Information Technology (Amendment) Act, 2008: A new vision through

a new change
Vikas Asawat
Intellectual Property Facilitation Centre for MSMEs
Punjab State Council for Science & Technology, Chandigarh, 160019 India
Corresponding author e-mail:- vsasawat@gmail.com

Abstract:
The Information Technology Bill, 2008 has been passed both the houses of Parliament in
the last week of December, 2008 and was signed by the President of India on February 5,
2009 and became the Amendment Act. The Amendment Act aims to make revolutionary
changes in the existing Indian cyber law framework, including incorporation of
Electronic Signature i.e. enable authentication of electronic records by any electronic
signature technique. There are insertions of new express provisions to bring more cyber
offences within the purview of the Information Technology Act, 2000. There are various
provisions in the new amendment relating to data protection and privacy as well a
provision to curb terrorism using the electronic and digital medium. The original Act i.e.
Information Technology (IT) Act, 2000 is the legislation to provide legal recognition for
e-commerce and e-transactions, to facilitate e-governance, to prevent computer based
crimes and ensure security practices and procedures in the context of widest possible use
of information technology worldwide. The amendment has defined intermediary so as
to bring clarity in the legislation when it comes to deciding the onus of offence. Now,
Intermediaries are required to remove unlawful data or content on receiving information
about it. Definition of Communication Device and Cyber Cafe has also been
incorporated in the amendment act. The upper limit of compensation for damage to
computer, computer system etc has now been removed and now it can go to any just
compensation. In Section 43 two new offences have been added i.e. destroying, deleting
or altering information in a computer resource to diminish its value and stealing
concealing or destroying any computer source code with intention to cause damage. The
responsibility of body corporate Data protection is greatly emphasized by inserting
Section 43A in the Amendment Act
whereby corporate bodies handling sensitive
personal information in a computer resource are under an obligation to ensure adoption of
reasonable security practices and procedure to maintain its secrecy. The failing in
performing such obligation by such body corporate will make them liable to pay damages
by way of compensation, to the person so affected. Sections 66A to 66F have been added
to include 8 more offences as cyber crime. The offence includes sending offensive
electronic message, identity theft, cheating by impersonation using computer resources,
violation of privacy and cyber terrorism. Incorporation of Sections 67 A to 67 C i.e.
publishing or transmitting material in electronic form containing sexually explicit act,

Electronic copy available at: http://ssrn.com/abstract=1680152

Child pornography and obligation of intermediary to preserve and retain such

information as may be specified by central government. Section 69 has been redrafted
enabling Government agencies to intercept, monitor or decrypt any electronic
information with the help of subscribers, intermediary or person incharge of computer
resources. With amended section 79, Intermediaries are not liable for third party data if
they can prove they have only limited function as access, do not initiate the transmission
or do not select receiver and finally taken all due diligence. They are required to remove
unlawful content on receiving actual knowledge. In section 81 of the principal Act, the
following proviso has been inserted at the end, which provides that nothing contained in
this Act shall restrict any person from exercising any right conferred under the Copyright
Act, 1957 or the Patents Act, 1970. So, the rights under patents act and copyright act may
always be exercised.
Introduction:
The Information Technology Act, 2000, (IT Act), was enacted with a view to give legal
recognition and hence, provide extra fillip to the concept of e- transactions, e- commerce
and e- transactions, to prevent cyber crimes and ensure security practices. Due to the
proliferation of information technology enabled services and the recent increase in cyber
crimes, concerns of data security have assumed greater importance. With the above in
mind and to bring the IT Act in line with the Model Law on Electronic Signatures
adopted by the United Nations Commission on International Trade Law, the Information
Technology (Amendment) Act, 2008 (Amended Act) was passed in December 2008,
and has been made effective from 27th October, 2009. A review of the amendments
indicates that there are several provisions relating to data protection and privacy as well
as provisions to curb terrorism using the electronic and digital medium that have been
introduced into the new Act.
Incorporation of Electronic Signature
The term digital signature has been replaced with electronic signature to make the
Act more technology neutral. The phrase electronic signature is the umbrella term to
describe any type of digital marking used by a party to be bound or to authenticate a
record. It is a very broad term, and could include markings as diverse as digitized images
of paper signatures, typed notations such as "/s/Ram Prakash at the bottom of an
electronic document, or even addressing notations, such as electronic mail headers or
footers
Digital signatures are a specific type of electronic signature. A digital signature is
legally more acceptable than other types of electronic signatures, as it offers both
signer and document authentication. Signer authentication is the capability to identify the
person who digitally signed the document. Document authentication ensures that the
document or transaction (or the signature) cannot be easily altered. The process of
creating a digital signature and verifying it accomplishes the essential effects that a
handwritten signature does today for many legal purposes.

Electronic copy available at: http://ssrn.com/abstract=1680152

Insertion of new Section to define Communication Device:

Communication device means cell phones, personal digital assistance or combination of
both or any other device used to communicate, send or transmit any text, video, audio or
image. It became imperative as the current law is quiet on what kind of devices can be
included under this category. The amended IT Act has clarified that a cellphone or a
personal digital assistance can be termed as a communication device and action can be
initiated accordingly.
Inclusion of definition of Cyber Cafe:
There have been many instances in last few years in India where Cyber Cafes have been
used either for real or false communication. Various Cyber Crimes like acquiring net
banking password through wrong ways and then withdrawing money from the concerned
bank account have been done at Cyber Cafes. It has been a common practice where
Cyber Cafes have also been used to send unwanted obscene e- mails to harass the
recipients. So, in order to resort the above said problem, Cyber Cafes have been
considered as one of the key intermediaries which need to be regulated.
There was no explicit definition of Cyber Cafes in the Information Technology Act, 2000
and one had to interpret them as Network Service Providers as interpreted from Section
79 which imposed on them a responsibility for Due Diligence failing which they would
be liable for the offences committed in their network.
The New Amendments Act has however provided an explicit definition for Cyber Cafe
and also included them under the term Intermediaries. Several aspects of the act
therefore become applicable to Cyber Cafes and there is a need to take a fresh look at
what Cyber Cafes are expected to do for Cyber Law Compliance.
Cyber cafe, as defined in section 2 (na) means any facility from where access to the
internet is offered by any person in the ordinary course of business to the members of the
public.
Broadening the definition of Intermediary:
Now as per the amendment act. 2008 intermediary, with respect to any particular
electronic records, means any person who on behalf of another person receives, stores or
transmits that record or provides any service with respect to that record and includes
telecom service providers, network service providers, internet service providers, web
hosting service providers, search engines, online payment sites, online-auction sites,
online-market places and cyber cafes;.

Enforceability of Contract:
After section 10 of the principal Act, a new section shall be inserted, which reads asWhere in a contract formation, the communication of proposals, the acceptance of
proposals, the revocation of proposals and acceptances, as the case may be, are expressed
in electronic form or by means of an electronic record, such contract shall not be deemed
to be unenforceable solely on the ground that such electronic form or means was used for
that purpose.
So we can interpret that in contracts, the communication of proposals/ acceptance/
revocation of proposals and acceptances concluded electronically, shall henceforth, be
recognized and be enforceable.

Heavy Compensation to affected user (Section 43 A):

A new section 43A has been inserted to protect sensitive personal data or information
possessed, dealt or handled by a body corporate in a computer resource which such body
corporate owns, controls or operates. If such body corporate is negligent in implementing
and maintaining reasonable security practices and procedures and thereby causes
wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of
compensation to the person so affected.
Reasonable security practices and procedures
With the incorporation of section 43, the IT Act now requires corporates to maintain
reasonable security practices, and procedures as to sensitive personal data or information.
At the same time there is a gap that the act does not define the phrase reasonable security
practices, and procedures. Referring to section 43A, Reasonable Security Practice and
Procedures can be determined as
a) As defined between the parties by mutual agreement or
b) As specified in any law for the time being in force or
c) To be specified by the Central Government in consultation with such professional
bodies or associations as it may deem fit.
But the bitter fact is that till now there is no law specifying security practice nor has the
Central government defined the security practices to be implemented in order to securing
vital data. So, the contracting parties have freedom to decide their own procedures of
protecting their confidential information. In addition to that the parties are free to put
provision regarding penalizing for any breach of such contractual obligations. So, as long
as the term is not defined, the companies can enter into their own contracts and lay down
minimum standards for protecting data.
If we see the practice followed, then it can be realized that initially Indian companies
primarily comply with BS 7799, a global standard that covers all domains of security.

Now, ISO 27001 is the replacement for BS7799. Basically, ISO 27001 is Information
Security Management mandated for Public Companies and critical sectors. In addition,
companies make Service Level Agreements (SLA) having very strict confidentiality and
security clauses.

Indian Computer Emergency Response Team (Cert-In) securing the National

Cyber Space
Indian Computer Emergency Response Team (CERT-In) was established by the
Department of Information Technology, Govt. of India in January 2004 with a specific
mandate to respond to computer security incidents. With the passage of Information
Technology (Amendment) Act 2008, CERT-In has been designated as Nodal agency for
coordinating all matters related to cyber security and emergency response. It is now
assigned with the task of oversight of the Indian cyber space for enhancing cyber
protection, enabling security compliance and assurance in Government and critical
sectors and facilitating early warning & response as well as information sharing and
cooperation.
Additions in Section 66:
The amendment act defines the concept of cyber terrorism and has made it a abominable
crime. As an offence, Cyber terrorism has been made punishable with life term
imprisonment and fine in the amendment act. This is really a welcoming amendment
keeping in mind the sovereignty, integrity and security of India. We can see this
amendment as highly qualifies strategy after Mumbai 26/11 Attacks.
Section 66 expands the definition of cybercrime to include identity theft and makes it
punishable by up to three years of imprisonment. Sections 66A 66F define and impose
penalties for other cyber crimes, including cyber-terrorism. These sections are Spoofing
and SPAM (Section 66A), Identity theft (Section 66C), E-Commerce Frauds (Section 66
C and D), Phishing (Section 66D), Violation of Privacy (Section 66 E) Cyber Terrorism
(Section 66F). Clearly, this addition in section 66 is one of the most important changes
that have been brought about pertains to cyber terrorism, with Section 66 F of the
amended legislation prescribing life imprisonment for such offences. This assumes
significance as the recent terror attacks have demonstrated just how tech-savvy militants
can be.

Amendment in Section 67:

Section 67 of the old Act is amended to reduce the term of imprisonment for publishing
or transmitting obscene material in electronic form to three years from five years and
increase the fine thereof from Indian Rupees 100,000 (approximately USD 2000) to
Indian Rupees 500,000 (approximately USD 10,000). A host of new sections have been
inserted as Sections 67 A to 67C. While Sections 67 A and B insert penal provisions in

respect of offenses of publishing or transmitting of material containing sexually explicit

act and child pornography in electronic form, section 67C deals with the obligation of an
intermediary to preserve and retain such information as may be specified for such
duration and in such manner and format as the central government may prescribe.
The Chennai Police cyber cell has became the first agency to apply the Section 67amended act. The Section 67-B of the amended act firmly deal with the offence of
publishing or transmitting Child pornography material through electronic medium. A
Dutch national residing in Chennai was arrested by the cyber crime police who was found
indulged in the felonious act of uploading child pornographic materials on the internet.
The Chennai police got the tip off of the crime from the Child Exploitation Online
Protection Centre in Germany through Interpol that led to the arrest of Heum. The
amended act has considered the offence of child pornography as a heinous one and has
made it cognizable and non-bailable. It is equally a positive sign that cyber crime cell is
enforcing the Information Technology Amendment Act, 2008 with the help from their
foreign counterparts.
Revision of Section 69
Revision of existing Section 69 to empower Central Government to designate agencies
and issue direction for interception and safeguards for monitoring and decryption. The
provision of Blocking of Information for public access is mentioned in Section 69A. The
provision of Monitoring of Traffic Data and Information for Cyber Security is mentioned
in Section 69B. So, the new amendments have strengthened the hands of the
administration by increasing the ambit of the powers of interception of the Government.
Breach of confidentiality and privacy
The new amended section 72A implies that an intermediary is required to act as per the
terms of its lawful contract and not to disclose any personal information to cause
wrongful loss or wrongful gain to any other person. It states that except as otherwise
provided in the IT Act or any other law in force, if any person, including an intermediary,
while providing services under the terms of a lawful contract, has secured access to any
material containing personal information about another person, and with intent to cause
or knowing that he is likely to cause wrongful loss or wrongful gain, discloses the
material to another person without the consent of the person concerned or in breach of a
contract, then the person disclosing such information can be punished with imprisonment
for up to three years and/or can be fined up to INR 5 lakh. While the existing provision,
section 72 of the IT Act, which provides penalty in the form of fine and/or imprisonment
if information obtained by virtue of a power granted under the IT Act is disclosed to a
third party without the consent of the person concerned. So, the section 72 has a limiting
factor of the phrase power granted under the IT Act. At the same time the ambit of
section 72A, is wider than the existing section 72 and extends to disclosure of personal
information of a person (without consent) while providing services under a lawful
contract and not merely disclosure of information obtained by virtue of powers granted
under the IT Act.

A confidence giving legislation to Internet Service Providers

With the increasing use of internet technology the issue of liability of internet service
providers (ISPs) for third party content is one of the most controversial issues in the
world cyber law. Different jurisdictions around the world have dealt with the issue either
through legislative provisions or judicial pronouncements. Till now, position in India was
indefinite with respect to liability for copyright infringing third party content. With the
advent of IT (Amendment) Act, 2008 there is a significant clarification regarding the
scope of immunities available to intermediaries. Unlike the immunities under the old IT
Act, these immunities are not only available with respect to offences under the IT Act,
2000 but even for the liabilities arising under any law.
Amended Section 79 states that subject to the exceptions, an intermediary shall not be
liable for any third party information, data, or communication link made available or
hasted by him.
The exception to the above are:
the intermediary has conspired or abetted in the commission of the unlawful act;
or
2. upon receiving actual knowledge, or on being notified by the appropriate
Government or its agency that any information, data or communication link
residing in or connected to a computer resource controlled by the intermediary is
being used to commit the unlawful act, the intermediary fails to expeditiously
remove or disable access to that material on that resource without vitiating the
evidence in any manner.
1.

Means in the above two situation, the ISPs will be made liable. Also, we have to
remember that third party information means any information dealt with by an
intermediary in his capacity as an intermediary.
Also it is interesting to note that the requirement of knowledge has now been expressly
changed to receiving actual knowledge. Actual knowledge here may mean the receipt of
information from a third party, but not necessarily from own inquiry upon the content of
the information. This has been combined with a notice and take down duty. Preventive
due diligence has been done away with and the ISP is only required to prove that it did
not conspire or abet the commission of the unlawful act. These changes seem
advantageous to ISPs as they set more lenient parameters for qualifying for safe harbour.
The ISP shall not be liable only in cases where intermediary has limited themselves to
providing access to a communication system over which information made available by
third parties is transmitted or temporarily stored or the intermediary does not (i) initiate
the transmission,(ii) select the receiver of the transmission, and (iii) select or modify the
information contained in the transmission; and the intermediary observes due diligence

while discharging his duties under this Act and also observes such other guidelines as the
Central Government may prescribe in this behalf.
The amendments to Section 79 of the IT Act contains non obstanate clause i.e.
Notwithstanding anything contained in any law for the time being in force and
accordingly it gives a protective shield to ISP against liability arising due to some other
legislation. At the same time the amended section 81 has a proviso- Provided that
nothing contained in this Act shall restrict any person from exercising any right conferred
under the Copyright Act, 1957 or the Patents Act, 1970. The interpretation of this
section is that it is to keep the primacy of the Patent Act and the Copyright Act over the
Information Technology Act. We can correlate the section 79 and 81 by inferring that
other legislation is Copyright Act. Both the section counter each other but a careful and
finer study will justify that the section 79 has been amended to give more relaxation to
ISPs.
Basically, section 79 of the amended act has been framed in accordance with EU
Directives on E- Commerce to determine the extent of responsibility of intermediaries for
third party data or content. The objective of the directive is to promote free flow of
information between the member states. The EU Directive provides for the liability of the
intermediaries in a very detailed manner, which includes not only intellectual property
rights and associated liabilities but also general content liability. The motivation behind
the EU Directive on electronic commerce is to develop information society services
(ISS), ensure legal certainty and consumer confidence through the coordination of
national laws, and clarify legal concepts for the proper functioning of the internal market,
in order to create a legal framework to ensure the free movement of ISS between Member
States. This specific free movement of services is part of a general principle of law in
the European Economic Community, namely freedom of expression, as enshrined in
Article 10(1) of the European Convention on Human Rights and Fundamental Freedoms.
This principle is subject only to restrictions expressed in paragraph 2 of that Article and
in Article 56 (1) of the EC Treaty.

Under the E-Commerce Directive, an ISP is exempt from liability when it serves as a
"mere conduit" (Article 12) or provides "temporary caching" (Article 13) for the sole
purpose of making the transmission of content more efficient, is of a mere technical,
automatic and passive nature, and where the ISP has neither knowledge nor control over
the content being transmitted or stored. The conditions under which a hosting provider is
exempted from liability, as stated at Article 14(1)(b) form the basis for the development
of "notice and take down" procedures by copyright owners to ISPs to remedy instances of
infringement. However, the EU does not recommend legislative initiative in this regard;
it prefers that ISPs, in consultation with rights holders, develop their own notice and take
down procedures.

Conclusion:
Though, Information Technology Act, 2000, itself is a comprehensive legislation but it
has had some inherent shortcomings. With the new amendment act now in force, we can
hope that various difficulties and issues in real cyber world will be resolved. The
amended act is a welcoming attempt to fill gaps in old act in India, for instance,
introducing legal recognition to electronic signatures, data protection obligations and
mechanisms, provisions to combat emerging cyber security threats such as cyber
terrorism, identity theft, spamming, video voyeurism, pornography on internet, and other
crimes. It paved the way for removing the implementation of the IT Act by removing
certain undesirable wordings in some sections.
It can be expected that the lacuna may also be filled with the time as and when more
problems will be encountered by the Judiciary. Basically we cannot say that this
amendment is an end itself but it is a beginning as the IT act may require amendments as
and when the technology advances more and more. As it is evident that the dimension of
the technology is increasing both vertically as well as, more amendments may be made to
make it full proof.
Reference:
Information Technology Act with Amendments Act 2008.
Computer Contracts & Information Technology Law: Joga Rao S: Wadhwa and
Company, 2005.
A handbook on Information technology: Cyber law and E-Commerce Syed Shakil
Ahmed: Rajiv Raheja, Capital Law House.
Network Security Essentials: Applications and Standards W. Stallings: Pearson
Education.