23 Milestones of India’s IT Act @ 23

By Deepak Maheshwari: Today (October 17, 2023) marks 23 years since India’s Information Technology Act (IT Act) had come into force on October 17, 2000. Considering the adoption, diffusion and integration in daily lives of Internet and mobile over the past few decades, this legislation has been a subject of enormous interest, intense debate and of course, fervent litigation.

Time to rewind and replay the story:

1. July 25, 1998

108 recommendations of the Prime Minister’s IT Task Force notified after approval by the Union Cabinet. These included:

“ (102)     A National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data shall be framed by the Government within six months.”

“(107)      The draft set of Cyber Laws prepared by the Cyber Law Committee set up by the Committee of Secretaries, shall be approved by the Government with suitable modifications and implemented, as a first step, within six months.”

2. May 17, 2000

Parliament passes the Information Technology Bill, 2000, an amended version of the Information Technology Bill, 1999 (IT Bill, 1999).

IT Bill, 1999 was introduced on 16 December 1999 in the Parliament by then Minister for Information Technology Pramod Mahajan. The Bill was referred to the Standing Committee on Science and Technology, Environment and Forests.

Incidentally, before it had morphed into IT Bill, 1998 a set of twin bills were proposed, viz. E-Commerce Bill, 1998 and E-Commerce Support Bill, 1998.

3. October 17, 2000

Information Technology Act, 2000 comes into force. President had given assent to Information Technology Act, 2000 (IT Act, 2000) on June 9, 2000.

4. February 5, 2002

Safescrypt became the first Certifying Authority (CA) under the IT Act, 2000 and issued the first digital signature to (late) Pramod Mahajan, then Minister of Communications & IT at NASSCOM’s India Leadership Forum (NILF) in Mumbai on the following day, February 6, 2002.

5. February 27, 2003

Procedure for Blocking of websites notified with Computer Emergency Response Team – India (CERT-IND) as the sole authority for issuing instructions in this context. CERT was not a statutory body then.

6. December 17, 2004 

Avnish Bajaj, CEO of the online marketplace Bazee.com (now eBay.in) is arrested (subsequently granted bail on 21 December 2004 and ultimately acquitted by the Supreme Court) on account of an obscene video clip of 2 minute 37 seconds that had been listed and sold by Ravi Raj one of its registered sellers named, also arrested on the same day.

7. January 2005

Government constitutes Expert Committee chaired by the then IT secretary Brijesh Kumar to review the IT Act, 2000.

8. August 29, 2005

Expert Committee proposes numerous amendments to the IT Act, 2000:

Press Release

Summary of the Amendments Proposed by the Expert Committee

Report of the Expert Committee

9. July 20, 2006

Government directs Internet Service Providers to “provide unhindered access to Internet except for the websites/webpages which have been specifically” directed to be blocked.

10. December 15, 2006

Information Technology (Amendment) Bill, 2006 introduced in the Parliament by then Minister of Communications & IT Thiru. Dayanidhi Maran, and referred to the Parliamentary Standing Committee on IT chaired by Mr. Nikhil Kumar on December 19, 2006.

11. September 7, 2007

Parliamentary Standing Committee on IT recommends additional amendments in its report

Summary of the Standing Committee Report by PRS Legislative Research

12. December 23, 2008

Information Technology (Amendment) Bill, 2008 passed by the Parliament (December 22 by Lok Sabha and December 23 by Rajya Sabha, respectively). It had been introduced on 16 December 2008 by then Minister of Communications & IT Thiru. A. Raja.

13. October 27, 2009

Information Technology (Amendment) Act 2008 comes into force. Rules notified in respect of:

• Procedure and safeguards for interception, monitoring and decryption
• Blocking for access of information by public
• Monitoring and collecting traffic data or information

President had given assent to the Information Technology (Amendment) Act, 2008 on February 5, 2009.

14. July 26, 2010

TETRA Communication Secured Communication System Network notified as a ‘Protected System’ under IT Act, first such notification by the Government of India.

15. April 11, 2011

Rules notified in respect of procedure and safeguards for:

• Reasonable security practices and procedures and sensitive personal data or information
• Intermediary guidelines
• Guidelines for cyber cafe 
• Electronic service delivery

16. January 16, 2014

National Critical Information Infrastructure Protection Centre (NCIIPC) notified as the National Nodal Agency under Section 70A.

Computer Emergency Response Team (CERT-In) rules notified under Section 70B. Incidentally, CERT-In had been set up more than a decade prior to this notification, albeit vide an executive order.

17. March 24, 2015

Supreme Court strikes down Section 66A of the IT Act holding it ultra vires of the Constitution in the Public Interest Litigation (PIL) filed by Shreya Singhal, then a law student.

18. September 18, 2015

Draft Encryption Policy based on recommendations of a High Level Expert Committee published for public comments.

Subsequently, the government clarified that the draft policy did not represent its final view and the draft encryption policy was withdrawn on 22 September 2015.

19. December 21, 2015

Central Identity Depository Data Repository (CIDR) of Unique Identification Authority of India (UIDAI) notified as a ‘Protected System’ under the IT Act. Incidentally, the Aadhaar Act was enacted in 2016.

20. June 29, 2020

Starting with a ban on 59 mobile apps that day, the Government goes on to ban a total of 267 mobile apps over the next few days. Incidentally, names of these apps were published in the official press releases, unlike the blocking orders that are issued to the service providers only.

21. February 25, 2021

Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 notified.

22. April 28, 2022

CERT-In issues directions “relating to information security practices, procedure, prevention,  response and reporting of Cyber Incidents for Safe & Trusted Internet.”

These include, inter alia, a mandate to report specific type of “cyber incidents to CERT – In within 6 hours of noticing such incidents or being brought to notice about such incidents”.

Modes of reporting include email, Phone and Fax.

23. August 11, 2023

The government “published for general information” The Digital Personal Data Protection Act (DPDPA), 2023 after receiving the President’s assent on the same day. It had been passed in both the houses earlier in the same week.

25 years after the union cabinet had decided to put in place a framework for Data Protection in July 1998, India does have a dedicated Data Protection Act.

However, it is pertinent to mention that the DPDPA is yet to come into force and a lot of subordinate legislation would be needed to make it effective.

What’s Next?

At least three major policy instruments are under consideration, viz.

• Digital India Act

This is under discussion since 2022 and a presentation was made on March 9, 2023 in Bengaluru. However, the legislative draft Bill is yet to be published for public consultation.

• National Cyber Security Strategy

In 2019, office of the National Cyber Security Coordinator (NCSC) within the National Security Council Secretariat (NSCS) had initiated consultations on the ‘National Cyber Security Strategy’. However, the same is yet to be notified.

• Policy for Non-Personal Data (NPD)

Consultations have also been underway for several years (for example, see India Data Accessibility and Use Policy, 2022) but the formal policy is still awaited. All the same, National Data Sharing and Accessibility Policy (NDSAP), 2012 under the aegis of the Department of Science & Technology continues to be in force.

In addition, the government had invited comments on the Draft National Strategy on Robotics in September 2023. In October 2023,  IndiaAI 2023: Expert Group Report – First Edition was published.

About The Author: Deepak Maheshwari is a public policy consultant, researcher and archivist.