Authored By: P.SORUBAVINCY
The Central Law College
Introduction
The twenty-first century is defined by digital transformation. Cyberspace has become the primary site for commerce, expression, governance, and social interaction, creating legal questions that territorial, paper-based doctrines cannot resolve. Cyber law has emerged as a distinct discipline to regulate conduct involving computers, networks, data, and digital platforms. From its narrow origin in computer misuse statutes, it now addresses data privacy, cybercrime, intermediary liability, electronic evidence, fintech, artificial intelligence, and cross-border jurisdiction. India’s Information Technology Act, 2000 marked the first comprehensive framework, but the scale of digital adoption—UPI, Aadhaar, social media, cloud computing—has since demanded constant legislative and judicial innovation. Landmark decisions like _Justice K.S. Puttaswamy v. Union of India_ constitutionalized digital privacy, while the Digital Personal Data Protection Act, 2023 created a rights-based data regime. Cyber law therefore sits at the intersection of technology, fundamental rights, and state power, making it one of the most critical emerging areas of law.
Background and Context
Cyber law’s genesis lies in the 1980s when personal computers and early networks enabled new forms of fraud and trespass. The U.S. Computer Fraud and Abuse Act, 1986 and UK’s Computer Misuse Act, 1990 were first-generation responses. Internationally, the UNCITRAL Model Law on Electronic Commerce, 1996 provided a template for legal recognition of electronic records and signatures, which India adopted through the IT Act, 2000. The early 2000s focused on e-commerce, hacking, and viruses. The 2008 amendment to the IT Act responded to the Mumbai attacks and growing cyberterrorism, introducing Section 66F and data protection under Section 43A. The last decade witnessed exponential data generation, platform monopolies, and state surveillance capabilities. Events like the Snowden revelations, Cambridge Analytica, and Pegasus spyware debates globalized privacy discourse. The EU’s General Data Protection Regulation, 2018 became the global benchmark, influencing India’s _Puttaswamy_ judgment and the DPDP Act, 2023. Thus, cyber law now spans criminal, constitutional, corporate, and international law, reflecting cyberspace’s pervasive impact.
Legislative and Regulatory Framework in India
The Information Technology Act, 2000 is the foundational statute. It grants legal validity to electronic records under Section 4, electronic signatures under Section 5, and establishes the Controller of Certifying Authorities. On the penal side, Section 43 imposes civil liability for damage to computer systems; Section 66 criminalizes hacking; Sections 66C and 66D target identity theft and cheating by personation; Section 67 addresses publishing obscene material. The 2008 amendments added Section 66A, later struck down, and Section 69/69A for interception and blocking in the interest of sovereignty or public order. Section 79 provides intermediaries “safe harbour” if they observe due diligence, elaborated in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These Rules require significant social media intermediaries to appoint grievance officers, publish compliance reports, and enable traceability of first originator. The Digital Personal Data Protection Act, 2023 shifts India to a consent-based regime. It defines “data fiduciaries,” mandates notice, purpose limitation, and establishes the Data Protection Board of India for adjudication. Sectoral regulators add layers: RBI’s Cybersecurity Framework for Banks, 2016; SEBI’s Cyber Security and Cyber Resilience Framework, 2015; and CERT-In directions on incident reporting. Together, these create a multi-tiered but fragmented architecture.
Constitutionalization of Digital Rights through Judicial Intervention
Indian courts have played a transformative role. _Shreya Singhal v. Union of India_, (2015) 5 SCC 1, invalidated Section 66A IT Act for vagueness and chilling effect on Article 19(1)(a). The Court also read down Section 79, holding that intermediaries need only take down content on actual knowledge from a court order or government notification. This preserved free speech online while retaining state power against unlawful content. _Justice K.S. Puttaswamy v. Union of India_, (2017) 10 SCC 1, a nine-judge bench, declared privacy an intrinsic part of Article 21. The judgment laid down a four-part proportionality test—legality, legitimate aim, necessity, and proportionality—for state intrusions. It became the foundation for data protection law and constrained Aadhaar’s mandatory use. _Anuradha Bhasin v. Union of India_, (2020) 3 SCC 637, recognized internet access as integral to Article 19 and held that indefinite internet shutdowns are unconstitutional. Suspension orders must be necessary, temporary, and subject to review. In _Internet and Mobile Ass’n of India v. RBI_, (2020) 10 SCC 274, the Supreme Court quashed RBI’s 2018 circular banning banking services to crypto exchanges, ruling that regulatory measures must be proportionate and evidence-based. These cases confirm that constitutional guarantees fully extend to cyberspace and that technological policy requires judicial review.
Enforcement Challenges, Jurisdiction, and Digital Evidence
Despite robust statutes, enforcement is weak. National Crime Records Bureau data shows cybercrime cases rose from 27,248 in 2018 to over 65,000 in 2022, yet conviction rates remain below 5%. Reasons include: lack of trained cyber cells, insufficient forensic labs, and rapid obsolescence of digital evidence. Section 65B Indian Evidence Act, 1872 governs electronic evidence admissibility, but _Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal_, (2020) 7 SCC 1, clarified that a certificate is mandatory, creating procedural hurdles. Jurisdiction is another problem. Section 75 IT Act claims extraterritorial reach if the act involves a computer in India, yet investigation requires Mutual Legal Assistance Treaties that take years. Fraudulent call centers in foreign jurisdictions, crypto scams, and ransomware attacks often escape prosecution. Victim compensation under Section 46 IT Act is adjudicated by Adjudicating Officers, but awards are capped at ₹5 crore and proceedings are slow. The 2021 IT Rules’ traceability requirement under Rule 4(2) conflicts with end-to-end encryption used by WhatsApp and Signal, raising technical infeasibility and privacy concerns currently before the Supreme Court in _Facebook v. Union of India_. Thus, the gap between law-in-books and law-in-action remains wide.
Critical Evolution of Cyber Law Doctrine
Cyber law has shifted from _reactive criminalization_ to _preventive regulation_. Early IT Act provisions punished hacking or data damage post-facto. The DPDP Act, 2023 embodies “privacy by design,” requiring data fiduciaries to implement technical measures, conduct audits, and report breaches. The notion of “intermediary” evolved from ISPs to all platforms hosting third-party content, including OTT, online gaming, and e-commerce under the 2021 Rules. Safe harbour under Section 79 is now conditional: platforms lose immunity if they fail due diligence, do not remove content within 36 hours of court order, or fail to appoint India-based officers. Data localization has become central—RBI mandates payment data storage in India; DPDP Act Section 16 restricts transfer to notified countries. Courts have also developed tech-specific doctrines. _Shreya Singhal_ imported the “clear and present danger” test to online speech. _Puttaswamy_ crafted a privacy-proportionality framework. Emerging issues like deepfakes, AI bias, and algorithmic accountability lack dedicated statutes but are being addressed through CERT-In advisories and proposed Digital India Act. Hence, cyber law is moving toward a risk-based, rights-oriented, and technology-neutral model rather than offense-specific codes.
Comparative Perspective—EU, U.S., UK, and Singapore Models
Global approaches diverge. The European Union’s GDPR, 2018 is rights-centric, granting data subjects rights of access, erasure, and portability, with extraterritorial scope and fines up to 4% of global turnover. It influenced Brazil’s LGPD and California’s CCPA. The United States follows a sectoral model: HIPAA for health, COPPA for children, GLBA for finance. Section 230 of the Communications Decency Act gives platforms broad immunity, unlike India’s conditional safe harbour. This has fostered innovation but enabled misinformation. The United Kingdom retained UK GDPR post-Brexit and enacted the Online Safety Act, 2023, imposing a “duty of care” on platforms to prevent illegal content and protect children, with Ofcom as regulator. Singapore’s Personal Data Protection Act, 2012 combined with the Cybersecurity Act, 2018 adopts a licensing model for Critical Information Infrastructure and proactive threat disclosure. China’s Cybersecurity Law, 2017 and Data Security Law, 2021 emphasize sovereignty, real-name verification, and state access. India’s DPDP Act borrows GDPR’s consent but omits right to erasure, provides broad state exemptions under Section 7, and enables government to block platforms under Section 37. India is also not a party to the Budapest Convention on Cybercrime, preferring bilateral arrangements. Thus, India’s model is a hybrid—more statist than the EU, less laissez-faire than the U.S.
Case Law Analysis
- Shreya Singhal v. Union of India, (2015) 5 SCC 1: The Court differentiated between advocacy and incitement, striking down Section 66A for being overbroad. It upheld Section 69A blocking but mandated reasoned orders. The case re-balanced free speech and state regulation in cyberspace.
- Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1: By locating privacy in dignity, liberty, and autonomy, the Court created a constitutional standard for all data laws. It directly led to the withdrawal of the 2018 Personal Data Protection Bill and drafting of the DPDP Act, 2023.
- Anuradha Bhasin v. Union of India, (2020) 3 SCC 637: The Court held that freedom of speech and trade via internet are constitutionally protected. Suspension orders must be published and cannot be indefinite, creating procedural safeguards.
- Internet and Mobile Ass’n of India v. RBI, (2020) 10 SCC 274: The Court applied proportionality to economic regulation of technology, requiring RBI to show harm before imposing a ban. It opened space for crypto innovation while affirming regulatory power.
- Google India Pvt. Ltd. v. Visaka Industries, (2020) 4 SCC 173: The Supreme Court held that intermediaries can be liable as publishers if they fail to remove content after notice, tightening Section 79 standards.
Conclusion
Cyber law has evolved from a niche IT statute to a central pillar of modern jurisprudence. India’s framework, anchored by the IT Act, 2000, DPDP Act, 2023, and transformative judgments like _Puttaswamy_ and _Shreya Singhal_, now addresses privacy, free speech, and platform governance. Yet enforcement, encryption, AI, and cross-border crime present unresolved challenges. The future demands agile legislation such as the proposed Digital India Act, specialized cyber courts, and investment in forensics. Proportionality must guide state power to ensure security does not eclipse liberty. Comparative study shows India must chart a middle path—avoiding U.S. under-regulation and Chinese over-control—while harmonizing with global standards like GDPR for data adequacy. As metaverse, quantum computing, and generative AI reshape society, cyber law will determine whether technology empowers or subjugates. Its continued evolution will define the balance between innovation, national security, and fundamental rights in the digital age.
Reference(S):
- Information Technology Act, No. 21 of 2000, India Code (2000).
- Digital Personal Data Protection Act, No. 22 of 2023, India Code (2023).
- Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
- Shreya Singhal v. Union of India, (2015) 5 SCC 1.
- Anuradha Bhasin v. Union of India, (2020) 3 SCC 637.
- Internet and Mobile Ass’n of India v. Reserve Bank of India, (2020) 10 SCC 274.
- Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1.
- Google India Pvt. Ltd. v. Visaka Industries, (2020) 4 SCC 173.
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, G.S.R. 139(E).
- Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data (General Data Protection Regulation), 2016 O.J. (L 119) 1.
- Communications Decency Act, 47 U.S.C. § 230 (2018).
- Online Safety Act 2023, c. 50 (U.K.).
- Council of Europe, Convention on Cybercrime, Nov. 23, 2001, E.T.S. No. 185.
- Reserve Bank of India, Cyber Security Framework in Banks, RBI/2015-16/418 (June 2, 2016).
![Salomon v Salomon & Co Ltd. [1897] AC 22 (HL)](https://recordoflaw.in/wp-content/uploads/2025/12/ChatGPT-Image-Dec-17-2025-08_24_07-PM.png)




