THE INFORMATION TECHNOLOGY BILL, 1999
A Bill to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and for matters connected therewith or incidental thereto;
Whereas the General Assembly of the United Nations by resolution A/RES/51/162 dated 30th January 1997 has adopted the Model law on Electronic Commerce adopted by the United Nations Commission on International Trade Law ;
AND Whereas the said resolution recommends inter alia that all States give favourable consideration to the said Model Law when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper based methods of communication and storage of information;
AND Whereas it is considered necessary to give effect to the said resolution and to promote efficient delivery of Government services by means of reliable electronic records;
BE it enacted by Parliament in the Fiftieth Year of the Republic of India as follows:-
PRELIMINARY
Short title, extent, commencement and application
1. (1) This Act may be called the Information Technology Act, 1999.
(2) It shall extend to the whole of India.
(3) It shall come into force on such date as the Central Government may, by notification, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the commencement of that provision.
(4) Nothing in this Act shall apply to a,-
(a) "negotiable instrument" as defined in section 13 of the Negotiable Instruments Act, 1881;
(b) "power-of-attorney" as defined in section 1A of the Powers-of-Attorney Act, 1882;
(c) "trust" as defined in section 3 of the Indian Trusts Act, 1882;
(d) "will" as defined in clause (h) of section (2) of the Indian Succession Act, 1925 including any testamentary disposition by whatever name called;
(e) any contract for the sale or the conveyance of immovable property or any interest in such property;
(f) any such document or transaction as may be notified by the Central Government.
2. Definitions:-
In this Act, unless the context otherwise requires,-
(1) "access" with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;
(2) "addressee" means a person who is intended by the originator to receive the electronic record but does not include any intermediary;
(3) "affixing digital signature" with its grammatical variations and cognate expressions means affixing any symbol to an electronic record or adoption of any methodology or procedure by a person for the purpose of authenticating a record by means of electronic or digital methods;
(4) "appropriate Government" means as respects any matter,-
(i) enumerated in List II of the Seventh Schedule to the Constitution;
(ii) relating to any State law enacted under List III of the Seventh Schedule to the Constitution,
the State Government and in any other case, the Central Government;
(5) "asymmetric crypto system" means a system capable of generating a secure key pair, consisting of a private key for creating a digital signature, and a public key to verify the digital signature;
(6) "Certifying Authority" means a person who has been granted a license to issue a Digital Signature Certificate under sub-section (3) of section 22;
(7) "certification practice statement" means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature Certificates;
(8) "computer" means an electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;
(9) "computer data base" means a representation of information, knowledge, facts, concepts or instructions in text, image, sound, video that are being prepared or have been prepared in a formalised manner or are or have been produced by a computer, computer system or computer network; and are intended for use in a computer, computer system or computer network;
(10) "computer network" means the interconnection of one or more computers through,-
(i) the use of satellite, microwave, link, or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained.
(11) "computer resource" means computer, computer system, computer network, data, computer database or software;
(12) "computer security system" includes a software programme or computer device that is intended to protect the confidentiality and secrecy of data and information stored in or accessible through the computer system; and displays a conspicuous warning to a user that the user is entering a secure system or requires a person seeking access to knowingly respond by use of an authorised code to the programme or device in order to gain access.
(13) "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, or more of which contain computer programmes, electronic instructions, input data, and output data, that performs functions including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control;
(14) "Controller" means the Controller of Certifying Authorities appointed under sub-section (1) of section 18;
(15) "damage" means to destroy, alter, disrupt, delete, add, modify or rearrange any computer resource by any means.
(16) "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed, or has been processed in a computer system or computer network, and may be in any form, including computer printouts, magnetic, optical, storage media, punched cards, punched tapes, or stored internally in the memory of the computer;
(17) "digital signature" means a signature affixed in an electronic form consisting of transformation of an electronic record using an asymmetric crypto system and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can determine whether the transformation was created using the private key that corresponds to the signer’s public key; and whether the initial electronic record has been altered since the transformation was made;
(18) "Digital Signature Certificate" means a Digital Signature Certificate issued under sub-section (4) of section 38;
(19) "electronic form" with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory or similar device ;
(20) "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form in any media, magnetic, optical, like disc, tape or sound track;
(21) "function" includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication to or from or within a computer;
(22) "hash function" means an algorithm mapping or translating one sequence of bits into another, generally smaller, set (the hash result) such that a record yields the same hash result every time the algorithm is executed using the same record as input; it is computationally infeasible that a record can be derived or reconstituted from the hash result produced by the algorithm; and it is computationally infeasible that two records can be found that produce the same hash result using the algorithm;
(23) "information" includes data, text, images, sound, codes, computer programmes, software and databases;
(24) "intermediary" with respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;
(25) "key pair", in an asymmetric crypto system, means a private key and its mathematically related public key, having the property that the public key can verify a digital signature that the private key creates;
(26) "law" includes any Act enacted by the Parliament or the State Legislature, Ordinances promulgated by the President or the Governor as the case may be, Regulations made by the President under article 240, Bills enacted as President's Acts under clause (a) of article 357 and includes rules, regulations, bye-laws and orders issued or made thereunder;
(27) "originator" means a person who sends, generates, stores or transmits any electronic message; or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;
(28) "private key" means the key of a key pair used to create a digital signature;
(29) "public key" means the key of a key pair used to verify a digital signature;
(30) "security procedure" means the security procedure prescribed by the Central Government for the purpose of verifying a digital signature;
(31) "signed" with its grammatical variations and cognate expressions, shall with reference to a person means affixing of his handwritten signature or any mark on any document and the expression "signature" shall be construed accordingly;
(32) "subscriber" means a person in whose name the Digital Signature Certificate is issued;
(33) "verify" in relation to a digital signature, record or public key, with its grammatical variations and cognate expressions means to determine accurately,-
(a) that the digital signature was created using the private key corresponding to the public key listed in the Digital Signature Certificate; and
(b) the electronic record has not been altered since it was affixed with the digital signature.
2. Any reference in this Act to any enactment or any provision thereof shall, in relation to an area in which such enactment or such provision is not in force, be construed as a reference to the corresponding law or the relevant provision of the corresponding law, if any, in force in that area.
ELECTRONIC RECORDS AND DIGITAL SIGNATURES
Legal recognition of electronic records
3. Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is,-
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
Legal Recognition of Digital Signatures
4. Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government.
Use of electronic records and digital signatures in the Government and its agencies
5. (1) Where any law provides for,-
(a) the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government;
(b) the creation, retention or preservation of records;
(c) the issue or grant of any license, permit, sanction or approval by whatever name called;
(d) the receipt or payment in a particular manner,
then notwithstanding anything contained in law for the time being in force, such requirement shall be deemed to have been satisfied, if such filing, creation, retention, preservation, issue, grant, receipt, or payment as the case may be is effected by means of such electronic form as may be prescribed by the appropriate Government.
(2) The appropriate Government may for the purposes of sub-section (1) by rules prescribe,-
(a) the manner and format in which such electronic records shall be filed, created, retained or issued;
(b) the manner or method of payment of any fee or charges corresponding to those specified for paper documents by electronic means.
Retention of electronic records
6. Where any law provides that documents, records or information be retained for any specific period, then that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form if the following conditions are satisfied namely:-
(a) the information contained therein remains accessible so as to be usable for subsequent reference,
(b) the electronic record is retained in the format in which it was originally generated, sent or received, or in a format, which can be demonstrated to represent accurately the information originally generated, sent or received;
(c) details which will facilitate the identification of the origin, destination, date and time of despatch or receipt of such electronic record is available in the electronic record:
Provided this clause does not apply to information that is automatically generated solely for the purpose of enabling a record to be despatched or received.
(2) Nothing in this section shall apply to any law that expressly provides for the retention of documents, records or information in the form of electronic records;
Publication of rules, regulation, etc. in electronic form
7. Where any law provides that any rule, regulation, order, bye law, notification or any other matter shall be published in the Official Gazette, then such requirement shall be deemed to have been satisfied if such rule, regulation, order, bye law, notification or other matter is published in an electronic form:
Provided that where an Official Gazette is published both in printed as well as in the electronic form, the date of publication shall be deemed to be the date of that Official Gazette which was first published in any form.
Sections 5, 6 and 7 not to confer right to insist document should be accepted in electronic form
8. Nothing contained in sections 5, 6 or 7 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government, should accept, issue, create, retain, preserve, any document in the form of electronic records or effect any monetary transaction in the electronic form.
Rules relating to digital signature
9. The Central Government may for the purposes of this Act, by rules prescribe,-
(a) the type of digital signature;
(b) the manner and format in which the digital signature shall be affixed;
(c) the manner or procedure which facilitates identification of the person affixing the digital signature;
(d) control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and
(e) any other matter which is necessary to give legal effect to digital signature.
ELECTRONIC RECORDS
Attribution of electronic records
10. An electronic record shall be attributed to the originator,-
(a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or
(c) by an information system programmed by or on behalf of the originator to operate automatically.
Acknowledgment of receipt
11. (1) The provisions of this section shall apply where the originator has requested the addressee before sending an electronic record, that receipt of the electronic record shall be acknowledged.
(2) Where the originator has not agreed with the addressee that the acknowledgment be given in a particular form or by a particular method, an acknowledgment may be given by -
(a) any communication by the addressee, automated or otherwise; or
(b) any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received.
(3) Where the originator has stipulated that the electronic record shall be binding only on receipt of acknowledgment of such electronic record by him, then unless acknowledgment has been so received, the electronic record shall be deemed to have been never sent by the sender.
(4) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to, within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him and if no acknowledgment is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as though it has never been sent.
Time and place of despatch and receipt of electronic record
12. (1) Save as otherwise agreed to between the originator and the addressee, the despatch of an electronic record occurs when it enters an information system outside the control of the originator.
(2) Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows, namely:-
(a) if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs
(i) at the time when the electronic record enters the designated information system; or
(ii) if the electronic record is sent to an information system of the addressee that is not the designated information system at the time when the electronic record is retrieved by the addressee;
(b) if the addressee has not designated an information system along with specified timings, if any, receipt occurs when the electronic record enters the information system of the addressee.
(3) Save as otherwise agreed between the originator and the addressee, an electronic record is deemed to be despatched at the place where the originator has its place of business, and is deemed to be received at the place where the addressee has its place of business.
(4) The provisions of subsection (2) shall apply notwithstanding that the place where the information system is located may be different from the place where the electronic record is deemed to have been received under subsection (3).
(5) For the purposes of this section,-
(a) if the originator or the addressee has more than one place of business, the principal place of business, shall be the place of business ;
(b) if the originator or the addressee does not have a place of business, his usual place of residence shall be deemed to be the place of business;
(c) "usual place of residence" in relation to a body corporate, means the place where it is registered.
SECURE ELECTRONIC RECORDS AND SECURE DIGITAL SIGNATURE
Secure electronic record
13. Where the security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.
Secure digital signature
14. If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was-
(a) unique to the person using it;
(b) capable of identifying such person;
(c) created in a manner or using a means under the exclusive control of the person using it and is linked to the electronic record to which it relates in a manner such that if the record was changed the digital signature would be invalidated,
then such signature shall be deemed to be a secure digital signature.
Security procedure
15. The Central Government shall for the purposes of sections 13 and 14, prescribe security procedure having regard to commercial circumstances including -
(a) the nature of the transaction;
(b) the volume of similar transactions;
(c) the availability of alternatives;
(d) the cost of alternative procedures; and
(e) the procedures in general use for similar types of transactions or communications.
Secure digital signature
16. Where any portion of an electronic record is affixed with a digital signature, then that digital signature shall be deemed to be a secure digital signature with respect to such portion of the record, if the digital signature can be verified.
Secure electronic record
17. Any portion of an electronic record wherein the digital signature is affixed shall be a secure electronic record if the digital signature is deemed to be a secure digital signature.
REGULATION OF CERTIFYING AUTHORITIES
Appointment of Controller and other officers
18. (1) The Central Government may by notification in the Official Gazette appoint a Controller of Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.
Functions of Controller
19. The Controller may perform all or any of the following functions, namely:-
(a) exercise supervision over the activities of Certifying Authorities;
(b) lay down the standards to be maintained by Certifying Authorities;
(c) specify the qualifications and experience which employees of the Certifying Authority should possess;
(d) specify the conditions subject to which the certifying authority shall conduct its business;
(e) specify the content of written, printed or visual material and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the key;
(f) specify the form and content of a Digital Signature Certificate and the key;
(g) specify the form and manner in which accounts shall be maintained by the Certifying Authorities;
(h) specify the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
(i) facilitate the establishment of any electronic system by the Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
(j) specify the manner in which a Certifying Authority shall conduct his dealings with his subscribers;
(k) resolve the conflict of interests involving the Certifying Authority and its subscribers;
(l) lay down the duties of a holder of a license to his subscribers with respect to Digital Signature Certificates;
(m) maintain a database containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to the public.
Recognition of foreign Certifying Authorities
20. The Controller may with the previous approval of the Central Government, by notification in the Official Gazette, recognise any Certifying Authority authorised to issue a Digital Signature Certificate in a country outside India, subject to such conditions and restrictions as it may by regulations deem fit to impose.
Controller to act as repository
21. (1) The Controller shall be the repository of all Digital Signature Certificates issued under this Act.
(2) The Controller shall,-
(a) utilise computer security systems;
(b) utilise hardware, software and procedures that are reasonably secure from intrusion and misuse;
(c) adhere to security procedures to ensure that the secrecy and privacy of the digital signature are assured;
(d) satisfy such other standards as may be prescribed by the Central Government, to ensure that the secrecy and security of the digital signature are assured.
(3) The Controller shall maintain a computerised database of all public keys.
(4) The Controller shall make available the public keys to any person who makes a request to this effect for the purposes of verifying a digital signature.
License to issue Digital Signature Certificates
22. (1) Subject to the provisions of sub-section (2) any person may make an application, to the Controller,-
(a) in such form;
(b) along with the payment of such fees, not exceeding twenty-five thousand rupees; and
(c) such other documents;
as may be prescribed by the Central Government, for a license to issue Digital Signature Certificates.
(2) No license shall be issued under sub-section (1) unless the applicant fulfills such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Digital Signature Certificates as may be prescribed by the Central Government.
(3) The Controller may, on receipt of an application under sub-section (1) after considering the documents accompanying the application and such other factors as he deems fit grant the license or reject the application:
Provided that no application shall be rejected under this sub-section unless the applicant has been given a reasonable opportunity of presenting his case.
(4) A license granted under this section shall be,-
(a) valid for such period;
(b) subject to such terms and conditions,
as may be specified by regulations.
Application for license
23. Every application for the issue of a license shall be accompanied by a,-
(a) certification practice statement;
(b) statement including the procedures with respect to identification of the applicant.
Renewal of license
24. An application for renewal of a license shall be,-
(a) in such form;
(b) accompanied by such fees, not exceeding five thousand rupees,
as may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the Digital Signature Certificate.
Procedure for rejection of license
25. No application for the renewal of a license shall be rejected unless -
(a) the holder of such license has been given a reasonable opportunity of presenting his case; and
(b) the Controller is satisfied that -
(i) the application for such renewal has been made after the expiry of the period specified therefor:
Provided that an application for the renewal of the license made after the expiry of the specified period may be entertained on payment of such late fees, not exceeding one thousand rupees, as may be prescribed;
(ii) any statement made by the applicant at the time of issue or renewal of the license was incorrect or false in material particulars;
(iii) the applicant has contravened any terms or conditions of the license or any provisions of this Act, or any rule or order made thereunder;
Suspension of license
26. (1) The Controller may, if he has reasonable cause to believe that a Certifying Authority,-
(a) has made a statement in, or in relation to, any application for the issue or renewal of a license, which is incorrect or false in material particulars; or
(b) has contravened any provisions of this Act, rule, regulation or order made thereunder
suspend such license pending the completion of any inquiry ordered by him:
Provided that no license shall be suspended for a period exceeding ten days unless the Certifying Authority thereof has been given a reasonable opportunity of showing cause against the proposed action.
(2) The Controller may, if he is satisfied after making such inquiry as he may think fit that a Certifying Authority has,-
(a) made a statement in, or in relation to, any application for the issue or renewal of the license, which is incorrect or false in material particulars;
(b) failed to comply with the terms and conditions subject to which the license was granted;
(c) failed to maintain the standards specified under clause (b) of section 19;
(d) has contravened any provisions of this Act, rule, regulation or order made thereunder
revoke the license:
Provided that no license shall be revoked unless the Certifying Authority thereof has been given a reasonable opportunity of showing cause against the proposed action.
(3) No Certifying Authority whose license has been suspended shall issue any Digital Signature Certificate during such suspension.
Notice of suspension or revocation of license
27. (1) Where a license of a Certifying Authority is suspended or revoked, the Controller shall publish a signed notice of the suspension or revocation as the case may be in the database maintained by him.
(2) Where one or more repositories are specified, the Controller shall publish the signed notices of the suspension or revocation as the case may be, in all such repositories.
Power to delegate
28. The Controller may in writing authorise the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Part.
Power of the Controller to give directions
29. (1) The Controller may by order direct a Certifying Authority or any employee of such Authority to take such measures or stop carrying on such activities as are specified in the order if they are necessary to ensure compliance with the provisions of this Act or any regulations made thereunder.
(2) Any person who fails to comply with any order under sub-section (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding rupees two lakhs or to imprisonment for a term not exceeding 3 years or to both.
Directions to deposit private key
30. (1) If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of a cognizable offence for reasons to be recorded in writing, by order, direct any agency of appropriate Government to intercept any information transmitted through the computer resource.
(2) The subscriber shall when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information.
(3) Any person who fails to assist under sub-section (2) shall be punished with an imprisonment for a term, which may extend to seven years.
Power to investigate contraventions
31. (1) The Controller or any officer authorised by him in this behalf shall take up for investigation contravention of the provisions of this Act, rules or regulation made thereunder.
(2) The Controller or any officer authorised by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.
Access to computers and data
32. (1) Without prejudice to the provisions of sub-section (2) of section 30 the Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act, rules or regulations made thereunder has been committed, have access to any computer system, any apparatus, data or any other material connected with such system for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.
(2) For the purposes of sub-section (1) the Controller or any person authorised by him may by order, direct any person having charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.
Certifying Authority to follow certain procedures
33. Every Certifying Authority shall, -
(a) utilise computer security systems;
(b) utilise hardware, software, and procedures that are reasonably secure from intrusion and misuse;
(c) provide a reasonable level of reliability in its services which are reasonably suited for performing intended functions; and
(d) adhere to security procedures to ensure that the secrecy and privacy of the digital signature are assured;
(e) satisfy such other standards as may be specified by regulations.
Certifying Authority to ensure compliance of the Act, etc.
34. Every Certifying Authority shall ensure that every person employed by him complies, in the course of his employment, with the provisions of this Act or any rule, regulation or order made thereunder.
Display of license
35. Every Certifying Authority shall display his license at a conspicuous place of the premises in which he carries on his business.
Surrender of license
36. Every Certifying Authority whose license is suspended or revoked shall immediately after such suspension or revocation, surrender the license to the Controller.
Disclosure
37. (1) Every Certifying Authority shall disclose -
(a) its Digital Signature Certificate which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Digital Signature Certificate;
(b) any certification practice statement relevant thereto;
(c) notice of the revocation or suspension of its Certifying Authority certificate if any; and
(d) any other fact that materially and adversely affects either the reliability of a Digital Signature Certificate, which that Authority has issued, or the Authority’s ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which its Digital Signature Certificate was granted, then, the Certifying Authority shall -
(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or
(b) act in accordance with procedures specified in its certification practice statement to deal with such event or situation.
DIGITAL SIGNATURE CERTIFICATES
Certifying authority to issue digital signature certificate
38. (1) Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand as may be prescribed by the Central Government, to be paid to the Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants.
(3) Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such particulars as may be specified by regulations.
(4) On receipt of an application under sub-section (1) and after consideration of the certification statement or the other statement under sub-section (3) making such inquiries as it may deem fit, the Certifying Authority may grant the Digital Signature Certificate or for reasons to be recorded in writing reject the application:
Provided that no Digital Signature Certificate shall be granted unless the Certifying authority is satisfied that the -
(a) applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate;
(b) applicant holds a private key, which is capable of creating a digital signature,
(c) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant.
Representations upon issuance of Digital Signature Certificate
39. A Certifying Authority while issuing a Digital Signature Certificate shall certify that -
(a) it has complied with the provisions of this Act, rules and regulations made thereunder;
(b) if it has published the Digital Signature Certificate or otherwise made it available to such person relying so that the subscriber has accepted it;
(c) the subscriber identified in the Digital Signature Certificate holds the private key corresponding to the public key, listed in the Digital Signature Certificate;
(d) the subscriber’s public key and private key constitute a functioning key pair;
(e) if the accuracy of any information in the Digital Signature Certificate is not confirmed then a statement to that effect; and
(f) it has no knowledge of any material fact, which if it had been included in the Digital Signature Certificate would adversely affect the reliability of the representations in clauses (a) to (d).
Suspension of Digital Signature Certificate
40. The Certifying Authority which has issued a Digital Signature Certificate may suspend that Digital Signature Certificate,-
(a) on receipt of a request to that effect from a person whom the Certifying authority reasonably believes to be -
(i) the subscriber listed in the Digital Signature Certificate; or
(ii) the person duly authorised to act on behalf of that subscriber;
(b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest:
Provided that no such certificate shall be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter.
Revocation of Digital Signature Certificate
41. (1) A Certifying Authority may revoke a Digital Signature Certificate issued by it,-
(a) where the subscriber or any person authorised by him makes a request to that effect;
(b) upon the death of the subscriber; or
(c) upon the dissolution of the firm or company, where the subscriber is a firm or a company.
(2) Without prejudice to the provisions of sub-section (1) a Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time, if it is of opinion that,-
(a) a material fact represented in the Digital Signature Certificate is false;
(b) a requirement for issuance of the Digital Signature Certificate was not satisfied;
(c) the Certifying Authority’s private key or security system was compromised in a manner materially affecting the Digital Signature Certificate’s reliability;
(d) the subscriber is declared insolvent or dead or where a subscriber is a firm or a company which has been dissolved, wound-up or otherwise ceased to exist.
Provided that no such certificate shall be revoked unless the subscriber has been given an opportunity of being heard in the matter.
(3) On revocation of a Digital Signature Certificate under this section the Certifying Authority shall communicate the same to the subscriber.
Notice of suspension or revocation
42. (1) Where a Digital Signature Certificate is suspended or revoked by a Certifying Authority, the Certifying Authority shall publish a signed notice of the suspension or revocation as the case may be in the repository specified in the Digital Signature Certificate for publication of such notice.
(2) Where one or more repositories are specified, the Certifying Authority shall publish the signed notices of the suspension or revocation as the case may be, in all such repositories.
DUTIES OF SUBSCRIBERS
Generating key pair
43. (1) If the subscriber generates the key pair whose public key is to be listed in a Digital Signature Certificate issued by a Certifying Authority and accepted by the subscriber, the subscriber shall generate that key pair using a secure system.
(2) This section shall not apply to a subscriber who generates the key pair using a system approved by the Certifying Authority.
Acceptance of Digital Signature Certificate
44. (1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorises the publication of a Digital Signature Certificate;
(i) to one or more persons; or
(ii) in a repository; or
otherwise demonstrates his approval of the Digital Signature Certificate.
(2) By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that,-
(a) the subscriber rightfully holds the private key corresponding to the public key listed in the Digital Signature Certificate;
(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true; and
(c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.
Control of private key
45. (1) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure to a person not authorised to create the subscriber’s digital signature.
(2) If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised the subscriber shall communicate the same without any delay to the Certifying Authority.
(3) The Certifying Authority shall on receipt of a communication under sub-section (2) suspend the Digital Signature Certificate.
PENALTIES AND ADJUDICATION
Compensation for Computer Crimes
46. If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network system, -
(a) secures access to such computer, computer system or network system;
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network system including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network system;
(d) damages or causes to be damaged any computer, computer system or computer network system, data, computer data base or any other programmes residing in such computer, computer system or computer network system;
(e) disrupts or causes disruption of any computer, computer system or computer network system;
(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network system by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
(h) charges the services availed by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network system,
he shall be liable to pay damages by way of compensation to the person so affected, not exceeding ten lakhs rupees.
Explanation - For the purposes of this section,-
(i) "computer contaminant" means any set of computer instructions that are designed to,-
(a) modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
(b) by any means usurp the normal operation of the computer, computer system, or computer network.
(ii) "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or spoils the performance of a computer resource; or attaches itself to another computer and executes when in the host computer a programme, data or instruction is executed or when some other event takes place in the host computer resource.
Residuary compensation
47. Whoever contravenes any regulations made under this Act, for the contravention of which no liability has been separately provided, shall be liable to a compensation not exceeding twenty five thousand rupees to the person affected by such contravention.
Power to adjudicate
48. (1) For the purpose of adjudicating under this Part and subject to the provisions of sub-section (2), the Central Government shall appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the prescribed manner after giving any person concerned a reasonable opportunity of being heard.
(2) No person shall be appointed as an adjudicating officer unless he possesses such legal or judicial experience as may be prescribed by the Central Government.
(3) Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Regulations Appellate Tribunal under sub-section (2) of section 59 and-
(a) all proceedings before it shall be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code;
(b) shall be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973.
Factors to be taken into account by the adjudicating officer
49. While adjudicating the quantum of compensation under this Part, the adjudicating officer shall have due regard to the following factors, namely:-
(a) the amount of gain or unfair advantage, wherever quantifiable, made as a result of the default;
(b) the amount of loss caused to any person as a result of the default;
(c) the repetitive nature of the default.
CYBER REGULATIONS APPELLATE TRIBUNAL
Establishment of Cyber Regulations Appellate Tribunal
50. (1) The Central Government shall by notification, establish one or more Appellate Tribunals to be known as the Cyber Regulations Appellate Tribunal.
(2) The Central Government shall also specify in the notification referred to in sub-section (1) the matters and places in relation to which the Cyber Regulations Appellate Tribunal may exercise jurisdiction.
Composition of Cyber Regulations Appellate Tribunal
51. A Cyber Regulations Appellate Tribunal shall consist of one person only (hereinafter referred to as the Presiding Officer of the Cyber Regulations Appellate Tribunal) to be appointed, by notification, by the Central Government.
Qualifications for appointment as Presiding Officer of the Cyber Regulations Appellate Tribunal
52. A person shall not be qualified for appointment as the Presiding Officer of a Cyber Regulations Appellate Tribunal unless he -
(a) is, or has been, or is qualified to be, a Judge of a High Court; or
(b) has been a member of the Indian Legal Service and has held a post in Grade I of that Service for at least three years.
Term of office
53. The Presiding Officer of a Cyber Regulations Appellate Tribunal shall hold office until he attains the age of sixty five years.
Salary and allowances and other terms and conditions of service of Presiding Officer
54. The salary and allowances payable to and the other terms and conditions of service including pension, gratuity and other retirement benefits of, the Presiding Officer of a Cyber Regulations Appellate Tribunal shall be such as may be prescribed:
Provided that neither the salary and allowances nor the other terms and conditions of service of the said Presiding Officers shall be varied to their disadvantage after appointment.
Filling up of vacancies
55. If, for reason other than temporary absence, any vacancy occurs in the office of the Presiding Officer of a Cyber Regulations Appellate Tribunal, then the Central Government shall appoint another person in accordance with the provisions of this Act to fill the vacancy and the proceedings may be continued before the Cyber Regulations Appellate Tribunal from the stage at which the vacancy is filled.
Resignation and removal
56. (1) The Presiding Officer of a Cyber Regulations Appellate Tribunal may, by notice in writing under his hand addressed to the Central Government, resign his office:
Provided that the said Presiding Officer shall, unless he is permitted by the Central Government to relinquish his office sooner, continue to hold office until the expiry of three months from the date of receipt of such notice or until a person duly appointed as his successor enters upon his office or until the expiry of his term of office, whichever is the earliest.
(2) The Presiding Officer of a Cyber Regulations Appellate Tribunal shall not be removed from his office except by an order by the Central Government on the ground of proved misbehaviour or incapacity after an inquiry made by a Judge of the Supreme Court, in which the Presiding Officer concerned has been informed of the charges against him and given a reasonable opportunity of being heard in respect of these charges.
(3) The Central Government may, by rules, regulate the procedure for the investigation of misbehaviour or incapacity of the aforesaid Presiding Officer.
Orders constituting Appellate Tribunal to be final and not to invalidate its proceedings
57. No order of the Central Government appointing any person as the Presiding Officer of a Cyber Regulations Appellate Tribunal shall be called in question in any manner, and no act or proceeding before a Cyber Regulations Appellate Tribunal shall be called in question in any manner on the ground merely of any defect in the constitution of a Cyber Regulations Appellate Tribunal.
Staff of the Cyber Regulations Appellate Tribunal
58. (1) The Central Government shall provide the Cyber Regulations Appellate Tribunal with such officers and employees as that Government may think fit.
(2) The officers and employees of the Cyber Regulations Appellate Tribunal shall discharge their functions under general superintendence of the Presiding Officer.
(3) The salaries and allowances and other conditions of service of the officers and employees of the Cyber Regulations Appellate Tribunal shall be such as may be prescribed.
Appeal to the Cyber Regulations Appellate Tribunal
59. (1) Save as provided in sub-section (2), any person aggrieved by an order made by an Adjudicating Officer under this Act, may prefer an appeal to a Cyber Regulations Appellate Tribunal having jurisdiction in the matter.
(2) No appeal shall lie to the Cyber Regulations Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties.
(3) Every appeal under sub-section (1) shall be filed within a period of forty-five days from the date on which a copy of the order made by the adjudicating officer is received by him and it shall be in such form and be accompanied by such fee as may be prescribed:
Provided that the Cyber Regulations Appellate Tribunal may entertain an appeal after the expiry of the said period of forty-five days if it is satisfied that there was sufficient cause for not filing it within that period.
(4) On receipt of an appeal under sub-section (1), the Cyber Regulations Appellate Tribunal may after giving the parties to the appeal, an opportunity of being heard pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against.
(5) The Cyber Regulations Appellate Tribunal shall send a copy of every order made by it to the parties to the appeal and to the concerned Adjudicating Officer.
(6) The appeal filed before the Cyber Regulations Appellate Tribunal under sub-section (1) shall be dealt with by it as expeditiously as possible and endeavour shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal.
Procedure and powers of the Cyber Regulations Appellate Tribunal
60. (1) The Cyber Regulations Appellate Tribunal shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908), but shall be guided by the principles of natural justice and, subject to the other provisions of this Act and of any rules, the Cyber Regulations Appellate Tribunal shall have powers to regulate their own procedure including the place at which they shall have their sittings.
(2) The Cyber Regulations Appellate Tribunal shall have, for the purposes of discharging their functions under this Act, the same powers as are vested in a Civil Court under the Code of Civil Procedure, 1908 (5 of 1908), while trying a suit, in respect of the following matters, namely:-
(a) summoning and enforcing the attendance of any person and examining him on oath;
(b) requiring the discovery and production of documents or other electronic records;
(c) receiving evidence on affidavits;
(d) issuing commissions for the examination of witnesses or documents;
(e) reviewing its decisions;
(f) dismissing an application for default or deciding it ex parte;
(h) any other matter which may be prescribed.
(3) Every proceeding before the Cyber Regulations Appellate Tribunal shall be deemed to be a judicial proceeding within the meaning of sections 193 and 228, and for the purposes of section 196, of the Indian Penal Code and the Cyber Regulations Appellate Tribunal shall be deemed to be a civil court for all the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973.
Right to legal representation
61. The appellant may either appear in person or authorise one or more legal practitioners or any of its officers to present his or its case before the Cyber Regulations Appellate Tribunal.
Limitation
62. The provisions of the Limitation Act, 1963, shall, as far as may be, apply to an appeal made to the Cyber Regulations Appellate Tribunal.
Civil Court not to have jurisdiction
63. No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or a Cyber Regulations Appellate Tribunal constituted under this Act is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.
Appeal to High Court
64. Any person aggrieved by any decision or order of the Cyber Regulations Appellate Tribunal may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Regulations Appellate Tribunal to him on any question of fact or law arising out of such order:
Provided that the High Court may, if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.
Compounding of contraventions
65. (1) Any contravention under this Part may, either before or after the institution of adjudication proceedings, be compounded by the Controller or such other officer as may be specially authorised by him in this behalf, on payment for credit to the Government of such sum as the Controller or such other officer may specify:
Provided that such sum shall not, in any case, exceed the maximum amount of the fine which may be imposed under this Act for the contravention so compounded.
(2) Nothing in sub-section (1) shall apply to a person who commits the same or similar contravention within a period of three years from the date on which the first contravention, committed by him, was compounded.
Explanation.- For the purposes of this sub-section, any second or subsequent contravention committed after the expiry of a period of three years from the date on which the contravention was previously compounded, shall be deemed to be a first contravention.
(3) Where any contravention has been compounded under sub-section (1), no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded.
OFFENCES
COMPUTER CRIME
Tampering with computer source documents
66. Whoever knowingly or intentionally conceals, destroys, or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source document used for a computer, computer programme, computer system, or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with a fine which may extend up to rupees two lakhs or with imprisonment up to three years, or with both.
Explanation.- For the purposes of this section computer source code means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.
Publishing of information which is obscene in electronic form
67. Whoever publishes or causes to be published in the electronic media any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it shall be punished on first conviction with imprisonment of either description for a term which may extend to two years and with fine which may extend to twenty five thousand rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to fifty thousand rupees.
Penalty for misrepresentation
68. If any person makes any misrepresentation or suppresses any material fact to the Controller or the Certifying Authority for obtaining any license or Digital Signature Certificate as the case may be shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Breach of confidentiality
69. Save as otherwise provided in this Act or any other law for the time being in force if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Penalty for publishing Digital Signature Certificate false in certain particulars
70. (1) No person shall publish a Digital Signature Certificate or otherwise make it available to any other person with the knowledge that-
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation.
(2) Any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Penalty for failure to furnish information, return, etc.
71. If any person, who is required under this Act or any rules or regulations made thereunder fails to, -
(a) furnish any document, return or report to the Controller or the Certifying Authority, fails to furnish the same, he shall be liable to a fine not exceeding one lakh and fifty thousand rupees for each such failure;
(b) file any return or furnish any information, books or other documents within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues;
(c) maintain books of accounts or records, fails to maintain the same, he shall be liable to a fine not exceeding ten thousand rupees for every day during which the failure continues.
Offences by companies
72. (1) Where an offence or contravention under this Act has been committed by a company, every person who at the time the offence or contravention was committed was in charge of, and was responsible to the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence or contravention and shall be liable to be proceeded against and punished accordingly:
Provided that nothing contained in this sub-section shall render any such person liable to any punishment provided in this Act, if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.
(2) Notwithstanding anything contained in sub-section (1), where an offence or contravention under this Act has been committed by a company and it is proved that the offence or contravention has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the offence or contravention and shall be liable to be proceeded against and punished accordingly.
Explanation.- For the purposes of this section, -
(a) "company" means any body corporate and includes a firm or other association of individuals; and
(b) "director", in relation to a firm, means a partner in the firm.
Publication for fraudulent purpose
73. Whoever knowingly creates, publishes or otherwise makes available a Digital Signature Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Act to apply for offences committed outside India
74. (1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any contraventions and offences committed outside India by any person irrespective of his nationality.
(2) For the purposes of sub-section (1) this Act shall apply to an offence committed outside India by any person if the Act constituting the offence involves a computer, computer system or computer network located in India.
Protected system
75. (1) The appropriate Government may, by notification in the official Gazette, declare any computer, computer system or computer network system to be a protected system.
(2) The appropriate Government may, by order in writing authorise the persons who are authorised to access protected systems.
(3) Any person who secures access or attempts to secure access to a protected system in contravention of this section shall be punished with imprisonment for a term which may extend to ten years.
Confiscation
76. Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act or regulations made thereunder has been or is being contravened, shall be liable to confiscation:
Provided that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control of any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act or regulations made thereunder, the court may, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorised by this Act against the person guilty of the breach of the provisions of this Act or regulations made thereunder as it may think fit.
Compensation and Confiscation not to interfere with other punishments
77. No award of any compensation under Part IX shall prevent the infliction of any punishment to which the person affected thereby is liable under the provisions of this Act or under any other law.
Power to investigate offences
78. Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (1 of 1974), a police officer not below the rank of Deputy Superintendent of Police shall investigate any offence or contravention under this Act.
NETWORK SERVICE PROVIDERS NOT TO BE LIABLE IN CERTAIN CASES
Network service providers not to be liable in certain cases
79. For the removal of doubts it is hereby declared that no person providing any service as a network service provider shall be liable under this Act, rule or regulation for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.
Explanation.-For the purposes of this section,-
(a) "network service provider" means an intermediary;
(b) "third party information" means any information dealt with by a network service provider in his capacity as an intermediary;
MISCELLANEOUS
Power to search
80. Power of police officer and other officers to enter, search, etc.-(1) Notwithstanding anything contained in the Code of Criminal Procedure, 1973, any police officer not below the rank of a Deputy Superintendent of Police, or any other officer of the Central Government or a State Government authorised by the Central Government in this behalf may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act.
Explanation.-For the purposes of this sub-section, the expression "public place" includes any public conveyance, any hotel, any shop or any other place intended for use by, or accessible to the public.
(2) Where any person is arrested under sub-section (1) by an officer other than a police officer, such officer shall, without unnecessary delay, take or send the person arrested before a magistrate having jurisdiction in the case or before the officer-in-charge of a police station.
(3) The provisions of the Code of Criminal Procedure, 1973 shall, subject to the provisions of this section, apply, so far as may be, in relation to any entry, search or arrest, made under this section.
(4) The provisions of this section shall have effect notwithstanding anything inconsistent therewith contained in any other provision of this Act.
Overriding effect
81. The provisions of this Act shall be in addition to, and not in derogation of the provisions of any enactment other than this Act.
Controller, Deputy Controller and Assistant Controllers to be public servants
82. The Presiding Officer and other officers and employees of a Cyber Regulations Appellate Tribunal, the Controller, the Deputy Controller and Assistant Controllers shall be deemed to be public servants within the meaning of section 21 of the Indian Penal Code.
Power to give directions
83. The Central Government may give directions to the Government of a State as to the carrying into execution in the State of any of the provisions of this Act.
Protection of action taken in good faith
84. No suit, prosecution or other legal proceeding shall lie against the Central Government, the State Government, the Controller or any person acting on behalf of him, the Presiding officer, Adjudicating officers and the staff of the Cyber Regulations Appellate Tribunal, for anything which is in good faith done or intended to be done in pursuance of this Act, any rule, regulation or order made thereunder.
Removal of Difficulties
85. (1) If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order published in the Official Gazette, make such provisions not inconsistent with the provisions of this Act as appear to it to be necessary or expedient for removing the difficulty:
Provided that no order shall be made under this section after the expiry of a period of two years from the commencement of this Act.
(2) Every order made under this section shall be laid, as soon as may be after it is made, before each House of Parliament.
Power of Central Government to make rules
86. (1) The Central Government may, by notification in the official Gazette, make rules to carry out the provisions of this Act.
(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:-
for matter specified in sub-section (2) of section 5;
for matters specified in section 9;
satisfy such other standards where the Controller acts as repository under clause (d) of sub-section (2) of section 21;
the form in which application for license and the fee payable with documents under sub-section (1) of section 22;
requirements to be fulfilled for issue of license by the applicants under sub-section (2) of section 22;
the form in which application for renewal under clause (a) of section 24;
conditions to be complied for the renewal of license after the expiry of the specified period under clause (b) of section 25;
the form in which applications for issue of a Digital Signature Certificate under sub-section (1) of section 38;
the fee for application to the issue of Digital Signature Certificate under sub-section (2) of section 38;
the qualification and experience to be fixed by the Central Government under sub-section (2) of section 48;
the procedure for investigation of misbehaviour or incapacity of the presiding officer of the Cyber Regulations Appellate Tribunal under sub-section (3) of section 56;
the salary and allowances and other terms and conditions of service of presiding officer and other officers and employees of the Cyber Regulations Appellate Tribunal under section 54 and sub-section (3) of section 58;
the form in which appeal may be filed before the Cyber Regulations Appellate Tribunal under sub-section (3) of section 59;
any other power of a civil court required to be prescribed under clause (h) of sub-section (2) of section 60.
(3) Every rule made by the Central Government under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule.
Constitution of Advisory Committee
87. (1) The Central Government shall, as soon as may be after the commencement of this Act, constitute a Committee called the Cyber Regulations Advisory Committee.
(2) The Cyber Regulations Advisory Committee shall consist of a Chairperson and such number of other official and non-official members representing the interests principally affected or having special knowledge of the subject-matter as may be prescribed by the Central Government.
(3) The Cyber Regulations Advisory Committee shall advise-
the Central Government either generally as regards any rules or for any other purpose connected with this Act;
the Controller in framing the regulations under this Act.
(4) There shall be paid to the non-official members of such Committee such travelling and other allowances as the Central Government may fix.
Power to make regulations
88. (1) The Controller may, after consultation with the Cyber Regulations Advisory Committee and after previous approval of the Central Government, by notification in the Official Gazette, make regulations under this Act.
(2) In particular, and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely:-
particulars relating to maintenance of database containing the disclosure record of every certifying authority under clause (m) of section 19;
conditions and restrictions to recognise any certifying authority authorised to issue a Digital Signature Certificate in a country outside India under section 20;
terms and conditions and period of license granted under sub-section (4) of section 22;
directions by order by Controller to take such measures by a certifying authority or an employee of such authority under sub-section (1) of section 29;
standards to be specified in respect of computer security system by a certifying authority under clause (e) of section 33;
statement containing particulars about certification practice statement under sub-section (3) of section 38;
time to be specified to file any return or furnish any information etc. under clause (b) of section 71;
Power of State Government to make rules
89. (1) The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.
(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:-
(a) for matters specified in sub-section (2) of section 5;
(b) any other matter which is required to be provided by rules.
(3) Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.
Amendments to certain enactments
90. The enactments specified in the Schedule to this Act shall be amended in the manner provided therein.
AMENDMENTS TO THE INDIAN PENAL CODE, 1860
1. After section 29, the following section shall be inserted, namely:-
"29A. Electronic records shall have the meaning assigned to it in clause (20) of section 2 of the Information Technology Act, 1999.".
2. In section 167, for the words "such public servant charged with the preparation or translation of any document, frames or translates that document" the words "charged with the preparation or translation of any document or electronic record frames or translates that document or electronic record" shall be substituted.
3. In section 172, for the words "produce a document in a court of justice" the words "produce a document or electronic record in a court of justice" shall be substituted.
4. In section 173, for the words "to produce a document in a court of justice" the words "to produce a document or electronic record in a court of justice" shall be substituted.
5. In section 175, for the word "document" in both the places where it occurs, the words "document or electronic record" shall be substituted.
6. In section 192, for the words "makes any document" the words "makes any document or electronic record" shall be substituted.
7. In section 204, for the word "document" in both the places where it occurs, the word "document or electronic record" shall be substituted.
8. In section 463, for the words "any false document or part of a document with the intent to cause damage or injury", the words "any false document, false electronic record or part of a document or electronic record, with the intent to cause damage or injury" shall be substituted.
9. For section 464 the following section shall be substituted, namely:-
"464. Making a false document or false electronic record:
A person is said to make a false document or false electronic record -
First - Who dishonestly or fraudulently makes, signs, seals or executes a document, part of a document or electronic record or makes any mark denoting the execution of a document or affixes any digital signature or makes any mark denoting the authenticity of digital signature, with the intention of causing it to be believed that such document or electronic record was made, signed, sealed, executed or affixed by or by the authority of a person by whom or by whose authority he knows that it was not made, signed, sealed or affixed; or
Secondly - Who, without lawful authority, dishonestly or fraudulently, by cancellation or otherwise, alters a document or an electronic record in any material part thereof, after it has been made, executed or affixed with digital signature either by himself or by any other person, whether such person be living or dead at the time of such alteration; or
Thirdly - Who dishonestly or fraudulently causes any person to sign, seal, execute or alter a document or an electronic record or to affix his digital signature knowing that such person by reason of unsoundness of mind or intoxication cannot, or that by reason of deception practiced upon him, he does not know the contents of the document or electronic record or the nature of the alteration.".
10. In section 466, for the words "whoever forges a document", the words "whoever forges a document or electronic record" shall be substituted.
11. In section 468, for the words "document forged", the words "document or electronic record forged" shall be substituted.
12. In section 469, for the words "intending that the document forged", the words "intending that the document or electronic record forged" shall be substituted.
13. In section 470, for the word "document" in both the places where it occurs, the words "document or electronic record" shall be substituted.
14. In section 471, for the word "document" wherever it occurs, the words "document or electronic record" shall be substituted.
15. In section 477A, for the words "any book, paper writing", in both the places where they occur, the words "any book, electronic record, paper writing" shall be substituted.
AMENDMENTS TO THE INDIAN EVIDENCE ACT 1872
1. In section 3,-
(a) in the definition of "Evidence" for the words "all documents produced for the inspection of the Court", the words "all documents including electronic records produced for the inspection of the Court" shall be substituted.
(b) after the definition of "India", the following shall be inserted, namely:-
‘the expressions "Certifying Authority", "digital signature", "Digital Signature Certificate", "electronic form", "electronic records" and "subscriber" shall have the meanings respectively assigned to them in the Information Technology Act 1999.’
2. After section 22 the following section shall be inserted, namely:-
When oral admission as to contents of electronic records are relevant:
"22A. Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question."
3. In section 34, for the words "Entries in the books of accounts", the words "Entries in the books of accounts, including those maintained in an electronic form" shall be substituted.
4. In section 35, for the word "record", the words "record or an electronic record" shall be substituted.
5. After section 47 the following section shall be inserted namely:-
Opinion as to digital signature when relevant
"47A. When the Court has to form an opinion as to the digital signature of any person, the opinion of the Certifying Authority which has issued the Digital Signature Certificate is a relevant fact.".
6. In section 59, for the words "contents of documents" the words "contents of documents or electronic records" shall be substituted.
7. After section 65, the following sections shall be inserted, namely:-
"65A. The contents of electronic record may be proved in accordance with the provisions of section 65B.
Admissibility of computer outputs
65B. (1) Notwithstanding anything contained in this Act, a statement contained in an electronic record and included in a media, paper, optical or magnetic produced by a computer (hereinafter referred to as a "computer output"), if the conditions mentioned in sub-section (2) and the other provisions contained in this section are satisfied in relation to the statement and the computer in question, shall be deemed to be also a document and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:-
the computer output containing the statement was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;
during the said period, there was regularly supplied to the computer in the ordinary course of the said activities, information of the kind contained in the statement or of the kind from which the information so contained is derived;
throughout the material part of the said period, the computer was operating properly or, if not, then any respect in which it was not operating properly or was out of operation during that part of the period was not such as to affect the production of the document or the accuracy of the contents; and
the information contained in the statement reproduces or is derived from information supplied to the computer in the ordinary course of the said activities.
(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether -
by a combination of computers operating over that period; or
by different computers operating in succession over that period; or
by different combinations of computers operating in succession over that period; or
in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers, all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.
(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say -
identifying the document containing the statement and describing the manner in which it was produced;
giving such particulars of any device involved in the production of that document as may be appropriate for the purpose of showing that the document was produced by a computer;
dealing with any of the matters to which the conditions mentioned in sub-section (2) relate,
and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.
(5) For the purposes of this section, -
(a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;
(b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities;
(c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.
Explanation.- For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.".
8. After section 67, the following section shall be inserted, namely:-
"67A. Except in the case of a secure digital signature, if a digital signature of any subscriber is alleged to have been affixed to an electronic record the fact that such digital signature must be proved to be that of the subscriber.".
9. After section 73 the following section shall be inserted, namely:-
Verification of digital signature
"73A. In order to ascertain whether a digital signature is that of the person by whom it purports to have been affixed the court may direct,-
that person or the Controller or the Certifying Authority to produce the Digital Signature Certificate;
any other person to apply the public key listed in the Digital Signature Certificate and verify the Digital Signature purported to have been affixed by that person".
10. After section 81, the following section shall be inserted, namely:-
Presumption as to Gazettes
"81A. The Court shall presume the genuineness of every electronic record purporting to be the Official Gazette, or purporting to be document directed by any law to be kept by any person, if such document is kept substantially in the form required by law and is produced from proper custody.".
Presumptions as to electronic messages
11. After section 85 the following sections shall be inserted, namely:-
Presumptions as to Electronic Contracts
"85A. The Court shall presume that every electronic record purporting to be an electronic contract containing the digital signatures of the parties was so concluded by affixing the digital signature of the parties".
Presumptions as to electronic records and digital signatures
85B. (1) In any proceedings involving a secure electronic record, the court shall presume unless contrary is proved, that the secure electronic record has not been altered since the specific point in time to which the secure status relates.
(2) In any proceedings, involving secure digital signature, the court shall presume unless the contrary is proved that -
(a) the secure digital signature is affixed by that person with the intention of signing or approving the electronic record;
(b) except in the case of a secure electronic record or a secure digital signature, nothing in this section shall create any presumption relating to authenticity and integrity of the electronic record or a digital signature.
Presumptions regarding Digital Signature Certificates
85C. The court shall presume, unless contrary is proved, that the information listed in a Digital Signature Certificate is correct, except for information specified as subscriber information which has not been verified, if the certificate was accepted by the subscriber.".
12. After section 88 the following section shall be inserted namely:-
Presumptions as to electronic messages
"88A. The Court may presume that an electronic message forwarded by the originator through an electronic mail server to the addressee to whom the message purports to be addressed corresponds with the message as fed into his computer for transmission; but the Court shall not make any presumption as to the person by whom such message was sent.".
13. After section 90, the following section shall be inserted, namely:-
Presumptions as to electronic records five years old
"90A. Where any electronic record purporting or proved to be five years old, is produced from any custody which the Court in the particular case considers proper, the Court may presume that the digital signature which purports to be the digital signature of any particular person was so affixed by him or any person authorised by him in this behalf.
Explanation.- Electronic records are said to be in proper custody if they are in the place in which, and under t