Decoding the Cyber Legal Framework of India

Published On: 28th January, 2024

Authored By: Soumya Lenka
University Law College, Utkal University


A significant change has occurred in the environment of our quickly changing planet. We live in the Information Age, where the ability to learn and the spread of information are the main factors influencing the development of our society [1]. The world is now more connected than ever before[2]. The digital economy and the internet provide enormous potential, but they also make illegal conduct easier. Cybercrime is a growing concern to countries at all levels of development and affects both, buyers and sellers. While 156 countries (80 percent) have enacted cybercrime legislation, the pattern varies by region: Europe has the highest adoption rate (91 percent) and Africa has the lowest (72 percent). Law enforcement organizations and prosecutors have a serious problem in light of the changing cybercrime landscape and the ensuing skills deficits, particularly in cross-border enforcement.[3]

Cybercrime Legislation around the world

Laws pertaining to computer, internet, information, communications, and technology offenses are all included in the category of cybercrime law[4]. The digital world has become very vulnerable and hence the world has responded with many cyber legislations to deal with the same.

The Convention on Cybercrime or the Budapest Convention is the first international treaty that seeks to address the issue of Cyber Crime. The United States of America, Canada, Japan, and South Africa actively participated in the Council of Europe’s drafting of it. It is the only international agreement on this matter that is legally binding. It became operative on July 1st, 2004. The convention was formed with the aim of harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It acts as a guideline for any state developing national legislation against cybercrime. India has not adopted the convention and declined to ratify it as it was not a participant in its drafting. India is also concerned with the sovereignty issue that may arise due to data sharing with foreign law enforcement agencies.[5] Further more and more countries have come up with their own cyber legislations like The United States of America’s Cybersecurity Information Sharing Act (CISA) and United States Code Framework for Improving Critical Infrastructure Cybersecurity Version 1.1; Brazil’s Internet Act stipulates that connection and application providers must comply with certain security standards when storing personal data and private communications.

Canada’s Personal Information Protection and Electronic Documents Act establishes two central cybersecurity obligations for private sector organizations in Canada. The PIPEDA requires organizations to notify the regulator and affected individuals of certain cybersecurity incidents, and adopt appropriate security safeguards: Australia’s Privacy Principles (‘APPs ‘) under the Privacy Act 1988 contain information security obligations and Cybercrime Act 2001.

China has two main laws governing cybercrimes: the Cybersecurity Law 2016, and the Data Security Law of the People’s Republic of China which came into effect in September 2021.[6]

Cybercrime Legislation in India

With more than 560 million internet users, India is the world’s second-largest online market. ranked only behind China. According to the latest National Crime Records Bureau (NCRB) data, a total of 27,248 cases of cybercrime were registered in India in 2018. There are several legislations that deal with cybercrimes which are as follows-

[A]Indian Penal Code

  • Forgery (Section 464)
  • Forgery pre-planned for cheating (Section 468)
  • False documentation (Section 465)
  • Presenting a forged document as genuine (Section 471)
  • Reputation damage (Section 469)

Though these sections independently do not cover cybercrimes as such because when IPC was enacted there was no concept of cybercrimes but when read in combination with the provisions of IT Act, they hold relevance.[7]

[B]The Information Technology Act, 2000(with 2008 amendment)

The Indian Parliament proposed the Information Technology Act, of 2000, usually referred to as the IT Act, which was reported on October 17, 2000. This Information Technology Act is based on the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model). It was further amended in 2008. It is India’s most significant law pertaining to e-commerce and cybercrime.

Relevant Sections –

  • Section 43 of the act states that any act of destroying, altering, or stealing a computer system/network or deleting data with malicious intentions without authorization from the owner of the computer is liable for the payment to be made to the owner as compensation for damages. According to Section 43A, any business entity handling sensitive data that neglects to put reasonable security measures in place and results in the death of another person shall also be held accountable as a guilty party and must pay damages to the harmed party.
  • Section 66 states that the hacking of a Computer System with malicious intentions like fraud will be punished with 3 years imprisonment or a fine of Rs.5,00,000 or both.
  • Section 66 B, C, and D states that fraud or dishonesty using or transmitting information or identity theft is punishable with 3 years’ imprisonment or Rs. 1,00,000 fine or both.
  • Section 66E states that violation of privacy by transmitting an image of a private area is punishable by 3 years imprisonment or 2,00,000 fine or both.
  • Section 66 F states that Cyber Terrorism affecting the unity, integrity, security, and sovereignty of India through digital mediums is liable for life imprisonment.
  • Section 67 states that publishing obscene information or pornography or transmission of obscene content in public is liable for imprisonment up to 5 years or a fine of Rs. 10,00,000 or both.[8]
  • Section 70 mandates the identification and protection of vital information systems to ensure the continuity of essential services and protect national interests.

[C]IT rules

The Information Technology Act of 2000, which gives Internet trade legal legitimacy, is the source of the authority for the IT Rules. Firstly, came the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. But it was replaced by the Information Technology (Intermediary Guidelines And Digital Media Ethics Code) Rules 2021.

[C.1] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021.

Salient features

  • Due Diligence to Be Followed by Intermediaries: The Rules prescribe due diligence that must be followed by intermediaries, including social media intermediaries. The safe harbour provisions will not apply to the intermediary if they fail to exercise due diligence.
  • Grievance Redressal Mechanism: The Rules seek to establish a grievance redressal mechanism for receiving and resolving complaints from the users or victims.
  • Ensuring Online Safety and Dignity of Users, Especially Women Users: Within 24 hours after receiving complaints, intermediaries are required to take down or limit access to any content that exposes a person’s private parts, depicts that person in full or partial nudity, engages in sexual activity, or is in the nature of impersonation, including altered photos.
  • Voluntary User Verification Mechanism: Users who wish to verify their accounts voluntarily shall be provided an appropriate mechanism to verify their accounts and provided with a demonstrable and visible mark of verification. 
  • Removal of Unlawful Information: An intermediary upon receiving actual knowledge in the form of an order by a court or being notified by the Appropriate Govt. or its agencies through an authorized officer should not host or publish any information about matters pertaining to the interests of India’s sovereignty and integrity, public order, cordial relations with other nations, etc. that is forbidden by any law. [9]

[D]The Digital Personal Data Protection Act, 2023

The enactment establishes a dedicated legal framework in India, marking a significant milestone—India’s first-ever privacy Act aimed at safeguarding the personal data of citizens. It draws attention to the significance of the Indian Data Protection Board, its main features, and the responsibilities and rights of both individuals and businesses.[10]


  • Only Applies to Digital Personal Data – The DPDP Act, 2023 only applies to personal data, whether collected in digital form or non-digital data, which is digitized subsequently.
  • Overseas Applicability – Only when digital personal data processed outside of India is linked to an activity involving the provision of goods or services to data subjects (or data principals) in India does the DPDP Act come into play.

Data Protection Principles: The DPDP Act encompasses the subsequent fundamental principles:

  • Purpose Limitation – Personal data should only be processed for a lawful purpose for which the data principal has given her consent and in accordance with the DPDP Act; and
  • Collection Limitation – Only such personal data should be collected which is necessary.

Consent & Notice:

  • Affirmative Consent –Consent has to be provided by a clear affirmative action that is without any ambiguity, and signifies the data principal’s agreement for processing of her personal data for the specified purpose.
  • Notice – A notice needs to be provided to the data principal, along with or preceding every request for consent, informing the data principal about the personal data and the proposed purpose of processing; and how she can use her rights to change her mind, use the grievance process, and file a complaint with the Data Protection Board (‘DPB’).
  • Legitimate Uses (for processing without consent) – The legitimate purposes for which a data fiduciary may process a data principal’s personal data without that principal’s consent include those for which the data principal has voluntarily shared personal information without objecting to such processing; processing for employment purposes; handling medical emergencies; carrying out legal obligations; the State providing the data principal with services or benefits; and complying with court orders or judgments.[11]

Where India Lags behind

India’s position on the Global Cybersecurity Index (GSI) dropped from 23rd in 2017 to 47th in the most recent GCI, 2018, indicating a need for upgrading. and improvisation in the security domain. This is something alarming. There are many reasons for India lagging behind which are as follows-

  • Profit-Friendly Infrastructure Mindset: Post liberalization, the Information Technology (IT), electricity, and telecom sectors have witnessed large investments by the private sector. Regulating frameworks’ insufficient attention to cyberattack preparedness and recovery, however, is concerning. Profits are the main priority for all operators, and they do not want to spend money on infrastructure that will not bring them money.
  • Absence of Separate Procedural Code: There is no separate procedural code for the investigation of cyber or computer-related offenses.
  • Trans-National Nature of Cyber Attacks: Most cybercrimes are transnational in nature. Not only is gathering evidence from overseas regions a challenging procedure, but it also takes time.
  • Expanding Digital Ecosystem: In the last couple of years, India has traversed on the path of digitalizing its various economic factors and has carved a niche for itself successfully. As a result of the impending digitalization of society and the likelihood of online transactions, consumer and citizen data will increasingly be stored digitally, making India a haven for prospective hackers and cybercriminals.
  • Limited Expertise and Authority: Although most State cyber labs are capable of analyzing hard disks and mobile phones, they are yet to be recognized as ‘Examiners of Electronic Evidence’ (by the central government). They are unable to offer professional advice on electronic data till then.


In this digital age, cyberspace is not confined to a single location; rather, it encompasses the entire planet. Because of this, cybercrime is growing daily throughout all nations, including India. The biggest challenge relating to cybercrime being is its dynamic nature because of the ongoing evolution of digital technology. As a result, new cybercrime methods and techniques should come into practice. There is absolutely no doubt that India has progressed a lot but it also holds true that we lag behind Europe, the United States, and many others in our cybersecurity framework and that is something that India has to work on and evolve.


[1] Shiksha Ratan Aman Kumar, Navigating the information era: Where knowledge drives progress, TIMES OF IN DIA,(Dec. 16, 2023, 10:30 PM)

[2]THREATCOP, (last visited Dec.16, 2023).

[3]UNCTAD, (last visited Dec.16, 2023).

[4] MICHALSONS, (last visited Dec. 16,2023).

[5] THE LAW BRIGADE, (last visited Dec. 16, 2023).

[6] Supra note 4, at 1.

[7]LEGALSERVICEINDIA, (last visited Dec. 16, 2023)

[8]GEEKSFORGEEKS, (last visited Dec.16, 2023)

[9] PIB, (last visited Dec. 16, 2023).

[10]DELOITTE, (last visited Dec. 16, 2023).

[11] AZB, (last visited Dec.16, 2023).

Leave a Comment

Your email address will not be published. Required fields are marked *