It Project

UNIVERSITY INSTITUTE OF LEGAL STUDIES,
PANJAB UNIVERSITY.
TOPIC:-THE PENALTIES & ADJUDICATIONS.

SUBJECT:- THE INFORMATION TECHNOLOGY LAWS.
SUBMITTED TO- DR. AMITA VERMA SUBMITTED BY- SOUMIL GOYAL
ROLL NO. 97/13
10TH SEMESTER
B.A. LL.B. (HONS.)
UILS
PANJAB UNIVERSITY
- UNIVERSITY INSTITUTE OF LEGAL STUDIES -
ACKNOWLEDGMENT
I would like to express my special thanks of gratitude to my teacher “DR. AMITA VERMA” who
gave me the golden opportunity to do this wonderful project on the topic ‘Penalties &
Adjudications’, which also helped me in doing a lot of Research and I came to know about so
many new things. I am really thankful to her. I would also like to thank my parents and
friends who helped me a lot in finishing this project within the limited time.
- PENALTIES & ADJUDICATIONS - Page 1

THE TABLE OF CONTENTS
1. THE LIST OF ABBREVIATIONS…………………. 3
2. THE TABLE OF CASES………………………….. 4
3. INTRODUCTION………………………………… 5
4. SECTION 43…………………………………….. 7
5. SECTION 43 A………………………………….. 14
6. SECTION 44 & SECTION 45……………………. 18
7. SECTION 46…………………………………….. 19
8. SECTION 47…………………………………….. 21
9. BIBLIOGRAPHY………………………………… 22

THE LIST OF ABBREVIATIONS
AIR All India Reporter
IT Information Technology, 2000
Hon’ble Honorable
etc et cetera
i.e. id est (that means)
r/w read with
LJ Law Journal
Re. Reference
US United States
No. Number
Ors. Others
p. Page
u/s under section
w.e.f with effect from
SC Supreme Court
SCC Supreme Court Cases
v. Versus
Vol. Volume

THE TABLE OF CASES
1. Avtar Singh v. State of Punjab, AIR 1965 SC 666.
2. Rajkot Municipal Corpn. v. Manjulben Jayantilal Nakum, (1997) 9 SCC 552.
3. Indian National Congress (I) v. Institute of Social Welfare , (2002) 5 SCC 685

INTRODUCTION
Cyber Crime means any crime that is committed with the help of computer, computer system,
and computer network or communication device. It is a criminal activity that uses a computer
either as an instrument, target or a means for perpetuating further crimes. Thus, cyber crime
may be defined in simple terms as unlawful act wherein the computer is either a tool or target
or both.
Under Information Technology Act, 2000 Cyber Contraventions refers to a Civil wrong.
Cyber contraventions may be defined as Civil Wrongs where compensation is the remedy.
Cyber Contraventions have been described under Chapter IX in Section 43 to 45 of the
Information Technology Act, 2000.
Cyber Crime may be classified under two heads:
I. Cyber Contraventions (Section 43-45)

II. Cyber Offences (Section 65-74)
 The cyber contraventions are less serious and adjudicated by adjudicating officers,
however, cyber offences are treated as more serious crimes and trial is made in the
judicial Courts.
 The remedy for cyber contraventions is compensation whereas remedy for cyber
offences is imprisonment or fine or both
 The element of mens rea is missing in the cyber contraventions whereas mens rea is
an essential element to constitute cyber offences.1
A cyber contravention is a violation of the cyber law in India that does not result in criminal
proceedings, but may result in civil proceedings. The punishment may range from payment of
compensation or penalty. 2 Basically, Cyber Contraventions are ‘civil wrongs’ for which
compensation is payable by the defaulting party. Cyber offences on the other hand constitute
cyber frauds and crimes which are criminal wrongs for which punishment of imprisonment
and/or fine is prescribed by the Information Technology Act 2000.
1
Dr. Kunwar Vijay Pratap Singh, A Handbook on Cyber Laws & Investigations, Shreeram Law House,
Chandigarh, 1st Ed. (2012), p. 271.
2
http://lawisgreek.com/cyber-laws-what-is-cyber-contravention-and-cyber-offences/

In the scheme of the act, sections 43-45 are the ones that fall in the category of ‘Cyber
contraventions’. These sections address different issues and hence impose variable penalties
on the offenders.
Section 43 is a very important provision in the sense that it identifies ten different causes of
causing damage to computer, computer system or computer network. Likewise, section 43-A
deals with the failure to protect any sensitive personal data or information. The contravener
whether of section 43 and section 43A is liable to pay damages by way of compensation to
the person so affected. It is for the affected person to assess the value of damage caused and
approach the appropriate.

SECTION 43
I. SECTION 43 (A) ACCESSES

OR SECURES ACCESS TO SUCH COMPUTER, COMPUTER
SYSTEM OR COMPUTER NETWORK [OR COMPUTER RESOURCE];
Section 43 (a) takes into account:
i) attempts made to access or
ii) securing access to: Computer, computer system or computer network

or computer resource without permission of the owner or any other
person who is incharge of such computer, computer system or
computer network.
That is, even repeated attempts or trials to access, whether successful or not will be covered
under this clause. Definition of Access: section 2(1) (a) as given in this act. The important
ingredient of ‘access’ is:
“instructing or communicating with the logical, arithmetical or

memory function resources of a computer, computer system or
computer network.”
The term covers both physical and virtual access to computer, computer system or computer
network. Physical access means being ‘physically present’ whereas virtual access means
being ‘remotely connected’ using satellite, microwave, terrestrial line or other
communication media.
II. SECTION 43 (B) DOWNLOADS,COPIES OR EXTRACTS ANY DATA, COMPUTER DATA

BASE OR INFORMATION FROM SUCH COMPUTER, COMPUTER SYSTEM OR COMPUTER
NETWORK INCLUDING INFORMATION OR DATA HELD OR STORED IN ANY
REMOVABLE STORAGE MEDIUM;
The aforesaid clause (b) is an attempt by the legislature to introduce elements of copyright
protection in the digital medium. It is about digital content rights. The aforesaid clause (b)
has used specific words, like ‘downloads” ,”copies’ or “extracts” to highlight the ‘software-
hardware’ interface involving a computer, computer system or computer network. Any
unauthorised “downloading”, “coping” or “extraction” of any data, computer database are
specific acts of omissions that shall make the offender liable to pay damages by way of
compensation not exceeding one crore rupees to the person so affected.
This sub clause also takes into consideration unauthorized infringement of data [section 2(o)]
in any form (including computer printouts, magnetic or optical storage media, punched cards,
punched tapes) or data stored internally n the memory of the computer, computer databases.
Illustration:
A lady has violated Section 43 of The Information Technology Act,2000 and made
unauthorized access to Gmail accounts of her husband and her father-in law, and

unauthorisedly downloaded/forwarded/printed their emails and chat sessions with others, thus
committing Identity. Theft by using the password belonging to others dishonestly, and
violating the privacy of not only the Complainants, but also of others with whom these chat
sessions were conducted. Given the fact that she gave the evidence only to Police and the
Court, in the Dowry case lodged by her against her husband and in-laws, and did not make It
widely public. Hence the Court ordered that she pay a token fine of Rupees One Hundred to
the State Treasury.3
Surprisingly, the aforesaid clause (b) would term 'access support systems’, like caching
activity as infringement to the digital content rights of an owner. Caching means copying of a
web page/site and storing that copy for the purpose of speeding up subsequent accesses. It
ensures that the load on the servers of on in will be reduced as they can be accessed from the
cached servers. It also means that caching involves duplicating/copying other peoples literary
and artistic work stored in binary files on to the hardware of the PC/server and may constitute
copyright infringement. Caching by its application process reproduces a copy ink another
server that is against the copyright holder's reproduction rights.
III. SECTION 43 (C) INTRODUCES

OR CAUSES TO BE INTRODUCED ANY COMPUTER
CONTAMINANT OR COMPUTER VIRUS INTO ANY COMPUTER, COMPUTER SYSTEM OR
COMPUTER NETWORK;
The aforesaid clause (c) takes into account:
i) attempts made to introduce or

ii) successful introduction, of any computer contaminant or computer virus into
any computer, computer system or computer network without permission of
the owner or any other person who is incharge of such computer, computer
system or computer network.
The Explanation attached to section 43 further defines the terms 'computer contaminant' and
'computer virus'.
Any person who introduces or causes to introduce any computer contaminant or computer
virus into any computer, computer system or computer network shall be liable to pay
damages by way of compensation to the person so affected. Now an affected person is at a
liberty to quantify the losses on account of disruption in its normal (programmed) activity
caused by a computer contaminant or computer virus.
IV. SECTION 43 (D) DAMAGES OR CAUSES TO BE DAMAGED ANY COMPUTER, COMPUTER

SYSTEM OR COMPUTER NETWORK, DATA, COMPUTER DATA BASE OR ANY OTHER
PROGRAMMES RESIDING IN SUCH COMPUTER, COMPUTER SYSTEM OR COMPUTER
NETWORK;
The aforesaid clause (d) takes into account:
i) attempts made to damage or or
3
http://sapost.blogspot.in/2011/11/beware-of-section-43-of-information.html

ii) successful damage, of any computer, computer system or computer

network,data,computer database or any other programmes residing in such
computer, computer system or computer network.
MEANING OF “DAMAGE”:
 The Explanation (iv) attached to section 43(iv) defines the word "damage" as means
to destroy, alter, delete, add modify or rearrange any computer resource by any
means.
 It includes damage to both hardware and/or software either done physical or through a
virtual medium. It includes both physical and/or virtual damage to any computer,
computer system or computer network, data, computer data base Or other
programmes residing in such computer, computer system or computer network. 4
Any person who damages or causes to be damaged any computer, computer system or
computer network, data, computer data base or any other programs residing in such
computer, computer system or computer network shall be liable to pay damages by way of
compensation to the person so affected.
V. SECTION 43 (E) DISRUPTS

OR CAUSES DISRUPTION OF ANY COMPUTER, COMPUTER
SYSTEM OR COMPUTER NETWORK;
The aforesaid clause (e) takes into account
(i) attempts made to disrupt or

(ii) successful disruptions, of any computer, computer system or computer
network; Disruption here implies unexpected deviation in the normal
(programmed) standard operations of a computer, computer system or
computer network.
Disruptions may lead to malfunctioning of a computer, computer system or computer
network thereby affecting its expected normal (programmed)/ standard performance. It is
obligatory that the clause (e) be studied/ applied along with aforementioned clauses (c) and
(d) as these clauses may also be one of the reasons of disruption. Any person who disrupts or
causes disruption of any computer ,computer system or computer network, data, computer
data base or any other program residing in such computer, computer system or computer
network shall be liable to damages by way of compensation to the person so affected.
Illustration:
Mr.A by altering the user ID of Mr.B denies access to him to any computer, computer system
or computer network whereby Mr.B was authorised to secure access, hence he Mr.A is liable
under section 43(f).5
VI. SECTION 43 (F) DENIESOR CAUSES THE DENIAL OF ACCESS TO ANY PERSON
AUTHORISED TO ACCESS ANY COMPUTER, COMPUTER SYSTEM OR COMPUTER
NETWORK BY ANY MEANS;
4
Sharma Vakul, “Information Technology Law and Practice”, Third Edition, Universal Law Publishing Co.,
New Delhi,2014,p.120
5
Dr.Rattan Jyoti,Rattan Vijay, “Cyber Laws and Information Technology”, Fifth Edition, Bharat Law House
Pvt.Ltd.,New Delhi,2015,p.264

The aforesaid clause (f) takes into account
i) attempts made to deny or

ii) Successful denial, of access to any person authorized to access any computer,
computer system or computer network by any means.
That is, denying legitimate physical and virtual access by manipulating the access
code/password/user id, etc. by altering/modifying/dismantling/by passing or any other means
the cured system.
One of the objectives of the clause is to prevent occurrence of 'Denial of Service'

(DOS)attacks, as such attacks block the authorized users from using the site-services. In the
realm of e-commerce and related activities, such a clause has an extremely important role to
play. Any person who denies or causes the denial of access to any person authorized to access
any computer, computer system or computer network by any means shall be liable to pay
damages by way of compensation to the person so affected.
CASE LAW:
MafiaBoy was the Internet alias of Michael Calce (born 1986), a high school student
from West Island, Quebec, who launched a series of highly publicized denial-of-service
attacks in February 2000 against large commercial websites,
including Yahoo!, Fifa.com, Amazon.com, Dell,Inc., E*TRADE, eBay, and CNN.
On February 7, 2000, Calce targeted Yahoo! with a project he named Rivolta, meaning “riot”
in Italian. Rivolta was a denial-of-service attack in which servers become overloaded with
different types of communications to the point where they shut down completely. At the
time, Yahoo! was a multibillion-dollar web company and the top search engine. Mafiaboy's
Rivolta managed to shut down Yahoo! for almost an hour. Calce's goal was, according to
him, to establish dominance for himself and TNT, his cybergroup, in the
cyberworld. Buy.com was shut down in response. Calce responded to this in turn by bringing
down eBay, CNN, Amazon and Dell.com via DDoS over the next week.6
VII. SECTION 43 (G) PROVIDES ANY ASSISTANCE TO ANY PERSON TO FACILITATE ACCESS
TO A COMPUTER, COMPUTER SYSTEM OR COMPUTER NETWORK IN CONTRAVENTION
OF THE PROVISIONS OF THIS ACT, RULES OR REGULATIONS MADE THEREUNDER;
The aforesaid clause (g) is an attempt by the legislature to create an obligation for the users.
The sweep of the clause is quite broad as it refers to providing any assistance to any person to
facilitate access to a computer, computer system or computer network in contravention of the
provisions of this Act, rules or regulations made thereunder.
It is important to note that the definition of access [section 2(1)(a)] which provides for
gaining entry into, instructing or communicating with the logical, arithmetical, or memory
function resources of a computer, computer system or computer network, very well
articulates technological aspects of access. Any person who provides any assistance to any
6
“MAFIABOY”, https://en.wikipedia.org/wiki/MafiaBoy.

person to facilitate access to a computer, Computer system or computer network in

contravention of the provisions of this Act, rules or regulations made thereunder shall be
liable to pay damages by way of compensation to the person so affected. 0
VIII. SECTION 43 (H) CHARGES THE SERVICES AVAILED OF BY A PERSON TO THE ACCOUNT
OF ANOTHER PERSON BY TAMPERING WITH OR MANIPULATING ANY COMPUTER,
COMPUTER SYSTEM, OR COMPUTER
The purpose of the aforesaid clause (h) is to safeguard the rights of a holder of an Internet
Service Provider (ISP) or e-commerce sites by another person.The idea is to prevent theft,
misappropriation, misrepresentation, fraud or forgery of access code/user id/password, etc.,
by a person to the account of another person by tampering with or manipulating any
computer, computer system or computer network.
Any person who charges the services availed of by a person to the account of another person
by tampering with or manipulating any computer, computer system, or computer network
shall be liable to pay damages by Way of compensation to the person so affected.
Illustration:
Theft of Internet Hours In order to constitute theft under section 378 of IPC, five ingredients
are essential:
(a) Dishonest intention to take property;

(b) the property must be removable;
(c) it should be taken out of the possession of another person;
(d) it should be taken without the consent of that person; and
(e) there must be some moving of the property in order to accomplish the taking of it.
From the point of view of an accountholder of an Internet account the important question is,
would 'theft of Internet hours' constitute theft as defined under section 378 of IPC? Would it
mean that the 'Internet hours' constitute a moveable property?
It was held by the Supreme Court in Avtar Singh v. State of Punjab7, that though electricity is
not movable property within the meaning Of section 378, IPC, and as such its dishonest
abstraction cannot be regarded as theft under section 378, yet by a legal fiction created by
section 39 of the, Indian Electricity Act, 1910, such act should be deemed to be an offence of
theft and punished under section 379, IPC, read with section 39 of the Electricity Act, 1910.
The prosecution in cases of theft of electricity however, has to be launched only at the
instance of a person named in section 50 of the Electricity Act.
Keeping in view the aforesaid judgment it may be argued that though the `Internet hours' is
not a movable property within the meaning of section 378 ,IPC yet by a legal condition
created by section 43(h) of the Information Technology act.
7
AIR 1965 SC 666.

IX. SECTION 43 (I) DESTROYS,

DELETES OR ALTERS ANY INFORMATION RESIDING IN A
COMPUTER RESOURCE OR DIMINISHES ITS VALUE OR UTILITY OR AFFECTS IT
INJURIOUSLY BY ANY MEANS;
It takes into account any activity, which may result into destruction, deletion or alteration of
any information residing in a computer resource or diminishes its (computer resource) value
or utility or affects it (computer resource) injuriously by any means.
The aforesaid clause (i) in a way identifies 'computer related contraventions'. One may find
the subject-matter of clause (i) and previous section 66 (of old Act) somewhat similar. The
only difference is that under clause (1) "intention or knowledge" is not an essential
ingredient.
The essentials of 'computer-related contraventions' under clause (i) are:
(a) Whoever,
(b) Causing wrongful loss or damage to the public or any person,
(c) Destroying, deleting or altering any information residing in a computer resource,
Or diminishing its value or utility, or affecting it injuriously by any means.
It involves an invasion of right and diminution of the value or utility of one's information
residing in a computer resource. The contravener may not have contemplated this when he
destroyed, deleted or altered any information in a computer resource. Hacking involves
mental act with destructive animus. It is the essence of this contravention that the contravener
must have caused (or attempts to cause) destruction or alteration of information residing in a
computer resource or diminish its value or utility or affect it injuriously by any means in
order to make out a contravention under clause (i), it necessary to show that there was
wrongful loss or damage to the public or any person. The word wrongful' means prejudicially
affecting a party in some legal right.
X. SECTION 43 (J) STEAL, CONCEALS, DESTROYS OR ALTERS OR CAUSES ANY PERSON

TO STEAL, CONCEAL, DESTROY OR ALTER ANY COMPUTER SOURCE CODE USED FOR A
COMPUTER RESOURCE WITH AN INTENTION TO CAUSE DAMAGE;
[HE SHALL BE LIABLE TO PAY DAMAGES BY WAY OF COMPENSATION TO THE PERSON
SO AFFECTED]
It takes into account any activity, which may result into stealing, concealing, destruction or
alteration of any computer source code used for a computer resource with an intention to
cause damage.
The essence of this contravention is that the contravener must have caused (or attempts to
cause) stealing, concealing, destruction or alteration of any computer source code. The term
"computer source code" has been defined in the Explanation (v) attached to the aforesaid
section as:

",..the listing of programmes, computer commands, design and layout and programme
analysis of computer resource in any form".
Interestingly, this clause (j) has added "intention" on the part of the contravener to cause
damage. This is ,the only clause under section 43 which falls in the category of 'pre-
mediated’ cyber contravention. An act is intentional if it exists in idea before it exists in fact,
the idea realizing itself in the fact because of the desire by which it is accompanied. 8
Under the section 43, the presumption is that any given computer, computer system or
computer network under the control of the owner/incharge at any given place or time is a
secure system. Any access without permission of the owner or any, other person who is
incharge of such computer, computer system or computer network (or computer resource)
shall attract penalty under the said provision.
An affected party under section 43 has a right to seek damages from the wrongdoer by
compelling him to pay for the damage done. The remedy lies in tort. The purpose of the law
of tort is to adjust losses and offer compensation for tortuous liability. It was held by the
Supreme Court in Rajkot Municipal Corpn. v. Manjulben Jayantilal Nakum9: that the law
could not attempt to compensate all losses. Such an aim would not only be overambitious but
might conflict with basic notions of social policy. Society has no interest in mere shifting of
loss between individuals for its own sake. The loss, by hypothesis, may have already
occurred, and whatever benefit might be derived from repairing, the fortunes of one person is
exactly offset by the harm caused through taking that amount away from another. The
economic assets of the community do not increase and expense is incurred in the process of
realization.
The Court further observed that:

"in absence of statutory law in this regard in India, common law
principles evolved in England may be applied in India to the extent of
suitability and applicability to Indian conditions".
Hence, it is important that the adjudicating officer [section 46] under the Act must follow ,the
law of tort principles while granting damages by way of compensation. Further, it is
obligatory to note that section 43 is the 'heart-of-the-matter' of this Act. One must be creative
enough to interpret this section vis-a-vis various cyber contraventions. An attempt has been
made to articulate the scope of this section.
8
Supra note 4.
9
(1997) 9 SCC 552.

SECTION 43 A
This provision is applicable for the wrong committed by the Body Corporate. It is important
to note that Section 43 A was inserted by Information Technology (Amendment) Act, 2008.
It provides for compensation for failure to protect data by a Body Corporate.
“Where a body corporate, possessing, dealing or handling any

sensitive personal data or information in a computer resource which it
owns, controls or operates, or is negligent in implementing and
maintaining reasonable security practices or procedures and thereby
causes wrongful loss or wrongful gain to any person, such body
corporate shall be liable to pay damages by way of compensation to
the person such affected.”
SENSITIVE PERSONAL DATA OR INFORMATION. —
Explanation (iii) to Section 43 A Sensitive Personal Data or Information means such personal
information as may be prescribed as sensitive by the Central Govt. in consultation with such
professional bodies or associations as it may deem fit.
According to Rule 3 of the Information Technology (Reasonable Security Practices and

Procedures and Sensitive Personal Data or Information) Rules, 2011:10
Sensitive personal data or information of a person means such personal information which
consists of information relating to;—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other
payment instrument details ;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for
providing service; and
(viii) any of the information received under above clauses by body corporate for
processing, stored or processed under lawful contract or otherwise:
Provided that, any information that is freely available or accessible in public domain or
furnished under the Right to Information Act, 2005 or any other law for the time being in
force shall not be regarded as sensitive personal data or information for the purposes of these
rules.
10
http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf

BODY CORPORATE:- According to Explanation (i) to Section 43 A “body corporate”

means any company: and includes a firm, sole proprietorship or other associations of
individual engaged in commercial or professional activities.
DUTIES OF BODY CORPORATE:11
1. To provide policy for privacy and disclosure of information

2. To collect information
3. Prior Permission before disclosure of information
4. Transfer of information.
TO PROVIDE POLICY FOR PRIVACY AND DISCLOSURE OF INFORMATION

{Rule 4 of The Information Technology (Reasonable Security Practices and Procedures
And Sensitive Personal Data or Information) Rules, 2011:12
(1) The body corporate or any person who on behalf of body corporate collects, receives,
possess, Stores, deals or handle information of provider of information, must provide
a privacy policy for handling of or dealing in personal information including sensitive
personal data or information and ensure that the same are available for view by such
providers of information who has provided such information under lawful contract.
Such policy must be published on website of body corporate or any person on its
behalf and must provide for:
(i) Clear and easily accessible statements of its practices and policies.
(ii) Type of personal or sensitive personal data or information collected.
(iii) Purpose of collection and usage of such information.
(iv) Disclosure of information including sensitive personal data or information.
(v) Reasonable security practices and procedures.
TO COLLECT INFORMATION (Rule 5 of The Information Technology (Reasonable

Security Practices and Procedures And Sensitive Personal Data or Information) Rules,
2011:13
(1) Body corporate or any person on its behalf shall obtain consent in writing through letter
or Fax or email from the provider of the sensitive personal data or information regarding
purpose of usage before collection of such information.
(2) Body corporate or any person on its behalf shall not collect sensitive personal data or
information unless —
(a) The information is collected for a lawful purpose connected with a function or
activity of the body corporate or any person on its behalf; and
11
Dr. Kunwar Vijay Pratap Singh, A Handbook on Cyber Laws & Investigations, Shreeram Law House,
Chandigarh, 1st Ed. (2012), p. 287.
12
13

(b) The collection of the sensitive personal data or information is considered

necessary for that purpose.
(3) While collecting information directly from the person concerned, the body corporate or
any person on its behalf snail take such steps as are, in the circumstances, reasonable to
ensure that the person concerned is having the knowledge of —
(a) The fact that the information is being collected;
(b) The purpose for which the information is being collected;
(c) The intended recipients of the information; and
(d) The name and address of —
(i) The agency that is collecting the information; and
(ii) The agency that will retain the information.
(4) Body corporate or any person on its behalf holding sensitive personal data or information
shall not retain that information for longer than is required for the purposes for which the
information may lawfully be used or is otherwise required under any other law for the time
being in force.
(5) The information collected shall be used for the purpose for which it has been collected.
(6) Body corporate or any person on its behalf permit the providers of information, as and
when requested by them, to review the information they had provided and ensure that any
personal information or sensitive personal data or information found to be inaccurate or
deficient shall be corrected or amended as feasible: Provided that a body corporate shall not
be responsible for the authenticity of the personal information or sensitive personal data or
information supplied by the provider of information to such boy corporate or any other
person acting on behalf of such body corporate.
(7) Body corporate or any person on its behalf shall, prior to the collection of information
including sensitive personal data or information, provide an option to the provider of the
information to not to provide the data or information sought to be collected. The provider of
information shall, at any time while availing the services or otherwise, also have an option to
withdraw its consent given earlier to the body corporate. Such withdrawal of the consent shall
be sent in writing to the body corporate. In the case of provider of information not providing
or later on withdrawing his consent, the body corporate shall have the option not to provide
goods or services for which they said information was sought.
(8) Body corporate or any person on its behalf shall keep the information secure as provided
in rule 8.
(9) Body corporate shall address any discrepancies and grievances of their provider of the
information with respect to processing of information in a time bound manner. For this

purpose, the body corporate shall designate a Grievance Officer and publish his name and
contact details on its website. The Grievance Officer shall redress the grievances or provider
of information expeditiously but within one month ' from the date of receipt of grievance.
PRIOR PERMISSION BEFORE DISCLOSURE OF INFORMATION (Rule 6 of the

Information Technology (Reasonable Security Practices and Procedures And Sensitive
Personal Data or Information) Rules, 2011:14
(1) Disclosure of sensitive personal data or information by body corporate to any third party
shall require prior permission from the provider of such information, who has provided such
information under lawful contract or otherwise, unless such disclosure has been agreed to in
the contract between the body corporate and provider of information, or where the disclosure
is necessary for compliance of a legal obligation: Provided that the information shall be
shared, without obtaining prior consent from provider of information, with Government
agencies mandated under the law to obtain information including sensitive personal data or
information for the purpose of verification of identity, or for prevention, detection,
investigation including cyber incidents, prosecution, and punishment of offences. The
Government agency shall send a request in writing to the body corporate possessing the
sensitive personal data or information stating clearly the purpose of seeking such information.
The Government agency shall also state that the information so obtained shall not be
published or shared with any other person.
(2) Notwithstanding anything contain in sub-rule (1), any sensitive personal data on
Information shall be disclosed to any third party by an order under the law for the time being
in force.
(3) The body corporate or any person on its behalf shall not publish the sensitive personal
data or information.
(4) The third party receiving the sensitive personal data or information from body corporate
or any person on its behalf under sub-rule (1) shall not disclose it further.
TRANSFER OF INFORMATION (Rule 7 of the Information Technology (Reasonable

Security Practices and Procedures and Sensitive Personal Data or Information) Rules,
2011:15
A body corporate or any person on its behalf may transfer sensitive personal data or
information including any information, to any other body corporate or a person in India, or
located in any other country, that ensures the same level of data protection that is adhered to
by the body corporate as provided for under these Rules. The transfer may be allowed only if
it is necessary for the performance of the lawful contract between the body corporate or any
person on its behalf and provider of information or where such person has consented to data
transfer.
14
15

SECTION 44 & SECTION 45
Section 44. Penalty for failure to furnish information, return, etc.- If any person who is
required under this Act or any rules or regulations made there under to-
(a) furnish any document, return or report to the Controller or the Certifying Authority
fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and
fifty thousand rupees for each such failure;
(b) file any return or furnish any information, books or other documents within the
time specified therefor in the regulations fails to file return or furnish the same within
the time specified therefor in the regulations, he shall be liable to a penalty not
exceeding five thousand rupees for every day during which such failure continues;
(c) maintain books of account or records, fails to maintain the same, he shall be liable
to a penalty not exceeding ten thousand rupees for every day during which the failure
continues.
Section 45: Residuary penalty.-Whoever contravenes any rules or regulations made under
this Act, for the contravention of which no penalty has been separately provided, shall be
liable to pay a compensation not exceeding twenty-five thousand rupees to the person
affected by such contravention or a penalty not exceeding twenty-five thousand rupees.

SECTION 46: POWER TO ADJUDICATE
Section 46 of the Act grants the Central Government the power to appoint an adjudicating
officer to hold an enquiry to adjudge, upon complaints being filed before that adjudicating
officer, contraventions of the Act. The adjudicating officer may be of the Central
Government or of the State Government [section 46(1) of the Act], must have field
experience with information technology and law section 46(3) of the Act] and exercises
jurisdiction over claims for damages up to 5,00,00,000 [see section 46(1A) of the Act]. For
the purpose of adjudication, the officer is vested with certain powers of a civil court [section
46(5) of the Act] and must follow basic principles of natural justice while conducting
adjudications [see section 46(2) of the Act]. Hence, the adjudicating officer appointed under
section 46 is a quasi-judicial authority.
In addition, the quasi-judicial adjudicating officer16 may impose penalties, thereby vesting
him with some of the powers of a criminal court [section 46(2) of the Act], and award
compensation, the quantum of which is to be determined after taking into account factors
including unfair advantage, loss and repeat offences [section 47 of the Act]. The adjudicating
officer may impose penalties for any of the offences described in section 43, section 44 and
section 45 of the Act; and, further, may award compensation for losses suffered as a result of
contraventions of section 43 and section 43A. The text of these sections is reproduced in the
Schedule below. Further law as to the appointment of the adjudicating officer and the
procedure attendant on all adjudications was made by Information Technology (Qualification
and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003.17
The section 46(1) makes it very clear that for the purpose of adjudging under this Chapter
[Chapter IX: Penalties and Adjudication] whether any person has committed a contravention
of any of the provisions of this Act or of any rule, regulation, direction or order made
thereunder, there shall be an adjudicating officer for holding an inquiry in the manner
prescribed by the Central Government.
It is obligatory to note that the Central Government as per the Gazette Notification for
Information Technology Rules, 2003 under the short title "Qualification and Experience of
16
Indian National Congress (I) v. Institute of Social Welfare ,“ where law requires that an authority before
arriving at a decision must make an enquiry, such a requirement of law makes the authority a quasi-judicial
authority"(2002) 5 SCC 685
17
http://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication
maharashtra.

Adjudicating Officer and Manner of Holding Enquiry" vide Gazette Notification G.S.R.
220(E), dated 17th March, 2003 has notified 'Scope and Manner of Holding Inquiry' [rule 4]
Some of its important provisions are:

(a) to exercise jurisdiction in respect of the contraventions in relation to Chapter IX of the
Act;
(b) to receive complaint from the complainant;
(c) to issue notices together with all the documents to all the necessary parties to the
proceedings, fixing a date and time for further proceedings;
(d) to hold an enquiry or dismiss the matter or may get the matter investigated; (e) to enforce
attendance of any person or persons;
(f) to fix a date and time for production of documents (including electronic records) or
evidence; and
(g) to hear and decide every application, as far as possible, in four months and the whole
matter in six months.

SECTION 47: FACTORS TO BE TAKEN INTO ACCOUNT BY THE ADJUDICATING OFFICER-
While adjudging the quantum of compensation under this Chapter, the adjudicating officer
shall have due regard to the following factors, namely:-
(a) the amount of gain of unfair advantage, whenever quantifiable, made
as a result of the default;
(b) the amount of loss caused to any person as a result of the default;
(c) the repetitive nature of the default.
The Chapter is self-contained code. It also lays down factors for adjudging the quantum of
compensation. Since, the amount of compensation is not to exceed rupees five crore, it is
important that the adjudicating officer must create an objective framework to arrive
'reasonably' at the compensation amount. The task of the adjudicating officer is to measure
the cost of contravention (default) in terms of monetary value. It is basically a 'cause, effect
and compensation' approach. It covers provisions of section 43(a) to (j), section 43A, section
44 and section 45. The idea is that the defaulter has to make good of be losses.While deciding
the quantum of compensation, it is mandatory for the adjudicating officer to calculate the
'cost of default' under three different heads:(a) gain of unfair advantage i.e., estimated trade
loss; (b) the actual 'monetary loss' caused to any person as a result of the default; and (c) the
repetitive nature of the default (recurring default cost), if any.
Further, it is obligatory to note that the term "compensation" as stated in the Oxford
Dictionary, signifies that, which is given in recompense, ana equivalent rendered. "Damages"
on the other hand constitute the sum of money claimed or adjudged to be paid in
compensation for loss or injury sustained, the value estimated in money, of something lost or
withheld. The term "compensation" etymologically suggests the image of balancing one thing
against another; its primary signification is equivalence, and the secondary and more
common waning is something given or obtained as an equivalent1. "Compensation" is a
return for the loss or damage sustained. Justice requires that it should be equal in value,
although not alike in kind . The adjudicating officer has an important role to play. He has not
only the trappings of a quasi-judicial authority but also has the power of a court to give a
decision or a definitive judgment which has finality and authoritativeness which are essential
tests of a judicial pronouncement. The adjudicating officer, therefore, possesses all the
attributes of a court. 18
18
Supra note 4,p.139

BIBLIOGRAPHY
STATUTORY COMPILATIONS
1. THE INFORMATION TECHNOLOGY ACT, 2000.
DICTIONARIES
1. BRYAN A. GARNER, BLACK’S LAW DICTIONARY (8th ed. 2001).
2. OXFORD ENGLISH DICTIONARY, (2nd ed. 2009).
3. WEBSTER’S NEW INTERNATIONAL DICTIONARY (1926).
WEBSITES
1. http://lawisgreek.com/cyber-laws-what-is-cyber-contravention-and-cyber-offences/
2. http://sapost.blogspot.in/2011/11/beware-of-section-43-of-information.html
3. https://en.wikipedia.org/wiki/MafiaBoy
4. http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf
5. http://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-
for-adjudication maharashtra.
BOOKS
1. Kunwar, Vijay, A Handbook on Cyber Laws & Investigations, Chandigarh: Shreeram
Law House, 1st ed. (2012).
2. Sharma, Vakul, “Information Technology Law and Practice”, 3rd ed., New Delhi:
Universal Law Publishing Co., 2014.
3. Jyoti, Rattan, “Cyber Laws and Information Technology”, 5th ed., Delhi: Bharat Law
House Pvt. Ltd., 2015.

It Project

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

It Project

Diunggah oleh

Hak Cipta:

Format Tersedia

UNIVERSITY INSTITUTE OF LEGAL STUDIES,

TOPIC:-THE PENALTIES & ADJUDICATIONS.

- PENALTIES & ADJUDICATIONS - Page 1

THE TABLE OF CONTENTS

1. THE LIST OF ABBREVIATIONS…………………. 3

2. THE TABLE OF CASES………………………….. 4

6. SECTION 44 & SECTION 45……………………. 18

- PENALTIES & ADJUDICATIONS - Page 2

THE LIST OF ABBREVIATIONS

AIR All India Reporter

IT Information Technology, 2000

i.e. id est (that means)

r/w read with

u/s under section

w.e.f with effect from

SCC Supreme Court Cases

- PENALTIES & ADJUDICATIONS - Page 3

THE TABLE OF CASES

1. Avtar Singh v. State of Punjab, AIR 1965 SC 666.

2. Rajkot Municipal Corpn. v. Manjulben Jayantilal Nakum, (1997) 9 SCC 552.

- PENALTIES & ADJUDICATIONS - Page 4

Cyber Crime may be classified under two heads:

I. Cyber Contraventions (Section 43-45)

- PENALTIES & ADJUDICATIONS - Page 5

- PENALTIES & ADJUDICATIONS - Page 6

I. SECTION 43 (A) ACCESSES

Section 43 (a) takes into account:

i) attempts made to access or

ii) securing access to: Computer, computer system or computer network

“instructing or communicating with the logical, arithmetical or

II. SECTION 43 (B) DOWNLOADS,COPIES OR EXTRACTS ANY DATA, COMPUTER DATA

- PENALTIES & ADJUDICATIONS - Page 7

III. SECTION 43 (C) INTRODUCES

The aforesaid clause (c) takes into account:

i) attempts made to introduce or

IV. SECTION 43 (D) DAMAGES OR CAUSES TO BE DAMAGED ANY COMPUTER, COMPUTER

The aforesaid clause (d) takes into account:

i) attempts made to damage or or

- PENALTIES & ADJUDICATIONS - Page 8

ii) successful damage, of any computer, computer system or computer

V. SECTION 43 (E) DISRUPTS

The aforesaid clause (e) takes into account

(i) attempts made to disrupt or

- PENALTIES & ADJUDICATIONS - Page 9

The aforesaid clause (f) takes into account

i) attempts made to deny or

One of the objectives of the clause is to prevent occurrence of 'Denial of Service'

- PENALTIES & ADJUDICATIONS - Page 10

person to facilitate access to a computer, Computer system or computer network in

(a) Dishonest intention to take property;

- PENALTIES & ADJUDICATIONS - Page 11

IX. SECTION 43 (I) DESTROYS,

The essentials of 'computer-related contraventions' under clause (i) are:

(b) Causing wrongful loss or damage to the public or any person,

(c) Destroying, deleting or altering any information residing in a computer resource,

Or diminishing its value or utility, or affecting it injuriously by any means.

X. SECTION 43 (J) STEAL, CONCEALS, DESTROYS OR ALTERS OR CAUSES ANY PERSON

- PENALTIES & ADJUDICATIONS - Page 12

The Court further observed that:

- PENALTIES & ADJUDICATIONS - Page 13

“Where a body corporate, possessing, dealing or handling any

SENSITIVE PERSONAL DATA OR INFORMATION. —

According to Rule 3 of the Information Technology (Reasonable Security Practices and

- PENALTIES & ADJUDICATIONS - Page 14