Information Technology Act, 2000

The Information Technology Act, 2000 (Act No. 21 of 2000) is the foundational statute of Indian cyberspace law, enacted by Parliament on 9 June 2000 and brought into force on 17 October 2000. Its drafting responded directly to the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce, adopted by UN General Assembly Resolution 51/162 of 30 January 1997, which recommended that member states give legal recognition to transactions conducted by electronic means. The Act's stated objects are to provide legal recognition for transactions carried out through electronic data interchange, to facilitate electronic filing of documents with government agencies, and to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934. It extends to the whole of India and, under Section 1(2) read with Section 75, applies extraterritorially to offences committed outside India if they involve a computer, computer system, or network located within India.

Procedurally, the Act establishes a multi-tier architecture for trust and adjudication. Chapter II originally legalised digital signatures based on asymmetric cryptography, later broadened to "electronic signatures" by the 2008 amendment to achieve technological neutrality. Chapter VI creates the office of the Controller of Certifying Authorities (CCA), which licenses and supervises Certifying Authorities that issue Electronic Signature Certificates under Sections 21 to 35. For dispute resolution, Section 46 empowers the Central Government to appoint Adjudicating Officers—of rank not below a Director to the Government of India or equivalent state officer—to adjudicate contraventions where the claim for injury or damage does not exceed five crore rupees; claims above that threshold lie before competent civil courts. Appeals against an Adjudicating Officer originally went to the Cyber Appellate Tribunal, whose functions were merged into the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) by the Finance Act, 2017.

The Act's penal and regulatory mechanics expanded substantially through the Information Technology (Amendment) Act, 2008, which took effect on 27 October 2009 following the deficiencies exposed by the 26 November 2008 Mumbai attacks. The amendment inserted Section 66F (cyber terrorism, punishable by life imprisonment), Section 66E (violation of privacy), Section 67A and 67B (sexually explicit material and child pornography), Section 69 (interception, monitoring, and decryption powers), Section 69A (blocking of public access to information), and Section 79 (the safe harbour provision granting intermediaries conditional immunity from liability for third-party content). Section 70B designated the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for incident response. Section 43A introduced compensation liability for body corporates that fail to protect sensitive personal data, operationalised through the 2011 Reasonable Security Practices Rules.

Contemporary enforcement runs through several Delhi-based authorities. The Ministry of Electronics and Information Technology (MeitY) issues subordinate rules, most consequentially the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which impose due-diligence obligations, grievance-officer requirements, and traceability mandates on significant social media intermediaries. Blocking orders under Section 69A are processed by a committee under the 2009 Blocking Rules; in June 2020 the Government invoked this provision to ban 59 Chinese mobile applications, including TikTok and WeChat, citing sovereignty and integrity of India. CERT-In's April 2022 directions mandated reporting of specified cyber incidents within six hours and prescribed log-retention obligations on data centres and VPN providers.

The Act must be distinguished from adjacent instruments. It is not a data-protection statute in the European sense; the standalone Digital Personal Data Protection Act, 2023 now governs personal-data processing, displacing the narrow Section 43A regime. The IT Act differs from the Indian Penal Code (now the Bharatiya Nyaya Sanhita, 2023) in that it addresses computer-specific offences and electronic evidence rather than general criminality, though prosecutions frequently invoke both. It is also distinct from the Telecommunications Act, 2023, which governs network infrastructure and spectrum rather than content and electronic records.

Controversy has centred on free-expression provisions. Section 66A, which criminalised "grossly offensive" or "menacing" online messages, was struck down in its entirety by the Supreme Court in Shreya Singhal v. Union of India (24 March 2015) as violative of Article 19(1)(a) of the Constitution and unconstitutionally vague; the same judgment upheld Section 69A while reading down intermediary obligations under Section 79 to require actual knowledge via court or government order. Despite the ruling, lower courts continued registering cases under Section 66A for years, prompting further Supreme Court directions in 2019 and 2021. The 2021 Rules face ongoing constitutional challenges in multiple High Courts, with WhatsApp contending that the traceability mandate breaks end-to-end encryption and infringes privacy recognised in K.S. Puttaswamy v. Union of India (2017).

For the working practitioner—whether a UPSC aspirant preparing General Studies Paper III on internal security, a desk officer drafting takedown requests, or a policy analyst tracking platform regulation—the IT Act remains the operative spine of India's digital governance. Mastery requires holding three layers simultaneously: the 2000 parent Act, the 2008 penal expansion, and the proliferating subordinate rules of 2009, 2011, and 2021. Its blocking and interception powers, intermediary obligations, and the unresolved tension between Section 69A secrecy and transparency norms make it central to debates on digital sovereignty, surveillance, and the regulation of transnational platforms operating within Indian jurisdiction.