The Organisation for Economic Cooperation and Development (OECD) defines E-Commerce as a new way of doing

business, defined as transactions that take place over networks that use non-proprietary protocols established
through an open standard-setting process, such as the Internet. E-commerce is a method of conducting business
electronically rather than through traditional physical means. This includes all internet-based retail activities such as
purchasing goods, receiving services, delivery, payment facilitation, and supply chain and service management.

Some of the e-commerce activities include the following:

 Paying different taxes

 Ticketing over the internet
 Products sold or purchased online
 Online payments
 Online customer support
 Online accounting software
 Examples of e-commerce are online retailers like Flipkart, Amazon, Paytm mall, and Myntra, sellers of digital
goods like online services, ebooks, etc.

Meaning of E-Business

E-business refers to performing all types of business activities through the internet. It includes activities like customer
education, procurement of goods/raw materials, supply activities, selling and buying products, making monetary
transactions, etc., over the internet. Websites, Apps, Enterprise Resource Planning (ERP), Customer Relationship
Management (CRM), etc., are required for e-business. The e-business activities include the following:

 Supply chain management

 Setting up online stores
 Customer education
 Email marketing
 Monetary business transactions
 Online commercial transactions (selling and buying products)
 Examples of e-business are e-commerce companies and their different internal business activities, classified site,
auction site, software and hardware developer site, etc.

E-Commerce Laws And Regulations

Regulatory

 Foreign Direct Investment Policy

 Further, the Foreign Exchange Management Act, 1999 Companies Act, 2013
 Payment and Settlement Act, 2007 and other RBI regulations on payment mechanisms
 Labelling and Packaging
 Legal Metrology Act, 2009 read with Legal Metrology (Packaged Commodity) Rules, 2011
 Sales, Shipping, Refunds and Returns
 Moreover, Regulations prescribed by the relevant ministry/state regulations

Technology & Data Protection

 Information Technology Act, 2000

 Additionally, Information Technology (Intermediaries Guidelines) Rules, 2011
 Information Technology Act, 2000 (IT Act) and General Data Protection Regulations (GDPR).
 Consumer Protection Act, 1986

Tax

 Income Tax Act, 1961

 Double Taxation Avoidance Agreement
 Good and Services Tax
Legal

 Indian Contract Act, 1872

 Indian Copyright Act, 1957
 The Patents Act, 1970
 Intellectual Property Issues
 Labour laws

Difference Between E-Commerce and E-Business

E-commerce refers to conducting online transactions, while e-business encompasses all the business services and
activities operated utilising the web.

Types of E-Commerce

 Business-to-Business (B2B)
 Business-to-Consumer (B2C)
 Consumer-to-Consumer (C2C)
 Consumer-to-Business (C2B)
 Business-to-Administration (B2A)
 Consumer-to-Administration (C2A)

Business-to-Business (B2B)

A B2B model of business involves the conduct of trade between two or more businesses/companies. The channels of
such trade generally include conventional wholesalers and producers who are dealing with retailers.

Business-to-Consumer (B2C)

Business-to-Consumer model of business deals with the retail aspects of e-commerce, i.e. the sale of goods and/or
services to the end consumer through digital means. After the placement of such orders, the company/agent
receiving the order will then deliver the same to the consumer in a convenient time-span. Some of the businesses
operating in this channel include well-known players like Amazon, Flipkart, etc. This mode of purchase has proved to
be beneficial to the consumers when compared to the traditional method, as they are endowed with access to
helpful contents which may guide their purchases appropriately.

Consumer-to-Consumer (C2C)

This business model is leveraged by a consumer for selling used goods and/or services to other consumers through
the digital medium. The transactions here are pursued through a platform provided by a third party, the likes of
which include OLX, Quickr, etc

Consumer-to-Business (C2B)

A C2B model is the exact reversal of a B2C model. While the latter is serviced to the consumer by a business, the C2B
model provides the end consumers with an opportunity to sell their products/services to companies. The method is
popular in crowdsourcing based projects, the nature of which typically includes logo designing, sale of royalty-free
photographs/media/design elements, and so on

Business-to-Administration (B2A)

This model enables online dealings between companies and public administration, i.e. the Government by enabling
the exchange of information through central websites. Electronic invoicing, Online tax payment, Tax filing systems.

Consumer-to-administration (C2A)

This model allows consumers to electronically interact with the government. Examples of C2A include - Scheduling
appointments, obtaining passport, aadhaar card, other licenses

ADVANTAGES OF E-COMMERCE
  Advantages to Organizations
 Advantages to Consumers
 Advantages to Society

ADVANTAGES TO ORGANIZATIONS

 Using e-commerce, organizations can expand their market to national and international markets with minimum
capital investment. An organization can easily locate more customers, best suppliers, and suitable business
partners across the globe
 E-commerce helps organizations to reduce the cost to create process, distribute, retrieve and manage the paper-
based information by digitizing the information.
 E-commerce improves the brand image of the company.
 E-commerce helps organization to provide better customer services.
 E-commerce helps to simplify the business processes and makes them faster and efficient.
 E-commerce reduces the paper work.

ADVANTAGES TO CUSTOMERS

 It provides 24x7 support. Customers can enquire about a product or service and place orders anytime, anywhere
from any location.
 E-commerce application provides users with more options and quicker delivery of products.
 E-commerce application provides users with more options to compare and select the cheaper and better options.
 A customer can put review comments about a product and can see what others are buying, or see the review
comments of other customers before making a final purchase.
 E-commerce provides options of virtual auctions.
 It provides readily available information. A customer can see the relevant detailed information within seconds,
rather than waiting for days or weeks

ADVANTAGES TO SOCIETY

 Customers need not travel to shop a product, thus less traffic on road and low air pollution.
 E-commerce helps in reducing the cost of products, so less affluent people can also afford the products.
 E-commerce has enabled rural areas to access services and products, which are otherwise not available to them.
 E-commerce helps the government to deliver public services such as healthcare, education, social services at a
reduced cost and in an improved manner

DISADVANTAGES OF E-COMMERCE

 There can be lack of system security, reliability or standards owing to poor implementation of e-commerce.
 The software development industry is still evolving and keeps changing rapidly.
 In many countries, network bandwidth might cause an issue
 There could be software/hardware compatibility issues, as some e-commerce software may be incompatible with
some operating system or any other component.
 Users may not trust the site being an unknown faceless seller. Such mistrust makes it difficult to convince
traditional users to switch from physical stores to online/virtual stores.
 It is difficult to ensure the security or privacy on online transactions.
 Internet access is still not cheaper and is inconvenient to use for many potential customers, for example, those
living in remote villages.

Types of E-commerce Revenue Models

Dropshipping - Often considered one of the easier forms of e-commerce, dropshipping allows a company to create a
digital storefront, sell goods, and then rely on a supplier to take it from there. The e-commerce company collects
payment from the buyer, after which it passes the order to the dropshipper. This supplier manages inventory,
oversees the warehousing of goods, packages the orders, and delivers the product to the purchaser.
White Labeling - In white-label e-commerce, the seller doesn't manufacture the product but buys an existing product
from the manufacturer or another supplier and repackages it under its own brand for resale to the ultimate
consumer.

Private Labeling - Similar to white labeling, private labeling involves selling a product made by another manufacturer.
In private labeling however, the seller may have more control over the actual product, such as having it made to
particular specifications. Store brands are an example of private labeling.

Wholesaling - Wholesalers serve the buyers of large numbers of a particular item or many smaller buyers of that
item. A more capital-intensive approach to e-commerce, wholesaling can entail maintaining and warehousing
significant quantities of inventory.

Subscription- E-commerce companies can also leverage repeat orders or loyal customers by implementing
subscription services. The consumer places an order once and receives their goods at a fixed cadence, such as every
month. Common subscription e-commerce products include meal prep services, pet food, fashion boxes, and health
and grooming products.

UNCITRAL Model Law on Electronic Commerce

 the UNCITRAL Model Law of E-commerce was adopted by the United Nations Commission on International Trade
Law on June 12, 1996. The Additional Article 5 Bis was adopted in 1998.
 The Model Law on Electronic Commerce (MLEC) purports to enable and facilitate commerce conducted using
electronic means by providing national legislators with a set of internationally acceptable rules aimed at
removing legal obstacles and increasing legal predictability for electronic commerce. In particular, it is intended
to overcome obstacles arising from statutory provisions that may not be varied contractually by providing equal
treatment to paper-based and electronic information. Such equal treatment is essential for enabling the use of
paperless communication, thus fostering efficiency in international trade.
 The MLEC was the first legislative text to adopt the fundamental principles of non-discrimination, technological
neutrality and functional equivalence that are widely regarded as the founding elements of modern electronic
commerce law. The principle of non-discrimination ensures that a document would not be denied legal effect,
validity or enforceability solely on the grounds that it is in electronic form. The principle of technological
neutrality mandates the adoption of provisions that are neutral with respect to technology used. In light of the
rapid technological advances, neutral rules aim at accommodating any future development without further
legislative work.

HISTORY OF MODEL LAW

● In 1984, “The Commission on International Trade Law” at its seventeenth session took into its notice a report of
the Secretary-General regarding legal aspects of data processing.

● The report of year 1984 entitled “Legal Value of Electronic Records” identified several legal issues related to the
legal value of computer records and the requirement of written authentication, general conditions, liability, bills of
lading, etc

● In 1985, a report by the Secretariat noted that the legal obstacles to the use of computers in international trade
arose due to the requirement of written and signed documents. After this, the Commission adopted a
recommendation to review the legal requirements of written form of trade documents and transactions, handwritten
signature and authentication requirements, written form of the documents being submitted to the government, and
the requirement of such provisions relating to the written form of documents as a condition for enforceability, etc.

● In 1988, the Commission proposed to delve deep into the concern to provide for legal principles necessary for the
formation of international commercial agreements by way of electronic means.

● After perusal of the reports regarding “Preliminary study of legal issues related to the formation of contracts by
electronic means” and “Electronic data interchange” it was concluded that problems existed due to the following of
local laws by different parties, which prevented uniformity and functionality in the legal perspective and practices.
Principles of Model law on e-commerce:

 The principle of non-discrimination– It ensures that any document would not be denied its legal validity, effect,
and enforceability solely on the basis that it is in electronic form.
 The principle of technological neutrality– It mandates the adoption of such provisions that are neutral with
respect to the technology used. This will further enhance the pace up of international monetary transactions
with the advancement in technology.
 The functional equivalence principle- Functional equivalence, as the name suggests, is equal treatment to all on
the service front. It means both the transactions, traditional as well as technological, that means, paper bound
and electronic cannot be challenged on their validity or effectiveness.
 technology neutrality means that technical standards designed to limit negative externalities (e.g. radio
interference, pollution, safety) should describe the result to be achieved, but should leave companies free to
adopt whatever technology is most appropriate to achieve the result
 technology neutrality means that regulators should refrain from using regulations as a means to push the market
toward a particular structure that the regulators consider optimal. In a highly dynamic market, regulators should
not try to pick technological winners

Part II of the Model law

 contracts of carriage of goods

 include furnishing the marks, number, quantity, or weight of goods
 stating or declaring the nature or value of goods
 issuing a receipt for goods
 confirmation that the goods have been loaded
 notifying a party of terms and conditions of the contract
 providing instructions to a carrier,
 claiming delivery of goods,
 authorising the release of goods,
 giving notice of loss of goods,
 giving notice about the damage to goods,
 giving any other notice or statement in connection with the performance of the contract,
 undertaking to convey goods to a named person or a person authorised to claim shipment,
 granting, acquiring, renouncing, surrendering, transferring or negotiating any of the rights in goods,
 obtaining or giving rights and obligations under the Contract.

Objectives of UNCITRAL Model law on electronic commerce

 To enable and provide help in popularity of commercial transactions using electronic means;
 To provide different countries with a set of rules which are accepted internationally to remove all hurdles in its
execution;
 To enhance legal predictability for commerce using electronic means;
 To overcome any obstacle in domestic laws regarding commercial transactions to provide equal treatment to
both paper bound and paperless transactions. This will enhance efficiency in international trade.

Article 6. Writing

(1) Where the law requires information to be in writing, that requirement is met by a data message if the information
contained therein is accessible so as to be usable for subsequent reference.

Khoury v. Tomlinson (2016)

Article 7. Signature

● Where the law requires a signature of a person, that requirement is met in relation to a data message if:

(a) a method is used to identify that person and to indicate that person’s approval of the information contained in the
data message; and
(b) that method is as reliable as was appropriate for the purpose for which the data message was generated or
communicated, in the light of all the circumstances, including any relevant agreement.

Trimex International FZE Ltd. v. Vedanta Aluminium Ltd." (2010)

● Indian Supreme Court recognized the legal validity of electronic contracts executed with digital signatures,
essentially establishing that digital signatures hold the same legal weight as handwritten signatures for
authentication and enforceability purposes; this significantly solidified the acceptance of e-signatures in India's e-
commerce landscape.

Important definitions –

 “Data message” refers to any information that is generated, transmitted, received, or stored by any mode of
electronic or optical communication or any mode of communication similar to electronic or optical
communication. Which includes email, electronic data interchange, telecopy, telex, etc.
 “Electronic Data Interchange” as the name suggests is any exchange among computer devices under an agreed
standard for information exchange.
 “Originator” means who transmits data for the first time. It cannot be any intermediary. It can be any person
who has generated or sent the information prior to storage.
 “Addressee” means who has been sent the message or information or data packet. It is that person who will
receive the information to store. Again, it cannot be any intermediary.
 “Intermediary” is any person on behalf of either the originator or the addressee who sends, stores, and receives
data for further use. Or he may provide other data services concerning that data message.
 “Information System” is any system to generate, transmit/send, store, receive or process the data message.

What is a domain name?

A domain name is your website name. A domain, for example: www.yourdomain.com is a unique internet address,
under which the services, for example: websites, e-mail, FTP server, are available on the Internet. The domain name
is unique and uses it to refer to a specific resource on the Internet. The domain name translates the hard-to
remember IP address, indicating the location of the server and its contents, such as webpages, for a friendly and
easy-to-remember name.

● For example, the domain name „wwwmybestwebpages.com” points to the IP address „216.51.51.51”. Generally,
it’s easier to remember a name rather than a long string of numbers.

For example, you can use the domain to:

 launching a website, giving it a unique address, for example: www.mybestwebsite.com

 launching additional websites using subdomains, for example: www.blog.mybestwebsite.com
 creating unique addresses of e-mail boxes operating in your domain, for example: [email protected]
 redirecting the domain address to other websites or social profiles, e.g. Facebook.
 In non-technical language, we can compare the domain address to the address of residence. The domain is the
same as the street name and house number. It accurately indicates the location of a specific place. It is a unique
address for each user.

Information Technology Act, 2000

 The Information Technology Act of 2000 was the first e commerce law enacted by the Indian government. The
primary goal of this law was to give effect to the UNCITRAL Model Law on Electronic Commerce(E Commerce
Law), which was published in 1996.
 The main objective of the Information Technology Act,2000 is to provide legal recognition to E-Commerce
transactions. It also lays down procedure for networking operations and for civil wrongs and offences but with no
express provision in regard to the validity of online contracts. It establishes the legality of the e-commerce
transaction if the offer and acceptance are made through a ‘reasonable’ mode which includes:
 Acceptance by Conduct, by pressing ‘Accept’ or ‘Submit’ button to an offer.
 By doing payment for a particular good or service being provided.
 By mailing directly to the offeror.
 legal legitimacy to transactions made over the internet
 allow for the transmission of electronic data through electronic methods of communication (e-commerce).
 regulatory framework and specifies penalties for cybercrime and other offences
 allows the Centre to block public access to an intermediary in the interest of sovereignty and integrity of India,
defence of India, security of the State.
 classifying electronic records and documents the same as physical records and documents.
 Words like “digital signature,” “electronic form,” “secure electronic record, ” and “information” were all inserted
into the IT Act to make them part of the evidentiary mechanism.
 create a secure path for digital records and electronic signatures, which become a major concern as the use of
electronic media had increased dramatically.
 This Act not only covers electronic commerce but also covers any other matter ancillary regarding the regulation
of information technology, data interchange, electronic record, digital signature, data protection, or any other
matter that may arise with the passage of time or in the near future or otherwise.

REGULATORY

 A procedure for the appointment of adjudicating officers for holding inquiries under the Act is finalized
 Provision for establishing a Cyber Regulatory Appellant Tribunal under the Act. S.48 Further, this tribunal will
handle all appeals made against the order of the Controller or Adjudicating Officer.
 An appeal against the order of the Cyber Appellant Tribunal is possible only in the High Court
 Provision for the appointment of the Controller of Certifying Authorities (CCA) to license and regulate the
working of Certifying Authorities. The Controller to act as a repository of all digital signatures.
 Provisions for the constitution of a Cyber Regulations Advisory Committee to advise the Central Government and
Controller.

ADJUDICATING OFFICER . S46.

 Officer who should not be less than the rank of a Director to the Government of India or an equivalent officer of
a state government as an adjudicating officer who shall adjudicate whether any person has committed a
contravention of any of the provisions of this Act.
 the adjudicating officer is vested with the power of a civil court to adjudicate any matter before it.
IT Act Notification No. 240
 Ministry of Communications and Information Technology, it has been declared that the Secretary of the
Department of Information technology of each of the states or union territories are not normally below the rank
of Director and also possess the required qualification as mandated by the central government; therefore, the
Secretary of Department of Information Technology of each of the states or of union territory shall serve as an
adjudicating officer.

FUNCTIONS

 The adjudicating officer shall exercise jurisdiction in respect of the contraventions in relation to Chapter IX of the
IT Act.
 To issue notices together with all the documents to all the necessary parties to the proceedings, fixing a date and
time for further proceedings.
 On the date so fixed, the person to whom the notice has been issued about the contravention alleged to have
been committed shall be explained by the adjudicating officer about the contravention alleged to have been
committed in relation to any of the provisions of this Act.
 Suppose the person who is alleged to have committed the contravention, pleads guilty. In that case, it shall be
recorded by the adjudicating officer, and penalty might be imposed upon him or award such compensation as
deemed fit in accordance with the provisions of this Act, rules, regulations, order, or directions made thereunder.
 On the basis of the submissions made, the adjudicating officer shall form an opinion that there is sufficient cause
to hold an enquiry or dismiss the matter or may get the matter investigated.
 If any person or persons fails, neglects, or refuses to appear, or present himself before the adjudicating officer, he
shall proceed with the inquiry in the absence of such person or persons after recording the reasons for doing so.
 The adjudicating officer shall fix a date and time for the production of documents (including electronic records)
or evidence.
 To hear and decide every application, as far as possible, in four months and the whole matter in six months.
 In the Indian National Congress (I) v. Institute of Social Welfare, it was held by the Supreme Court - where law
requires that an authority before arriving at a decision must make an enquiry, such a requirement of law makes
the authority a quasi-judicial authority.

CYBER APPELLATE TRIBUNAL (CAT)

 CAT serves as a specialized forum for settling cyber-related disputes, ensuring that citizens have access to fair and
impartial proceedings
 The CAT operates independently and has the authority to summon and examine witnesses, require the
production of relevant documents, and make decisions based on the principles of natural justice
 It was introduced under Section 48 of the Information Technology (Amendment) Act of 2006
 The central government appoints the members of the CAT by notification in the Official Gazette.
 The members of the CAT are appointed for a period of three years, but they are eligible for reappointment.

QUALIFICATIONS

 The CAT is headed by a chairperson, who is typically a retired judge from the Supreme Court or a High Court.
 In addition to the chairperson, the CAT includes expert members who possess knowledge in fields such as
information technology, cybersecurity, and law. These experts act as the backbone of the tribunal, bringing
technical insight and specialized legal expertise to the table.
 The person must be a citizen of India.
 The person should have served as a judge of a high court, if not possible than held a position equivalent to that
of secretary to the government of India, or held a similar role in the central or state government for at least
seven years.
 The person must possess experience in information technology law or practice.
 Summoning and questioning witnesses
 Demanding document production
 Receiving evidence through affidavits
 Issuing commissions for witness examinations
 Reviewing its own decisions

M/S Gujarat Petrosynthese Ltd and Rajendra Prasad Yadav v. Union of India (2014)- In this case, the petitioners
demanded the appointment of a chairperson to the Cyber Appellate Tribunal so that cases can be disposed of quickly
and someone can keep a check on the workings of CAT. The respondents submitted that a chairperson would be
appointed soon. The Court ordered the appointment of the chairperson and must see this as a matter of urgency and
take into account Section 53 of the Act.

CONTROLLER OF CERTIFYING AUTHORITIES

 The CCA is a government-appointed body established under the Information Technology Act, 2000. It acts as the
regulatory and supervisory authority for all Certifying Authorities (CAs) operating in India. Think of it as the
gatekeeper of the e-signature ecosystem, ensuring its security, reliability, and compliance.
 A Certifying Authority (CA) is a licensed entity that issues digital signature certificates (DSCs) under the
Information Technology Act, 2000. These certificates are used to authenticate users electronically.
 National Informatics Center (NIC), IDRBT Certifying Authority, SafeScrypt CA Services, Sify Communications Ltd,
and Code Solutions CA

CYBER REGULATIONS ADVISORY COMMITTEE (CRAC)

 The Cyber Regulations Advisory Committee (CRAC) is a committee established by the Information Technology Act
of 2000. The committee advises the Central Government and the Controller on matters related to the Act.
Includes A chairperson and Other official and non-official members
 The Minister of Information Technology
 The Secretary of the Legislative Department
 The Secretary of the Department of Electronics and Information Technology
 The Secretary of the Department of Telecommunications
 The Secretary of the Department of Law and Justice
 The Secretary of the Ministry of Commerce
 The Secretary of the Ministry of Home Affairs
 The Secretary of the Ministry of Defence

SECTION 43

 Section 43 of Chapter IX of the IT Act, 2000 outlines various actions for which a penalty is imposed if done
without permission from the person in charge of the computer system.
 Access information from the system
 Download or copy data with proper authorisation
 Introduce virus or other malicious software into the system
 Cause damage to a computer network or database
 Prevent an authorised user from accessing the system
 Assist others in breaching the provisions of the law
 Charge someone for services they have not utilised
 Alter or remove information to reduce its value or cause harm
 Steal the code that makes a computer program work

SEC 66 PUNISHMENT. - BARE ACT

computer - means any electronic, magnetic, optical or other high-speed data processing device or system which
performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and
includes all input, output, processing, storage, computer software or communication facilities which are connected
or related to the computer in a computer system or computer network;

Syed Asifuddin and Ors. Vs. The State of Andhra Pradesh & Anr

● Tata Indicom employees were arrested for manipulation of the electronic source code programmed into cell
phones that were exclusively franchised to Reliance Infocomm. The court held that such manipulation amounted to
tampering with computer source code as envisaged by section 65 of the Information Technology Act, 2000.

● The IT Amendment Bill of 2006 defined "communication devices" to include mobile phones, PDAs, and other
devices that can send or receive text, video, audio, or images.

SECTION OFFENCE PENALTY

 Section 65 Tampering with documents stored within a computer system - Imprisonment of 3 years or a fine of Rs.
2 lakhs or both
 Section 66 Offences associated with computers or any act outlined in Section 43 - Imprisonment of 3 years or a
fine that extends to Rs. 5 lakhs or both
 Section 66B Dishonestly receiving a stolen computer source or device - Imprisonment for 3 years or a fine of Rs. 1
lakh or both
 Section 66C Identity theft Imprisonment of 3 years or a fine of Rs.1 lakh or both
 Section 66D Cheating by personation Either imprisonment for 3 years or a fine of Rs. 1 lakh or both
 Section 66E Invading privacy Either imprisonment up to 3 years or a fine of Rs. 2 lakhs or both
 Section 66F Cyber terrorism Life imprisonment
 Section 67 Sending explicit or obscene material in electronic form Imprisonment of 5 years and a fine of Rs. 10
lakhs
 Section 67A Sending material containing sexually explicit acts through electronic means Imprisonment of 7 years
and a fine of Rs. 10 lakhs
 Section 67B Depicting children in sexually explicit form and sharing such material through electronic mode -
Imprisonment of 7 years and a fine of Rs. 10 lakhs
 Section 67C Failure to preserve and retain the information by intermediaries Imprisonment for 3 years and a fine

AMENDMENTS BROUGHT IN THE INFORMATION TECHNOLOGY ACT,2000

 The first schedule contains the amendments in the Penal Code. It has widened the scope of the term “document”
to bring within its ambit electronic documents.
 The second schedule deals with amendments to the India Evidence Act. It pertains to the inclusion of electronic
document in the definition of evidence.
 The fourth schedule amends the Reserve Bank of India Act. It pertains to the regulation of fund transfer through
electronic means between the banks or between the banks and other financial institution.
 Section 4 (Legal Recognition of Electronic Records):Electronic records (e.g., emails, online agreements, digital
invoices) are legally valid. It ensures that e-commerce transactions are enforceable under Indian law.
 Section 5 (Legal Recognition of Digital Signatures): Digital signatures are legally recognized, ensuring
authentication and integrity in online transactions.
 Section 43A (Compensation for Data Breach):Companies handling sensitive data (e.g., payment details) must
ensure its security. If data is leaked due to negligence, the company is liable for compensation.
 Section 72A (Unauthorized Disclosure of Personal Information):E- commerce platforms cannot misuse personal
information. Violators can face penalties, ensuring consumer privacy.
 The Digital Personal Data Protection Act, 2023 (notified but not yet enforced) will regulate data protection more
comprehensively
 Section 3 (Digital Signature & Electronic Signature): Recognizes digital signatures for secure transactions.
 Certifying Authorities (CAs): Organizations like e-Mudhra, NSDL e-Gov, and Sify issue digital certificates for
authentication.
 Section 79 (Safe Harbor Protection): Intermediaries are not liable for third- party content unless they fail to act
after receiving notice of illegal content.
 Example: If a seller on Amazon sells counterfeit goods, Amazon is not liable unless it fails to remove the listing
after being notified.

INTERMEDIARY GUIDELINES (2021):

● E-commerce platforms must:

 Appoint grievance officers.

 Provide mechanisms for user complaints.
 Ensure due diligence in hosting third-party content.

Section 75 (Extraterritorial Jurisdiction): The IT Act applies even if an offense is committed outside India, provided
the computer resource is located in India.

Jurisdictional Challenges:

 Different legal frameworks apply in different countries (e.g., GDPR in Europe, CCPA in the U.S.).
 Cross-border enforcement of judgments is complicated due to varying legal systems.

The Consumer Protection (E-Commerce) Rules, 2020 supplement the IT Act to safeguard consumer rights in online
transactions.

Key Provisions:

 Mandatory Information Disclosure: Platforms must disclose seller details, terms, refund policies, etc.
 Prohibition of Unfair Trade Practices: Platforms cannot manipulate search rankings or mislead consumers.
 Grievance Redressal Mechanism: Platforms must resolve complaints within one month.

Relevant Case Laws:

● Amazon Seller Services Pvt. Ltd. v. Amway India Enterprises (2019): The Delhi High Court held that e-commerce
platforms cannot engage in deep discounting or unfair business practices.

IT (INTERMEDIARIES GUIDELINES AND DIGITAL MEDIA ETHICS CODE) RULE, 2021

The Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 was introduced by
the Government of India so as to make various intermediaries including social media to act in a manner consistent
with the international scenario as contemplated by the UNCITRAL Model law on e-commerce. UNCITRAL Model law
has suggested a dispute redressal method. So, it has come up with due diligence by various intermediaries’ viz., social
media intermediary, significant social media intermediary, and online gaming intermediary. The intermediary shall
publish on its social media platform, the rules and regulations, privacy policy, and user agreement either in English
language or any of the languages of the Eighth Schedule of the Constitution of India.

Consumer Protection Act, 2019 read with Consumer Protection (e-commerce law) Rules, 2020

This law protects the consumer requirements from store-bought goods to online-ordered goods. Consumer
Protection Act, 2019 establishes a Central Consumer Protection Authority (CCPA) in addition to the existing consumer
grievance redressal mechanism. Consumer Protection (e- commerce) rules, 2020 govern online electronic interfaces
for e-commerce that are referred to as “Platform” which include any website, any fragment or part of the website, or
any mobile application or web application.

CONSUMER PROTECTION (E-COMMERCE) RULES , 2019.

General Conditions for carrying out e-Commerce business

 It shall be a registered legal entity under the laws of India;

 It shall submit a self-declaration to this Department stating that it is in compliance with these Guidelines;
 The promoter or key management personnel should not have been convicted of any criminal offence punishable
with imprisonment in last 5 years by any Court of competent jurisdiction;
 It shall comply with the provisions of Information Technology (Intermediaries guidelines) Rules, 2011.
 Payments for sale may be facilitated by the e-Commerce entity in conformity with the guidelines of the Reserve
Bank of India
 Details about the sellers supplying the goods and services, including identity of their business, legal name,
principal geographic address, name of website, e-mail address, contact details, including clarification of their
business identity, the products they sell, and how they can be contacted by customers shall be displayed in the
web site.

Liabilities of Sellers.

Any seller selling or advertising his products or services through an e-Commerce platform shall, -

 have prior written contract with the respective e-Commerce entity in order to undertake or solicit such sale or
offer;
 provide all information required to be provided either by law or by any other mandatory regime for disclosing
contractual information and compliance with that regime will be treated as sufficient;
 display single-figure total and break up price for the goods or service, that includes all compulsory charges such
as delivery, postage, taxes and handling and conveyance charges;
 comply with mandatory display requirements as per Legal Metrology (amendment) rules 2017 for pre-packaged
commodities
 Provide fair and reasonable, delivery terms, or to directly reference the shipping policy.
 Be responsible for any warranty/guarantee obligation of goods and services sold.
 Be upfront about how exchange, returns and refund process works, and who bares the costs of return shipping.

FOREIGN EXCHANGE MANAGEMENT ACT, 1999

Foreign Exchange Management Act, 1999 provides a legal framework for E-Commerce activities across borders. It
governs transactions in international trade that cross national borders. It governs rules regarding currency
conversion, and electronic payments gateways that deal with transactions in international scenarios.

COMPANIES ACT, 2013

The Companies Act, 2013 provides for a framework for incorporation of companies. E-commerce essentially requires
the formation of companies to carry on mercantile transactions. It also provides for punishment for fraud, false
statements, false evidence, repeated default, and wrongful withholding of property.

PAYMENT AND SETTLEMENT SYSTEMS ACT,2007

● The Payment and Settlement Systems Act, 2007 discusses payment systems. It discusses the regulation and
supervision of payment systems in India and appoints the Reserve Bank of India as an authority for all payment-
related operations, and transactions. Under the Act the “payment system” has been defined as a system that enables
payment to be effected between a payer and a beneficiary, involving clearing, payment, or settlement service either
any of them or all of them. “Payment System” does not include a stock exchange.

● Further, the “payment system” includes the software, apps, and payment gateways that enable credit card, debit
card, smart card operations, money transfer operations, or similar operations. It means it governs any platform
providing for money transfers

THE LEGAL METROLOGY ACT, 2009

The Legal Metrology Act, 2009 along with Legal Metrology (Packaged Commodity) Rules 2011 make it mandatory for
any e-commerce platform to display information about the product. The product description should provide for its
weight and other measurements as per the units of measurement suggested in the Act.

What are the challenges before the UNCITRAL model law?

Loopholes in Information Technology Act, 2000

E-CONTRACTS

 An electronic contract (e-contract) is a legally binding agreement created and signed in an electronic form,
offering the same enforceability as traditional paper contracts. It involves electronic communication methods,
such as email or online forms, for negotiation, signing, and enforcement.
 The primary difference between electronic and traditional contracts is their format and execution. Traditional
contracts require physical paperwork and handwritten signatures, often needing in-person interactions or mail
exchanges. Electronic contracts streamline this by allowing drafting, signing, and managing online.
 Electronic contracts are legally binding and enforceable when properly managed. Despite their digital nature, the
legal framework for e-contracts is robust, ensuring that digital contracts and e-signatures hold the same legal
weight as traditional contracts.
 An electronic contract is valid if it meets the same legal requirements as a paper contract: offer, acceptance,
intention to create legal relations, and consideration.

Certain agreements cannot be signed electronically.

Agreements that often cannot be signed electronically include wills, trusts, and documents for adoption, divorce, and
court orders. Some real estate transfers and notarised documents also require physical signatures, depending on
jurisdiction.

Key Elements

 Offer and Acceptance: An e-contract, like a traditional contract, must include a clear offer and acceptance. This
can be facilitated through email exchanges, digital forms, or online platforms where parties agree to terms
electronically.
 Consideration: Consideration in e-contracts refers to the value exchanged between parties, such as monetary
payments, services, or goods. It is essential for the contract's enforceability.
 Capacity and Consent: All parties involved in an e-contract must have the legal capacity and give informed
consent. Digital platforms often include verification processes to ensure that parties are of legal age and fully
understand the contract terms.
 Legality: The contract’s subject matter must be legal for the agreement to be enforceable. Contracts violating
legal requirements, such as those involving illegal activities or prohibited terms, are void and unenforceable.
FORMATION OF A CONTRACT AND THE POSTAL ACCEPTANCE/MAILBOX RULE

Issue of when and where the contract is formally made or concluded ?

The general rule is that contract is made when acceptance is communicated from the offeree to the proposer/offeror.
Accordingly, there is no contract where the acceptance is not communicated to the proposer, the reason being that it
would be unfair to hold proposer by an acceptance of which he has no knowledge. The location of the formation is
decided according to where the offeror receives notification of the acceptance. However, there is well-known
exception which was made to facilitate contracting between the parties at a distance- The postal acceptance rule.

Mailbox rule

● The postal acceptance or mailbox rule was first established in the case of the court of Adams v Lindsell - when the
court had to decide the moment of contract formation by post. The court found that parties when communicating
acceptance by post were not sure at the precise time the acceptance had been communicated. As postal
communication is subject to delay, the parties could not be simultaneously aware of the communication. This created
a number of problems and has led to a formulation of the rule. This rule as accepted in the common law legal
systems is: “Where the circumstances are such that it must have been within the contemplation of the parties that,
according to the ordinary usages of mankind, the post might be used as a means of communicating the acceptance
of an offer, the acceptance is complete as soon as it is posted”.

● best solution in determining the time that the parties reach consensus ad item and it was felt, that at the time of
posting the letter, there would be a greater chance of a ‘meeting of minds’ occurring than at the later time when the
letter was delivered.

● it can be argued that if electronic contracting is similar to contracting by post then the postal rule should be applied
to electronic acceptances like emails

● Email is considered to be a non-instantaneous method of communication and therefore subject to delay.

Contracting by email has been considered as the digital equivalent of the postal system. According to the difficulties
with the transmission of email, delays, failure of networks, hacking by third parties or incorrect email addresses of
intended recipients, may delay or prevent the delivery of an email

P.R. Transport Agency vs. Union of India & others

● The defendant, Bharat Coal Ltd held an e-auction for coal in different lots. P.R. Transport Agency’s (PRTA) bid was
accepted for 4000 metric tons of coal from Dobari Colliery. The acceptance letter was issued on 19th July 2005 by e-
mail to PRTA’s e-mail address. Acting upon this acceptance, PRTA deposited the full amount of Rs. 81.12 lakh through
a cheque in favour of BCC. This cheque was accepted and encashed by BCC. BCC did not deliver the coal to PRTA.
Instead it e-mailed PRTA saying that the sale as well as the e-auction in favour of PRTA stood cancelled “due to some
technical and unavoidable reasons”.

● The only reason for this cancellation was that there was some other person whose bid for the same coal was
slightly higher than that of PRTA. Due to some flaw in the computer or its programme or feeding of data the higher
bid had not been considered earlier. This communication was challenged by PRTA in the High Court of Allahabad.
Bharat Coal Ltd. objected to the “territorial jurisdiction” of the Allahabad High Court on the grounds that no part of
the cause of action had arisen within U.P.

● The court held that contracts made by other communication devices are complete when and where the acceptance
is received. However, this principle can apply only where the transmitting terminal and the receiving terminal are at
fixed points. In case of e-mail, the data (in this case acceptance) can be transmitted from any where by the e-mail
account holder. It goes to the memory of a ‘server’ which may be located anywhere and can be retrieved by the
addressee account holder from anywhere in the world. Therefore, there is no fixed point either of transmission or of
receipt. Section 13 of the Information Technology Act has covered this difficulty of “no fixed point either of
transmission or of receipt”. According to this section “...an electronic record is deemed to be received at the place
where the addressee has his place of business.” The acceptance of the tender will be deemed to be received by PRTA
at the places where it has place of business. In this case, the place of business is located in U.P. and hence Allahabad
High Court was held to have jurisdiction.
Cause of Action – Sec 20

TYPES OF ELECTRONIC CONTRACTS

 Browse wrap Agreements: Browse wrap agreements are website or app notices stating that users agree to the
terms simply by using the site or app. For instance, when you browse online, you might see a small text that says,
"By using this website, you agree to our terms and conditions." This means your use of the site constitutes
acceptance of the terms.
 Clickwrap Agreements: Clickwrap agreements require users to click “I accept” to agree to the terms, making
them highly enforceable. For example, when you download a new app on your computer, you're often prompted
with a message asking you to accept the terms and conditions. Ex.2 - Microsoft Office, users must accept the
terms and conditions by clicking "I Agree."
 Scroll wrap Agreements: A scroll wrap agreement is an extension of a clickwrap agreement. Before clicking the
clickwrap, the consumer needs to scroll down to the terms and conditions. It's similar to a click-wrap agreement,
but with a scroll-down step. The user is presented with the entire agreement, often in a separate window. The
user is instructed to scroll down to the bottom of the agreement. The user is given the opportunity to read the
terms and conditions before agreeing to them.
 Sign-in Wrap Agreements: Sign-in wrap agreements collect acceptance when users sign in to use a product or
service. Notice alongside the sign-in button stating, "By signing in, you agree to our terms of service." Your act of
signing in serves as acceptance of the terms.
 Shrink wrap Agreements: Shrink wrap agreements include terms enclosed in a product’s packaging, with
acceptance occurring when the package is opened. This type of agreement is often used in software. A Shrink
Wrap Agreement is a type of contract commonly used in software licensing, where the terms and conditions are
enclosed within the product’s packaging. The term “Shrink Wrap” can be understood as the plastic wrap used to
seal the product, which prevents tampering until the package is opened. In this model, the act of opening the
package is considered the buyer’s acceptance of the licensing terms specified within, even if they have not yet
had a chance to review them. Shrink Wrap Agreements are characterized by “implied consent.” This means that
by engaging with the product, such as opening the packaging or installing the software, the buyer is deemed to
agree to the terms laid out inside.
 Email Contracts: Agreements formed via email communication, where offer and acceptance are exchanged
through emails. For example, a freelancer and a client agree on project terms through email correspondence.
 Mobile Contracts: Agreements made through mobile applications, often seen in ride-sharing services like Uber or
food delivery apps like DoorDash, where users agree to terms of service through the app interface.
 Web-based Forms: Online forms that require users to fill out and submit, often used in applications for services,
registrations, or subscriptions. For instance, when signing up for a new online service, users must complete a
form agreeing to the service's terms and privacy policy.
 Smart Contracts - Self-executing contracts where terms are written into code and executed automatically on
blockchain networks. – ex A cryptocurrency transaction on Ethereum where payment is released only when
predefined conditions are met.
 Digital Signature Contracts - EDI (Electronic Data Interchange) Contracts - A retailer automatically ordering stock
from a supplier through an integrated EDI system.

ADVANTAGES OF ELECTRONIC CONTRACTS

 Faster Time to Sign: E-contracts can be sent and signed quickly, reducing turnaround times and eliminating the
delays associated with physical contracts.
 Version Control: Digital platforms allow for simultaneous updates for all parties, preventing confusion from
multiple drafts.
 Better Security: Electronic contracts are less vulnerable to threats like theft, forgery, and damage. Advanced
security measures ensure that contracts are protected from unauthorized access and tampering.
 Cost Savings: E-contracts eliminate the costs associated with printing, mailing, and storing physical documents,
resulting in significant savings.
 Environmental Impact: Reducing paper usage through e-contracts contributes to sustainability efforts.
 Accessibility: Electronic contracts can be created and signed using a variety of digital tools and platforms,
accommodating different needs and preferences.

CHALLENGES

 Managing Amendments and Updates: Amending e-contracts requires clear processes to track and consent to
changes by all parties. Digital platforms often provide tools for seamless amendments and version control.
 Dealing with Privacy and Tampering: Ensuring the privacy and security of e-contracts is paramount. Encryption,
secure storage, and robust access controls are essential to prevent tampering and unauthorized access.
 Handling Disputes and Legality Issues: Disputes can arise over the authenticity of digital signatures or the consent
of parties. Clear legal frameworks and digital audit trails help address these issues, ensuring that e-contracts are
enforceable and reliable.

E-Contracts – Extent of Detail - The extent of detail in electronic contracts (e-contracts) depends on various factors,
including the nature of the contract, applicable laws, industry standards, and the parties' interests.

 Essential Elements (Bare Minimum)

 Clauses for Legal Certainty
 Industry-Specific Detailing
 Execution & Legal Recognition

Essential Elements

 Offer & Acceptance: Clear proposal and unambiguous acceptance, often confirmed via digital signatures or "click-
wrap" agreements.
 Consideration: The exchange of value (money, goods, services).
 Capacity of Parties: Legal competence to enter into a contract.
 Legality of Purpose: The contract must not violate laws

Legal Certainty

 Scope of Services/Products: Precise description of what is being offered.

 Payment Terms: Price, method, schedule, taxes, penalties for late payment.
 Intellectual Property (IP) Rights: If software, content, or proprietary elements are involved.
 Confidentiality & Data Protection: Compliance with privacy laws (e.g., GDPR, IT Act 2000 in India).
 Dispute Resolution Mechanisms: Arbitration, mediation, or jurisdiction clauses.
 Termination & Breach Consequences: Conditions under which the contract can end.
 Force Majeure: Protection against unforeseen events affecting performance.
 Governing Law & Jurisdiction: Which country's laws apply.

Industry-Specific

 E-commerce Contracts: Return policies, refund terms, warranties.

 Software Licensing: Usage restrictions, liability disclaimers.
 Financial Contracts: Regulatory compliance, risk disclosures.
 Employment/Service Contracts: Work obligations, NDAs, indemnities.

Digital Execution & Legal Recognition

 Clickwrap Agreements: Users actively agree by clicking "I Agree.“

 Browsewrap Agreements: Implicit consent by using a website.
 Smart Contracts: Self-executing contracts on blockchain.
 E-signatures & Authentication: Legally valid under laws like ESIGN Act (US), eIDAS (EU), IT Act (India).

Identity of contracting parties

In the realm of electronic commerce, the identity of contracting parties is a pivotal aspect of electronic contracts (e-
contracts). Ensuring that parties are accurately identified is essential for the validity, enforceability, and security of
these digital agreements.
Challenges in Verifying Identity in E-Contracts

 Absence of Physical Interaction: Traditional contracts often involve face-to- face meetings, allowing parties to
verify identities through personal interaction. E-contracts, however, are executed in virtual environments,
eliminating direct personal verification.
 Digital Impersonation and Fraud: The digital landscape is susceptible to impersonation, where malicious actors
may present false credentials or hijack legitimate identities to enter into contracts.
 Jurisdictional Variations: Different countries have varying standards and regulations for digital identity
verification, leading to complexities in cross- border e-contracts.
 Technological Limitations: Not all users have access to advanced identity verification tools, and technological
disparities can hinder the implementation of uniform verification standards.

Frameworks and Solutions

 Electronic Signatures and Digital Certificates: Many jurisdictions recognize electronic signatures as legally binding,
provided they meet specific criteria. Digital certificates issued by trusted Certificate Authorities (CAs) can
authenticate a party's identity, ensuring that the signatory is indeed who they claim to be.
 Multi-Factor Authentication (MFA): Implementing MFA enhances security by requiring multiple forms of
verification, such as passwords combined with biometric data or one-time codes, thereby reducing the risk of
unauthorized access.
 Blockchain and Distributed Ledger Technologies: These technologies offer decentralized methods for identity
verification, where each party's identity can be validated through a secure, immutable ledger.
 Legal Recognition and Standards: International frameworks, such as the UNCITRAL Model Law on Electronic
Commerce, provide guidelines for the recognition of electronic signatures and the validity of e-contracts,
promoting uniformity across jurisdictions.

BREACH OF E-CONTRACTS

 A breach of contract occurs when a party fails to fulfill their obligations as stipulated in the agreement. In the
context of e-contracts, breaches manifest similarly to traditional contracts but present distinct challenges due to
their digital nature.
 Formation and Evidence: Traditional contracts often involve physical documents and signatures, providing
tangible evidence. E-contracts rely on electronic records and digital signatures, which can raise questions about
authenticity and consent.
 Jurisdictional Issues: E-contracts can be executed across different legal jurisdictions, complicating the
determination of applicable laws and dispute resolution forums.
 Security Concerns: The digital nature of e-contracts makes them susceptible to cyber threats, such as hacking or
unauthorized alterations, which can lead to breaches.
 LIC India v. Consumer Education and Research Centre (1995): Although predating the widespread use of e-
contracts, this case is pertinent as the Supreme Court recognized the validity of contracts formed through
electronic means, emphasizing that the mode of communication does not undermine the enforceability of a
contract.
 Specht v. Netscape Communications Corp. (2002, USA): This U.S. case addressed the enforceability of online
contracts where users were not explicitly made aware of the terms. The Court ruled that for an e-contract to be
binding, users must have reasonable notice of the terms and must manifest assent to them. This case
underscored the necessity of clear communication and consent in online agreements.
 Ryanair Ltd. v. Billigfluege.de GmbH (2010, European Union): The European Court of Justice dealt with the
unauthorized extraction of flight data from Ryanair's website by another company. The Court upheld the
enforceability of website terms of use, ruling that users who access a website with restrictive terms are bound by
those terms, even in the absence of explicit consent. This case highlights the importance of clearly stated terms
in e-contracts and their binding nature on users.
 Register.com, Inc. v. Verio, Inc. (2004): The Second Circuit ruled that repeated use of a website with posted terms
of service constitutes acceptance of those terms, highlighting the enforceability of browse-wrap agreements in
certain circumstances.
 eBay International AG v. Creative Festival Entertainment Pty Ltd. (2006): The Federal Court of Australia examined
the enforceability of online terms and conditions, ruling that users are bound by terms if they have reasonable
notice and an opportunity to review them before acceptance.

Lassana Diarra v. FIFA (2024) In a landmark judgment on October 4, 2024, the Court of Justice of the European
Union (CJEU) addressed critical issues regarding FIFA's transfer regulations in the case of Lassana Diarra v. FIFA (Case
C-650/22). This ruling has significant implications for the governance of professional football within the European
Union.

Shri Shakti Credit Society v. Shree Shakti Property 2020 - A property transaction was agreed upon through a series of
electronic communications. One party later denied the validity of the contract, arguing that there was no physical
agreement. Held: The Supreme Court reaffirmed that electronic contracts executed through emails, WhatsApp, and
other digital platforms are legally binding under the Information Technology Act, 2000. Thus strengthened the
position of digital contracts in Indian jurisprudence.

Lalitha v. The State of Tamil Nadu 2022 - A dispute arose regarding the enforceability of an agreement executed via

WhatsApp messages. Held: The Madras High Court ruled that electronic communications such as WhatsApp
messages can serve as evidence of a contract, provided they establish offer and acceptance. Expanded the scope of
electronic contracts beyond emails to instant messaging platforms like WhatsApp.

ELECTRONIC SIGNATURE

 A digital signature is a cryptographic technique used to validate the authenticity and integrity of digital messages,
documents, or software. It provides a way for the recipient to verify that the sender is who they claim to be and
that the content has not been altered since it was signed.
 Section 2(1)(p) of the Information Technology Act, 2000 (India): "Digital Signature" means authentication of any
electronic record by a subscriber by means of an electronic method or procedure in accordance with the
provisions of Section 3.
 Information Technology (Certifying Authorities) Rules, 2000;
 Digital Signature (End Entity) Rules, 2015; and
 Information Technology (Use of Electronic Records and Digital Signature) Rules, 2004.
 The IT Act distinguishes between electronic signatures and certificate-based digital signatures, but both have the
same status as handwritten signatures under Indian law. Digital signatures are preferred for certain government
transactions such as e-filing with the Ministry of Corporate Affairs, and goods and service tax filings.
 Each Digital Signature is enabled using a Digital Signature Certificate and contains a unique private and public key
pair that serves as the identity of an individual.
 Certification Agencies are appointed by the office of the Controller of Certifying Authority (CCA) to issue Digital
Signature Certificate (DSC) as per Sec 35 of IT Act, 2000.
 Who gives Digital signature:
 Digital signatures are typically issued by a trusted third-party organization known as a Certificate Authority (CA).
These entities verify the identity of individuals or organizations applying for digital signatures and issue digital
certificates, which contain the public key and other identifying information.
 Section 24(1) of the Information Technology (Certifying Authorities) Rules, 2000 (India): No person shall issue a
Digital Signature Certificate unless he has been granted a license to do so by the Controller.

Procedure for issuance of DSC - Section 35

 Any person may make an application to the Certifying Authority for the issue of a [electronic signature]
Certificate in such form as may be prescribed by the Central Government.
 Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be
prescribed by the Central Government, to be paid to the Certifying Authority
 Every such application shall be accompanied by a certification practice statement
 On receipt of an application under sub-section , the Certifying Authority may, after consideration of the
certification practice statement and after making such enquiries as it may deem fit, grant the [electronic
signature] Certificate or for reasons to be recorded in writing, reject the application
 no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause
against the proposed rejection.

Section 23. Digital Signature Certificate - The Certifying Authority shall, for issuing the Digital Signature Certificates,
while complying with the provisions of section 35 of the Act, also comply with the following, namely:-

 the Digital Signature Certificate shall be issued only after a Digital Signature Certificate application in the form
provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and the
same has been approved by it:
 no interim Digital Signature Certificate shall be issued;
 the Digital Signature Certificate shall be generated by the Certifying Authority upon receipt of an authorised and
validated request for:- (i) new Digital Signature Certificates; (ii) Digital Signature Certificates renewal;
 the Certifying Authority shall provide a reasonable opportunity for the subscriber to verify the contents of the
Digital Signature Certificate before it is accepted;

Validity of DSC

 The DSCs are typically issued with one year validity and two-year validity. These are renewable on expiry of the
period of initial issue.
 Class 1 Certificate: issued to individuals/private subscribers. These certificates confirm that user's name (or alias)
and E-mail address
 Class 2 Certificate: issued for both business personnel and private individuals use.
 Class 3 Certificate: issued to individuals as well as organizations. As these are high assurance certificates,
primarily intended for e-commerce applications, they shall be issued to individuals only on their personal
(physical) appearance before the Certifying Authorities.

State of Maharashtra v. Dr. Praful B. Desai (2003). In this case, the Supreme Court of India upheld the validity of
digital signatures and electronic records under the Information Technology Act, 2000. The court emphasized the
importance of digital signatures in facilitating electronic transactions and recognized them as legally valid means of
authentication. This judgment played a significant role in establishing the legal framework for electronic commerce in
India and set a precedent for the acceptance of digital signatures in legal proceedings.

The case of United States v. John Hancock Mutual Life Insurance Co. (1978) is a landmark case in the United States
concerning the legal validity of electronic signatures. The court ruled that electronic signatures could satisfy the
signature requirement under the Electronic Signatures in Global and National Commerce Act (ESIGN Act) if they meet
certain criteria, including being “attributable to a person” and “logically associated with the record.”

CERTIFYING AUTHORITIES

(CAs) play a crucial role in the ecosystem of e-commerce by ensuring the security, authenticity, and integrity of
electronic transactions. In the digital world, where physical verification is not possible, the need for a trusted third
party to authenticate and verify identities is paramount. Certifying Authorities fulfill this role by issuing digital
certificates, thereby enabling secure electronic communications and transactions. In India, the legal foundation for
Certifying Authorities is provided under the Information Technology Act, 2000. This Act recognizes the use of digital
signatures and establishes the framework for the regulation of Certifying Authorities. Under the Act, the Controller of
Certifying Authorities (CCA) is the regulatory body responsible for licensing and overseeing CAs.

FUNCTIONS OF CERTIFYING AUTHORITIES

 Issuance of Digital Certificates: CAs issue digital certificates that verify the identity of individuals and
organizations engaged in electronic transactions.
 Authentication of Digital Signatures: They authenticate digital signatures to ensure that electronic documents
have not been tampered with and genuinely originate from the stated sender.
 Maintaining Certificate Repositories: CAs maintain online repositories of digital certificates, making it easy to
verify the authenticity of any certificate.
 Revocation of Certificates: In case of compromised security or misuse, CAs have the authority to revoke digital
certificates.
 Compliance and Audits: CAs must adhere to legal and regulatory requirements and undergo regular audits to
maintain trust and security.

CHAPTER VI REGULATION OF CERTIFYING AUTHORITIES

17. Appointment of Controller and other officers -

The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for
the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy
Controllers [, Assistant Controllers, other officers and employees] as it deems fit.

The Controller shall discharge his functions under this Act subject to the general control and directions of the Central
Government.

The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant
Controllers other officers and employees shall be such as may be prescribed by the Central Government.

18. Functions of Controller

 exercising supervision over the activities of the Certifying Authorities;

 certifying public keys of the Certifying Authorities;
 laying down the standards to be maintained by the Certifying Authorities;
 specifying the qualifications and experience which employees of the Certifying Authority should possess;
 (specifying the conditions subject to which the Certifying Authorities shall conduct their business;
 specifying the contents of written, printed or visual materials and advertisements that may be distributed or
used in respect of a [electronic signature] Certificate and the public key;
 specifying the form and content of a [electronic signature] Certificate and the key;
 specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
 specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid
to them; maintaining a data base containing the disclosure record of every Certifying Authority containing such
particulars as may be specified by regulations, which shall be accessible to public.

Section 19. Recognition of foreign Certifying Authorities

Specifies the terms and conditions for the recognition of foreign certifying authorities. It allows the CCA to recognize
digital certificates issued by foreign entities, provided they adhere to equivalent security and authenticity standards
as those mandated in India.

22. Application for licence.—(1) Every application for issue of a licence shall be in such form as may be prescribed by
the Central Government. (2) Every application for issue of a licence shall be accompanied by— (a) a certification
practice statement; (b) a statement including the procedures with respect to identification of the applicant; (c)
payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the Central Government;
(d) such other documents, as may be prescribed by the Central Government.

30. Certifying Authority to follow certain procedures.—

Every Certifying Authority shall,—

 make use of hardware, software and procedures that are secure from intrusion and misuse;
 provide a reasonable level of reliability in its services which are reasonably suited to the performance of
intended functions;
 adhere to security procedures to ensure that the secrecy and privacy of the [electronic signatures] are assured
 be the repository of all electronic signature Certificates issued under this Act;
 publish information regarding its practices, electronic signature Certificates and current status of such
certificates; and
 observe such other standards as may be specified by regulations

LICENSE FOR CA
● For operating as a licensed Certifying Authority under the IT Act, 2000 an application has to be made to the
Controller of Certifying Authorities as stipulated under Section 21 of the IT Act. The application form for grant of
license prescribed under Sec. 10 of the IT Act has to be submitted to the Controller of Certifying Authorities. Before
submitting the application however, the applicant is expected to have the entire infrastructure - technical, physical,
procedural and manpower - in place. On receipt of the application and after examination of the same along with the
supporting documents, CCA will depute an empanelled auditor based on whose audit report a decision will be taken
on whether a license can be granted to the applicant to operate as a Certifying Authority under the IT Act 2000.

● In case non-compliances to the requirements of the IT Act, its Rules & Regulations are observed during the audit,
the applicant will be required to take corrective action and be subject to audit once again for further examination for
grant of licence.

SUSPENSION OF LICENSE OF CA

 If CA fails to maintain acceptable standards

 If CA fails to follow terms and conditions
 If CA contravenes any provisions of IT Act
 If CA makes any false statement in relation to the issue or renewal of license issued by CCA
 No CA whose licence has been suspended shall issue any ESC (Electronic Signature Certificate i.e Digital
Signature Certificate) during such suspension.

POWERS OF CCA

 Authorize in writing, the deputy or the assistant controller or any officer to exercise any of his powers
 Investigate any contravention of the act
 Can instructs CA or any of its employee to follow the provisions of this act
 Can direct any agency of the government to take action against any wrong information transmitted through any
computer resource
 Power to make regulations for fulfilling the purpose of the act Central Government - Appoints Controller of
Certifying Authorities (CCA) - Gives licence and regulates Certifying Authorities (CA) - Certifying Authorities (CA)
issues Electronic Signature Certificate (ESC) i.e Digital Signature Certificate to subscribers/ owners CA, IA, LA
 The term “Issuing Authority” is not a specific legal term defined under the IT Act, 2000 but is often used to refer
more generally to entities responsible for issuing documents, licenses, or credentials — not limited to digital
certificates.
 In the context of the IT Act, it may sometimes overlap with the CA, but it also refer to authorities issuing
electronic records, licenses, or approvals.
 In scope Broader than just digital signatures — it can refer to any official body issuing electronic documents.

FEATURE CERTIFYING AUTHORITY (CA) LISTING AUTHORITY

 Primary Function Issue, manage, and revoke digital certificates.

 Maintain a directory of issued certificates.
 Legal Status Defined under IT Act, 2000 (Section 17).
 Not specifically defined, more of an operational role.
 Powers Full authority to authenticate and certify digital identities.
 No authority to issue or authenticate certificates.
 Example eMudhra, Sify, NIC, etc. Online repositories of issued DSCs.

Smt. Asha S. Kumari v. Union of India: In this case, the court emphasized the legal sanctity of digital signatures
certified by a CA. It reinforced the importance of maintaining trust in electronic transactions, highlighting the need
for proper oversight and regulation by the CCA.

State of Tamil Nadu v. Rajendra Kumar: This case recognized the role of digital certificates in preventing fraud in
online transactions. The court held that digital signatures and certificates issued by recognized CAs have the same
legal validity as handwritten signatures, making them critical for secure e-commerce operations.

IMPORTANCE IN E-COMMERCE
Certifying Authorities are indispensable for the safe conduct of e-commerce activities. Their services ensure:

 Data Security: By encrypting communications, they prevent unauthorized access and data breaches.
 Identity Verification: Digital certificates confirm the legitimacy of parties involved in online transactions.
 Legal Validity: Digital signatures certified by CAs are legally recognized, ensuring enforceability of electronic
contracts.
 Consumer Trust: Secure transactions foster confidence among consumers in the e-commerce ecosystem.

CHALLENGES

Despite their importance, CAs face several challenges:

 Cybersecurity Threats: Constant evolution of cyber threats necessitates robust security measures.
 Cost of Certification: Obtaining and maintaining digital certificates can be costly for small businesses.
 Cross-border Recognition: Digital certificates may not always be recognized internationally, posing barriers to
global e-commerce

CONTENTS OF ELECTRONIC SIGNATURE

Signer’s Identification:

 Name of the person signing

 Email address or phone number (for verification)
 Digital certificate (if using advanced or qualified e-signatures)

Signature Data:

 The actual electronic representation of the signature (typed name, digital mark, scanned image, or cryptographic
key)
 Timestamp of when the signature was applied

Authentication Information:

 Method of signer verification (password, OTP, biometric data, etc.)

 IP address or device information of the signer

Document Integrity Proof:

 Hash value or checksum of the signed document (to detect any post-signing alteration)
 Encryption details (if applicable)

Legal Consent and Intent:

 A declaration that the signer intends to sign the document electronically

 Agreement to the terms of the document and use of e-signatures
 Certification Authority Details (For Digital Signatures):
 Issuer of the digital certificate
 Validity period of the certificate
 Serial number of the certificate

Issue of Digital signature; Before the issue of the digital signature certificate, the certifying authority shall;

 Confirm that the user’s name does not appear in its list of compromised users;
 Comply with the procedure as defined in his clarification practice statement including verification of
identification and/or employment;
 Comply with all privacy requirements;
 Obtain consent of the person requesting the Digital Signature Certificate, that the details of such Digital Signature
Certificate can be published on a directory service.

Grant, Revocation and withdrawal of ESC

● A Digital Signature Certificate (DSC) may be suspended by the Certifying Authority (CA) if (a) the subscriber of the
DSC or anyone on his/her behalf requests for a suspension (b) it is of the opinion that such a suspension would be in
the public interest – Section 37 of the IT Act.

● A DSC may be revoked by the CA if (a) the subscriber of the DSC or anyone on his/her behalf requests for a
revocation (b) the subscriber dies or becomes insolvent (c) the subscriber (where such subscriber is a firm/company)
is dissolved or wound up. Section 38 of the IT Act.

36. REPRESENTATIONS UPON ISSUANCE OF DIGITAL SIGNATURE CERTIFICATE.

A Certifying Authority while issuing a Digital Signature Certificate shall certify that—

(a) it has complied with the provisions of this Act and the rules and regulations made thereunder;

(b) it has published the Digital Signature Certificate or otherwise made it available to such person relying on it and
the subscriber has accepted it;

(c) the subscriber holds the private key corresponding to the public key, listed in the Digital Signature Certificate; 1
[(ca) the subscriber holds a private key which is capable of creating a digital signature; (cb) the public key to be listed
in the certificate can be used to verify a digital signature affixed by the private key held by the subscriber;]

(d) the subscriber's public key and private key constitute a functioning key pair;

(e) the information contained in the Digital Signature Certificate is accurate; and

(f) it has no knowledge of any material fact, which if it had been included in the Digital Signature Certificate would
adversely affect the reliability of the representations in clauses (a) to (d).

37. SUSPENSION OF DIGITAL SIGNATURE CERTIFICATE

● Certifying Authority which has issued a Digital Signature Certificate may suspend such Digital Signature Certificate,–

(a) on receipt of a request to that effect from– (i) the subscriber listed in the Digital Signature Certificate; or (ii) any
person duly authorised to act on behalf of that subscriber;

(b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest.

(2) A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has
been given an opportunity of being heard in the matter.

(3) On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the
same to the subscriber.

● The onus is on the certifying authority to communicate to the subscriber on the suspension of his digital signature
certificate. Merely listing the suspended certificates in the certificate revocation list and publishing in the repository
of the certifying authority is not enough. Even the subscriber has a right to be informed about the suspension of his
digital signature certificate. More so, as suspension of certificate does not affect any underlying contractual
obligations created between the certifying authority and the subscriber under the CPS.

38. REVOCATION OF DIGITAL SIGNATURE CERTIFICATE

● A Certifying Authority may revoke a Digital Signature Certificate issued by it– (a) where the subscriber or any other
person authorised by him makes a request to that effect; or (b) upon the death of the subscriber; or (c) upon the
dissolution of the firm or winding up of the company where the subscriber is a firm or a company.

(3) A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being
heard in the matter. (4) On revocation of a Digital Signature Certificate under this section, the Certifying Authority
shall communicate the same to the subscriber

39. NOTICE OF SUSPENSION OR REVOCATION.

1) Where a Digital Signature Certificate is suspended or revoked under section 37 or section 38, the Certifying
Authority shall publish a notice of such suspension or revocation, as the case may be, in the repository specified in
the Digital Signature Certificate for publication of such notice.

WITHDRAWAL OF ESC

 Withdrawal generally refers to the voluntary cancellation of the certificate by the holder. It’s different from
revocation in that there’s typically no issue of compromise or misuse — the user may simply not need the
certificate anymore.
 V. Kumar vs. R. Natarajan (2021): This case, adjudicated by the Madras High Court, involved disputes where the
authenticity and validity of digital signatures were questioned. The court examined the compliance of digital
signatures with the IT Act's provisions, emphasizing the importance of adherence to legal requirements for
electronic signatures to be considered valid.

INDIA - EU

In the EU, the management of electronic signatures is regulated by the eIDAS (electronic identification,
authentication, and trust services )Regulation (EU) No 910/2014, which standardizes electronic identification and
trust services across member states.

• Issuance (Grant) of Qualified Certificates for Electronic Signatures:

• Application: Applicants submit necessary identification documents to a Qualified Trust Service Provider (QTSP).
• Verification: The QTSP conducts identity verification following the standards set by eIDAS.
• Issuance: After successful verification, the QTSP issues a Qualified Certificate, which is recognized across all EU
member states.

Beginnings of PKI (1995-2002)

 The first wave of PKI included only a small number of certificates, which had a high value and were used only in
very specific cases.
 The biggest use case for PKI during this time was to issue certificates to eCommerce websites, which could then
display the lock icon in the browser to give consumers the confidence they were visiting the right website and
that there was a secure connection when sharing credit card information to make a purchase.
 Some large organizations rolled out PKI, but these projects typically spanned two years and millions of dollars
only to result in a handful of certificates actually being issued, leaving a lot of unfulfilled potential.
 During this time, nearly all certificates got purchased from public vendors and couldcost thousands of dollars.
This created a revenue stream for these vendors that guaranteed they would monitor certificate expirations and
alert recipients accordingly.

Enterprise PKI Emerges (2003-2010)

● The early 2000s saw the rise of the mobile workforce, when almost all employees received laptops and the ability
to work remotely became commonplace.

● In response, organizations identified PKI as the best way to authenticate their newly mobile workforces.
Specifically, they began to put certificates on employee laptops (and any other devices like mobile phones) to verify
that devices connecting to the network or accessing assets from outside the office were indeed employee devices
and had the right antivirus software required to access those systems.

● During this time, enterprise-issued certificates became like corporate ID badges

● While this approach to PKI allowed enterprises to solve important problems around authenticating a mobile
workforce and encrypting internal systems, it also created a new set of challenges around ensuring a healthy
program.

● First, organizations needed to put a lot of effort into designing robust and secure PKIs that adhered to best
practices. Second, they needed to find ways to properly track their PKIs to ensure certificates didn’t expire and/or
that they weren’t compromised and needed to be revoked. To stem these challenges, most organizations introduced
PKI management programs led in-house by employees with relevant expertise.

New Uses and Growing Pains (2011-Today)

 The third wave of PKI, which we’re still experiencing today, includes several new uses around the Internet of
Things (IoT) and some growing pains with scaling PKI along the way.
 Today, organizations issue millions of certificates to authenticate a fully mobile, multi-device workforce. Beyond
employee devices, organizations also have to manage embedded certificates in all sorts of cloud systems. Finally,
the rise of the IoT has led to millions of new connected devices, each of which needs to be secured,
authenticated, and able to get firmware updates. All of these connections make PKI more important than ever
and have led to enormous growth in this space.
 Specifically, today’s connected digital world creates PKI management challenges around getting certificates
where they need to go, ensuring certificates are properly vetted and mapped, and monitoring already-issued
certificates.

PUBLIC KEY INFRASTRUCTURE

 Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique
digital identities for users, devices and applications and secure end-to-end communications.
 PKI security first emerged in the 1990s to help govern encryption keys through the issuance and management of
digital certificates. These PKI certificates verify the owner of a private key and the authenticity of that
relationship going forward to help maintain security. The certificates are akin to a driver’s license or passport for
the digital world.

Symmetric Encryption

 Symmetric encryption is a simple cryptographic algorithm by today’s standards,

 With symmetric encryption, a message that gets typed in plain text goes through mathematical permutations to
become encrypted. The encrypted message is difficult to break because the same plain text letter does not
always come out the same in the encrypted message
 To both encrypt and decrypt the message, you need the same key, hence the name symmetric encryption. While
decrypting messages is exceedingly difficult without the key, the fact that the same key must be used to encrypt
and decrypt the message carries significant risk. That’s because if the distribution channel used to share the key
gets compromised, the whole system for secure messages is broken.

Asymmetric Encryption

 Asymmetric encryption, or asymmetrical cryptography, solves the exchange problem that plagued symmetric
encryption. It does so by creating two different cryptographic keys (hence the name asymmetric encryption) — a
private key and a public key.
 With asymmetric encryption, a message still goes through mathematical permutations to become encrypted but
requires a private key to decrypt and a public key (which can be shared with anyone) to encrypt a message.
 ‘A’ wants to send a private message to ‘B’, so he uses B’s public key to generate encrypted cipher text that only
B’s private key can decrypt.
 Asymmetric encryption also makes it possible to take other actions that are harder to do with symmetric
encryption, like digital signatures, which work as follows:
 B can send a message to A and encrypt a signature at the end using his private key.
 When A receives the message, he can use B’s public key to verify two things:
1. B, or someone with B’s private key, sent the message
2. The message was not modified in transit, because if it does get modified the verification will fail

THE ROLE OF DIGITAL CERTIFICATES IN PKI

 PKI governs encryption keys by issuing and managing digital certificates Digital certificates are also called PKI
certificates.
 Is an electronic equivalent of a driver’s license or passport
 Contains information about an individual or entity
 Is issued from a trusted third party
 Is tamper-resistant
 Contains information that can prove its authenticity
 Can be traced back to the issuer
 Has an expiration date
 Is presented to someone (or something) for validation of PKI

AUTHENTICATION

Authentication solutions are the key function of PKI in enterprise security. PKI authentication is the process of
verifying the identity or entities and involves the use of digital certificates and cryptographic keys to establish trust
and authenticate the participants in a communication or transaction. This means that the recipient of this data can
assure that the sender or source is authentic, and they are who they claim to be. PKI authentication enhances
security, privacy, and trust in digital communications and transactions. It mitigates the risks of identity fraud, data
breaches, and unauthorized access while providing a scalable and interoperable solution for secure authentication.

ENHANCED DATA SECURITY

PKI secures data by encrypting it until it reaches the authorized recipient. This is done with the sender’s private key
and remains that way until it is received by the recipient’s public key which is then used to decrypt the information.
This allows enterprises to be able to ensure data privacy for clients and prospects, as well as internally for employees
by preventing malicious third parties from reading the data that is being processed. PKI enhances data security by
protecting against various threats, providing secure mobile communication, centralized certificate management,
securing cloud services and IoT (Internet of Things) communication, and enabling secure document signing. These
capabilities contribute to maintaining the confidentiality, integrity, and authenticity of data across a wide range of
applications and environments.

GREATER EFFICIENCY

PKI offers a range of efficiencies that enhance security and streamline operations. With simplified key management
and automation, PKI eliminates the complexities of manual processes by providing a centralized framework for
generating, distributing, and revoking digital certificates. This efficient method of key maintenance prevents the risk
of data losses through over-complicated management processes as well as reducing the potential for opportunists to
take advantage of overlooked gaps in the system and launch a cyber-attack.

STREAMLINED ACCESS CONTROL

Access control is critical to business security and PKI offers a user-friendly solution for access management. PKI is
based on unique identities making it easy for managers to control access permissions for each individual user or
device.

GREATER SCALABILITY

PKI offers flexible scalability for a diverse range of business security needs. This means that it can secure data for any
number of users, applications, and devices. This is especially useful for enterprises looking to scale to meet
expanding demand without sacrificing efficiency or compromising security.

LOW-COST SECURITY

While the initial cost and impact on infrastructure to set up and incorporate PKI can seem a significant one,
integrating PKI into business security saves on much greater costs further down the line. Streamlining certificate
management using PKI automation solutions means that the costs following the initial set up are only attributable to
renewal. What is more, PKI can save enterprises the cost of fines, legal fees, and business losses that can come from
security breaches or mismanagement, therefore the business operational and security benefits far outweigh the
initial investment.

 Identity theft/spoofing
 Data tampering
 Unauthorized access
 Credential phishing attacks

REMEDIES FOR BREACH

 Compensation for Loss or Damage (Section 73): This section entitles the aggrieved party to receive compensation
for any loss or damage caused by the breach, which naturally arose in the usual course of things or which the
parties knew, at the time of contract formation, to be likely to result from the breach.
 Illustration: If Party A contracts to deliver goods to Party B on a specific date, and fails to do so, causing Party B to
incur additional costs to procure the goods elsewhere, Party B can claim those additional costs as damages.
 Compensation for Breach of Contract with Penalty Stipulation (Section 74): When a contract specifies a sum to be
paid in case of breach, or includes any other penalty clause, the aggrieved party is entitled to reasonable
compensation not exceeding the stipulated amount, regardless of actual loss or damage.
 Illustration: If a software development contract includes a clause that imposes a ₹50,000 penalty for delayed
delivery, and the developer delays, the client can claim up to ₹50,000 without proving actual loss.
 Right to Rescind Contract (Section 39): If a party to a contract refuses to perform, or disables itself from
performing, its promise in its entirety, the other party may rescind the contract and claim compensation for any
loss sustained due to the non-performance.
 Illustration: If Party A agrees to develop a website for Party B, but after receiving payment, refuses to start the
project, Party B can cancel the contract and seek compensation for any losses incurred.

Remedies under the Specific Relief Act, 1963

 Beyond monetary compensation, the Specific Relief Act provides equitable remedies:
 Specific Performance (Sections 10-14): Courts may direct the defaulting party to fulfill their contractual
obligations, especially when monetary compensation is inadequate.
 Illustration: If a unique piece of digital artwork is sold via an e-contract and the seller refuses to deliver, the buyer
may seek a court order compelling the seller to complete the transaction.
 Injunctions (Sections 36-42): Courts can issue orders restraining a party from committing a breach (prohibitory
injunction) or requiring specific acts to prevent a breach (mandatory injunction).
 Illustration: If a software developer threatens to share proprietary code with competitors in violation of a non-
disclosure agreement, the original owner can seek an injunction to prevent this disclosure.

Punishments and Penalties under the Information Technology Act, 2000

● Penalty for Breach of Confidentiality and Privacy (Section 72): Any person who, in the course of exercising powers
under the Act, secures access to any electronic record, information, or document without consent and discloses it to
another person shall be punished with imprisonment up to two years, or a fine up to ₹1 lakh, or both Illustration: If
an IT professional accesses confidential customer data without authorization and shares it with a third party, they can
face imprisonment and/or a fine under this section.

● Punishment for Disclosure of Information in Breach of Lawful Contract (Section 72A): If a service provider, during
the course of providing services under a lawful contract, gains access to material containing personal information and
discloses it without consent, intending or knowing it could cause wrongful loss or gain, they shall be punished with
imprisonment up to three years, or a fine up to ₹5 lakh, or both. Illustration: A mobile app developer who shares
users' personal data with advertisers without user consent can be penalized under this provision.

● Digital signatures are created using asymmetric cryptography, also known as public-key cryptography. The process
involves generating a pair of cryptographic keys: a private key and a public key. The private key is kept secret and
known only to the signer, while the public key is shared with others. The digital signature is created by applying a
mathematical algorithm to the content being signed and the signer's private key.

● When a digital signature is created, it is attached to the digital document or message. To verify the signature, the
recipient uses the signer's public key to decrypt the signature and compare it to a computed value based on the
original content. If the two values matches, the signature is considered valid, indicating that the document has not
been altered and was indeed signed by the holder of the private key.