increased its potential
application areas, in a wide range of sectors. The increasing research and experiments in this
field have been successful, in understanding the basis of biology, under the strict oversight
monitoring and ethical training in some countries. The basic pair modification of genes is
combining it with a foreign gene insertion. As a consequence, the product of this
modification/alteration may have many undetectable traits, when compared to its parent
mutant. These traits are usually dependent on the nature-identical mutant gene. So, this current
nucleus used for gene experiments are not completely error-free but, it may achieve some off-
target goals in the meanwhile as well.
Application Areas of Genetics Technologies
The main categories of application of the Genetic Technologies are Human Cloning, the
process of creation of genetically identical human children or embryos from their dead or
living parents. The Genetic Trait Selection, which refers to the special selection of sperm,
embryos, eggs that embrace the genes of, which they are related or associated with. Whereas
the alter, manipulation, or change of the genes in body cells of a living human is known
as Genetic Modification.
The world has a special consensus over this Genetic Technological advancement. The issues
of these applications have gained their places in the headlines of many newspapers and
magazines, from the past few decades now. The identifying, sequencing of these genes
influences the vast amount of gene data that has been in circulation as the ‘genomics
revolution’. This offer to promise, the improving development in living organisms and human
health.
The techniques like Genome Editing Technology has increased the productivity of the
agricultural sector and advances its yielding. The results, to meet the constantly rising demand
for food security and food availability, by constantly protecting the biotic traits of it. This
diversity is also reflected in the government’s long term plans for advanced technology,
toward protecting the scientific benefit of this knowledge.
The judicious use of advanced genome technology has variedly increased its application areas.
Other application areas of the Genetic Technology are microbial technology, livestock

190
https://academic.oup.com/jlb/article/6/1/1/5489401
191
http://bch.cbd.int/protocol/
170 | New Technology Laws With Special Reference To Cyber Laws
breeding, improved crop, and plant protection, human and animal health care, bio-economy,
and agricultural sector. The new and advanced Genetic Technology promises humankind, its
security, and protection against the various infectious and non-infectious diseases.
Impact
The rapid growth and influential impact of Genetic Technologies, have made it of primary
importance. Therefore, the leading leaders of the world have to pay their recognition, to the
advanced development in this field. They further promote it, to face the standing challenges
with new technologies, in the modern world in the areas of interests like law, policies, history,
and ethics. This makes it an important oversight in both national and international degrees.
Although, some countries have already embraced the available, comprehensive policies of
their government on the much-debated Genetic Technologies. But, most of them still remain
undecided on this matter. The recent boom in technology has improved the accuracy of
genetic analysis, trait testing, and modification, but eventually led to the reduced cost of these
areas. The wide interests and diversity have minimized the privacy goals for these genetic
data. The ways in which these genetic data are admitted and held have made it difficult, to
develop a proper genetic privacy policy for an individual’s safety.
On one hand, the legality of these gene technology patents is at the debate, as to the isolation
of certain genes just amounts to ‘discovery’ and not ‘invention’, so it can’t be patentable. But,
other statements to this debate include the presence of a purified gene, which is ‘invention’
and not ‘discovery’. The Government of India has its compliance, with the rules and
provisions of the International treaties and agreements like Cartagena Protocol. It also
proposed the enactment of the National Biotechnology Regulatory Authority
through the Biotechnology Regulatory Authority of India (BRAI) Bill, 2013. However, in
the past few years, it has suffered great opposition from farmers and many NGO’s.
Legal Aspect
India did have a systematic and structured regulation regarding the framework of the genetic
technology for the biosafety of the individuals and the researchers and still has an ongoing
approach for it. There is also a structured framework for the biosafety of genetically modified
organisms (also known as GMO) who are not human beings. India was one of the first few
countries to introduce development in the field of biosafety regulatory systems for genetically
modified individuals back in 1989. The main rules for all the activities related to the biosafety
of the GMOs are mentioned in the Environment (Protection) Act, 1986. There have also been
other rules and regulations that have been applicable to such genetically mutated organisms.
In India, genetically modified organisms (GMO’s) come under the regulation of the Ministry
of Environment, Forest and Climate Change and is notified under the rules of the. The
patentability of genes is still a matter of debate in the country but, the Indian Patent Office that
grants the patents has understood the different standards for patents of a nucleotide sequences.
The Genome Technology have inferences to the International treaties and agreements, like
the Cartagena Protocol on Biosafety to the Convention of Biological Diversity. The Gene
Patents under Section 3(c) of the Patents Act, 1970 includes the patenting for the discovery of

171 | New Technology Laws With Special Reference To Cyber Laws

any substance, whether living or non-living in nature. As per Section 3(j) states that the plants
and animals as a whole unit are not patentable.
Other such applicable laws are: The Biological Diversity Act, 2002; Seed Act,
1966; Protection of Plant Varieties and Farmers Rights, 2001; Food Safety and Standards Act,
2006; Disaster Management Act, 2005; The Unlawful Activities (Prevention) Act,
1967; Weapons of Mass Destruction and Their Delivery System Act, 2005.
Rules of Genetic Technology, 1989
In India, the Ministry of Environment, Forest and Climate Change had introduced the
Environment Protection Act in 1986 as a legislation that provides a holistic framework to all
the laws regarding the environment. After that, a series of rules were made to address the issue
related to genetic technology.
They introduced the rules for the manufacture, import, export, use, and storage of hazardous
microorganisms, organisms or cells that have been genetically engineered. The power has
been given by Regulation of Genome Engineering Technologies in India. They apply to any
product, foodstuffs, substances, etc of which the cells, organisms, or the tissues hereof form
the part. The new gene technologies apart from genetic engineering have also been included.
There have been six competent authorities that have been notified under these Rules to look
into the matters related to gene technology. These are:
1. Recombinant DNA Advisory Committee (RDAC)- This committee takes note
of the developments in the field of biotechnology at the national and international
levels. The RDAC is an advisory committee that has been instituted to give
recommendations from time to time on safety regulations and had prepared
guidelines for the biosafety of the GMOs.
2. Institutional Biosafety Committee (IBSC)- It has been mandated that each of
the institutions that intend to carry out research-related activities that involve
mutation or manipulation of any living organism be it the plants, animals, or
human beings and even the microorganisms. They should constitute the ISBC.
3. Review Committee on Genetic Manipulation (RCGM)- It functions as a body
that monitors the safety-related aspect of the research that includes the on-going
research on projects that are hazardous microorganisms. RCGM has also been
mandated to bring out the specific procedure for the regulatory process with
respect to the activities that take place. The RCGM includes representatives from
all the departments of all the scientific institutions in the country.
4. Genetic Engineering Appraisal Committee (GEAC)- It is an Apex committee
that functions and has its representatives from the concerned agencies and
experts. It is responsible for the acceptance and approval of the activities that
involve large scale use of hazardous organisms and the products that are
recombinant in the research field and the industrial production from the angle of
the environment.

172 | New Technology Laws With Special Reference To Cyber Laws

 5. State Biotechnology Coordination Committee (SBCC)- This committee has
been constituted in all the States where there is research and the applications of
the GMOs are underway. SBCC has been headed by the Chief Secretary of the
State and has the responsibility of monitoring the research.
6. District Level Committee (DMC)- This committee is held at the district level, as
the name suggests. DLCs have been constituted in those districts where the
research projects take place. It takes place wherever it is required to monitor the
regulations related to safety and installation that have been engaged in the use of
the GMOs or the hazardous microorganisms. Every DLC is headed by a District
Collector along with the officers who are concerned with the public health,
environment, pollution control, etc.m at the district level.
The mechanism to interact between two committees have also been provided under the Rules
of 1989. All the IBSCs have been required to review each application and then submit their
reports to the RCGM. Post that, the RCGM will review the application and state its
recommendations for the large-scale events, activities, the field trials, and the release of the
environment to the GEAC. The DLCs are also required to submit their reports to the SBCC or
the GEAC.
In addition to that, various committees, as well as the sub-committees, and also expert
committees have been formed by the RCGM and the GEAC on the basis of the cases they
administer and each case is a part of a different sub-committee or even an expert committee.
Such committees constitute experts from various disciplines who are a part of the public sector
institutions to prepare and even review the guidelines and the biosafety data. Committees such
as the Central Compliance Committees have also been set up for the monitoring of the
confined field trials on the basis of each case192.
The GEAC supervises the implementation of the terms and conditions which have been laid
down in the connection with the approvals accorded by it. It may carry out these supervisions
with the help of SBCC, DLC, or even any other person who has been authorized by law. The
SBCC/DLC may take suitable measures against the person who fails to comply with the rules
and regulations and can also incur the expenses from the person responsible193.
Diamond v. Chakrabarty (1980) 447 U.S. 303
Facts: – The plaintiff, Chakrabarty was a microbiologist and he sought to patent a live micro-
organism, which was manmade.
Issue: – This particular human-made, genetically engineered bacterium had the capability of
breaking down components of crude oil. So, does this no natural possession makes it
significant value research? Can a live man-made micro-organism bacterium be patented?
Rule: – The United States Code (U.S.C.), Section 101 mentioning Inventions that are
patentable under Chapter 10 stating the patentability of inventions. The rules under the Plant
Patent Act, 1930 and the Plant Protection Act, 1970.

192
AM, A. (2009). Journal of Medical Ethics and History of Medicine.
193
Ahuja, V. (n.d.). Regulation of emerging gene technologies in India.
173 | New Technology Laws With Special Reference To Cyber Laws
Application: – The requirement of Article 27(1) of TRIPS agreement, which states that the
inventions always need to involve an inventive step. Which essentially means an additional
fact or knowledge, to the previously known data. It is a pre-requisite if one needs legal
protection of the investment that consumed a lot of time and effort.
Conclusion: – The U.S. Supreme Court held that there is a distinction between the existence of
living organisms in nature and the isolated organisms in nature, probably because of human
intervention. This isolation makes the information and data of the gene unique and available in
a way, that is not natural in nature, thus it should be considered an improved product. It was
held that any live, micro-organism whether man-made is a subject matter and hence,
constitutes as a matter within the statute. [6]
Harjinder Kaur and Ors. v. State of Punjab (2012)
Facts: – The respondent had an illicit relationship with the petitioner. When the petitioner
denied the physical relations with him and his friends, the respondent blackmailed him. The
respondent also tried attempting rape on the petitioner. The petitioner complained to the Police
Commissioner, Ludhiana but no action was taken in the response. Then, a direction was
released that there was no proper investigation of the case was conducted. There were no
blood grouping tests done, the DNA test of the respondent, and the child was ordered. It was
alleged that one of the friends of the respondent was posted in the near police station as well.
Issue: – Relevance of DNA testing? Whether reporters are allowed to see the court hearing?
Difference between DNA sampling and DNA profile?
Rule: – Article 20(3), Article 21 (Right to Life) of the Indian Constitution. Section
53(A), Section 182 of the Criminal Procedure Code (CPC), 1973. Section 112 of the Indian
Evidence Act, 1872. Section 452, 354, 380, and 149 of the Indian Penal Code, 1860.
Application: – Article 21 of the Indian Constitution states the right to life for individuals, it
has always considered DNA tests as a violation. Facilitation of DNA testing guaranteed by the
CPC, to prove the case in favor of the accused or otherwise.
The respondent didn’t deny being the biological father of the child of the petitioner. He neither
denied having physical contact with the mother of the child, the petitioner. The results of DNA
testing were with an accuracy of 99.99%, confirming the paternity relation with the child.
Police relied on the DNA testing results for this case and hence, turned out successful. Within
30 days of order receipt, the child and the respondent were sent for this testing in a laboratory.
The Court held that adequate time was given, to the respondents to file the reply, of the
petition against him. The matching of the DNA profiles is an essential tool to link people with
their criminal acts of injustice.
Dimensions of Genetic Privacy
The concept of ‘privacy’ has evolved over a period of time. But, there’s a question as to who,
we could trust our genetic information and how they will hold and use it, still remains in
question as well. There is a continuous debate, on whether the international guidelines on
genetic technologies are justified or not. The international approaches, to the shared genetics

174 | New Technology Laws With Special Reference To Cyber Laws

technology and biological heritage, are the sole reasons for the preserved common interests
and protect humanity in the world.
Researchers have found that individuals are more comfortable in sharing their genetic data and
information with physicians rather than researchers of any institution. There is a widely
distorted ratio that varies, in the number of people who are concerned about their genetic data
and its privacy. Informational privacy is particularly, a very important aspect of the
dimensions of genetic privacy. The significant concepts of this dimension are security,
anonymity, and confidentiality.
There is a different definition of how individuals define ‘privacy’. The scholars believe that
the law does not provide much privacy and according to the beliefs of the people as well. The
most controversial debate of all is to keep the genetic data and information as another sort of
health information. The most important information is about the DNA and its potential use
and implications for family members. This genetic information is also used in criminal justice
by the statutory provisions.
The DNA profiles have success rates in solving many criminal cases with the help of forensic
experts. Besides genetic identification, the behavioral study of these genes is used in various
stages of criminal justice. Nowadays, genetic information is a major part of admission into
many educational institutions and even for employment. A lot of health information provides
us, with oversight of the genetic health of the individual.
Medical technologies and laws
India’s medical device market according to the recent data, is US$6 Billion approximately and
is considered as Asia’s 4th biggest sector/market. The market is considered to be providing
and giving lavishing business opportunities for multi-national and for local investors as well.
In the 1990s, medical technologies were mainly composed of local investors or domestic
businessmen. Certainly, after India started getting exposure to new markets in 1991, it
changed the whole scenario. The development of devices seemed to be given an advantage to
the global markets.
In today’s scenario, Indian medical services and technology market is suppressed by
international organisations which can be proved by the data, which say that 80% of the market
is working on imported goods. On the other hand, the local investors try to focus on initiating
low budget technologies so they could meet the demands. It is shocking to see that still more
than 60% of medical technologies India’s market is being exported just because the market is
in the hands of multinational companies. Many international companies have now set their
roots in the Indian market. The motive of these companies is just to promote imported goods.
Some international companies have put their hands on domestic or local investors and created
advanced technologies like Netherland-based Royal Philips Electronics, developer of General
X-Ray and Alpha X-Ray Technologies, developer of cardiovascular X-Ray systems.
According to the data of Foreign Direct Investment (FDI), the inflow of Indian market has
increased, which shows the dominance of global investors. According to stats, there has been a
receiving of RS. 9,712 crore by the medical technology market in 2000-2017. The FDI inflow
in 2014 & 2015 was 133.96 Million and 160.24 Million, accordingly. It is further noticed that

175 | New Technology Laws With Special Reference To Cyber Laws

FDI inflow in 2016 increased by 300%, i.e., $439.01 Million. In 2020, it has increased to RS.
13,048.80 Crore( approx. $ 2,129.50).
Earlier there has been a loophole in the Indian medical industry as many of the devices had no
regulation to follow. There was no government ruling or any instructions about the devices.
Then, The Medical Device Rule, 2017 came into force to overcome the loopholes of
legislative procedure.
Statutory provisions and laws
Under the Drugs and Cosmetics Act, 1940, The Medical Device Rule, 2017 was issued. This
was to manage or regulate certain categories of situations like as follows:
1. The devices used for internal and external use for diagnosis, mitigation, treatment
or prevention of the disorder in humans as well as animals which the government
has been notifying and specifying under the DCA. Certain categories have
already been recognized.
2. Certain substances/devices which used to affect the function or structure of
humans, those as well have been recognised by the government under the DCA.
Such substances can be intrauterine, condoms, disinfectants, insecticides, etc.,
3. Substances used in surgeries like surgical (dressing, bandages, staples, sutures,
ligatures), blood and blood components bags.
4. Devices used in vitro diagnosis.
In these categories, devices/substances mentioned under (1) & (2) are those who have been
recognised by the government and mentioned in Annexure A naming “Notified Medical
Devices”. Although, the categories mentioned above come under the ambit of MDR.
Medical technologies are divided into different sections on the basis of growing risk under
MDR. However, MDR & DCA have several purposes mentioned below:
1. To maintain the export-import, distribution, manufacturing and market of notified
medical devices.
2. To maintain the allocation of devices mentioned in MDR to consumers.
3. To maintain or regulate the medical equipment under the Indian market.
However, it is thought that the government seems to be very selective about recognising the
devices. Concisely, if a device has not been rectified by the government through DCA then it
will not be regulated by MDR. The clarification of this has been made by the Central
Licensing Authority. The government contains the power to release the notification about new
medical technologies, and those will further be regulated under DCA and MDR.
Governing authorities
The state and central governments are answerable for enforcement of the Act. The CDSCO
which stands for Central Drugs Standard Control Organization is led by the DCGI which
stands for Drugs Controller General of India is permanently answerable for the acts of state

176 | New Technology Laws With Special Reference To Cyber Laws

drug licensing authorities, implementation of policies and affirming uniformity in the whole of
India. The division of accountability is mentioned below:
DCGI (Central Licensing Authority)
The DCGI has certain other duties to perform other than cooperation with state authorities,
which is mentioned below:
1. Investigation and consent of investigational medical technologies,
2. Manufacturing of class (1) & (2) which mentioned above,
3. Manages imports of all substances/devices mentioned above,
4. Acceptance of new devices in vitro diagnosis and evaluation of their
performance.
State Drug Controller (State Licensing Authority)
The Drug controlling state authority is accountable for two other matters, mentioned below:
• Manufacturing of substances mentioned under (1) & (2)
• Providing license for sales, offers of sale, open market or allocation of medical
devices by private organizations.
Manufacturing of substances mentioned under (1) & (2)
The business person or investor is required to acquire a separate license for different
manufacturing locations and for different manufacturing products in that location. The
manufacturing license for substance (1) & (2) and substance (3) & (4) will be provided by
state and central, respectively. According to the act, “ ‘manufacturing’ consists of any process
for making, altering, finishing, packing, labelling, breaking up or otherwise treating or
adopting any drug with a view to its sale or allocation.” It does not include the packaging at
the selling stage.
Providing license for sales, offers of sale, open market or allocation of medical devices by
private organizations
The provisions of NMD are consented by the central government as well as the state. The
functions of manufacture, importing, distributive functions and other medical equipment
required permissions or say licenses. But in special cases like importing and manufacturing of
new NMD, there is a need for a license from central as well as state, from their licensing
authority. The MDR had mentioned the proper formats in which the application can be made
by applicants for licenses. It has also mentioned the application form for regulatory bodies.
Imports of a medical device in India
Now the big question is how the imports work in India. Imports of medical equipment
are more complicated than other provisions of licensing and permissions mentioned above,
and there are some additional steps to it. The importing of all goods be it medical, or others
are completely controlled by the import and export policy. Now if a business person wants to
import goods in India, then he/she needs to get an Importer and Exporter code number by the

177 | New Technology Laws With Special Reference To Cyber Laws

Director-General of Foreign Trade (DGFT). The number will be printed on the documents
attached with goods for clearance. For this number, an application will be given to the Joint
Director of Foreign Trade of that particular jurisdiction. Details of the bank are mandatory.
The imports of NMD in India, as mentioned above, require an import license or permission
from DCGI. The foreign manufacturer will be making an application for itself for a
registration certificate if he/she is having a wholesale license for any purchase or distribution
of NMD or if he/she is an agent authorized in India then they should have valid permission.
When the condition comes where the foreign manufacturer does not have a valid Indian whole
license, then they tend to contact the third party to make the sale.
Now there is one other condition to manufacturers in India which is that their authorisation
must be by a power of attorney. The leftover documents required for import, which
distinguishes with the class of medical technology tends to import, includes:
1. Certificate of free sale by the country’s national regulatory authority.
2. Certified copy of quality management system issued by authority of the state for
the manufacturing site.
Laws related to trademarks
The next important concept is trademarked, now when it comes to trademarks, then Indian
Trademark law is being protected under both statutory and common law. India’s first
legislation related to trademarks was the Trade and Merchandise Marks Act, 1940. This
particular act was repealed further and came with changes as the Trade and Merchandise
Marks, Act, 1958. The act then again was considered by legislation in 1999 to do certain
changes and came with compliance of TRIPS, and then it evolved as the Trade and
Merchandise Act, 1999. It initiated the registration of three-dimensional marks and service
marks.
In India, there is a quite reliable classification of goods and services. The schedule in the rules
incorporated in TM act, 1999 contains the classification. Class 10 is covering all the medical
devices, whereas the medical & veterinary services and cosmetics are defined under class-44.
The scientific and technological related programs and research is covered under class-42.
There is a procedure in the act which allows the searching of a trademark. In this manner, a
person can reliably search the conflicting trademarks before applying it. It was known as the
concept of “well-known trademark”.
The trademark which has been registered is expected to fulfil some conditions. The act is
having provisions/grounds through which either absolutely or relatively a trademark can be
refused. The provisions of TM Act, 1999 certainly go hand in hand with UK Trademark act,
1994. The trademark is applicable if no products had been sold under applied trademark yet.
Every ten years, the applicant should go through the renewal process. Foreign manufacturers,
as mentioned above, can apply for a trademark with a permitted license from the authority.
The concept of a well-known trademark is initiated to prohibit or stop the application of a
mark that is hardly a reproductive or a copy of an already existing trademark. The trademark
which is used without registration is protected under common law but not under any statutory

178 | New Technology Laws With Special Reference To Cyber Laws

provisions. In the case of Milmet Oftho Industries v. Allergan Inc, and many other cases the
court said that imitation of international names is not acceptable even if the goods are
different. Certain companies like IBM, Apple, Microsoft had gone through trademark laws.
Control of government over the pricing of NMD
An order called Drug prices control order, 2013, which lies under essential commodities act,
1955 controls all the regulations or prices of NMD. There is a list in DPCO of certain NMD
that are listed as essentials for our country. Till date, the list is containing condoms, IUDs and
stents (coronary). The device having recognition is known as ‘scheduled formulation’, and
those who are not yet recognised are known as ‘non-scheduled formulations’. The national
pharmaceutical pricing authority is there to control the prices of these goods. The NPPA uses
the following ways for controlled pricing:
1. NPPA determines the cost of NMD, which is the average manufacturing and
lending cost. The margin of profit of manufacturers and importers is to be marked
around 50-75% by NPPA.
2. If the margin had already been fixed by NPPA, then the manufacturer cannot
surpass the limit to the retailers. The margin goes for 8-16% for the
retailer. Because the NPPA determines the pricing.
3. If the request has been made to treat an importer, as a distributor, to market
authority holders in India, then that can also be done.
4. The patients are supposed to carry the charge/invoice of their medical treatment
even if they had paid a few amounts or paid from some ‘insurance’.
Salient features of Medical Device Rule, 2017
Earlier in this article, we have talked about how in India have implemented the Medical
Device Rule, to maintain NMD. Although not more of the population knows about the
development. To understand the role of the implementation made by the legislature, we need
to understand the history of medical technologies before MDR. Earlier NMD was only all
about the ‘drugs’. This application had certain issues to it194.
In practicality, the manufacturers are supposed to have a vacuum kind of room to prevent or to
control the side effects of several chemicals or pharmaceuticals, which can be considered as a
danger to health. NMD also implements the same to safeguard the health of every
manufacturer. That procedure is mandatory, irrespective of the fact that the chemicals used are
totally safe for health and are not risky in anyways. The MDR itself defines the age of the drug
as five years. Now, what happens if a drug’s age is ten years? So, that drug as well needs to go
for an assurance check and will be fetched off from the markets in 5 years. This resulted in
great benefits as every drug a consumer is taking is well checked and furnished from above.
To make the difference between medical technologies and drugs/pharmaceuticals, the MDR
was created. Certain classes are mentioned as follows:

194
VEALE, JAMES R. “Characterization of Medical Devices.” Food, Drug, Cosmetic Law Journal,
vol. 35, no. 10, 1980, pp. 588–593. JSTOR, www.jstor.org/stable/26658823.
179 | New Technology Laws With Special Reference To Cyber Laws
 1. Low (Class A)
2. Low Moderate (Class B)
3. Moderate-High (Class C)
4. High (Class D)
The first schedule of Medical Device Rule, 2017 mentions the four different types of classes.
However, in other countries, the manufacturers and importers have the freedom to make a
distinction of products on their own end just to register themselves. But in India, the situation
is another way around; herein, importers are supposed to go with the classifications made by
Drugs Controller General of India (DCGI).
There can be many examples to the above situation but to mention one, as follows: So, the
medical device category of Class A & B can be imported, on the free sale certificate
irrespective of the fact that either they have certified safety or performing data or just a
clinical investigation of origin country, from unregulated jurisdiction. In the case of Class C &
D, the import can only be done after justifying the safety and productiveness by clinical
investigation in India195.
The Indian legal system is being massive support to the Indian medical device market
repeatedly. We have already seen the laws and principles guarding the medical market and
how vast, exhaustive they are. Although the difficulties of doing medical business in India can
be outright by the percentage of growth, it is having. The main concern in 2020 can only be
certain policies of government and control of pricing. The NMD policy can gain the
confidence of the business persons in the market to fulfil a long term goal of ‘Make in India’.
However, the medical market of India is giving greater exposure to business persons, investors
and stakeholder, a lot than before, irrespective of the odds.

195
Lee-Makiyama, Hosuk, and Lisa Brandt. Addressing Regulatory Divergences in the Medical
Devices Sector. European Centre for International Political Economy,
2016, www.jstor.org/stable/resrep23963.
180 | New Technology Laws With Special Reference To Cyber Laws
 CHAPTER 10

E-PHARMACY & TECHNOLOGIES

INTRODUCTION
The e-commerce industry has reached the zenith of growth in India. The increasing use of
smart phones and tablets and the easy accessibility of internet through broadband, 3G, 4G etc.
has added advantage to the e-commerce business in India. As the industry is open to a wide
arena of market, it serves the interests of the consumers conveniently and efficiently. One of
the recent innovation of the industry in the health sector, which is still in the nascent stage is e-
pharmacy. E-pharmacy or online selling of medicines, help the patients and the consumers get
their medicines delivered at their doorsteps without having to leave their home. As the patients
suffering from chronic diseases depends on the medicines for the rest of his life, the retailers
sometimes due to shortage of medicines fail to satisfy the interests of the patient, which makes
the patient to run from one pharmacy to another. In that scenario, e-pharmacy acts as a better
available option to the patients and the consumers which makes the medicines readily
available. Though the business of e-pharmacy is a favorable one, yet it is challenged by
regulatory issues in India.
The question of legality of online pharmacies has arisen with respect to the sale of prescribed
drugs. In the absence of any prescribed rules, the owners of the online pharmacy adopt the
rules framed for retail pharmacies in India. The selling of drugs in India is regulated by the
Drugs and Cosmetics Act, 1940 and the Drugs and Cosmetics Rules, 1945.The Drugs and
Cosmetics Act makes no difference between the selling of goods online and through brick-
and-mortar retail stores. The Pharmacy Practice Regulations, 2015, also does not define “e-
pharmacy”. A number of complaints has been filed by the Food and Drugs Administrations
(FDA’s) of various states against the online pharmacies for selling prescribed drug, which is
dealt in detail in this paper. Realizing the need for constituting guidelines for online
pharmacies, the Drug Controller General (I) has appointed Federation of Indian Chambers of
Commerce and Industry (FICCI) as the nodal agency to consolidate the laws relating to e-
pharmacy in India. The Federation of Indian Chambers of Commerce and Industry (FICCI) on
25th July 2016, has come up with a comprehensive guidelines to self-regulate the conduct of
e-pharmacy business in India. It is an attempt by the industry to adhere to the highest
professional standards and to have proper safeguards so as to ensure that consumer’s health
and safety is not compromised. However, the All India Organization of Chemists and
Druggist, an apex body in sale and distribution of medicines, called for a nationwide strike on
November 23, demanding action from the Central government against the illegal sale of drugs
online. This paper discussed about the various issues and challenges with respect to online
pharmacies in India.

181 | New Technology Laws With Special Reference To Cyber Laws

E-Pharmacy: Meaning
The blooming of the e-commerce business2 in India has given birth to one of the innovative
practice of selling medicines online. The online sale of medicines in India is still in the
budding stage. E-pharmacy means selling of medicines online which differs from the
traditional brick and mortar retail stores which demands the physical presence of the
customers. E-pharmacy no doubt is more convenient to the consumers yet one should also
look into the regulatory norms for the selling of drugs online, as it is directly related to the
health of the consumers. Many e-tailers such as Pharma Easy, Mera pharmacy, Medicare, 3G
Chemist, Net meds and many more are carrying on the business of delivering the medicines to
the doorsteps of the consumers. Let us now discuss whether the online pharmacy business
conforms to the regulatory norm as laid down in the statute books of India.
There is a vast difference between the sale of common consumer goods and drugs/medicines.
Patients or consumer are not in a state to select a drug of his/her choice; which is possible in
case of other goods. Basically there is no much more difference between the online and offline
pharmacies. Both models pose similarities in operations but most noted difference between the
two is the delivery of drugs to the end users. Online stores are operated via the internet in
contrast to the offline stores. Three types of models of e-pharmacies exist in India organized,
non-organized and illegal.
Models of E-pharmacy
Organized e-pharmacy
There are two models which operate in this category.
• The market place model, where a technology company connects neighborhoods
licensed pharmacies to the end user;
• The inventory based model, where e-pharmacy is the online service of an offline
licensed pharmacy
Non-organized e-pharmacy
In this model prescription medicines are ordered without any validated prescription. There is
no check on the genuineness of the order due to absence of qualified pharmacists. Also,
improper record keeping and no audit is a major area of concern.
Illegal international trade through e-pharmacy
In this model, drugs are shipped across the international borders without any prescription and
approval from the concerned authorities. This is generally used to order cheaper version of
drugs like Viagra. E-pharmacies market is $18 billion and will grow to $55 billion by 2020.
Industry experts estimate the market to be generating 3,000-4,000 orders on a daily basis
Remarkable growth has been observed during the last five years. Investors are willing to fund
the e-pharmacies because they knew this model is potential enough to revolutionize the
pharmaceutical industry. This model shows promised and prominent growth in the Indian
market when there is condition of recession across the globe.

182 | New Technology Laws With Special Reference To Cyber Laws

Types of Medicines
Drugs could be classified by various ways. As per Indian system of Medicines-Ayurvedic
drugs, Siddha drugs, Unani drugs, Homoeopathic drugs and allopathic drugs. It can be also
classified by level of control-Prescription drugs and over-the-counter drugs. Based on nature
of origin-synthetic or natural (Herbal drugs, Phytopharmaceuticals, Biotechnology products).
Drugs could be miscellaneously classified-Orphan drugs, Ethical drugs, Generic drugs,
Lifestyle drugs, Diagnostics, Neutraceuticals, Personal Care Products, etc. All type of drugs
should be brought under the regulatory scanner being sold online than only emphasis on
allopathic drugs. The main concerns linked to e-pharmacies in modern medicines are chances
of drug abuse, misuse, resistance, addiction due to pain killers, CNS depressants, etc. So,
doctors need to check whether the drug being prescribed is as per patients’ requirement or not?
Special precautions should be taken in case of fixed dose combination.
There is wave of opposition for e-pharmacies in India by offline pharmacists. But
unfortunately they are also not practicing well their functions. 2ffline pharmacists don’t check
prescription properly and retain 1 copy of prescription. Sometimes they deliver and sell
medicines without prescription. Even otherwise how much control over prescription in case of
offline pharmacies? As per rules one registered pharmacist is required to run pharmacy. But
many pharmacies run by incompetent staff and owner. One pharmacist serve at more than one
pharmacy store or sell licence to other pharmacy stores for money. All these could be solved
in case of e-pharmacies as transparency is there. The problem of doctor’s bad handwriting
could be solved by e-prescription. Online model could be proved as much more beneficiary to
patients. Very expensive products like Biological products used for cancer. If drugs are
available online, then commission is less and patient gets benefit. Patients can do comparative
evaluation in e-pharmacy to find cheaper drugs. Patients can choose e-pharmacy which gives
cheaper drugs.
Before discussing about e-pharmacies regulation, let’s have a look at some basic fundamentals
which help to understand regulatory mechanism easily.
Regulatory Framework to Govern E-Pharmacy in India: Issues and Challenges
Where the consumers have shifted from ‘offline’ to ‘online’ mode of markets, the pre-colonial
laws in India falls short to deal with the recent development of e-pharmacy concept in India.
While the e-commerce business comes under the domain of the Information Technology Act,
2000, the legislations governing the sale of drugs in India comes within the ambit of the Drugs
and Cosmetics Act, 1940, The Drugs and Cosmetic Rules, 1945, The Pharmacist Act 1948,
The Indian Medical Act, 1956. However, the legislations mentioned neither permits nor
prohibits online sale of medicines in India.
Status of Online Pharmacy
Part VI of the Drugs and Cosmetics Rule, 1945, contains the requirements for ‘Sale of Drugs
Other Than Homeopathic Medicines’. The issuing of license is done under two broad
headings, namely, prescription drugs and non-prescription drugs. The license has to be taken
separately for the both the categories. The prescription drugs are those drugs, which are listed
in Schedule H, which is titled as Prescription Drugs. In accordance with Rule 65(9)(a)4 , such

183 | New Technology Laws With Special Reference To Cyber Laws

drugs can be sold only on the basis of a prescription issued by a Registered Medical
Practitioner as defined in Rule 2(ee) of the Drugs and Cosmetic Rules, 1945. The same rule
applies to Schedule X drugs. Schedule X drugs also includes narcotic and psychotropic
substances-based drugs. In terms of Rule 123, drugs listed in Schedule K do not need a license
for sale if sold by shop other than a chemist’s shop which is a non-prescription drug. Thus,
medicines can be sold only by a registered pharmacy that has retail license either online or
offline as the rules does not specifically permits nor prohibit online pharmacies. Also, the
circular issued by the Drugs Controller General of India (DCGI) mentions that the Rules make
no difference between the conventional and over the internet sale/distribution of drugs. Only a
strict compliance of the rules is the need of the hour in both cases. Thus, selling of online
medicines is not illegal in India under the present Drugs and Cosmetics Act and Drugs and
Cosmetics Rules. It will be considered illegal only when it acts in contravention of the Rules.
Online Pharmacies: Issues and Challenges
No doubt the concept of e-pharmacy looks very convenient and easy, it surely has certain risks
involved with it. The selling on drugs online faces some serious issues and challenges. Some
of them are discussed below:
Inter-State Sale of Drugs: Rules related to shipping medicines from one state of India to
another aren’t clear. Every state has a Drug Department that grants license for certain
medicines to be sold within a state. There is a possibility that, certain medicines valid in one
state might not have license in another. Hence, there is ambiguity regarding shipping of
medicines from one state to another. Suppose, ‘A’ who is a resident of Bengaluru places an
order for ‘X’ medicine through an e-pharmacy website. The medicine is shipped from the
State of Andhra Pradesh and is delivered to the consumer. However, it comes to the notice that
the medicine ‘X’ is not a licensed drug in the State of Karnataka thereby violating the rules as
provided under ‘The D&C Act’. As the e-commerce business in India is operated freely from
one State to another, it will be very difficult for one to keep a close monitor on the source
from where drugs are delivered to the consumers. . Such an instance has already been
registered by Mumbai Food and Drug Administration (FDA) which is discussed in the
subsequent paragraphs.
Taking Money Prior to Delivery: There is ambiguity in the Indian law whether a pharmacy
is allowed to take money prior to delivery of medicines. Certain provisions of the law
mandate, money to be collected from the customer only after medicines are physically handed
over to the customer. The various payment options provided by the e-pharmacy websites such
as Credit/ Debit payment, payment via mobile wallets etc on placing an order will surely raise
questions of contravening the Rules as provided.
Selling Scheduled Drugs: online selling of drugs poses a serious risk of selling Schedule X
and Schedule H medicines to customers. Drugs which fall within the two schedules shall not
be delivered to customers without prescription and is a crime. Proper customer record needs to
be maintained including name of the patient, doctor and address for every Schedule H and
Schedule X medicines sold by the pharmacy. A single prescription can be used for multiple
delivery of drugs through different e-pharmacy websites. A proper regulatory framework is
the need of the hour to deal with this complicated issue as this may rise the percentage of drug
184 | New Technology Laws With Special Reference To Cyber Laws
abuse in India. Another important issues which needs proper regulation is the selling of drugs
to minors. It will be very difficult to trace the authenticity of the prescription when it is
uploaded in the websites for online purchase of drug.
Selling Drugs without a Registered Medical Practitioner
The Drugs and Cosmetics Act and the Drugs and Cosmetics Rule makes it very clear that the
drugs are to be sold only after the supervision of a registered medical practitioner (RMP). 8 In
case of online orders of drugs it will be very difficult to check whether they have appointed a
RMP to monitor the drugs which is delivered to the customers.
Cases Registered Against E-Pharmacy Websites
A number of websites dealing with the sale of drug online are found contravening the
provisions of the present law in India. Some of the instances are discussed in the subsequent
paragraphs.
A complaint was made by Swadesh Seva Santha, an NGO against Myra Medicines, an e-
pharmacy app for clandestine selling of Schedule H drugs and other banned medicines under
the Drugs and Cosmetics Act,1940, Drugs and Cosmetics Rules 1945, the Narcotic Drugs and
Psychotropic Substances Act, 1985 and Food and Drug Administration regulations, in the state
of Karnataka, without a valid prescription signed by a registered medical practitioner.
Following the complaint, the Drug Controller of Karnataka has registered a case against the e-
pharmacy. The plot to catch them red-handed was planted by the members of the NGO by
placing orders through Myra Medicines app. To the utter surprise of the members Myra
delivered all orders including banned medicines like Corex, Schedule H medicines like
Moxikind CV 625mg, Jalra M 50/500mg, Daonil 5mg and Nuro kind 500 mcg without a valid
prescription. This instance poses a serious question on the health of the consumer, where
taking the drug on a regular basis may lead to serious side effect. Also, the selling of drug
without the identity and age of the patient will result in the high rise of drug abuse in the
country. However, the ill-effect which will cause by the use of banned drugs is not within the
ambit of this paper.
Another similar instance happened in the state of Mumbai. The drug arm of state Food and
Drug Administration has filed a FIR against two online medical stores for selling medicines
online to patients on basis of the prescription uploaded by the consumers. An FDA inspector
posing as a customer bought medicines from Mera Pharmacy- an online portal. The inspector
bought painkillers which were delivered to his residence from Gujarat. Similarly in the second
case, a woman on behalf of FDA, posing as a customer bought medicines from Chemist
Global which was delivered to her residence from Delhi. As discussed earlier in the paper,
drugs supplied from one state and sold in another are barred by the Drugs and Cosmetic Rules.
In both the cases, the medicines were being supplied to patients in Mumbai from outside
Maharashtra which is a clear violation of the Rules. It is pertinent to mention here the
important observation made by BR Masal “What if the patient uploads a fake prescription on
the website? They can also use a valid prescription on several websites to buy medicines in
bulk, which are then abused, such as sleeping tablets.”This is a serious concern where one
prescription can lead to multiple orders online. This issue needs to be dealt in an appropriate
manner. Two public interest litigations, one in the year 2015 and 2016 in Bombay and Madras
185 | New Technology Laws With Special Reference To Cyber Laws
High Court respectively, against the illegal delivery of Schedule H drugs without prescription
and cash memos. The Bombay High Court directed the state government to take necessary
steps to prevent unauthorized sale of drugs online. The Madras High Court also issued notice
to the Centre on the PIL seeking to ban websites from selling scheduled medicines online in
violation of Drugs and Cosmetic Rules.
Present Scenario
To tackle the menace of online sale of drug in India, the Drugs Consultative Committee, the
advisory arm of the Drug Controller General of India (DCGI), in July 2015 constituted a seven
member sub-committee under the Chairmanship of Maharashtra Food and Drug
Administration (FDA) Commissioner Harshadeep Kamble. In the meanwhile, The Federation
of Indian Chambers of Commerce and Industry (FICCI) - an apex business organization has
developed a white paper e-pharmacy in India-Last mile access of medicines’. It is a Self-
regulation Code of Conduct for the E-pharmacy sector which was released in the presence of
Government dignitaries and the concerned stakeholders on 21st November, 2016, FICCI, New
Delhi. In the absence of the concrete law on the subject the association binds themselves by
the code of conduct. Thereafter, the sub-committee after inviting comments and suggestions
from general public, submitted the following draft recommendations to DCC:
• Creation of a national portal to act as the nodal platform for transacting and
monitoring online sale of drugs and necessity of evolving a mechanism to register e-
pharmacies.
• Sale of drugs through e-prescription
• Audit trial to prevent drug abuse and linking prescriptions to Aadhaar Card.
• Geographical restrictions for operation of e-pharmacies
• The existing licencees involved in retail sale of drugs could also register on the
national portal for carrying out online sale of drugs
• Certain categories of drugs viz. the narcotic and psychotropic drugs, tranquilisers,
habit forming drugs and Schedule X drugs that are prone to being abused or misused
be excluded from sale through e-pharmacies
• All matters relating to sale of drugs including through online will continue to be
regulated in accordance with the provisions of the Drugs and Cosmetics Rules, 1945
as amended from time to time
Legislative Control of Online Pharmacies
Presently, these online pharmacies or e-pharmacy portals operate on the marketplace or
inventory model in compliance with The Information Technology Act, 2000 and the e-
commerce guidelines of the Government of India, with registered pharmacies or chemists as
channel partners of these portals and the source of the medicines.
While the brick and mortar “Chemist” as we generally refer to these shops, are regulated by
The Drugs and Cosmetics Act, 1940 and the Rules framed there under (the “Act”), the Act
does not explicitly regulate the online pharmacies. The Government of India has by
186 | New Technology Laws With Special Reference To Cyber Laws
Notification dated August 28, 2018 proposed the Draft Drugs and Cosmetics Amendment
Rules, 2018 (Draft Rules) to include provisions for regulation of the online pharmacies/e
pharmacies, by including a new Part VIB in the extant Drugs and Cosmetics Rules, 1945.
First we will understand drug regulation of India. Currently regulatory powers have been
distributed between the centre and the state governments. Central Government is responsible
for licensing of drug imports and the state governments are responsible for the manufacture,
sale and distribution of drugs. Central Government exercises regulatory control over drugs by
New Delhi based Central Drugs Control Organisation headed by the Drugs Controller General
India. State authorities’ exercises regulatory control over drugs by state based Drugs Control
Administration headed by the State Drugs Controllers. Every state has its own Drugs Control
Administration.
The laws governing Pharmacies in India are derived from Drugs and Cosmetics Act, 1940;
Drugs and Cosmetics Rules, 1945; Pharmacy Act, 1948; Indian Medical Act, 1956 and Code
of Ethics Regulations, 2002, etc. All laws were written before the era of computer has been
started. So, basically there are no laws related to internet and ecommerce. The Information
Technology Act, 2000 governs all activities and issues related to internet. When e-pharmacies
regulation is concerned, there is lack of accurately and unambiguously stated laws and clear-
cut guidelines to regulate, control and monitor e-pharmacies. For ensuring efficient and
legitimate running of e-pharmacies, it is a need of the hour to make hassle free rules for e-
pharmacies.
A brick and mortar Chemist is required to have a drug license issued by the Licensing
Authority, for dispensation of drugs with the mandatory requirement of a Registered
Pharmacist who is a person registered under the Pharmacy Act, 1948, or a matriculate or
equivalent with four years’ experience of selling drugs, or a degree holder form a recognized
University who has one year’s experience of dealing in drugs. The need of a Registered
Pharmacist arises only when the Chemist is a pharmacy engaged in compounding medicines
against a prescription. The Draft Rules purport to impose similar conditions on the E-
pharmacies.
Under the Draft Rules, an E-pharmacy means the business of distribution or sale, stock,
exhibit or offer for sale of drugs through web portal or any other electronic mode. E-pharmacy
portal is defined as a web or electronic portal established and maintained by the E-pharmacy
registration holder to conduct the business of e-pharmacy.
The E-pharmacy portal is to be established in India and the data generated or mirrored through
the portal is prohibited from being sent or stored by any means outside India. Every person
who intends to operate the E-pharmacy, including an individual, HUF, Company, Partnership,
LLP is required to apply for registration with the Licensing Authority to sell, stock, exhibit, or
offer for sale drugs through E-pharmacy. The conditions for registration are:
1. Compliance with the provisions of The Information Technology Act, 2000.
2. Cash or credit memo to be generated through the portal and should reflect:
a) serial number and date,

187 | New Technology Laws With Special Reference To Cyber Laws

b) the name, address and sale license number of the licensee dispensing the drugs,
c) the name, quantity, batch no., date of expiry and name of manufacturer of the drug
dispensed.
d) name and address of the e-pharmacy registration holder along with signature/digital
signature of the Registered Pharmacist In charge.
The registration would be for a period of three years, renewable within three months of expiry.
The E-pharmacy is prohibited from dealing with narcotic and psychotropic drugs referred to in
the Narcotic Drugs and Psychotropic Substances Act, 1985, Tranquilizers and Drugs specified
in Schedule 10 of the Drugs & Cosmetics Rules, 1945.
The obligations of the E-pharmacy registration holder for operating the E-pharmacy portal are:
1. Orders for retail sale received through e-pharmacy portal.
2. Dispensation of drugs against prescription of a registered medical practitioner received from
the customer through the portal.
3. Details of drugs dispensed including patient details to be maintained on the portal.
4. Portal to disclose:
a) registration certificate.
b) constitution of the registration holder.
c) logo, if any, of the portal.
d) types of drugs offered for sale and availability.
e) supply channels or vendor lists.
f) details of registered medical practitioner, if any.
g) name and registration details of Registered Pharmacist who validates the prescription
before dispensing the drugs.
h) details of the logistic service provider.
i) return policy of dispensed drugs.
j) Contact details of the E-pharmacy – email, landline and mobile numbers, address.
k) Procedure for submitting grievances on the portal and redressal mechanism
5. Facility for customer support and grievances redressal available for at least 12 hours every
day for all 7 days of the week.
6. Details of the patient to be kept confidential and not disclosed to any other person except
the Central or State Government.
The Registered Pharmacist is under an obligation to verify the details of the patients,
registered medical practitioner issuing the prescription and then to arrange to dispense the
drugs in accordance with the prescriptions. The E-pharmacy registration holder who has
received the prescription on the portal shall dispense and make arrangements for supply of
188 | New Technology Laws With Special Reference To Cyber Laws
drugs from any retail or wholesale licensed premises under the Drugs & Cosmetics Act, 1940.
The Licensing Authority shall have powers to monitor the information on the E-pharmacy
portal periodically as well as physically inspect every two years, the premises from where the
E-pharmacy business is being conducted.
The Draft Rules have given the public a forty five days window for objections/suggestions
which would be considered by the Central Government, after which the same would be re-
notified in the Official Gazette and become effective.
A Brief Comparison of Online Pharmacy and Offline Pharmacy
Online versus offline pharmacy
Online pharmacy Offline pharmacy
Ease of use and doorstep delivery of medicines Physical movement is needed to procure
within a short time. Beneficial to geriatric and medication
physically disabled groups with chronic
medication196.
Offer better pricing with added discounts Medicines are sold at MRP price
Offer a wide range of medicines and services Limited range of products and stock
because they integrate several retail pharmacies unavailability is a common problem.
into a single platform Customers have to visit several stores to
purchase the desired item
E-pharmacy does not have its legislation and Offline pharmacies have a rigid regulatory
follows the offline regulatory framework framework for the production and sale of
drugs across the nation
Since patients have to provide personal Customers do not have to provide any
information such as their contact number, personal information at the time of
address, and disease profile, data security can be purchase
a problem
Since a network of pharmacies is integrated into Due to increasing competition amongst
one platform, working capital and overhead brick-and-mortar stores, offline pharmacies
costs are reduced, thereby increasing margins suffer from poor industry margins
E-pharmacies are growing at a steady pace. At The stability of the retail pharmacy
present, there are 250 online organizations, and industry is uncertain because it is highly
the expected market growth is at a CAGR of fragmented, and there is tremendous
63% and reaches $3.6 billion in 2022 pressure for price control and is hence
facing stagnant growth
Apart from the sale of medicines, E-pharmacies Offline pharmacies only deal with the sale
also provide value-added services such as E- of medicines

196
Importance of E-Pharmacies for a Digital India:Benefits and Future.
189 | New Technology Laws With Special Reference To Cyber Laws
consultation, E-diagnostic services, information
about medications and diseases, and health
insurance services

Rules and Acts

Drugs and Cosmetics Act, 1940
• Section 18 (c) of the Drugs and Cosmetics Act prohibits manufacture and sale of any
drug without a license. As per the Section 18 (c) of Drugs and Cosmetics Act, 1940 to
be read with Rule 65, only a licensed retailer is entitled for the sale of drugs and that
too on the basis of prescription of a doctor only.
• Section 27 of Drugs and Cosmetics Act has provisions for penalty for manufacture,
sale, etc., of drugs in the form of imprisonment and monetary fine. It very clearly
states in subsection “b (ii) without a valid licence as required under clause (c) of
section 18”.
• Section 10 of the Drugs and Cosmetics Act prohibits import of any drug that is not of
standard quality, any misbranded, adulterated or spurious drug or any drug for
requires a license for import. It also does not permit import of “any drug which by
means of any statement, design or device accompanying it or by any other means,
purports or claims to cure or alleviate any disease.” Imported medicines may be fake,
mis-labelled and unsafe.
• Нe Drugs and Cosmetics Act, 1940, and the Drugs and Cosmetics Rules, 1945, have
clear guidelines on the sale of Schedule H and Schedule X drugs, which are
‘restrictive drugs’ and can be sold only on the prescription of a registered medication
practitioner. Schedule X drugs include narcotics and psychotropic substances.
Chances of drug abuse and addiction are higher with these drugs. Нey also require
meticulous storage and dispensing records. Нe prescription has to be in duplicate, one
copy of which is to be retained by the licensed pharmacist for 2 years.
Drugs and Cosmetics Rules, 1945
• Rule 65 of Drugs and Cosmetics Rules, 1945 stipulates sale of drug under the
supervision of a registered pharmacist which also involves signing of the bill and
stamping of the prescription by the pharmacist and the doctor. Rule 65 of Drugs and
Cosmetics Rules, 1945 prescribes the procedure to be adopted by the medical stores
while selling the prescription drugs and under which the prescription from the
registered medical practitioner is necessary for sale of Schedule H drugs under the
Act.
• Schedule H1 of the Drugs and Cosmetics Rules, 1945 mandates a licensed pharmacist
to maintain a separate register for sale of drugs that are specified in Schedule H1 with
details of the patient, doctor and the name of the drug/s including quantity; it is to be
kept for three years and is open to inspection by regulatory authorities Schedule H1

190 | New Technology Laws With Special Reference To Cyber Laws

 mainly includes potent antibiotics, habit forming painkillers and anti-anxiety drugs
that induce sleep.
• Schedule H1 drugs are also required to have special labelling, with symbol Rx in red
to be clearly displayed on the leі top corner of the label and a box warning with a red
border-“It is dangerous to take this preparation except in accordance with the medical
advice. Not to be sold by retail without the prescription of a registered medical
practitioner.”
• The objective of Schedule H1 was primarily to check the indiscriminate use of
antibiotics in India, in view of the rising incidence of multi-drug resistant bacteria, a
serious public health issue worldwide. Easy access to antibiotics via e-pharmacies will
defeat this very purpose.
Indian Medical Council Act, 1956 and code of ethics regulations, 2002
• Regulation 5.3 of MCI Code of Ethics stipulates that pharmacists and doctors should
work together. If e-pharmacies are allowed, then this relationship will be lost.
• Regulation 7.14 of MCI Code of Ethics 2002, also does not allow a registered medical
practitioner to disclose the secrets of a patient that he/she may have been learnt in the
exercise of his/her profession. Declaration (g) given to doctors at the time of
registration states: I will respect the secrets which are confined in me.
• Regulation 6.4 of MCI Code of Ethics prohibits from giving or receiving any rebates
or commissions. E-pharmacies may provide rebates and commissions to doctors to
provide prescriptions on the basis of online information that has been filled by the
patient. This way doctors will be vulnerable to malpractice suits
• Not only doctors, Pharmacists too have a role in ethical dispensing of prescription
medicines. Safe and effective use of medicines is a complementary effort and
subsequent amendments have some provisions in it that are of relevance to the
pharmacists.
• Regulation 1.9 of MCI Code of Medical Ethics Regulations, 2002 requires all doctors
to abide by the laws of country that regulate the practice of medicine. Neither the
doctor nor the pharmacist should be a party to helping others evade these laws
• Regulation 7.19 of MCI Code of Medical Ethics Regulations, 2002 does not allow
doctors to use touts or agents for procuring patients. So, a pharmacist should not
indulge in such activities
Narcotic Drugs and Psychotropic Substances Act, 1985
There is chance of misuse of unmonitored and uncontrolled sale of narcotic drugs listed under
the Narcotic Drug and Psychotropic Substances Act, 1985.
Drugs and Magic Remedies (Objectionable Advertisement) Act, 1954
The Drug and Magic Remedies (Objectionable Advertisement) Act and Rules 1954 mentions
a list of ailments for which no advertising is permitted. It also prohibits false or misleading

191 | New Technology Laws With Special Reference To Cyber Laws

advertisements that end up making wrong claims. Indian population is being increasingly
exposed to advertising for prescription drugs despite legal prohibitions.
Section 3: Prohibition of Advertisement of Certain Drugs for Treatment of Certain Diseases
and Disorders
Section 4: Prohibition of Misleading Advertisements Relating to Drugs
The Pharmacy Act, 1948
According to Subsection 1 of section 42 of Indian Pharmacy Act 1948, “no person other than a
registered pharmacist shall compound, prepare, mix, or dispense any medicine on the
prescription of a medical practitioner.” Section 42 (2) also states, “whoever contravenes the
provisions of sub-section (1) shall be punishable with imprisonment for a term which may
extend to six months, or with fine not exceeding one thousand rupees or with both.”
Information Technology Act, 2000
The Information Technology Act 2000 governs some of the legal issues pertaining to online
dealings but it is silent on the aspect of e-pharmacy. As a result, illegal e-pharmacies have
been increasing in India.
There is no legislation specific to data privacy in India as yet. The laws that deal with data
protection or privacy in India are Section 43A of the Information Technology Act, 2000 and
the Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules 2011.
There is a proposed Privacy (Protection) Bill, 2013 (“Bill”), which focuses on the protection
of personal and sensitive personal data of persons. If passed and enacted, it will override all
existing provisions directly or remotely related to privacy under section 3, which provides that
“no person shall collect, store, process, disclose or otherwise handle any personal data of
another person except in accordance with the provisions of this Act and any rules made there
under.
There is ambiguity in the Indian law whether a pharmacy is allowed to take money prior to
delivery of medicines. Certain provisions of the law mandate, money to be collected from the
customer only after medicines are physically handed over to the customer.
Pharmacy Practice Regulations, 2015
It appears that electronic prescriptions should be valid especially in the light of the Pharmacy
Practice Regulations of 2015 declared by Pharmacy Council of India in January 2015. In these
regulations, “Prescription” is defined by regulation 2. (j) “Prescription” means a written or
electronic direction from a Registered Medical Practitioner or other properly licensed
practitioners such as Dentist, Veterinarian, etc. to a Pharmacist to compound and dispense a
specific type and quantity of preparation or prefabricated drug to a patient.12 On basis of
existing regulations it appears that a scanned copy of prescription will be perfectly considered
as a valid prescription. However, whether such electronic prescriptions can be used to buy
medicine from e-pharmacies has been questioned.

192 | New Technology Laws With Special Reference To Cyber Laws

Good Distribution Services
The drug distribution is currently being regulated at the state level by the health departments
for detecting such cases and taking action. FDA officials, however, pinpoint that there is a
need for a proper regulatory mechanism for e-pharmacy. This will help, according to the drug
regulators, in curbing the currently prevalent illegal practice of irrational use of drugs through
self-medication, more so, as it has become a global phenomenon.
Techno- legal requirements
Online pharmacies operating in India are abided to follow certain techno legal requirements of
Indian laws which they fail to comply with are as below:
• Privacy
• Data protection
• Encryption
• Cyber law due diligence
• Internet intermediary obligations
• Cloud computing
In absence of knowledge of cyber law due diligence requirements and Internet intermediary
liabilities some e-pharmacies stores, websites and individuals breach the provisions of
Information Technology Act, 2000.
E-pharmacies operate assuming that offline medico-legal requirements can be used for online
requirements, which is actually misbelieving as both have different legalities and array of
questions. If they follow it will lead to chain of legal consequences and liabilities. Strict
adherence to compliance with Indian laws is required for successful operation of any e-
pharmacy.
Government’s move towards the issue
Sale of medicines through e-pharmacies has been banned by the Drugs Controller General of
India (DCGI) on 30th December, 2015. All the drug control administrations of state
governments and union territories are informed to take necessary action against the
epharmacies selling medicines as pending submission of the report prepared by the expert
committee to the Centre. Нe Drugs Controller General of India (DCGI) emphasized to keep
eye on the online sale of medicines to stop breaching rules and regulations. Hence all e-
pharmacies operating in India are under the regulatory scanner.
Drugs Consultative Committee had constituted a seven-member subcommittee to study the
issue of sale of drugs on the internet and associated risks and concerns. Sub-committee review
recommendations to formulate guidelines on the use of information technology in e-pharmacy
and authorize its legal validity.
Federation of Indian Chambers of Commerce and Industry (FICCI) has been appointed as
nodal agency by the Drugs Controller General of India (DCGI) to consolidate and frame

193 | New Technology Laws With Special Reference To Cyber Laws

guidelines for online sales of medicines through e-commerce channels in June, 2015. To
oppose central government’s move to regularize sale of medicines through the internet, All
India Organization of Chemists and Druggists (AIOCD) went on one day’s strike in October,
2015.
Indian Medical Association (IMA) wrote a white paper which shows that Indian Medical
Association (IMA) strongly oppose e-pharmacies. But objection of white paper could be
improved if concerned authorities study it in detail and proper steps will be taken. Traditional
pharmacies owners also oppose online model. So, concerned authorities should think about
existing models interest and benefit while draіing new rules for online model. It would not
hurt business of existing model’s players. New model will be such that it integrate and
augment the business of existing model rather than harming it. It should open horizon of new
opportunities for the existing model. Both models should be operated, worked and regulated in
harmonized and synchronised manner. It would be served as a platform to bridge the gaps of
existing offline pharmacies and connect the patients with existing offline pharmacies.
Glimpses of federation of Indian chambers of commerce and industry (FICCI) report
Earlier there was shaky and cloudy regulatory regime for e-pharmacy model in absence of
well-defined laws. If this persists for long time, unregulated e-pharmacy may be proved as
dangerous trend in future. To overcome this situation, regulatory authorities have started to
frame laws and guidelines for the same. Sub-committee is ready to release a report of
recommendations to regulate e-pharmacies after extensive deliberations with experts, industry
persons and stake holders. As per S. Eswara Reddy (Joint Drugs Controller-CDSCO), This
report will mainly accept online pharmacies only with respect to e-prescriptions.”
They emphasize on e-prescriptions and recommended a standardized format for these
prescriptions. They defined terms related to online medicine retail, including e-prescriptions,
online pharmacies, and Over-the-Counter (OTC) drugs. The report has suggested amendments
to drug rules and a “negative list” which specifies drugs prohibited to sell to ensure the safe
running of online pharmacies. It has suggested integrating AADHAR Number into the overall
e-pharmacy framework to make the retail process more transparent.
What should do to improve regulation?
Design a website for checking legality of e-pharmacy. Make guidelines for consumers for
safely accessing e-pharmacies and explains how to buy medicines safely from e-pharmacies.
6pecific and clear-cut rules should be made for selling, prescribing, dispensing, and delivering
prescription drugs through e-pharmacies.
List of illegal and blacklisted e-pharmacies should be provided to help out consumers and stop
them using such fake websites. Government should make a common logo for legally operating
epharmacies to distinguish them from illegal one. Make guidelines for online drugs
importation and re-importation for legislators and consumers. It is mandatory for e-pharmacies
dealing with online drugs importation and re-importation to be registered and to get licence for
the same from regulating body. As the power of drug regulation is distributed between Central
and State government, role of Central government and State government should be well
defined. E-pharmacies’ should not use the data generated from online business for commercial

194 | New Technology Laws With Special Reference To Cyber Laws

purpose. Using public-private tie-ups leveraging characteristics of internet based technologies
and engaging private sector service providers can be the basis of an encyclopaedic policy to
address this planetary public health concern.
Government schemes like National Rural Health Mission can aid in promoting proper
procedures to acquire drugs, prevent self medication through campaigns on television, radios
and social media Watch should be kept on importation of banned drugs through e-pharmacies
outside India which don’t come under Indian jurisdiction.
Each and every activity and transactions made through e-pharmacies must be under regulatory
scanner to prevent it from underworld and smuggling.
E-pharmacy must establish its server in India as if it is outside the boundaries of India, it is
difficult to control and regulate it. To ensure efficient running of e-pharmacies great
compliance and strict adherence to laws is required. So, regularly check whether e-pharmacies
follow it or not.
Advantages
• Time saving
• Money saving
• 24/7 access possible
• Convenience increased
• Easy accessibility to medicines
• Increased availability of medicines
• Refund possible
• Easy comparison of medicines in terms of cost
• Increased consumer information and information exchange
• Privacy
• Fast distribution
• Increased choice as wider variety of medicines available.
• Convenient for some patients and old age people who can’t leave their home.
• Delivery of medicines at desired place at desired time possible
Disadvantages
• Chances of drug resistance
• Chances of drug interaction
• Chances of drug abuse
• Chances of drug misuse
• Chances of misdiagnosis
195 | New Technology Laws With Special Reference To Cyber Laws
• Promote self-medication
• Purity and quality of drugs not assured
• Financial privacy issues
• Medical privacy is a major concern
• Electronic health records security and privacy concerns
• Easy availability of illegal substances
• Encourage direct to consumer advertising of prescription drugs which is illegal
• Risks associated with online purchasing of drugs
• Sale of drugs without prescription by some e-pharmacies which lead to harmful
consequences
• Online prescription without consulting a doctor
• Doctor’s prescription may not be honoured
• Doctor- Pharmacist- Patient: this trio trust evaporates
• Affect business of offline pharmacists
• Access to illiterate and poor population difficult
• Authentication of physicians and pharmacist online is unclear
• Labeling and packaging related issues
• Tough to distinguish between legitimate and illegitimate websites for e-pharmacy
• No control on purchasing drugs by minors from e-pharmacies
• Tough to transport temperature sensitive drugs
Challenges
• Absence of concrete laws for e-pharmacies in India
• To take money before delivery of drugs/medicines is questionable
• Selling or shipment of drugs to minors
• Reach of technology driven model to illiterate people due to lack of knowledge about
internet
• Speed of internet
• Prescription related issues
• Legality of electronic signature
• Identity and reliability of legal e-pharmacy
• Protection of consumer rights
• Security and confidentiality of information exchanged
196 | New Technology Laws With Special Reference To Cyber Laws
• Security of financial transactions
• Regulatory control over e-pharmacies operating outside the jurisdiction of India
• Unclear laws on inter-state transfer of drugs/medicines.
• Drug importation and re-importation issue
From the above discussion it can be concluded that operation of e-pharmacy websites and
selling of online drugs in India is not illegal. It comes well within the purview of the Drugs
and Cosmetics Act and Drugs and Cosmetics Rules. The only cause of concern for the online
pharmacies is to abide by law on the subject. From the draft recommendation of the
subcommittee it is clear that selling of narcotics, tranquillizers, Schedule X drugs which are
prone to be misused are to be kept out of the reach from the e-pharmacy sellers. E-pharmacy
makes the medicines readily available to customers without much hazard. This also comes
with the disadvantage as the customers can experiment self-medication which could adversely
affect their health. Also, as the customers do not personally inspect the medicines before
buying, there is a chance that wrong medicine from the same manufacturer get delivered. The
need of the hour is to see if the recommendations given by the sub-committee are incorporated
into the legislation by the method of amendment, bringing an end to the battle between offline
pharmacies and online pharmacies. It will also encourage patients to self-report the medical
history. E-pharmacy may be proved as dangerous trend in future if not regulated properly.
Regulatory authorities and government of India should think about existing pharmacy system
and pharmacists while framing the rules for e-pharmacies. Patients’ safety and quality of drug
should paramount whilst framing rules.

197 | New Technology Laws With Special Reference To Cyber Laws