Dispute resolution framework under the Information Technology Act, 2000

This blog post highlights the key developments and concerns in the dispute resolution framework under the Information Technology Act, 2000.

1. INTRODUCTION

More than 131 million Indian consumers have been victims of cybercrime and India has lost INR 1.24 trillion in cyber-attacks in the previous year[1]. Most victims of cyber-attacks or frauds in India do not know how to proceed against a cyber-attack. Although multiple online cybercrime complaint portals exist[2], the procedure after filing such complaint is blurry.

The Information Technology Act, 2000 (“IT Act”) sets out a framework for resolution of disputes arising out of cyber-attacks like hacking, data theft, and phishing[3]. The framework allows victims of such attacks to claim damages and compensation from the attackers. The IT Act lays down a two-tier dispute resolution process: (i) Adjudication of disputes; and (ii) appeal against the outcome of such adjudication. However, this process seems to exist mostly on paper, and hasn’t really been implemented. Cybercrimes are mostly dealt with by ‘cybercrime cells’ of the respective police departments. In addition to briefly discussing the current framework for dispute resolution under the IT Act, this blogpost also seeks to discuss the existing challenges in this framework, and how they can be addressed.

2. KEY DETAILS OF THE FRAMEWORK

The scope of the framework is limited; it only applies to disputes that relate to the violations listed in the IT Act[4]. There are two categories of violations under the IT Act: (i) contraventions[5] relating to damage to computer, computer systems; protection of data; failure to furnish information, violation of any provision, rule, regulation or direction under the Act; and (ii) offences[6] including cyber terrorism, violation of privacy and cheating. Only disputes relating to contraventions can be resolved through the dispute resolution framework[7]. Offences are criminal in nature, they are dealt with under the criminal laws of India.

The IT Act is applicable to persons and entities both within and outside India[8]. Once a cyber-dispute is adjudicated as per the dispute resolution framework of the IT Act, the same dispute cannot be taken up by a civil court[9].

2.1. The process of adjudication under the IT Act:

The power to adjudicate is given to an ‘Adjudicating Officer’ (“AO”) appointed by the central government[10]. As per the Ministry of Electronics and Information Technology (“MeitY”), the secretary of the department of information technology of each state is appointed as the AO for that state by default[11]. The AO is a quasi-judicial body[12], as it has dual-powers to: (i) order investigation i.e. hold inquiry into the violation of the IT Act on the basis of evidence produced before it[13]; and (ii) adjudicate i.e. it decides the quantum of compensation or penalty to be awarded in case of a violation[14]. The AO can exercise its jurisdiction over matters in which the claim for compensation or damage does not exceed INR 5 crore[15]. The process of adjudication is as follows–

Figure 1: Adjudication Process under the IT Act

The AO is entitled to order investigation into a complaint at any time from the receipt of a complaint by it[16]. This investigation is conducted by an officer in the Office of Controller of Certifying Authorities or CERT-In, or by a Deputy Superintendent of Police[17].

2.2. Appeal

Orders issued by an AO are appealable before the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) [18]. A party can appeal against AO’s order before the TDSAT within 45 days of receiving the order[19]. The right to appeal is not available to the parties if the adjudication order was passed with the consent of the parties[20].

The TDSAT may confirm, modify or set the adjudication order appealed against, after giving the parties a reasonable opportunity to be heard[21]. The TDSAT has the same powers as are vested in a civil court to summon the parties, order production of documents and to review its decisions[22]. A party can file an appeal against TDSAT’s order to the High Court, within 60 days of receiving the order[23].

3. ISSUES WITH THE DISPUTE RESOLUTION FRAMEWORK UNDER THE IT ACT

The framework may look promising in theory, but it has not been as effective in practice. There is hardly any reportage on a cyber-dispute and there is no data available on the number of cases adjudicated upon by officers or the tribunal. We have identified certain issues that highlight the lacunae in the system:

3.1. Possibility of conflicting orders passed by AOs:

They AOs enjoy wide powers. They can adjudicate on violation  of any provision, rule, regulation or direction passed under the IT Act[24]. AOs have sometimes passed orders with significant ramifications. For example, in one case, an AO held a bank liable for not exercising due diligence to prevent phishing[25]. The AO referred to the prevailing RBI guidelines[26] on internet banking to arrive at this conclusion. Thus, AOs can play a significant role in interpreting the IT Act.

There are multiple AOs, who address similar kind of issues, at the same time. This results in the problem of conflicting opinions on the same issue.  For instance, in a case[27], the AO had held that Section 43[28] of the IT Act was not applicable to the bank as it was a body corporate. However, AOs in other states had held otherwise. In multiple cases, Section 43 has been invoked against body corporates[29]. This can make it difficult for an entity to comply with the IT Act, as it may have to consider the opinion of multiple AOs to function across India.

3.2. Poor availability of orders passed by AOs:

To access adjudication orders passed under the IT Act, one has to search through websites of state governments which are not easy to navigate. There is no reportage of these disputes by popular legal databases as well. There should be a central database for adjudication orders. This will enable officers and other stakeholders to refer to these adjudication orders while dealing with violations under the IT Act. It will also enable businesses to keep a track of cyber disputes.

3.3. Excessive burden on department secretaries appointed as AOs:

Secretaries of the department of information technology of the states are AOs by virtue of an old MeitY Order from 2003[30]. They are responsible for the administration of their department, and are actively involved in the governance of the state, in addition to performing their duties as AOs. The dual-aspect of their job is extremely burdensome. Considering the high amount of cyber-offences in the country, there is a need to revamp this system for appointment of AOs. There are other Indian laws where AOs are given independent roles for adjudicating violations[31]. For instance, the Prevention of Money Laundering Act, 2002 (“PMLA”) lays down a similar adjudication procedure for offences. However, instead of appointing AOs, the PMLA has established an ‘Adjudicating Authority’[32]. This authority comprises of a chairperson and two other members. This authority is only involved in adjudication of offences, it is also allowed to have its own staff for assistance[33]. The IT Act could adopt a mechanism similar to the other laws to ensure efficacy and speedy disposal of adjudications. 

3.4. Need for capacity building in adjudication of cyber offences:

There is a need to build the capacity of AOs. The Crown Prosecution Service of the United Kingdom has issued ‘Cybercrime-prosecution guidance’[34]. This guidance has defined major kinds of cybercrimes like hacking, social media related offences, etc. They provide basic principles for adjudication of cybercrimes. A guidance of a similar nature should be introduced in India to ensure better handling of complaints. 

3.5. Investigation and appreciation of evidence during the adjudication process

Investigation into violations is conducted by an officer in the Office of Controller of Certifying Authorities or CERT-IN; or by the Deputy Superintendent of Police[35]. However, the capacity of these bodies to conduct cyber investigations is questionable.

Most cyber-offences are reported to the police departments, as the National Cyber Crime Portal functions under the domain of the Ministry of Home Affairs[36]. Complaints on this portal are referred to the police department of the state in which the alleged cyber-offence was committed. The police personnel are not equipped to deal with cybercrimes; they may not have the requisite expertise in areas like cyber forensics and investigation. They often appoint private firms to investigate into such matters.[37]  

There is no guiding document under the Indian regulatory framework on cyber investigation or cyber forensics. The Information Technology (Amendment) Act, 2008 has established a body called the “Examiner of Electronic Evidence”[38]. This body provides expert opinion on electronic evidence. The MeitY has appointed various forensic science laboratories as the examiner[39]. These laboratories hold expertise in conducting cyber investigation. However, the Holding of Enquiry Rules, 2003 have not been updated post the coming of the 2008 amendment act. The rules must be amended to give AOs the power to order such examiners to investigate into the matters before them.

There should be guidelines or principles on investigation of cyber offences to better equip the police and other investigating agencies to handle such cases. For instance, the United States Department of Justice had issued a guide on ‘Electronic Crime Scene Investigation’ in 2001[40]. This is a comprehensive guide which sets out investigation techniques for different kinds of cyber violations like frauds, identity theft etc. A similar national guideline on cyber investigations must be issued in India. A cybercrime investigation manual was launched by the Data Security Council of India[41]. Steps must be taken by the central government to notify such guidelines.

3.6. Issues with the TDSAT

Initially, a “Cyber Appellate Tribunal” was established under the IT Act to deal with appeals from orders of AOs. In 2015, a Parliamentary Standing Committee was constituted to study the conditions of tribunals and pendency of cases. This committee in its report highlighted that the position of the Chairperson of the Cyber Appellate Tribunal was vacant since 2011 and was thus dysfunctional. As of 31 December 2014, only 34 cases were pending in this tribunal[42]. Considering the state of affairs, this tribunal was merged with the TDSAT in 2017[43].

As per the TRAI Act, the TDSAT consists of a chairperson and two other members only. Considering that telecom and information technology are separate subjects, a different set of expertise is required to decide upon them. It is necessary that the TDSAT increase its strength and involve experts having a background in information technology to decide upon cases relating to the subject. There should be a separate bench to decide upon cyber appeals.

3.7. Adjudication and handling of cyber violations by sectoral authorities

Most instances of cyber violations relate to online banking frauds, including KYC frauds and phishing related cases[44]. For this, the RBI has an “Ombudsman Scheme for Digital Transaction, 2019”[45]. This allows victims of cyber violations to file online complaints. Such complaints should relate to default of the bank, payment system or prepaid payment instruments provider. The ombudsman is empowered to award compensation up to INR 20 lakh rupees to the victim.  Similarly, the Ministry of Home Affairs had introduced a National Cyber Crime Reporting Portal[46]. Complaints pertaining to online financial frauds, social media related frauds and hacking can be reported on this portal[47]. However, the procedure post filing a complaint on this portal is not set out. It is good to have sectoral regulations for handling cybercrimes. Sectoral regulators may be better equipped to deal with the cybercrimes pertaining to their particular area. At the same time, different sets of regulations may lead to potential conflict between authorities under the IT Act and the sectoral authorities. There should be a channel for sectoral regulators to seek consultation from the authorities under the IT Act, where required. For instance, Section 21 of the Competition Act, 2002 lays down a framework for references by statutory authorities. This section allows other statutory authorities to take the Competition Commission of India’s opinion on whether any decision taken by such authority would be contrary to the Competition Act. A similar framework should be incorporated into the IT Act.

4. CONCLUSION

Considering the large number of incidents of cyber-attacks in the country, it is the need of the hour to bolster the current dispute resolution framework under the IT Act. The dispute resolution framework can create a strong deterrent for cyber offenders by forcing them to pay damages and compensation. It can also serve as an effective complaint redress platform for victims. In its current state it has failed to achieve the desired result.

The authorities under the IT Act function in a vast domain, which encompasses issues relating to cybersecurity, intermediary liability, data privacy, and cyber offences. Therefore, these authorities must be adequately equipped to exercise their wide ranging powers.

The government has stressed heavily upon its Digital India initiative which will support India’s goal of becoming a $5 trillion economy by 2025[48].  Also, India has a  large user base of 697 million internet users[49]. Considering India’s quest to digital transformation, it is pertinent to give teeth to the Act, especially to its dispute resolution framework. This will ensure that disputes in the cyberspace are effectively managed and resolved. This will increase the confidence of the masses as well as the stakeholders towards the regulatory framework.

This post is authored by Aditya Sharma, Associate with inputs from Arpit Gupta, Senior Associate.

For more on the topic, please reach out to us at contact@ikigailaw.com

[1] Page 9, 2019 Cyber Safety Insights Report Global Results, The Harris Poll – Norton LifeLock, March 30, 2020, https://now.symassets.com/content/dam/norton/campaign/NortonReport/2019/2018_Norton_LifeLock_Cyber_Safety_Insights_Report_US_Media_Deck.pdf?promocode=DEFAULTWEB%20

[2] National Cyber Crime Reporting Portal, Ministry of Home Affairs, https://www.cybercrime.gov.in/

[3] Chapter IX, Information Technology Act, 2000.

[4] As per Rule 4(a) of the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, the Adjudicating shall exercise jurisdiction in respect of the contraventions in relation to Chapter IX of I T Act, 2000 and the matter or matters or places or area or areas in a State or Union Territory of the posting of the person.

[5] Section 43-44, Chapter IX, Information Technology Act, 2000.

[6] As per Section 61 of the Information Technology Act, 2000, no civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act.

[7] As per Rule 4(l) of the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, if an adjudicating officer is convinced that the scope of a case extends to any offence (under the Information Technology Act, 2000), she should transfer the case to a Magistrate having jurisdiction to try the case.

[8] Section 1(2), Information Technology Act, 2000.

[9] Section 61, Information Technology Act, 2000.

[10] Section 46 of the Information Technology Act provides for the appointment of an ‘adjudicating officer’; as per Section 46(3) of the Information Technology Act, 2000, no person shall be appointed as an adjudicating officer unless she possesses such experience in the field of information technology and legal or judicial experience as may be prescribed. Rule 3 of the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 sets out a detailed eligibility criterion for appointment as an Adjudicating Officer.

[11] Order, Ministry of Communication and Information Technology (Department of Information Technology), Gazette of India, 25 March 2013, http://egazette.nic.in/WriteReadData/2003/E_136_2011_029.pdf

[12]As per Section 46(5) of the Information Technology Act, 2000, every Adjudicating Officer shall have the powers of a civil court and all proceedings before it shall be deemed to be judicial proceedings within the meaning of section 193 and Section 228 of the Indian Penal Code. In the case of Indian National Congress (I) v. Institute of Social Welfare [(2002) 5 SCC 685] it was held that where law requires an authority to hold enquiry before arriving at a decision, such a requirement of law makes the authority a quasi-judicial authority.

[13] Rule 4, the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003.

[14] As per Section 47 of the Information Technology Act, 2000, while adjudging the quantum of compensation or penalty, the Adjudicating Officer shall have due regard to the following factors: (i) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (ii) the amount of loss caused to any person as a result of the default; and (iii) the repetitive nature of the default.

[15] Section 46(1A), Information Technology Act, 2000.

[16] Rule 4(i), the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003.

[17] Ibid.

[18] Established under Section 14 of the Telecom Regulatory Authority of India Act, 1997. Introduced by Finance Act, 2017, which omitted the sections pertaining to the Cyber Appellate Tribunal.

[19] However, the appellate tribunal may entertain an appeal after the expiry of the said period of forty-five days if it is satisfied that there was sufficient cause for not filing it within that period, according to section 57(3), Information Technology Act, 2000.

[20] Section 57(2), Information Technology Act, 2000.

[21] Section 57(4), Information Technology Act, 2000.

[22] Section 58(2), Information Technology Act, 2000.

[23] Section 62, Information Technology Act, 2000.

[24] Section 46(1), Information Technology Act, 2000.

[25] Umashankar Sivasubramanian v. ICICI Bank, Adjudicating Officer Chennai, Petition No. 2462 of 2008, Order dated April 12, 2010,  https://www.naavi.org/cl_editorial_10/umashankar_judgement.pdf

[26] RBI Master Circular on KYC norms, July 01, 2008, https://m.rbi.org.in/scripts/BS_CircularIndexDisplay.aspx?Id=4354&Mode=0

[27] Rajendra Prasad Yadav v. ICICI Bank, Complaint no. 015/2011, Adjudicating Officer, Karnataka.

[28] Section 43 of the Information Technology Act, 2000, lays down penalty and compensation against “any person” for damage to computer or computer system.

[29] Raju Dada Raut v. ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf

Saurabh Jain v. ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SourabhJain_Vs_ICICI&Idea-22022013.PDF

Ravindra Gunale v. Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013.PDF

[30] Order, Ministry of Communication and Information Technology (Department of Information Technology), Gazette of India, 25 March 2013, http://egazette.nic.in/WriteReadData/2003/E_136_2011_029.pdf   

[31] The process of adjudication is provided under the SEBI Act, 1992; Prevention of Money Laundering Act, 2002; and the Electricity Act, 2003.

[32] Section 6, Prevention of Money Laundering Act, 2002.

[33] Section 7, Prevention of Money Laundering Act, 2002.

[34]Cybercrime – prosecution guidance, Crown Prosecution Service, United Kingdom, https://www.cps.gov.uk/legal-guidance/cybercrime-prosecution-guidance

[35] Ibid.

[36] National Cyber Crime Reporting Portal, Ministry of Home Affairs (India), https://www.cybercrime.gov.in/

[37] Police in states across India are relying on private firms and consultants to solve cybercrime cases, Economic Times, 13 December 2019, https://economictimes.indiatimes.com/news/politics-and-nation/police-in-states-across-india-are-relying-on-private-firms-and-consultants-to-solve-cybercrime-cases/articleshow/72499885.cms?from=mdr

[38] Section 79A, Information Technology Act, 2000.

[39] The Regional Forensic Science laboratory, Dharamshala; Cyber Forensic Laboratory, Army Cyber Group, New Delhi; State Forensic Science Laboratory, Bengaluru; Central Forensic Laboratory, Hyderabad; Directorate of Forensic Science, Gandhinagar; Computer Forensic and Data Mining Laboratory, SFIO, Delhi; and Forensic Science Laboratory, Govt. of NCT, New Delhi, have been notified as ‘Examiner of Electronic Evidence, https://meity.gov.in/notification-forensic-labs-%E2%80%98examiner-electronic-evidence%E2%80%99-under-section-79a-information-technology

[40] Electronic Crime Scene Investigation, A guide for first responders, U.S. Department of Justice, 2001, https://www.ncjrs.gov/pdffiles1/nij/187736.pdf

[41]Cybercrime Investigation Manual, Data Security Council of India, https://uppolice.gov.in/writereaddata/uploaded-content/Web_Page/28_5_2014_17_4_36_Cyber_Crime_Investigation_Manual.pdf

[42] Report of the Department-Related Parliamentary Standing Committee On Personnel, Public Grievances, Law and Justice, 26 February 2015, https://www.prsindia.org/sites/default/files/bill_files/SC_Report-_Tribunals_Bill%2C_2014.pdf

[43] The Cyber Appellate Tribunal was merged into the TDSAT by virtue of Section 169 of the Finance Act, 2017, https://naavi.org/uploads_wp/finance_act_2017.pdf

[44]A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicatory Officers under the IT Act, Divij Joshi, The Centre for Internet & Society, 16 June 2014, https://cis-india.org/internet-governance/blog/review-of-functioning-of-cyber-appellate-tribunal-and-adjudicatory-officers-under-it-act

[45] Ombudsman Scheme for Digital Transaction, 2019, Reserve Bank of India. https://rbidocs.rbi.org.in/rdocs/Content/PDFs/OSDT31012019.pdf

[46] National Cyber Crime Reporting Portal, Ministry of Home Affairs (India), https://www.cybercrime.gov.in/  

[47] FAQs to the National Crime Reporting Portal, https://www.cybercrime.gov.in/Webform/FAQ.aspx

[48]India’s Trillion Dollar Digital Opportunity, Ministry of Electronics and Information Technology (India), 2019, https://meity.gov.in/writereaddata/files/india_trillion-dollar_digital_opportunity.pdf

[49] Internet usage in India – Statistics & Facts, Statista, June 29 2020, https://www.statista.com/topics/2157/internet-usage-in-india/