As India's digital population surpasses 900 million internet users, the legal framework governing cyber crime has become one of the most critical and rapidly evolving areas of Indian law. The foundational statute is the Information Technology Act, 2000 (IT Act), enacted to give legal recognition to electronic commerce and electronic governance while also addressing cyber crimes. The IT Act was substantially amended in 2008 to address emerging threats, and its provisions have been further supplemented by the Bharatiya Nyaya Sanhita, 2023, which introduces new technology-related offences. Understanding this legal landscape is essential for every Indian citizen, professional, and business operating in the digital domain.
The Information Technology Act, 2000 — Framework and Key Provisions: The IT Act was India's first dedicated cyber legislation, enacted pursuant to the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce, 1996. It provides legal recognition to electronic records and digital signatures (now electronic signatures after the 2008 amendment), establishes the legal infrastructure for e-governance, and defines a range of cyber offences with associated penalties. The Act applies to any offence or contravention committed outside India by any person, irrespective of nationality, if the act or conduct involves a computer, computer system, or computer network located in India (Section 75), giving it extraterritorial reach.
Key Offences Under the IT Act: Section 43 deals with penalties for damage to computer systems — any person who without permission of the owner accesses, downloads, copies, extracts data, introduces any computer contaminant or virus, damages, disrupts, denies access, charges services to another person's account, or destroys information residing in a computer resource is liable to pay compensation up to five crore rupees to the affected person. This is a civil liability provision adjudicated by an Adjudicating Officer appointed under Section 46. Section 65 criminalises tampering with computer source code, punishable with imprisonment up to three years or a fine up to two lakh rupees or both. Section 66 addresses computer-related offences including hacking — if any person, dishonestly or fraudulently, does any act referred to in Section 43, it is punishable with imprisonment up to three years or a fine up to five lakh rupees or both. Section 66B penalises dishonestly receiving stolen computer resources (imprisonment up to three years or fine up to one lakh rupees). Section 66C criminalises identity theft — fraudulently or dishonestly using the electronic signature, password, or any unique identification feature of another person (imprisonment up to three years and fine up to one lakh rupees). Section 66D penalises cheating by personation using a computer resource (imprisonment up to three years and fine up to one lakh rupees). Section 66E addresses violation of privacy by capturing, publishing, or transmitting images of a person's private area without consent (imprisonment up to three years or fine up to two lakh rupees). Section 66F defines and punishes cyber terrorism — acts that threaten the unity, integrity, security, or sovereignty of India or strike terror among the people by denying access to authorised persons, attempting to penetrate a computer resource without authorisation, or introducing a computer contaminant — with imprisonment extending to life imprisonment.
Section 66A — Struck Down by the Supreme Court in Shreya Singhal v. Union of India (2015): Section 66A of the IT Act, inserted by the 2008 amendment, had criminalised the sending of "grossly offensive" or "menacing" messages through a computer resource, as well as messages known to be false but sent for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will. The provision was punishable with imprisonment up to three years and a fine. In the landmark case of Shreya Singhal v. Union of India (2015), the Supreme Court struck down Section 66A as unconstitutional, holding that it violated Article 19(1)(a) (freedom of speech and expression) and Article 21 (right to life and liberty) of the Constitution. The Court observed that the terms "grossly offensive," "menacing," "annoyance," "inconvenience," and "ill will" were vague, undefined, and susceptible to subjective interpretation, creating a chilling effect on free speech. The Court drew a critical distinction between "discussion," "advocacy," and "incitement," holding that only the third category — incitement to imminent lawless action — can be restricted. Despite the Supreme Court striking down Section 66A in 2015, a troubling study by the Internet Freedom Foundation in 2021 revealed that police forces across multiple states continued to register FIRs under the defunct provision, indicating a serious implementation gap between judicial pronouncements and ground-level enforcement.
Section 67, 67A, and 67B — Obscenity and Child Sexual Abuse Material: Section 67 penalises publishing or transmitting obscene material in electronic form (first conviction: imprisonment up to three years and fine up to five lakh rupees; subsequent conviction: imprisonment up to five years and fine up to ten lakh rupees). Section 67A addresses sexually explicit material (first conviction: imprisonment up to five years and fine up to ten lakh rupees; subsequent conviction: imprisonment up to seven years and fine up to ten lakh rupees). Section 67B specifically targets material depicting children in sexually explicit acts, creating, collecting, facilitating, or browsing such material (first conviction: imprisonment up to five years and fine up to ten lakh rupees; subsequent conviction: imprisonment up to seven years and fine up to ten lakh rupees). This provision is complemented by the Protection of Children from Sexual Offences Act, 2012 (POCSO), which addresses the broader spectrum of child sexual abuse.
Intermediary Liability and the IT Rules, 2021: Section 79 of the IT Act provides a safe harbour to intermediaries (platforms like social media companies, internet service providers, and search engines) from liability for third-party content, provided they observe due diligence and comply with government guidelines. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021) impose significant obligations on intermediaries, including appointing a grievance officer, a chief compliance officer, and a nodal contact person for 24x7 coordination with law enforcement. Significant social media intermediaries (those with more than fifty lakh registered users in India) must additionally enable identification of the first originator of a message when required by a court order or by the government, which raised substantial privacy and encryption concerns debated before the courts.
The Digital Personal Data Protection Act, 2023: While not strictly a cyber crime statute, the Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a comprehensive framework for the processing of personal data in India, replacing the earlier patchwork of provisions under Section 43A of the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The DPDP Act establishes the Data Protection Board of India to adjudicate complaints regarding data breaches and non-compliance, and imposes penalties up to Rs. 250 crore for significant data breaches.
Protecting Yourself Online — Practical Guidance: Law Forum India regularly conducts cyber safety awareness sessions for students, professionals, senior citizens, and community groups in Bengaluru. Our practical recommendations include: never share OTPs, passwords, or banking PINs with anyone, including those claiming to be bank officials; enable two-factor authentication on all critical accounts; be wary of unsolicited links in emails, SMS, and WhatsApp messages; regularly update your devices and use reputable antivirus software; report cyber crimes promptly on the National Cyber Crime Reporting Portal (cybercrime.gov.in) or call the cyber crime helpline at 1930; and exercise caution with social media posts, as information shared publicly can be used for identity theft or social engineering attacks.