Author: Tanu Rani Mahato, New Law College, Bharti Vidyapeeth
To the Point
The rise in internet penetration, smartphone usage, and digital transactions has made cybersecurity a strategic and legal priority for India. The cornerstone of India’s cyber legal system is the Information Technology Act, 2000, which addresses crimes committed via digital means, regulates electronic transactions, and defines responsibilities for digital intermediaries. The Digital Personal Data Protection Act, 2023 further strengthens this legal framework by laying down principles for the collection, processing, and protection of personal data.
India’s legal response is structured around:
Preventive legal frameworks through enforceable rules and policy.
Punitive legal action to deter and punish cyber offenders.
Institutional protection via national bodies like CERT-IN and state-level cyber labs.
Abstract
While the IT Act, 2000 was initially intended to facilitate online commerce, its scope has been expanded to address crimes like identity theft, data breaches, cyber terrorism, online defamation, and revenge porn.
The Digital Personal Data Protection Act, 2023 complements this framework by introducing a structured approach to user consent, data localization, and accountability of data fiduciaries. Notably, this legislation empowers a Data Protection Board to enforce penalties up to ₹250 crore.
The legal regime also interacts with constitutional principles, especially the Right to Privacy enshrined under Article 21, as affirmed in the Puttaswamy v. Union of India (2017) judgment, making it obligatory for data processing to pass the tests of necessity and proportionality.
Use of Legal Jargon
Mens rea – Implied criminal intention in cyber offenses such as online impersonation or fraud.
Actus reus – The actionable unlawful conduct like hacking or spreading malware.
Lex loci delicti commissi – Jurisdiction lies with the territory where the digital crime took place.
Intermediary liability – As per Section 79 of the IT Act, digital platforms are shielded unless they fail to exercise due diligence.
Ex post facto law – A retrospective application of penal laws is constitutionally invalid.
Due diligence – A regulatory obligation under Rule 3(1) of the 2021 IT Rules, requiring platforms to monitor and act against unlawful content.
The Proof
Cybercrime is no longer peripheral—it is mainstream. According to the NCRB’s 2023 data, India logged over 65,000 cybercrime cases, marking a 9.3% annual increase. Sectors like health, finance, and education have become soft targets for ransomware syndicates. IBM’s 2022 cybersecurity report placed India second among global victims of cyberattacks.
Notable incidents include
Aadhaar data exposure: Massive concerns over systemic vulnerabilities in the nation’s identity repository.
Espionage campaigns: Attempts attributed to foreign state actors targeting sensitive Indian databases.
Conclusion
India’s cybersecurity legal architecture is robust but evolving. The IT Act remains the central statute, reinforced by evolving policies and the Data Protection Act, 2023, which together aim to protect user interests and digital ecosystems.
However, challenges persist:
Absence of a dedicated Cybersecurity Act for critical infrastructure.
Inadequate forensic resources across districts.
Complexities in extraterritorial enforcement and digital evidence collection.
To fortify cyber resilience, India must:
Establish a National Cybersecurity Authority.
Mandate periodic cybersecurity audits for public and private sectors.
Build judicial and law enforcement expertise in handling digital evidence and cyber law.
FAQS
Q1: What is the primary cyber law applicable in India?
A: The Information Technology Act, 2000, along with its amendments and associated rules.
Q2: Can individuals be penalized for spreading misinformation on social media?
A: Yes. Offenses such as impersonation or obscenity are punishable under Sections 66D and 67 of the IT Act, as well as relevant IPC provisions.
Q3: What duties do intermediaries like Google and Facebook have?
A: They are required to comply with due diligence obligations under the IT Rules, 2021, including content moderation and grievance handling mechanisms.
Q4: How can someone report cyberbullying or harassment?
A: Victims may file online complaints via cybercrime.gov.in or contact their nearest cyber police station. Relevant sections include 67 (IT Act) and 354D (IPC).
Q6: Has the Data Protection Act been implemented yet?
A: Yes. The Digital Personal Data Protection Act, 2023 is in force, overseen by the Data Protection Board of India, and prescribes strict rules and penalties for personal data breaches.
