In the renowned case of K.S. Puttaswamy (Retd.) v. Union of India (2017), the Supreme Court recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India. This landmark judgment has significant implications for data protection and privacy in the digital age. To ensure the protection of privacy in India, cyber laws were introduced, the first being the Information Technology Act, 2000.
Cyber laws are crucial for several reasons. They provide a framework to protect individuals and organizations from cybercrimes, ensure data privacy and security, and regulate online activities. As the digital world continues to evolve, cybercrimes also adapt, creating new challenges and opportunities. With technological advancement, cybercrimes grow more complex, and the legal framework must adapt effectively. The emergence of AI has further highlighted the need for updated cyber laws to maintain checks and balances in the digital sphere.
The prolonged use of the internet over the last decades gave rise to cyber law in the 20th century. Cyber law governs cyberspace, the virtual society formed by interconnected computers and telecommunication networks. It protects this virtual sphere, covering all aspects of online transactions and activities involving the internet, the world wide web, and cyberspace. Every action in cyberspace carries legal and cyber-legal implications. Cyber law addresses areas such as cybercrimes, electronic and digital signatures, intellectual property, and data protection and privacy.
Cyberspace is also exploited by malicious actors using techniques that cybersecurity professionals often employ legitimately. For example, Nmap (network scanning), Metasploit (penetration testing framework), Burp Suite (web proxy), and Aircrack-ng (wireless network security testing) are tools that can be misused. As India advances under the Digital India scheme, strong legal frameworks are essential to protect individuals, businesses, and the nation from risks of the digital age.
Additional tools like Artificial Intelligence (AI) and Blockchain can also impose cyber threats. However, when used correctly, they enhance cybersecurity. AI excels in real-time threat detection, anomaly detection, and automated responses, while blockchain ensures data integrity, decentralization, and secure identity management. Together, these technologies can strengthen cybersecurity. Yet, they can also be misused—AI may power cyberattacks, phishing campaigns, or deepfakes, while blockchain can aid money laundering, phishing, and ransomware due to its decentralized nature.
India is integrating AI into legal research, case management, judicial procedures, and law enforcement, streamlining operations and improving access to justice. The case of Tamil Nadu v. Suhas Katti (2004) was the first cybercrime judgment under the IT Act. It dealt with cyberstalking, online evidence, and subsequent legal developments under Section 67 of the IT Act. This case motivated many to report cybercrimes and set a benchmark by accepting online evidence under the Indian Evidence Act for the first time. It significantly impacted courts and society by encouraging resistance to cyber harassment and defamation.
Concept of Cyber Crime
Cyber crimes are unlawful or illicit activities committed using computers, networks, or other electronic devices. They include financial fraud, identity theft, and malware distribution. Cybercrimes can target computers or networks directly or use them as tools to commit crimes globally. These activities affect individuals, businesses, and governments, aiming to cause disruptions, steal data, or conduct fraud. The famous Sony Sambandh case, India’s first cybercrime conviction, highlighted the importance of relying on the Indian Penal Code (IPC), 1860, when the IT Act was insufficient.
Types of Cyber Crimes
- Breach of Cyber Security: Unauthorized access to computer systems or networks leading to data theft or disruption. Examples include data breaches, ransomware attacks, cyber terrorism, and supply chain infiltrations.
- Cyber Threats: Unlawful acts by hackers aiming to damage networks, systems, or devices. Examples include Trojan attacks, Advanced Persistent Threats (APTs), and phishing activities like fraudulent emails or texts.
- Digital Content Offences and Cyberbullying & Harassment: Creation or distribution of harmful content online. This includes identity theft, cyberbullying, phishing, child pornography, cyberstalking, morphing, and hate speech. The Information Technology Act and the Indian Penal Code provide punishments for these crimes. In Shreya Singhal v. Union of India, the Supreme Court struck down Section 66A of the IT Act for being vague and threatening free speech.
- Fraudulent Activities in Cyberspace: Crimes like credit card scams and OTP fraud. For example, in the Pune Citibank MphasiS Call Center Fraud, a former employee illegally accessed Citibank client accounts. The case highlighted outsourcing risks and the importance of strong data protection measures.
Background of Indian Cyber Law
There are three types of lists in India, namely the Union List, State List, and Concurrent List, which include subjects decided by the legislature of India. However, the subject of security is not a part of any of these three lists. Instead, it falls under the Residuary List. The subjects not included in any of the three lists in the 7th Schedule of the Indian Constitution are called residuary subjects. Under Article 248 of the Constitution, the Parliament has the power to make laws on these subjects.
In the late 1990s, with the rapid growth of the internet, the need arose to address issues legally. This surge in internet usage brought concerns such as cybercrime, data privacy, and intellectual property disputes. Traditional laws were insufficient to address these new challenges, which created the need for specific legislation for the digital realm. Hence, cyber law, also known as information technology law, became necessary.
In the year 2000, this need was fulfilled by the Information Technology Act (IT Act), introduced on 17th October 2000. The Act marked the beginning of cyber law in India. It deals with cybercrime and electronic commerce, providing legal recognition for electronic transactions and filing documents with government agencies. The Act consists of 13 chapters, 94 sections, and 4 schedules.
The IT Act has been updated over time to keep up with emerging technologies and cyber threats. It was amended in 2008, coming into effect in 2009. The Information Technology (Amendment) Act, 2008, introduced provisions for cyber-terrorism, identity theft, intermediary liability, and stronger penalties for cyber offenses. It also focused on data protection, requiring organizations to implement reasonable security measures for personal data.
In 2023, the IT Act was amended again through the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023. These rules focused on creating a government-controlled fact-checking unit and regulating online gaming. They gave the Union Government the authority to remove online content deemed “false, fake, or misleading” related to its business, potentially affecting the safe harbor protections of social media platforms.
The primary reason for amending the IT Act has been to address the evolving landscape of cybercrimes and data protection concerns. However, with new technologies like Artificial Intelligence (AI) and Blockchain emerging, the need for more checks and balances continues to grow.
Artificial Intelligence
Artificial Intelligence (AI) is the simulation of human intelligence in machines designed to replicate human actions. AI covers a wide range of technologies, including machine learning and deep learning. These systems can learn, reason, solve problems, and make decisions, often surpassing human abilities in specific tasks. AI is used in applications such as voice assistants, recommendation systems, and self-driving cars.
India faces several challenges with the rise of AI. Despite increasing demand, there is a significant skills gap. Initiatives like skill-enhancing courses on platforms such as Lawsikho, Lawoctopus, and Addictive Learning aim to bridge this gap among legal scholars and practitioners. However, AI also raises concerns about data security and privacy. India is still working on comprehensive data protection laws, like the Personal Data Protection Bills. Moreover, AI technologies require robust digital infrastructure, which is still lacking in rural areas.
AI is also being misused for illegal purposes. Algorithms can enhance ransomware by selecting the most critical data to encrypt. Deepfake AI is used to create fake images and voices, leading to scams, illicit images, and extortion. For example, a New Zealand MP revealed her deepfake images in parliament to highlight the dangers posed by such technology. AI also automates phishing attacks, helping criminals steal sensitive information. In March 2024, the US Treasury Department reported that misuse of AI poses dangers to financial services, enhancing cyberattacks and espionage.
Cyber laws are necessary not only to counter AI-driven crimes but also to address corporate issues like copyright infringement and DMCA violations. In the case of Doe vs Github, the plaintiffs alleged that Microsoft, Github, and OpenAI violated open-source licenses and the DMCA by using copyrighted material to build Copilot and Codex. Similarly, in Bartz vs Anthropic, the plaintiffs alleged copyright infringement in the creation of Claude LLMs. These cases may significantly impact how AI tools are developed and deployed.
Blockchain Technology
Blockchain technology is a secure record-keeping system, primarily used in accounting to track financial transactions. It enables the registration of transactions and tracking of assets across networks, storing data in digital form for safe transactions.
Blockchain was first introduced by Bitcoin, launched on 3rd January 2009 by Satoshi Nakamoto. Nakamoto developed blockchain, also known as a decentralized ledger, to solve the problem of “double spending” in digital currency. Blockchain, also called Distributed Ledger Technology (DLT), organizes data in blocks that are linked together in chains.
While blockchain is praised for its security, it is not immune to cybercrime. Cybercriminals exploit vulnerabilities through phishing, smart contract exploits, and 51% attacks, leading to financial losses, data breaches, and network disruptions. Though blockchain’s decentralized and immutable nature provides protection, criminals often target user behavior and weak platform interfaces, tricking victims into revealing sensitive information to steal funds.
The legal status of blockchain in India is still uncertain. There is no specific law regulating blockchain, though existing laws provide partial guidance, particularly in relation to crypto exchanges. A landmark case was Internet and Mobile Association of India (IAMAI) vs Reserve Bank of India (RBI), 2021, decided by a three-judge bench comprising Justices V. Ramasubramaniam, Aniruddha Bose, and Rohinton Fali Nariman. The Supreme Court quashed the RBI’s ban on cryptocurrency dealings, ruling that it violated Article 19(1)(g) of the Indian Constitution. This judgment had a significant impact, restoring banking services for cryptocurrency businesses in India.
Digital Sovereignty
The 21st century has brought continuous digitalization in India. With these changes, the idea of Digital Sovereignty is evolving. Although the term was coined in the 1990s, it gained major relevance in recent years due to the increasing politicization of technology.
Its roots can be traced back to the 1947 Atlantic City Conference. During the 2000s, discussions on digital sovereignty peaked, focusing on data privacy, economic competitiveness, and security. Today, the concept continues to evolve with ongoing debates on its meaning, implications, and applications across various fields.
India’s Three Pillars of Digital Sovereignty
- Emphasizing data as a key tool of economic growth and development, while closely monitoring multinational private actors.
- Pursuing a domestic strategy backed by global diplomacy to prevent inequitable digital trade rules.
- Leveraging data security in bilateral security disputes.
Meaning of Digital Sovereignty
Digital sovereignty combines the concepts of “digital” and “sovereignty.” It refers to the ability of an individual, organization, or nation to control its digital assets, data, and operations within a specific jurisdiction.
It is an umbrella term that includes the right to store, process, access, and govern digital information. In simpler words, it means managing your own data and avoiding foreign control.
Important Case Law and Legislation
- K.S. Puttaswamy & Anr. vs Union of India & Ors. – Recognized the right to privacy as a fundamental right under Article 21, leading to the Digital Data Protection Act, 2023.
- Anvar P.V. vs P.K. Basheer & Ors. (2014) – Clarified requirements for admitting electronic records as evidence, particularly the need for a Section 65B certificate under the Indian Evidence Act.
Current laws relevant to digital sovereignty include the DPDP Act, SEBI and RBI regulations, the Information Technology Act, cybersecurity rules, and TRAI regulations. However, India still lacks a specific law dedicated solely to digital sovereignty.
Challenges to Digital Sovereignty in India
- Global divide: The U.S. favors unrestricted data flow with a laissez-faire approach, while Russia and China advocate for information sovereignty.
- Data colonialism: Western tech companies exploit data from developing countries to strengthen their market dominance, often at the cost of local users.
- Trust deficit: Public mistrust arises due to limited understanding of rapidly advancing technology among lawmakers, officials, and citizens.
Conclusion: Need For Change In Dynamics Of Cyber Law
Change is essential for progress. As technology advances, cyber laws must evolve to remain effective. Current laws are insufficient to address emerging technologies such as Artificial Intelligence and Blockchain. With the rise of digital sovereignty, reform in India’s cyber laws has become urgent.
The essence of law is to create order, ensure justice, protect rights, and promote fairness. However, present cyber laws are not comprehensive enough to regulate AI, blockchain misuse, or to safeguard digital sovereignty effectively. Strengthening these laws is vital for India’s future in the digital era. References:
- Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) – Landmark case affirming the right to privacy as a fundamental right.
- Suhas Katti v. State of Tamil Nadu (2004) – First conviction in India for cyber defamation.
- Sony Sambandh case (CBI v. Arif Azim, 2013) – One of India’s earliest cases addressing cyber fraud.
- Indian Penal Code, 1860 – Sections 418, 419, and 420 deal with cheating, impersonation, and fraud.
- Shreya Singhal v. Union of India (2015) – Supreme Court struck down Section 66A of the IT Act, protecting free speech online.
- Artificial Intelligence in Financial Services Report (Dec 2024) – U.S. Treasury’s report on AI use, risks, and opportunities in finance. Source: https://home.treasury.gov/system/files/136/Artificial-Intelligence-in-Financial-Services.pdf
- Doe v. GitHub (2023) – Case filed in the U.S. District Court (N.D. California) concerning AI and copyright issues.
- Bartz v. Anthropic (2024) – Legal dispute in N.D. California involving AI accountability.
- IAMAI v. RBI (2021) – Supreme Court struck down RBI’s ban on cryptocurrency services in India.
- 1947 International Telecommunication Union Conference – Held in Atlantic City, USA, shaping global communication frameworks.
- K.S. Puttaswamy v. Union of India (2014) – Early privacy rights case leading to the 2017 landmark judgment.
- Anvar P.V. v. P.K. Basheer & Ors. (2014) – Supreme Court clarified rules on electronic evidence admissibility.
Written By: Ayush Kumar Arihant, 4th year B.A.LL.B.(Hons) – University of Allahabad, Prayagraj.
The author may be reached at [email protected]
