⚖️ Cyber Laws in India
Complete Bare Act–Based Revision Resource for Bar Exam 2026
📌 Important Note for AIBE Students
Cyber Law in India is not a single statute. It is spread across multiple laws and rules. For AIBE 2026, you must understand four primary frameworks:
- IT Act, 2000: The foundational cyber law — covers electronic records, digital signatures, offences, and intermediary liability.
- DPDP Act, 2023: India's new data privacy law — covers consent, data fiduciary obligations, rights of data principals, and penalties.
- BSA, 2023: Replaces the Indian Evidence Act — contains provisions on admissibility and proof of electronic/digital records.
- IT Rules, 2021: Governs due diligence obligations for platforms, social media, and digital news media.
Laws & Sections — Detailed Study
Short Title, Extent, Commencement & Application
Plain Explanation: The Act is called the Information Technology Act, 2000. It extends to the whole of India. Importantly, it also applies to any offence or contravention committed outside India by any person — provided the act involves a computer, computer system, or computer network located in India.
What Does Not Apply: The Act does NOT apply to documents listed in the First Schedule:
- Negotiable instruments (other than cheques)
- Power of attorney
- Trusts
- Wills and testamentary dispositions
- Contracts for sale/conveyance of immovable property
Key Definitions (Section 2)
Section 2 contains over 25 important definitions. Key ones for AIBE:
| Term | Definition (Simplified) |
|---|---|
| Access (§2a) | Gaining entry into the logical, arithmetical, or memory function resources of a computer/computer system/network |
| Computer (§2i) | Any electronic/magnetic/optical high-speed data processing device performing logic, arithmetic, and memory functions |
| Computer Resource (§2k) | Computer, computer system, computer network, data, computer database, or software |
| Cyber Security (§2nb) | Protecting information, equipment, devices, computers from unauthorized access, use, disclosure, disruption, modification, or destruction |
| Data (§2o) | Any representation of information/knowledge/facts/instructions prepared in formalized manner for processing in a computer |
| Digital Signature (§2p) | Authentication of electronic record by subscriber using asymmetric crypto system (as per Section 3) |
| Electronic Record (§2t) | Data, record, or data generated, image or sound stored, received or sent in electronic form or microfilm or computer generated microfiche |
| Electronic Signature (§2ta) | Authentication of electronic record using technique specified in the Second Schedule; includes digital signature |
| Intermediary (§2w) | Any person who receives, stores, or transmits electronic records on behalf of another; includes ISPs, web-hosting, search engines, online marketplaces, cyber cafes |
| Originator (§2za) | Person who sends, generates, stores, or transmits an electronic message; does NOT include an intermediary |
Authentication of Electronic Records (Digital Signature)
Plain Explanation: A subscriber may authenticate an electronic record by affixing a digital signature. Authentication uses an asymmetric crypto system and a hash function that transforms the original record. Anyone can verify it using the subscriber's public key.
The private key and public key are unique to the subscriber and form a functioning key pair.
Electronic Signature (Section 3A — inserted by 2008 Amendment)
Plain Explanation: A subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique that is (a) considered reliable, and (b) specified in the Second Schedule.
Reliability Criteria:
- Signature creation data is linked to the signatory only
- Was under sole control of the signatory at time of signing
- Any alteration to the electronic signature after signing is detectable
- Any alteration to the information after authentication is detectable
Legal Recognition of Electronic Records
Plain Explanation: Where any law requires information to be "in writing" or "in printed/typewritten form," that requirement is satisfied if the information is rendered in electronic form and is accessible for subsequent reference.
Legal Recognition of Electronic Signatures
Plain Explanation: Where any law requires a document to be "signed" or to "bear the signature" of a person, an electronic signature affixed in the prescribed manner satisfies that requirement.
Validity of Contracts Formed Through Electronic Means
Plain Explanation: A contract is NOT unenforceable merely because proposals, acceptances, or revocations were communicated in electronic form or by electronic records.
Attribution, Acknowledgement & Time/Place of Despatch
Section 11 — Attribution: An electronic record is attributed to the originator if: (a) sent by the originator himself; (b) sent by an authorized person; or (c) sent by an automated information system programmed by/on behalf of the originator.
Section 12 — Acknowledgement: If the originator stipulates that the record is binding only on receiving acknowledgement — and no acknowledgement is received — the record is deemed never sent.
Section 13 — Despatch & Receipt:
- Despatch occurs when the record enters a computer resource outside the control of the originator.
- Receipt (if addressee designates a computer resource) occurs when the record enters that designated resource.
- Place of despatch = originator's place of business; Place of receipt = addressee's place of business.
Penalty & Compensation for Damage to Computer, Computer System, etc.
Plain Explanation: If any person without permission of the owner or person in charge of a computer/computer system/computer network does any of the following acts, they shall be liable to pay damages by way of compensation:
- (a) Accesses or secures access to the computer
- (b) Downloads, copies, or extracts any data or database
- (c) Introduces a computer contaminant or virus
- (d) Damages or causes damage to the computer or data
- (e) Disrupts or causes disruption
- (f) Denies or causes denial of access to authorized persons (DoS)
- (g) Assists any person to facilitate unauthorized access
- (h) Charges services to account of another by manipulating the computer
- (i) Destroys, deletes, or alters information in a computer resource
- (j) Steals or destroys computer source code
Nature of Remedy: Section 43 is a civil remedy — it awards compensation, not criminal punishment. The criminal counterpart is Section 66.
Compensation for Failure to Protect Data (Corporate Data Protection)
Plain Explanation: Where a body corporate possessing, dealing with, or handling sensitive personal data or information (SPDI) in a computer resource is negligent in implementing reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain, it is liable to pay compensation.
Key Definitions:
- Body corporate = any company; includes firm, sole proprietorship, or other association engaged in commercial/professional activities
- Reasonable security practices = security practices designed to protect from unauthorized access, damage, use, modification, disclosure, or impairment
- SPDI = such personal information as may be prescribed by the Central Government
Power to Adjudicate
Plain Explanation: The Central Government appoints an adjudicating officer (not below the rank of Director to GoI or equivalent State officer) to adjudicate contraventions under Chapter IX.
Jurisdiction Limit: Adjudicating officer has jurisdiction only where the claim does not exceed ₹5 crore. Claims above ₹5 crore go to the competent court.
Tampering with Computer Source Documents
Whoever knowingly or intentionally conceals, destroys, or alters any computer source code (required to be kept by law) is punishable with imprisonment up to 3 years or fine up to ₹2 lakh, or both.
Computer Related Offences (Criminal Counterpart of Section 43)
If any person dishonestly or fraudulently does any act referred to in Section 43, they are punishable with imprisonment up to 3 years or fine up to ₹5 lakh, or both.
Key Point: "Dishonestly" (IPC S.24) and "fraudulently" (IPC S.25) as defined in the Indian Penal Code are imported into this section.
Sending Offensive Messages [STRUCK DOWN]
Section 66A provided punishment for sending grossly offensive/menacing messages through computer resources or communication devices.
⚡ Note: Section 66A was STRUCK DOWN by the Supreme Court in Shreya Singhal v. Union of India (2015) as unconstitutional for violating Article 19(1)(a). It is no longer enforceable.
Dishonestly Receiving Stolen Computer Resource or Communication Device
Punishment: Imprisonment up to 3 years or fine up to ₹1 lakh, or both.
Key element: Requires knowledge or reason to believe the resource is stolen.
Identity Theft
Whoever fraudulently or dishonestly makes use of the electronic signature, password, or any other unique identification feature of another person is punishable with imprisonment of either description for a term up to 3 years AND fine up to ₹1 lakh.
Cheating by Personation Using Computer Resource
Whoever by means of any communication device or computer resource cheats by personation shall be punished with imprisonment up to 3 years AND fine up to ₹1 lakh.
Violation of Privacy (Voyeurism/Non-Consensual Recording)
Whoever intentionally or knowingly captures, publishes, or transmits the image of the private area of any person without their consent, under circumstances violating their privacy, shall be punished with imprisonment up to 3 years or fine up to ₹2 lakh, or both.
Key Terms: "Private area" = genitals, pubic area, buttocks, or female breast (naked or undergarment-clad).
Cyber Terrorism
Two types of cyber terrorism under Section 66F:
Type A: Acts done with intent to threaten unity, integrity, security, or sovereignty of India or to strike terror — by (i) denying access to computer resources, (ii) unauthorized penetration/access, or (iii) introducing computer contaminants — that cause or are likely to cause death, injuries, property damage, or disruption of essential services or critical information infrastructure.
Type B: Knowingly or intentionally penetrating/accessing a computer resource without authorization and obtaining restricted information that may be used to cause injury to sovereignty, integrity, security, friendly relations with foreign states, public order, decency/morality, or to benefit a foreign nation.
Punishment: Imprisonment which may extend to life imprisonment.
Obscenity, Sexually Explicit Material & Child Pornography
| Section | Offence | 1st Conviction | 2nd/Subsequent |
|---|---|---|---|
| § 67 | Publishing/transmitting obscene material (lascivious, appeals to prurient interest) | Up to 3 yrs + ₹5 lakh fine | Up to 5 yrs + ₹10 lakh fine |
| § 67A | Publishing/transmitting sexually explicit material | Up to 5 yrs + ₹10 lakh fine | Up to 7 yrs + ₹10 lakh fine |
| § 67B | Child pornography (material depicting children in sexually explicit acts); child = below 18 years | Up to 5 yrs + ₹10 lakh fine | Up to 7 yrs + ₹10 lakh fine |
Power to Issue Directions for Interception / Monitoring / Decryption
Plain Explanation: The Central Government or a State Government (through specially authorized officers) may, for reasons recorded in writing, direct any agency to intercept, monitor, or decrypt any information generated, transmitted, received, or stored in any computer resource — on grounds of:
- Sovereignty or integrity of India
- Defence of India
- Security of the State
- Friendly relations with foreign states
- Public order
- Prevention of incitement to a cognizable offence
- Investigation of any offence
Duty: Subscribers, intermediaries, or persons in charge must provide all facilities and technical assistance when called upon.
Penalty for failure to assist: Imprisonment up to 7 years + fine.
Protected System (Critical Information Infrastructure)
Plain Explanation: The appropriate Government may, by notification, declare any computer resource that directly or indirectly affects Critical Information Infrastructure (CII) as a protected system.
CII Definition: Computer resource the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health, or safety.
Punishment for unauthorized access to protected system: Imprisonment up to 10 years + fine.
National Nodal Agency for CII Protection
The Central Government may designate any Government organization as the national nodal agency for Critical Information Infrastructure Protection. This agency is responsible for all measures including R&D relating to CII protection.
Indian Computer Emergency Response Team (CERT-In)
The Central Government shall appoint an agency called the Indian Computer Emergency Response Team (CERT-In) to serve as the national agency for cyber security incident response.
Functions of CERT-In include:
- Collection, analysis, and dissemination of information on cyber incidents
- Forecast and alerts of cyber security incidents
- Emergency measures for handling cyber security incidents
- Issue guidelines, advisories, vulnerability notes
- Coordination of cyber incident response activities
Penalty for non-compliance: Imprisonment up to 1 year or fine up to ₹1 lakh, or both.
Breach of Confidentiality and Privacy
Any person who, in pursuance of powers conferred under the IT Act, has secured access to any electronic record, book, register, correspondence, information, or document — and discloses such material to any other person without consent — shall be punished with imprisonment up to 2 years or fine up to ₹1 lakh, or both.
Disclosure of Information in Breach of Lawful Contract
Any person including an intermediary who, while providing services under a lawful contract, has secured access to personal information about another person, and — with intent to cause wrongful loss or gain — discloses such material without consent or in breach of contract, shall be punished with imprisonment up to 3 years or fine up to ₹5 lakh, or both.
Offences by Companies
Two-tier liability under Section 85:
(1) General Rule: Where the contravening person is a company, every person who was in charge of and responsible for the company's business at the time of the contravention is guilty — UNLESS they prove the contravention occurred without their knowledge or that they exercised all due diligence to prevent it.
(2) Senior Officer Liability: Where a contravention has been committed with the consent/connivance of, or is attributable to negligence of, any director, manager, secretary, or other officer — such officer is also liable.
Exemption from Liability of Intermediary — Safe Harbour Provision
Plain Explanation: An intermediary shall NOT be liable for any third-party information, data, or communication link made available or hosted by it — IF all the following conditions are satisfied:
Conditions for Safe Harbour:
- (a) The intermediary's function is limited to providing access / storage of information transmitted by third parties
- (b) The intermediary does NOT initiate the transmission, select the receiver, or modify the information
- (c) The intermediary observes due diligence as prescribed
When Safe Harbour is LOST:
- (a) If the intermediary has conspired, abetted, aided, or induced the unlawful act
- (b) Upon receiving actual knowledge or government notice that information on its platform is being used to commit an unlawful act — and the intermediary fails to expeditiously remove or disable access to that material
Power to Block Public Access to Information
Central Government (or authorized officers) may direct any agency or intermediary to block public access to information on grounds similar to Section 69. Penalty for non-compliance by intermediary: imprisonment up to 7 years + fine.
Power to Monitor and Collect Traffic Data for Cyber Security
Central Government may authorize any agency to monitor and collect traffic data from any computer resource for cyber security purposes. Penalty for intermediary non-compliance: imprisonment up to 3 years + fine.
Traffic data = data identifying persons, computer systems, networks, or communication details (origin, destination, route, time, size, duration, type of service).
Compounding of Offences & Bail
Section 77A: A court of competent jurisdiction may compound offences EXCEPT those punishable with life imprisonment or imprisonment exceeding 3 years. Offences affecting socio-economic conditions or committed against a child below 18 or a woman cannot be compounded.
Section 77B: Offences punishable with imprisonment of 3 years and above are cognizable. Offences punishable with exactly 3 years imprisonment are bailable.
Power to Investigate Offences
Notwithstanding the CrPC, a police officer not below the rank of Inspector shall investigate any offence under the IT Act. (This was changed from "Deputy Superintendent of Police" by the 2008 Amendment.)
Power of Police Officer to Enter, Search, and Arrest
A police officer not below the rank of Inspector, or any authorized officer of the Central/State Government, may enter any public place and search and arrest (without warrant) any person reasonably suspected of having committed, committing, or about to commit an offence under the IT Act.
Object & Purpose of DPDP Act, 2023
The Act provides for the processing of digital personal data in a manner that recognizes (a) the right of individuals to protect their personal data, and (b) the need to process personal data for lawful purposes. It strikes a balance between privacy and legitimate use of data.
Applicability:
- Processing of digital personal data within India — where data is collected online or digitized from offline sources
- Processing of digital personal data outside India — if it involves offering goods or services to data principals within India
Not Applicable to:
- Personal data processed for personal or domestic purposes
- Personal data that is made publicly available by the data principal themselves or under any law
| Term | Meaning (Simplified) |
|---|---|
| Personal Data | Any data about an identifiable individual |
| Data Principal | The individual to whom the personal data relates (the person whose data is being processed) |
| Data Fiduciary | Any person who alone or in conjunction with others determines the purpose and means of processing personal data |
| Data Processor | Any person who processes personal data on behalf of a Data Fiduciary |
| Processing | Wholly or partly automated operation on digital personal data — includes collection, storage, use, sharing, transfer, deletion, etc. |
| Consent Manager | A person registered with the Data Protection Board, acting as a single point for data principal to give, manage, review, or withdraw consent |
| Significant Data Fiduciary | A Data Fiduciary or class thereof notified by Central Government based on volume/sensitivity of data processed, national security risk, etc. |
| Data Protection Board | Independent statutory body established by Central Government to adjudicate breaches and impose penalties |
Notice Requirement
Before or at the time of collecting personal data, the Data Fiduciary must provide a clear and plain language notice to the Data Principal about:
- The personal data proposed to be collected
- The purpose of processing
- The manner in which the data principal may exercise their rights
- The manner in which the data principal may make a complaint to the Board
The notice must be in English or any language specified in the Eighth Schedule to the Constitution.
Consent Requirements
Consent must be:
- Free (not coerced)
- Specific (for a specific purpose)
- Informed (after notice)
- Unconditional
- Unambiguous (a clear affirmative action)
Consent can be withdrawn at any time. Withdrawal does not affect the legality of processing done before withdrawal.
When Consent is NOT Required (Legitimate Uses)
Personal data may be processed for certain legitimate uses without consent, such as:
- Processing by the State for providing or issuing subsidies, benefits, services, certificates, licences, or permits
- Processing in the interest of sovereignty, security, or public order
- Processing in response to a medical emergency
- Processing to take measures to provide medical treatment or health services during epidemic, outbreak of disease, or other threats to public health
- Processing required under any law for the time being in force
- Processing for employment-related purposes
General Obligations of Data Fiduciary
- Purpose Limitation: Process data only for the specified purpose for which consent was obtained
- Data Minimization: Collect only data that is necessary for the purpose
- Data Accuracy: Make reasonable efforts to ensure data is accurate and updated
- Storage Limitation: Retain data only as long as necessary; erase it once the purpose is fulfilled
- Security Safeguards: Implement reasonable security safeguards to prevent personal data breach
- Personal Data Breach: Notify the Data Protection Board and each affected Data Principal in the event of a breach
- Grievance Redressal: Provide an effective mechanism for Data Principals to address grievances
Rights of Data Principal
- Right to Access Information: Summary of personal data being processed and details of Data Fiduciaries who have been given access
- Right to Correction & Erasure: Right to correct inaccurate/misleading data; right to erase data no longer needed for the original purpose
- Right to Grievance Redressal: Right to a readily available means for redressal of grievances
- Right to Nominate: Right to nominate another individual to exercise rights on the data principal's behalf in case of death or incapacity
Duties of Data Principal
Along with rights, the DPDP Act uniquely imposes duties on the Data Principal:
- Must not register a false/frivolous grievance or complaint with the Data Fiduciary or Board
- Must not impersonate another person while providing personal data
- Must not suppress any material information while providing personal data for any document, service, or benefit
- Must not provide false particulars
Penalties Under DPDP Act, 2023
| Violation | Maximum Penalty |
|---|---|
| Breach of obligations for Significant Data Fiduciary | Up to ₹250 crore |
| Failure to take security safeguards (leading to breach) | Up to ₹250 crore |
| Failure to notify Data Principal and Board of breach | Up to ₹200 crore |
| Non-fulfilment of obligations regarding children's data | Up to ₹200 crore |
| Non-fulfilment of additional obligations of Significant Data Fiduciary | Up to ₹150 crore |
| Breach of duties by Data Principal | Up to ₹10,000 |
| Any other provision of the Act or Rules | Up to ₹50 crore |
Data Protection Board: An independent body that adjudicates breaches and imposes penalties. It is not a criminal court — penalties are civil in nature. Appeals from Board orders lie to the Appellate Tribunal.
Relevance of Electronic Records
Plain Explanation: Section 61 of BSA provides that all information contained in an electronic record which is printed on paper, stored, recorded, or copied in optical or magnetic media produced by a computer — shall be deemed to be a "document" for the purposes of the Act, and shall be admissible in evidence, subject to the conditions in Section 63.
Key Point: Electronic records are given the same evidentiary status as paper documents under BSA 2023, replacing the earlier provisions in the Indian Evidence Act.
Proof as to Electronic Signature
Plain Explanation: Section 62 deals with the proof of electronic signatures. It provides that an electronic record, digitally signed or authenticated using an electronic signature, is presumed to have been signed by the person whose electronic signature or certificate accompanies it — subject to the presumptions in this section.
Key presumptions:
- The subscriber's electronic signature certificate is genuine
- The subscriber was in control of the signature creation data at the time of signing
- The electronic record was not altered after signing
Admissibility of Electronic Records — Conditions
Plain Explanation: For an electronic record to be admissible as evidence, Section 63 requires a certificate from a person occupying a responsible official position regarding the computer that produced the record. The certificate must state:
- (a) The computer was used regularly to store or process information in activities regularly carried on
- (b) Information was fed into the computer in the ordinary course of such activities
- (c) The computer was operating properly during the relevant period (or any malfunction did not affect the accuracy of the record)
- (d) The information in the electronic record reproduces the information fed into the computer
Important: Under BSA 2023, the certificate requirement has been streamlined compared to the old Section 65B of the Indian Evidence Act. The person giving the certificate need only be in a "responsible official position" — which is broader than the old requirement.
Why Were These Rules Made?
The 2021 Rules replaced the 2011 Intermediary Guidelines. They were introduced to:
- Strengthen accountability of social media intermediaries
- Require faster grievance redressal for users
- Enable tracing of originators of first message in case of serious crimes
- Create an ethical code for digital news portals and OTT platforms
- Address the absence of regulation for powerful Big Tech platforms
Key Definitions Under Rule 2
| Term | Meaning |
|---|---|
| Intermediary | As defined in Section 2(1)(w) of the IT Act — includes social media intermediaries, OTT platforms, and digital news publishers |
| Social Media Intermediary | Intermediary that primarily or solely enables interaction between two or more users and allows creating, uploading, sharing, disseminating, modifying, or accessing information via its services |
| Significant Social Media Intermediary (SSMI) | Social media intermediary having registered users in India above a threshold notified by Central Government (currently 50 lakh users) |
| Grievance Officer | A person designated to receive and address user grievances |
Due Diligence to be Observed by All Intermediaries
Every intermediary must:
- Publish rules, regulations, privacy policy, and user agreement on its platform — in English and each language specified in the Eighth Schedule
- Inform users of: (a) types of content prohibited; (b) suspension/termination consequences; (c) right to file complaint before appropriate authority
- Not knowingly host content that is patently false/misleading, threatens national security, is obscene, or violates any law
- Remove or disable access to unlawful content within 36 hours of court order or government notification
- Act on court orders or government notifications regarding unlawful content
- Retain information for 180 days after user account closure or withdrawal, for investigation purposes
- Provide user information to government/law enforcement upon legally authorized request within 72 hours
- Designate a Grievance Officer and publish contact details
- Grievance Officer must acknowledge a complaint within 24 hours and resolve within 15 days of receipt
Obligations of Significant Social Media Intermediaries (SSMIs)
SSMIs (like Facebook, Twitter/X, YouTube) must comply with additional obligations including:
- Appoint a Chief Compliance Officer (resident in India) responsible for compliance
- Appoint a Nodal Contact Person for 24/7 coordination with law enforcement
- Appoint a Resident Grievance Officer (India-based) to acknowledge complaints within 24 hours and resolve within 15 days
- Publish a monthly compliance report — including number of complaints received, action taken, proactive monitoring done
- For messaging platforms: enable traceability of the first originator of information that is required by court/government order (for offences against sovereignty, rape, CSAM, incitement to violence, etc.)
- Add a visible mark on synthetic/AI-generated content to identify it
- Develop and deploy automated tools to proactively identify child sexual abuse material (CSAM) and certain other unlawful content
Digital Media Ethics Code
Part III of the 2021 Rules governs Publishers of News & Current Affairs Content (digital news portals) and Publishers of Online Curated Content (OTT platforms like Netflix, Amazon Prime).
Three-Tier Grievance Redressal Mechanism:
- Level I: Self-regulation by the publisher (Grievance Officer must address complaint within 15 days)
- Level II: Self-regulatory body constituted by publishers (addresses appeals within 15 days)
- Level III: Oversight mechanism — Inter-Departmental Committee under Ministry of I&B (final tier, can take binding decisions)
Content Classification: OTT platforms must classify content into age-based categories (U, U/A 7+, U/A 13+, U/A 16+, A) and implement access controls for adult content.
Key Reference Tables
Table 1: Cyber Laws Overview
| Law | Year | Main Purpose | Key Sections/Rules | AIBE Importance |
|---|---|---|---|---|
| IT Act | 2000 (Amended 2008) | Legal framework for e-commerce, electronic records, cyber offences, intermediary regulation | §§2, 4, 5, 43, 43A, 65, 66, 66C, 66F, 69, 70, 72, 79, 85 | ⭐⭐⭐ Very High |
| DPDP Act | 2023 | Data privacy — rights of individuals, obligations of organizations processing personal data | Notice, Consent, Rights of Data Principal, Data Protection Board, Penalties | ⭐⭐⭐ Very High |
| BSA | 2023 | Law of evidence; admissibility and proof of electronic records in court | §§61, 62, 63 | ⭐⭐ High |
| IT Rules | 2021 | Due diligence for intermediaries; digital media ethics code; grievance mechanisms | Rules 3, 3A; Compliance timelines; SSMI obligations | ⭐⭐ High |
Table 2: IT Act — Key Offences & Penalties
| Section | Offence | Punishment | Nature |
|---|---|---|---|
| §65 | Tampering with computer source code | Up to 3 yrs + ₹2 lakh | Cognizable |
| §66 | Computer related offences (dishonest/fraudulent acts under §43) | Up to 3 yrs + ₹5 lakh | Cognizable, Bailable |
| §66A | Offensive messages [STRUCK DOWN — Shreya Singhal 2015] | N/A | Not operative |
| §66B | Receiving stolen computer resource | Up to 3 yrs + ₹1 lakh | Cognizable, Bailable |
| §66C | Identity theft | Up to 3 yrs + ₹1 lakh | Cognizable, Bailable |
| §66D | Cheating by personation via computer | Up to 3 yrs + ₹1 lakh | Cognizable, Bailable |
| §66E | Privacy violation (non-consensual image capture/publish) | Up to 3 yrs + ₹2 lakh | Cognizable, Bailable |
| §66F | Cyber terrorism | Life imprisonment | Cognizable, Non-bailable |
| §67 | Obscene material online | 1st: 3 yrs + ₹5L; 2nd+: 5 yrs + ₹10L | Cognizable |
| §67A | Sexually explicit material online | 1st: 5 yrs + ₹10L; 2nd+: 7 yrs + ₹10L | Cognizable |
| §67B | Child pornography online | 1st: 5 yrs + ₹10L; 2nd+: 7 yrs + ₹10L | Cognizable |
| §69 | Failure to assist in interception/monitoring/decryption | Up to 7 yrs + fine | — |
| §70(3) | Unauthorized access to protected system | Up to 10 yrs + fine | Cognizable |
| §72 | Breach of confidentiality by person having IT Act powers | Up to 2 yrs + ₹1 lakh | — |
| §72A | Disclosure of personal info in breach of lawful contract | Up to 3 yrs + ₹5 lakh | — |
Table 3: DPDP Act 2023 — Concepts & Exam Points
| Concept | Description | Key Exam Point |
|---|---|---|
| Data Principal | Individual whose data is being processed | Has rights: access, correction, erasure, nomination |
| Data Fiduciary | Entity determining purpose & means of processing | Has obligations: notice, consent, accuracy, security, breach notification |
| Consent | Free, specific, informed, unconditional, unambiguous, affirmative | Can be withdrawn; withdrawal is prospective only |
| Legitimate Use | Processing without consent for state functions, medical emergencies, employment, etc. | Does NOT mean unlimited processing — data minimization still applies |
| Significant Data Fiduciary | Notified by Central Government based on risk/volume | Additional obligations — DPO, periodic DPIA, audit |
| Data Protection Board | Adjudicatory body — civil, not criminal | Not a court; appeals to Appellate Tribunal; penalties civil in nature |
| Breach Notification | Notify Board AND affected Data Principals of any breach | No statutory time limit specified in the Act itself — to be prescribed by rules |
| Children's Data | Processing data of children requires verifiable parental consent | Children = below 18 years; no behavioral tracking/targeted advertising for children |
Table 4: Electronic Evidence Under BSA 2023
| BSA Section | Legal Effect | Practical Use in Cyber Trials |
|---|---|---|
| §61 (Electronic Records as Documents) | Electronic records printed/stored/copied from computer are admissible as documents, subject to §63 conditions | Used to admit CCTV footage, call records, emails, WhatsApp chats, banking transaction data as evidence |
| §62 (Proof of Electronic Signature) | Creates rebuttable presumption that digitally signed records are genuine; presumption that subscriber was in control of signature data | Used in e-contract disputes, digital banking fraud, identity theft cases to establish authenticity |
| §63 (Certificate of Admissibility) | Certificate from a person in a responsible official position is required for computer-generated evidence; conditions: regular use, proper functioning, accurate data reproduction | Required in virtually every cyber crime trial — without this certificate, electronic evidence may be rejected |
Table 5: Key Distinctions for AIBE MCQs
| Concept A | Concept B | Key Distinction |
|---|---|---|
| Hacking / Unauthorized Access (§43/66) | Identity Theft (§66C) | Hacking = unauthorized entry into system. Identity theft = using another person's credentials/signature. Overlap possible but conceptually distinct offences. |
| Identity Theft (§66C) | Cheating by Personation (§66D) | §66C = fraudulent use of another's identification feature (password, e-sig, etc.). §66D = cheating by pretending to be someone else through computer. §66C focuses on stolen credentials; §66D on the act of impersonation. |
| Obscenity (§67) | Sexually Explicit Content (§67A) | §67 test: does material "deprave and corrupt"? §67A: any sexually explicit act or conduct — no depravity test required. §67A carries heavier penalty. |
| Data Protection Obligation — Data Fiduciary | Intermediary Due Diligence — IT Rules | DPDP Act obligations focus on lawful processing of personal data (consent, purpose, storage). IT Rules obligations focus on content moderation, user grievance, and government requests. Different statutory frameworks; can overlap. |
| Electronic Record | Electronic Evidence | Electronic record = any data in electronic form (§2t, IT Act). Electronic evidence = electronic record used in legal proceedings, subject to BSA §§61-63 admissibility conditions. All electronic evidence is an electronic record, but not vice versa. |
| Digital Signature (§2p / §3) | Electronic Signature (§2ta / §3A) | Digital Signature: specific — uses only asymmetric crypto + hash function. Electronic Signature: broader — includes digital signature and any other reliable technique in Second Schedule. |
| Section 43 (Civil — Compensation) | Section 66 (Criminal — Imprisonment + Fine) | §43 = civil remedy; no mens rea specified; compensation payable. §66 = criminal; requires dishonesty or fraud; imprisonment + fine. Same acts but different mental element and remedy. |
Table 6: IT Rules 2021 — Critical Timelines for MCQs
| Time Period | Action Required | Who |
|---|---|---|
| 24 hours | Acknowledge user grievance | Grievance Officer |
| 36 hours | Remove/disable access to unlawful content after government/court order | All intermediaries |
| 72 hours | Provide user information to law enforcement upon authorized request | All intermediaries |
| 15 days | Resolve user grievance (from receipt of complaint) | Grievance Officer |
| 24 hours | Remove content depicting nudity/sexual act — upon complaint (for SSMIs) | SSMIs |
| 180 days | Retain user information after account closure for investigation | All intermediaries |
| Monthly | Publish compliance report | SSMIs |
Visual Learning Aids
Flowchart: Indian Cyber Law Framework
Mind Map: Quick Revision of Cyber Laws
🗓️ AIBE 2026 Study Roadmap — Cyber Laws
Week 1: IT Act 2000 — Foundation
Read Chapters I, II, III, IV carefully. Master definitions under §2. Understand §§4, 5, 10A for e-governance and e-contracts. Learn the First Schedule exclusions.
Week 1-2: IT Act — Offences (Chapter XI)
Study Sections 65–85 systematically. Create a penalty table. Remember §66A is struck down. Master the §43 vs §66 distinction. Learn §66F (life imprisonment) separately.
Week 2: IT Act — Intermediary, §§69-70B, §79
Study the safe harbour (§79), interception (§69), blocking (§69A), traffic data (§69B), protected systems (§70), CERT-In (§70B). Note the 7-year vs 10-year penalty structure.
Week 3: DPDP Act 2023
Understand the entire framework: definitions → consent → notice → legitimate uses → fiduciary obligations → principal rights → Board → penalties. Focus on what distinguishes DPDP from GDPR for MCQs.
Week 3: BSA 2023 — §§61–63
Focus exclusively on Sections 61, 62, and 63. Understand the certificate requirement for electronic evidence admissibility. Practice MCQs on e-evidence and compare with old IEA §65B (for conceptual clarity only).
Week 4: IT Rules 2021 + Revision
Study Rule 3 timelines thoroughly. Understand SSMI obligations, traceability, and the three-tier digital media grievance mechanism. Then do a full revision pass of all four laws using the tables in this resource.
Week 5–6: MCQ Practice & Mock Tests
Attempt all 45 MCQs in this resource. Identify weak sections. Re-read bare text for missed questions. Attempt cross-law distinction MCQs. Simulate exam conditions: 15 cyber law questions in 15 minutes.
MCQ Practice — Type 1: Section-Wise (15 Questions)
Direct law and section-based questions
MCQ Practice — Type 2: Argument-wise / Fact-based (15 Questions)
Apply the law to given fact situations
MCQ Practice — Type 3: Statement-wise (15 Questions)
Identify which statement(s) is/are correct or incorrect
Statement I: Under the IT Act, 2000, a contract formed through electronic means is enforceable.
Statement II: A will executed electronically is valid under the IT Act, 2000.
Statement I: Section 43 of the IT Act provides for civil liability (compensation) for unauthorized access to computers.
Statement II: Section 66 of the IT Act provides for criminal liability (imprisonment and fine) for the same acts done dishonestly or fraudulently.
Statement I: Section 66A of the IT Act is currently in force and can be used to prosecute persons sending offensive messages online.
Statement II: Section 66A was struck down as unconstitutional by the Supreme Court in the Shreya Singhal case.
Statement I: Consent under the DPDP Act must be free, specific, informed, unconditional, and unambiguous.
Statement II: Once given, consent under the DPDP Act cannot be withdrawn.
Statement I: Digital signature is a subset of electronic signature under the IT Act.
Statement II: Electronic signature includes any reliable authentication technique listed in the Second Schedule of the IT Act.
Statement I: An intermediary is never liable for third-party content on its platform.
Statement II: An intermediary loses safe harbour if it fails to remove content after receiving actual knowledge that the content is being used to commit an unlawful act.
Statement I: Electronic records printed from a computer are treated as "documents" for evidentiary purposes.
Statement II: A Section 63 certificate is mandatory for the admissibility of all types of evidence, including physical documents.
Statement I: Publishing child pornography (§67B) carries a heavier punishment (5 years on first conviction) than publishing obscene material (§67) (3 years on first conviction).
Statement II: Unauthorized access to a protected system (§70) carries the same punishment as cyber terrorism (§66F).
Statement I: Under IT Rules 2021, all intermediaries must provide user information to law enforcement within 72 hours of a legally authorized request.
Statement II: Only Significant Social Media Intermediaries are required to retain user information for 180 days after account closure.
Statement I: The Data Protection Board is a criminal court and can impose imprisonment for violations.
Statement II: An appeal against an order of the Data Protection Board lies to the Appellate Tribunal.
Statement I: "Company" under Section 85 includes firms and other associations of individuals.
Statement II: Only the company can be held liable; directors cannot be prosecuted separately.
Statement I: The IT Act applies to offences committed outside India if a computer in India is involved.
Statement II: The IT Act applies to all documents including wills, powers of attorney, and trusts.
Statement I: The DPDP Act imposes duties on the Data Principal, not just rights.
Statement II: A Data Principal may file false/frivolous complaints without consequence.
Statement I: The adjudicating officer must be not below the rank of a Director to the Government of India.
Statement II: Civil courts have concurrent jurisdiction with the adjudicating officer for matters adjudicated under the IT Act.
Statement I: OTT platforms must classify content into age-based categories.
Statement II: The three-tier grievance mechanism under IT Rules 2021 applies only to social media platforms, not OTT publishers.
Short-Answer Questions (15 Questions)
Descriptive / Long-Answer Questions (8 Questions)
Answer Key
Quick Revision Cards — 60-Second Memory Aids
§43 vs §66
§43 = Civil compensation (no crime). §66 = Criminal punishment (dishonestly/fraudulently). Same acts — different mental element and remedy.
§66C vs §66D
§66C = Using another's password/e-sig/ID feature (identity theft). §66D = Pretending to be someone else to cheat (personation). 66C = stolen credentials; 66D = impersonation.
§66F = Life
Cyber terrorism under §66F is the only IT Act offence with life imprisonment. All others: max 3–10 years. §70 protected system = 10 years.
First Schedule Exclusions
Wills | Trusts | Power of Attorney | Negotiable instruments (except cheque) | Contracts for immovable property — ALL excluded from IT Act.
Investigation: Inspector
Section 78 — Minimum rank = Inspector (NOT DSP). Changed by 2008 Amendment. §80 — Inspector can also enter public place and arrest without warrant.
§79 Safe Harbour Lost When
1. Intermediary conspired/abetted/aided unlawful act. 2. Received actual knowledge of unlawful content but failed to expeditiously remove it "without vitiating evidence."
Adjudication Limit
§46: Adjudicating officer = ≤ ₹5 crore claims. Court = > ₹5 crore claims. §61: Civil courts BARRED from entertaining IT Act matters adjudicated under the Act.
DPDP Act Consent
Must be: Free | Specific | Informed | Unconditional | Unambiguous. Can be WITHDRAWN (but withdrawal is prospective — doesn't affect past processing).
DPDP Penalties
Breach causing data loss = ₹250 Cr. Failure to notify breach = ₹200 Cr. Children's data violation = ₹200 Cr. Data Principal breach of duties = ₹10,000 only.
BSA §63 Certificate
4 Conditions: (1) Regular use of computer. (2) Info fed in ordinary course. (3) Computer working properly. (4) Record accurately reproduces the input. Replaces old IEA §65B.
IT Rules 2021 Timelines
24h → Acknowledge grievance. 36h → Remove unlawful content (court/govt order). 72h → Give user info to law enforcement. 15 days → Resolve grievance. 180 days → Retain data after closure.
§66A Struck Down
Shreya Singhal v. UOI (2015) — SC declared §66A unconstitutional (Article 19(1)(a) violation). Section exists in statute book but is NOT enforceable. No prosecution after March 24, 2015.
⚠️ Disclaimer: This resource is for educational purposes only and does not constitute legal advice. All content is based on the Bare Act text of the Information Technology Act, 2000 (as amended), Digital Personal Data Protection Act, 2023, Bharatiya Sakshya Adhiniyam, 2023, and IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Please refer to the official Gazette publications for authoritative text. Prepared for AIBE 2026 examination preparation.
