Kumar Gaurav
Assistant Professor of Law
Chanakya National Law University, Patna
SCHEME OF THE ACT
Chapter – I – Preliminary
Chapter – II – Digital Signature and Electronic Signature (Sections 3 & 3A)
Chapter – III – Electronic Governance (Sections 4 to 10A)
Chapter – IV – Attribution, Acknowledgement and Dispatch of Electronic Records
(Sections 11 to 13)
Chapter – V – Secure electronic records and secure electronic signatures (Sections
14 to 16)
Chapter – VI – Regulation of Certifying Authorities (Sections 17 to 34)
Chapter – VII – Electronic Signature Certificates (Sections 35 to 39)
First Schedule – Documents or Transactions to which the Act shall not apply
Second Schedule – Electronic signature or Electronic authentication technique or
procedure
CONTINUED….
Chapter – VIII – Duties of Subscribers (Sections 40 to 42)
Chapter – IX – Penalties, Compensation and Adjudication (Sections
43 to 47)
Chapter X – The Cyber Appellate Tribunal (Sections 48 to 64)
Chapter XI – Offences (Sections 65 to 78)
Chapter XII – Intermediaries not to be liable in certain cases (Section
79)
Chapter XIIA – Examiner of Electronic Evidence (Section 79A)
Chapter XIII – Miscellaneous (Sections 80 to 90)
IT ACT, 2000 - HIGHLIGHTS
LEGAL RECOGNITION OF E-DOCUMENT AND
AUTHENTICATION MECHANISMS
CYBER OFFENCES VS CYBER CONTRAVENTION
DATA PROTECTION AND PRIVACY
CYBER SECURITY
INTERMEDIARY’S LIABILITY
SURVEILLANCE AND ENCRYPTION
LEGAL RECOGNITION OF E-DOCUMENT AND AUTHENTICATION MECHANISMS
Directory (DAP and LDAP): X500 for publication of certificates and Certification Revocation Lists (CRLs)
Database Management Operations: Use of generic SQL
Public Key algorithm: DSA and RSA
Digital Hash Function: MD5 and SHA-1
Class 0: Digital Certificates under this class shall be issued for “test purpose” or for
“demonstration purpose” only, and not otherwise.
Class 1: Digital Certificates under this class do not hold any legal recognition; however, they
are considered valid on the basis of a valid e-mail, not on direct verification. These
certificates shall be issued to private subscribers or individuals.
Class 2: Digital Signature Certificates under this class can be issued both for private
individual use and for business personnel. This class has a pre-verified database which is used
to verify the identity of the person.
Class 3: This class of Certificate is considered the top class. These are high assurance
Certificates that are primarily intended for Electronic Commerce applications. This class of
Certificate will be issued to individuals as well as to organizations. This class requires personal
verification, meaning the person needs to present himself before the Registration Authority (RA) to prove
his identity.
Creation of Digital Signature
• If a Sender ‘A’ wants to send a document to Recipient ‘B’ and wishes to authenticate that
electronic document by the use of a Digital Signature, then ‘A’ will perform the following functions:
• I. ‘A’ will generate a hash value by applying a hash function to the electronic document.
• II. ‘A’ will encrypt the hash value with its Private Key. The encrypted hash value is known as the
Digital Signature.
• III. ‘A’ will append the Digital Signature to the electronic document and send it to the recipient
‘B’.
Verification of the Digital Signature at the recipient's end involves the following steps:
• II. ‘B’ will generate a hash value by applying the hash function on the electronic
• III. Then ‘B’ will decrypt the Digital Signature by applying ‘A’’s (Sender’s) Public
Key and recover the hash value that was calculated by ‘A’.
• IV. If both hash values obtained in step I and II are the same, then the received document is authentic i.e. it was
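The signing and verification steps above, as an added example that is not part of the original slides: textbook RSA over a SHA-256 digest with a constructed toy key. The key values, function names and sample document are assumptions for illustration; SHA-256 is chosen here although the page lists MD5 and SHA-1, and the padding step that deployed schemes add (PKCS#1 v1.5 or PSS) is omitted.

```python
import hashlib

# Constructed demonstration key pair for sender 'A' (assumption, not from the page).
# Built from two Mersenne primes so the block runs offline; not a usable key.
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                            # public modulus, wider than a SHA-256 digest
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

# A second constructed modulus, standing in for a public key that is not A's.
OTHER_N = (2**89 - 1) * (2**607 - 1)


def hash_value(document: bytes) -> int:
    """Step I: apply the hash function to the electronic document."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Step II: transform the hash value with the sender's private key."""
    return pow(hash_value(document), d, n)


def send(document: bytes) -> dict:
    """Step III: append the Digital Signature to the document."""
    return {"document": document, "signature": sign(document)}


def verify(message: dict, e: int = E, n: int = N) -> bool:
    """Recipient 'B': hash the received document, recover the sender's hash
    from the signature with the sender's public key, and compare the two."""
    signature = message["signature"]
    if not 0 <= signature < n:       # reject values outside the modulus range
        return False
    recomputed = hash_value(message["document"])
    recovered = pow(signature, e, n)
    return recovered == recomputed


def demo() -> dict:
    msg = send(b"Pay Rs. 1,000 to B")                      # constructed sample
    tampered = dict(msg, document=b"Pay Rs. 9,000 to B")   # altered in transit
    return {
        "genuine": verify(msg),
        "tampered_document": verify(tampered),
        "wrong_public_key": verify(msg, n=OTHER_N),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison fails both when the document changes after signing and when the signature is checked against a public key other than the sender's, which is why the certificate binding a public key to an identity matters as much as the arithmetic.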
Sensitive personal data or information of a person means such personal information which consists of
information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument
details ;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or
processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the
Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive
4. BODY CORPORATE TO PROVIDE POLICY FOR PRIVACY AND
DISCLOSURE OF INFORMATION
A person shall not collect any sensitive personal data or information of an individual unless there is a connected
lawful purpose.
The information provider must be given the option not to provide sensitive personal data or
information.
The data collected shall not be used for any purpose other than specified at the time of its collection.
A body corporate must appoint a grievance officer to address the complaints. The contact details of such officer
• In Shreya Singhal v. Union of India judgement, Justices Rohinton F. Nariman and J. Chelameswar had observed that the
weakness of Section 66A lay in the fact that it had created an offence on the basis of undefined actions: such as causing
“inconvenience, danger, obstruction and insult”, which do not fall among the exceptions granted under Article 19 of
the Constitution, which guarantees the freedom of speech.
• The court also observed that the challenge was to identify where to draw the line. Traditionally, it has been drawn at
incitement while terms like obstruction and insult remain subjective.
• In addition, the court had noted that Section 66A did not have procedural safeguards like other sections of the law with
similar aims, such as :
– The need to obtain the concurrence of the Centre before action can be taken.
– Local authorities could proceed autonomously, literally on the whim of their political masters.
• The judgment had found that Section 66A was contrary to both Articles 19 (free speech) and 21 (right to life) of the
Constitution. The entire provision was struck down by the court.
FACTS OF THE CASE:
There was a Bandh declared by Shiv Sena in Maharashtra on the death of the political leader Bal
Thackeray.
Two girls named Shaheen Dhada and Rinu Shrinivasan expressed their displeasure against the
bandh by posting a comment on Facebook and liking it.
They were arrested by Mumbai Police immediately under Section 66A of the Information Technology
Act for posting and liking a comment which could cause annoyance and hatred in the minds of the public at
large.
The girls were soon released, but the arrest attracted large public protest and media attention, with claims that
it was violative of the Freedom of Speech and Expression guaranteed under Article 19 of the Constitution.
It was also asserted that the police authorities abused their power by invoking Section 66A of the I.T.
Act, which allows the police authorities to investigate a case without any warrant. It has led to the
arrest of a large number of innocent people merely for expressing their opinions and views, which according to the
Government were Obnoxious Content.
CONTINUED…
After this incident in 2013 the Central Government issued an
advisory under which no person can be arrested without the
prior approval of Inspector General of Police.
Soon several petitions were filed together under Article 32 of
the Constitution challenging the validity of Section 66A of
the I.T. Act.
The Supreme Court clubbed all these petitions under a single
P.I.L and the case was named as Shreya Singhal vs. Union of
India.
CONTENTIONS
The Petitioners argued that Section 66A was unconstitutional because its intended protection against
annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, or ill-will falls outside the
purview of Article 19(2). They also argued that the law was unconstitutionally vague as it fails to specifically
define its prohibitions. In addition, they contended that the law has a “chilling effect” on the right to freedom
of expression. [para. 5]
The government, on the other hand, argued that the legislature is in the best position to fulfill the needs of
people and courts may interfere with legislative process only when “a statute is clearly violative of the rights
conferred on the citizen under Part-III of the Constitution.” [para. 6] The government contended that mere
presence of abuse of a provision may not be a ground to declare the provision as unconstitutional. Also, the
government was of the opinion that loose language of the law could not be a ground for invalidity because
the law is concerned with novel methods of disturbing people’s rights through internet. According to the
government, vagueness cannot be a ground to declare a statute unconstitutional “if the statute is otherwise
legislatively competent and non-arbitrary.” [para. 6]
Court's view
The Court first discussed three fundamental concepts in understanding the freedom of expression: discussion,
advocacy, and incitement. According to the Court, “[m]ere discussion or even advocacy of a particular cause
howsoever unpopular is at the heart” of the right. [para. 13] And, the law may curtail the freedom only when a
discussion or advocacy amounts to incitement. [para. 13]
As applied to the case in hand, the Court found that Section 66A is capable of limiting all forms of internet
communications as it makes no distinction “between mere discussion or advocacy of a particular point of view, which
may be annoying or inconvenient or grossly offensive to some and incitement by which such words lead to an
imminent causal connection with public disorder, security of State etc.” [para. 20]
The Court further held that the law fails to establish a clear proximate relation to the protection of public order.
According to the Court, the commission of an offense under Section 66A is complete by sending a message for the
purpose of causing annoyance or insult. As a result, the law does not make distinction between mass dissemination
and dissemination to only one person without requiring the message to have a clear tendency of disrupting public
order.
As to whether Section 66A was a valid attempt to protect individuals from defamatory statements through online
communications, the Court noted that the main ingredient of defamation is “injury to reputation.” It held that the law
does not concern this objective because it also condemns offensive statements that may annoy or be inconvenient to
an individual without affecting his reputation. [para. 43]
CONTINUED…
The Court also held that the government failed to show that the law intends to prevent communications that incite
the commission of an offense because “the mere causing of annoyance, inconvenience, danger etc., or being
grossly offensive or having a menacing character are not offences under the Penal Code at all.” [para. 44]
As to petitioners’ challenge of vagueness, the Court followed the U.S. judicial precedent, which holds that “where
no reasonable standards are laid down to define guilt in a Section which creates an offense, and where no clear
guidance is given to either law abiding citizens or to authorities and courts, a Section which creates an offense and
which is vague must be struck down as being arbitrary and unreasonable.” [para. 52] The Court found that Section
66A leaves many terms open-ended and undefined, therefore making the statute void for vagueness.
The Court also addressed whether Section 66A is capable of imposing chilling effect on the right to freedom of
expression. It held that because the provision fails to define terms, such as inconvenience or annoyance, “a very
large amount of protected and innocent speech” could be curtailed. [para. 83]
The Court also noted the intelligible difference between information transmitted through internet and other forms of
speech, which permits the government to create separate offenses related to online communications. Accordingly,
the Court rejected petitioners’ argument that Section 66A was in violation of Article 14 of the Constitution against
discrimination. [para. 98]
Observation
Definition of information as per IT act does not refer to what the content of information can be. It
refers only to the medium through which such information is disseminated. It is clear, therefore, that
the petitioners are correct in saying that the public's right to know is directly affected by Section
66A.
It is clear that Section 66A is intended to punish any person who uses the internet to disseminate any
information that falls within the sub-clauses of Section 66A. It will be immediately noticed that the
recipient of the written word that is sent by the person who is accused of the offence is not of any
importance so far as this Section is concerned.
It will be noticed that for something to be defamatory, injury to reputation is a basic ingredient.
Section 66A does not concern itself with injury to reputation. Something may be grossly offensive
and may annoy or be inconvenient to somebody without at all affecting his reputation. It is clear
therefore that the Section is not aimed at defamatory statements at all.
CONTINUED….
Penal law is void for vagueness if it fails to define the criminal offence with sufficient
definiteness. Ordinary people should be able to understand what conduct is prohibited and
what is permitted. Also, those who administer the law must know what offence has been
committed so that arbitrary and discriminatory enforcement of the law does not take place.
It is held that the Section is unconstitutional also on the ground that it takes within its
sweep protected speech and speech that is innocent in nature and is liable therefore to be
used in such a way as to have a chilling effect on free speech and would, therefore, have to
be struck down on the ground of over breadth.
Section 66A of the Information Technology Act, 2000 is struck down in its entirety being
violative of Article 19(1) (a) and not saved under Article 19(2).
CONTINUED .….
Section 69A and the Information Technology
(Procedure & Safeguards for Blocking for Access of
Information by Public) Rules 2009 are constitutionally
valid.
Sec 66 D: Impersonation
Whoever by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term which
may extend to three years and shall also be liable to fine which may extend to one lakh
rupees.
SECTION 66 E: VIOLATION OF PRIVACY
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of
any person without his or her consent, under circumstances violating the privacy of that person, shall be
punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees
or with both.
Explanation:- For the purposes of this section,
(a) "transmit" means to electronically send a visual image with the intent that it be viewed by a person or
persons:
(b) "capture" with respect to an image, means to video tape, photograph, film or record by any means
(c) "private area" means the naked or undergarment clad genitals, pubic area, buttocks or female breast
(d) "publishes" means reproduction in the printed or electronic form and making it available to public
(e) "under circumstances violating privacy" means circumstances in which a person can have a
reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of
his private area was being captured; or (ii) any part of his or her private area would not be visible to the
public, regardless of whether that person is in a public or private place.
Section 354 C. Voyeurism.
• Any man who watches, or captures the image of a woman engaging in a private act in circumstances where
she would usually have the expectation of not being observed either by the perpetrator or by any other
person at the behest of the perpetrator or disseminates such image shall be punished on first conviction
with imprisonment of either description for a term which shall not be less than one year, but which may
extend to three years, and shall also be liable to fine, and be punished on a second or subsequent
conviction, with imprisonment of either description for a term which shall not be less than three years, but
which may extend to seven years, and shall also be liable to fine.
• Explanation 1.—For the purpose of this section, "private act" includes an act of watching carried out in a
place which, in the circumstances, would reasonably be expected to provide privacy and where the victim's
genitals, posterior or breasts are exposed or covered only in underwear; or the victim is using a lavatory; or
the victim is doing a sexual act that is not of a kind ordinarily done in public.
• Explanation 2.—Where the victim consents to the capture of the images or any act, but not to their
dissemination to third persons and where such image or act is disseminated, such dissemination shall be
considered an offence under this section.
Section 72 in The Information Technology Act, 2000
• Save as otherwise provided in this Act or any other law for the time
being in force, any person including an intermediary who, while
providing services under the terms of lawful contract, has secured
access to any material containing personal information about another
person, with the intent to cause or knowing that he is likely to cause
wrongful loss or wrongful gain discloses, without the consent of the
person concerned, or in breach of a lawful contract, such material to
any other person, shall be punished with imprisonment for a term
which may extend to three years, or with fine which may extend to
five lakh rupees, or with both.
CONTINUED…
This section applies to: any person (including an intermediary) who, while
providing services under the terms of lawful contract, has secured access to
any material containing personal information about another person. This
person will be penalised if he discloses such material:
(1) without the consent of the person concerned, or in breach of a lawful
contract, and
(2) with the intent to cause or knowing that he is likely to cause wrongful
loss or wrongful gain.
This section does not apply if the person reveals this information in
compliance with any law.
• Section 10 in The Indian Contract Act, 1872
• 10. What agreements are contracts.—All agreements are contracts if they
are made by the free consent of parties competent to contract, for a lawful
consideration and with a lawful object, and are not hereby expressly
declared to be void.
Nothing herein contained shall affect any law in force in India, and not
hereby expressly repealed, by which any contract is required to be made in
writing or in the presence of witnesses, or any law relating to the
registration of documents.
INTERMEDIARY
Whoever,– (a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children
engaged in sexually explicit act or conduct; or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any
electronic form depicting children in obscene or indecent or sexually explicit manner; or
(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner
that may offend a reasonable adult on the computer resource; or
(d) facilitates abusing children online, or
(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first
conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh
rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven
years and also with fine which may extend to ten lakh rupees:
Provided that provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing,
painting representation or figure in electronic form–
(i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing,
drawing, painting representation or figure is the interest of science, literature, art or learning or other objects of general concern; or
(ii) which is kept or used for bona fide heritage or religious purposes. Explanation–For the purposes of this section, "children" means a
person who has not completed the age of 18 years.
CYBER SECURITY
2(1) (nb) "cyber security" means protecting information, equipment, devices,
computer, computer resource, communication device and information stored
therein from unauthorised access, use, disclosure, disruption, modification or
destruction;
2(1) (ze) "secure system" means computer hardware, software, and procedure
that– (a) are reasonably secure from unauthorised access and misuse; (b) provide
a reasonable level of reliability and correct operation; (c) are reasonably suited to
performing the intended functions; and (d) adhere to generally accepted security
procedures;
SECTION 70 PROTECTED SYSTEM
• [(1) The appropriate Government may, by notification in the Official Gazette, declare any computer
resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a
protected system. Explanation. -For the purposes of this section, "Critical Information
Infrastructure" means the computer resource, the incapacitation or destruction of which, shall have
debilitating impact on national security, economy, public health or safety.]
• (2) The appropriate Government may, by order in writing, authorise the persons who are authorised
to access protected systems notified under sub-section (1).
• (3) Any person who secures access or attempts to secure access to a protected system in
contravention of the provisions of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.
• [(4) The Central Government shall prescribe the information security practices and procedures for
such protected system.]
• ‘Rules for the Information Security Practices and Procedures for Protected System’, promulgated vide
Gazette Notification dated 22 May 2018 (Regd No D.L.- 33004/99),
SECTION 70 A NATIONAL NODAL AGENCY
(1) The Central Government shall, by notification in the Official Gazette, appoint an agency of the Government to
be called the Indian Computer Emergency Response Team.
(2) The Central Government shall provide the agency referred to in sub-section (1) with a Director-General and
such other officers and employees as may be prescribed.
(3) The salary and allowances and terms and conditions of the Director- General and other officers and employees
shall be such as may be prescribed.
(4) The Indian Computer Emergency Response Team shall serve as the national agency for performing the
following functions in the area of cyber security,-
(a) collection, analysis and dissemination of information on cyber incidents;
(b) forecast and alerts of cyber security incidents;
(c) emergency measures for handling cyber security incidents;
(d) coordination of cyber incidents response activities;
CONTINUED…
(e) issue guidelines, advisories, vulnerability notes and whitepapers relating to information security
practices, procedures, prevention, response and reporting of cyber incidents;
(f) such other functions relating to cyber security as may be prescribed.
(5) The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such
as may be prescribed.
(6) For carrying out the provisions of sub-section (4), the agency referred to in sub-section (1) may call for
information and give direction to the service providers, intermediaries, data centres, body corporate and
any other person.
(7) Any service provider, intermediaries, data centres, body corporate or person who fails to provide the
information called for or comply with the direction under sub-section (6), shall be punishable with
imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees
or with both.
(8) No court shall take cognizance of any offence under this section, except on a complaint made by an
officer authorised in this behalf by the agency referred to in sub-section (1).
69 POWER TO ISSUE DIRECTIONS FOR INTERCEPTION OR MONITORING OR
DECRYPTION OF ANY INFORMATION THROUGH ANY COMPUTER RESOURCE.
(1) Where the Central Government or a State Government or any of its officers specially
authorised by the Central Government or the State Government, as the case may be, in this
behalf may, if satisfied that it is necessary or expedient to do in the interest of the
sovereignty or integrity of India, defence of India, security of the State, friendly relations
with foreign States or public order or for preventing incitement to the commission of any
cognizable offence relating to above or for investigation of any offence, it may, subject to
the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any
agency of the appropriate Government to intercept, monitor or decrypt or cause to be
intercepted or monitored or decrypted any information generated, transmitted, received or
stored in any computer resource.
(2) The procedure and safeguards subject to which such interception or monitoring or
decryption may be carried out, shall be such as may be prescribed.
CONTINUED….
(3) The subscriber or intermediary or any person in-charge of the computer
resource shall, when called upon by any agency referred to in sub-section
(1), extend all facilities and technical assistance to-
(a) provide access to or secure access to the computer resource generating,
transmitting, receiving or storing such information; or
(b) intercept, monitor, or decrypt the information, as the case may be; or
(c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the
agency referred to in sub-section (3) shall be punished with imprisonment
for a term which may extend to seven years and shall also be liable to fine.]
69A POWER TO ISSUE DIRECTIONS FOR BLOCKING FOR PUBLIC
ACCESS OF ANY INFORMATION THROUGH ANY COMPUTER
RESOURCE. –
(1) Where the Central Government or any of its officer specially authorised by it in this behalf
is satisfied that it is necessary or expedient so to do, in the interest of sovereignty and integrity
of India, defence of India, security of the State, friendly relations with foreign States or public
order or for preventing incitement to the commission of any cognizable offence relating to
above, it may subject to the provisions of sub-section (2) for reasons to be recorded in writing,
by order, direct any agency of the Government or intermediary to block for access by the
public or cause to be blocked for access by the public any information generated, transmitted,
received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may
be carried out, shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall
be punished with an imprisonment for a term which may extend to seven years and shall also
be liable to fine.
69 B POWER TO AUTHORISE TO MONITOR AND COLLECT TRAFFIC
DATA OR INFORMATION THROUGH ANY COMPUTER RESOURCE FOR
CYBER SECURITY. -
(1) The Central Government may, to enhance cyber security and for identification, analysis and prevention of intrusion
or spread of computer contaminant in the country, by notification in the Official Gazette, authorise any agency of the
Government to monitor and collect traffic data or information generated, transmitted, received or stored in any
computer resource.
(2) The intermediary or any person in-charge of the computer resource shall, when called upon by the agency which has
been authorised under sub-section (1), provide technical assistance and extend all facilities to such agency to enable
online access or to secure and provide online access to the computer resource generating, transmitting, receiving or
storing such traffic data or information.
(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be
prescribed.
(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished
with an imprisonment for a term which may extend to three years and shall also be liable to fine. Explanation. -For the
purposes of this section,-
(i) "computer contaminant" shall have the meaning assigned to it in section 43;
(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer
network or location to or from which the communication is or may be transmitted and includes communications origin,
destination, route, time, data, size, duration or type of underlying service or any other information.
Section 87. Power of Central Government to make rules.–
• (k) “monitor” with its grammatical variations and cognate expressions, includes to view or inspect
or to record or collect traffic data or information generated, transmitted, received or stored in a
computer resource by means of a monitoring device;
• 3. Directions for monitoring.—
• 4. Authorised agency of government for monitoring and collection of traffic data or information.—
• 5. Intermediary to ensure effective check in handling monitoring or collection of traffic data or
information.—
• 6. Responsibility of intermediary.
• 7. Review of directions of competent authority.—
• 8. Destruction of records.—
• 9. Prohibition of monitoring or collection of traffic data or information without authorisation.—
• 10. Prohibition of disclosure of traffic data or information by authorised agency.—
• 11. Maintenance of confidentiality.
3. Directions for monitoring.—
• (1) No directions for monitoring and collection of traffic data or information under sub-section (3) of
section 69B of the Act shall be issued, except by an order made by the competent authority.
• (2) The competent authority may issue directions for monitoring for any or all of the following
purposes related to cyber security, namely:-
• (a) forecasting of imminent cyber incidents;
• (b) monitoring network application with traffic data or information on computer resource;
• (c) identification and determination of viruses or computer contaminant;
• (d) tracking cyber security breaches or cyber security incidents;
• (e) tracking computer resource breaching cyber security or spreading virus or computer
contaminants;
• (f) identifying or tracking of any person who has breached, or is suspected of having breached or
being likely to breach cyber security;
• (g) undertaking forensic of the concerned computer resource as a part of investigation or internal
audit of information security practices in the computer resources;
• (h) accessing a stored information for enforcement of any provisions of the laws relating to cyber
security for the time being in force;
• (i) any other matter relating to cyber security.
• (3) Any direction issued by the competent authority under sub-rule (2) shall contain reasons for such
direction and a copy of such direction shall be forwarded to the Review Committee within a period of
seven working days.
• (4) The direction of the competent authority for monitoring and collection of traffic data or
information may include the monitoring and collection of traffic data or information from any person
or class of persons or relating to any particular subject whether such traffic data or information, or
class of traffic data of information, are received with one or more computer resources, being a
computer resource likely to be used for generation, transmission, receiving, storing of traffic data or
information from or to one particular person or one or many set of premises.
4. Authorised agency of government for monitoring and collection of traffic data or information.—
• (1) The competent authority may authorise any agency of the government for monitoring and
collection of traffic data or information generated, transmitted, received or stored in any computer
resource.
• (2) The agency authorised by the competent authority under sub-rule (1) shall designate one or
more nodal officer, not below the rank of Deputy Secretary to the Government of India, for the
purpose to authenticate and send the requisition conveying direction issued under rule 3 to the
designated officers of the concerned intermediary or person in-charge of computer resources.
• (3) The requisition under sub-rule (2) shall specify the name and designation of the officer or the
agency to whom the monitored or collected traffic data or information is to be disclosed.
• (4) The intermediaries or person in-charge of computer resource shall designate one or more officers
to receive requisition and to handle such requisition from the nodal officer for monitoring or
collection of traffic data or information.
• (5) The requisition conveying directions for monitoring shall be conveyed to the designated officers of
the intermediary or person in-charge of computer resources, in writing through letter or fax by the
nodal officer or delivered, (including delivery by email signed with electronic signature), by an officer
not below the rank of Under Secretary or officer of the equivalent rank.
6. Responsibility of intermediary.—
• The intermediary or person in-charge of computer resource
shall be responsible for the actions of their employees also,
and in case of violation of the provision of the Act and rules
made thereunder pertaining to maintenance of secrecy and
confidentiality of information or any unauthorised
monitoring or collection of traffic data or information, the
intermediary or person in-charge of computer resource shall
be liable for any action under the relevant provision of the
laws for the time being in force.
8. Destruction of records.—
• (1) Every record, including electronic records pertaining to such directions for monitoring or
collection of traffic data shall be destroyed by the designated officer after the expiry of a period of
nine months from the receipt of direction or creation of record, whichever is later, except in a
case where the traffic data or information is, or likely to be, required for functional requirements.
• (2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or
legal proceedings the intermediary or the person in-charge of computer resource shall destroy
records pertaining to directions for monitoring or collection of information within a period of six
months of discontinuance of the monitoring or collection of traffic data and in doing so they shall
maintain extreme secrecy.
CONTINUED…
• (f) “cyber security incident” means any real or suspected adverse event in
relation to cyber security that violates an explicitly or implicitly applicable
security policy resulting in unauthorised access, denial of service/disruption,
unauthorised use of a computer resource for processing or storage of
information or changes to data, information without authorisation;