By Deepak Maheshwari: Today (October 17, 2023) marks 23 years since India’s Information Technology Act (IT Act) had come into force on October 17, 2000. Considering the adoption, diffusion and integration in daily lives of Internet and mobile over the past few decades, this legislation has been a subject of enormous interest, intense debate and of course, fervent litigation.
Time to rewind and replay the story:
- July 25, 1998
108 recommendations of the Prime Minister’s IT Task Force notified after approval by the Union Cabinet. These included:
“ (102) A National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data shall be framed by the Government within six months.”
“(107) The draft set of Cyber Laws prepared by the Cyber Law Committee set up by the Committee of Secretaries, shall be approved by the Government with suitable modifications and implemented, as a first step, within six months.”
- May 17, 2000
Parliament passes the Information Technology Bill, 2000, an amended version of the Information Technology Bill, 1999 (IT Bill, 1999).
IT Bill, 1999 was introduced on 16 December 1999 in the Parliament by then Minister for Information Technology Pramod Mahajan. The Bill was referred to the Standing Committee on Science and Technology, Environment and Forests.
Incidentally, before it had morphed into IT Bill, 1998 a set of twin bills were proposed, viz. E-Commerce Bill, 1998 and E-Commerce Support Bill, 1998.
- October 17, 2000
Information Technology Act, 2000 comes into force. President had given assent to Information Technology Act, 2000 (IT Act, 2000) on June 9, 2000.
- February 5, 2002
Safescrypt became the first Certifying Authority (CA) under the IT Act, 2000 and issued the first digital signature to (late) Pramod Mahajan, then Minister of Communications & IT at NASSCOM’s India Leadership Forum (NILF) in Mumbai on the following day, February 6, 2002.
- February 27, 2003
Procedure for Blocking of websites notified with Computer Emergency Response Team – India (CERT-IND) as the sole authority for issuing instructions in this context. CERT was not a statutory body then.
- December 17, 2004
Avnish Bajaj, CEO of the online marketplace Bazee.com (now eBay.in) is arrested (subsequently granted bail on 21 December 2004 and ultimately acquitted by the Supreme Court) on account of an obscene video clip of 2 minute 37 seconds that had been listed and sold by Ravi Raj one of its registered sellers named, also arrested on the same day.
- January 2005
Government constitutes Expert Committee chaired by the then IT secretary Brijesh Kumar to review the IT Act, 2000.
- August 29, 2005
Expert Committee proposes numerous amendments to the IT Act, 2000:
- July 20, 2006
- December 15, 2006
Information Technology (Amendment) Bill, 2006 introduced in the Parliament by then Minister of Communications & IT Thiru. Dayanidhi Maran, and referred to the Parliamentary Standing Committee on IT chaired by Mr. Nikhil Kumar on December 19, 2006.
- September 7, 2007
- December 23, 2008
Information Technology (Amendment) Bill, 2008 passed by the Parliament (December 22 by Lok Sabha and December 23 by Rajya Sabha, respectively). It had been introduced on 16 December 2008 by then Minister of Communications & IT Thiru. A. Raja.
- October 27, 2009
Information Technology (Amendment) Act 2008 comes into force. Rules notified in respect of:
- Procedure and safeguards for interception, monitoring and decryption
- Blocking for access of information by public
- Monitoring and collecting traffic data or information
President had given assent to the Information Technology (Amendment) Act, 2008 on February 5, 2009.
- July 26, 2010
TETRA Communication Secured Communication System Network notified as a ‘Protected System’ under IT Act, first such notification by the Government of India.
- April 11, 2011
Rules notified in respect of procedure and safeguards for:
- Reasonable security practices and procedures and sensitive personal data or information
- Intermediary guidelines
- Guidelines for cyber cafe
- Electronic service delivery
- January 16, 2014
- March 24, 2015
Supreme Court strikes down Section 66A of the IT Act holding it ultra vires of the Constitution in the Public Interest Litigation (PIL) filed by Shreya Singhal, then a law student.
- September 18, 2015
Draft Encryption Policy based on recommendations of a High Level Expert Committee published for public comments.
- December 21, 2015
Central Identity Depository Data Repository (CIDR) of Unique Identification Authority of India (UIDAI) notified as a ‘Protected System’ under the IT Act. Incidentally, the Aadhaar Act was enacted in 2016.
- June 29, 2020
Starting with a ban on 59 mobile apps that day, the Government goes on to ban a total of 267 mobile apps over the next few days. Incidentally, names of these apps were published in the official press releases, unlike the blocking orders that are issued to the service providers only.
- February 25, 2021
- April 28, 2022
These include, inter alia, a mandate to report specific type of “cyber incidents to CERT – In within 6 hours of noticing such incidents or being brought to notice about such incidents”.
Modes of reporting include email, Phone and Fax.
- August 11, 2023
The government “published for general information” The Digital Personal Data Protection Act (DPDPA), 2023 after receiving the President’s assent on the same day. It had been passed in both the houses earlier in the same week.
However, it is pertinent to mention that the DPDPA is yet to come into force and a lot of subordinate legislation would be needed to make it effective.
At least three major policy instruments are under consideration, viz.
- Digital India Act
This is under discussion since 2022 and a presentation was made on March 9, 2023 in Bengaluru. However, the legislative draft Bill is yet to be published for public consultation.
- National Cyber Security Strategy
In 2019, office of the National Cyber Security Coordinator (NCSC) within the National Security Council Secretariat (NSCS) had initiated consultations on the ‘National Cyber Security Strategy’. However, the same is yet to be notified.
- Policy for Non-Personal Data (NPD)
Consultations have also been underway for several years (for example, see India Data Accessibility and Use Policy, 2022) but the formal policy is still awaited. All the same, National Data Sharing and Accessibility Policy (NDSAP), 2012 under the aegis of the Department of Science & Technology continues to be in force.
About The Author: Deepak Maheshwari is a public policy consultant, researcher and archivist.