
Unit 4 - E-Commerce and Laws in India - ALL TOPICS

The document discusses the legal framework governing electronic signatures and e-commerce in India, highlighting key laws such as the IT Act, the Indian Contract Act, and the Consumer Protection Act. It outlines the requirements for valid electronic signatures, the types of permissible electronic signatures, and the specific documents that cannot be signed electronically. Additionally, it covers the various business models in e-commerce and the regulatory compliance required for e-commerce entities operating in India.

Uploaded by

Ayush Paliwal

Vaibhav Salunkhe

E-Commerce and Laws in India

Digital / Electronic Signature in Indian Law

E-Signature Legality Summary


The relevant laws and regulations surrounding the use of electronic signatures in India are the ITA,
the ICA, the ESEATPR, the Indian Stamp Act of 1899 and the relevant state stamp acts. These laws
form the basis for:
1. What are officially recognized “electronic signatures” in India;
2. What documents or transactions cannot be entered into electronically;
3. What conditions all contracts must meet, including contracts using an electronic signature
that does not meet the officially recognized requirements under the ITA; and
4. Whether stamp duty needs to be paid on any particular transaction entered into
electronically.
As a threshold matter, the ITA states that a contract cannot be denied enforceability merely because
it was conducted electronically provided the contract fulfils the essential elements of a valid contract
under the ICA.
The essential elements of a valid contract are set out in Section 10 of the ICA. These elements are as
follows:
• It is entered into by parties who are competent to contract;
• It is entered into by parties as a result of their free will (i.e. valid proposal and acceptance);
• It provides for mutual consideration between the parties;
• It does not require the doing of any act which is forbidden by law.
Note that under Indian law, contracts between private parties do not require a signature for validity;
the only express requirements for validity are those set forth above.
Types of Permitted Electronic Signature
The ITA defines an electronic signature as an “authentication of any electronic record by a subscriber
by means of the electronic technique specified in the Second Schedule and includes digital
signature.”
The ITA defines a “digital signature” as the “authentication of any electronic record by a subscriber
by means of an electronic method or procedure in accordance with the provisions of section 3 [of
the ITA].”
To be validly recognized under the ITA, an “electronic signature” must
1. Be "reliable" and
2. Use an authentication technique specified in the Second Schedule to the ITA.
An electronic signature is considered “reliable” if:
• The signature creation data or the authentication data are, within the context in which they
are used, linked to the signatory or to the authenticator and to no other person;
• The signature creation data or the authentication data were, at the time of signing, under
the control of the signatory or the authenticator and of no other person;
• Any alteration to the electronic signature made after affixing such signature is detectable;
• Any alteration to the information made after its authentication by electronic signature is
detectable;
• There is an audit trail of steps taken during the signing process; and
• The digital signer certificates are issued by a Certifying Authority recognized by the
Controller of Certifying Authorities appointed under the IT Act.
The Second Schedule provides that an “electronic signature” or electronic record can be
authenticated by using either of the following methodologies:
• Aadhaar e-KYC services, or
• A third-party service by subscriber's key pair-generation, storing of key pairs on hardware
security modules and creation of digital signature provided that the trusted third party
providing such services shall be offered by any of the licensed Certifying Authorities.
To create a digital signature, a user obtains a digital certificate from a licensed Certifying
Authority.
Documents That May be Signed Electronically
An array of commercial agreements can be executed by using an electronic signature except for
some as provided under the First Schedule to the ITA. Certain specific documents or transactions
cannot be entered into by using an electronic signature:
• Negotiable instruments such as promissory notes or bills of exchange other than a cheque;
• Power-of-attorney;
• Trust deeds;
• Will and any other testamentary disposition by whatever name called; and
• Any contract for the sale or conveyance of immovable property or any interest in such
property.
Further Guidance
The Indian Stamp Act or the relevant stamp act applicable to the state requires that certain
instruments be stamped at or before the time of execution. The Indian Stamp Act or any other law in
force and effect in India does not address electronic records and the method of stamping electronic
records. However, several states (e.g., Maharashtra, Gujarat, Karnataka, Delhi, Uttar Pradesh,
Rajasthan etc.) have amended their respective stamp acts to specifically include “electronic
records,” as defined under the ITA, under the definition of an “instrument”, thereby extending the
requirement of stamping an electronic record.
An “instrument” includes every document by which any right or liability is, or purports to be created,
transferred, limited, extended, extinguished or recorded.
ITA Electronic Signatures, provided such signatures meet the requirements set forth in the ITA, will
be deemed valid and if a party disputes the validity of such electronic signature, such challenging
party will need to produce evidence that the signature was invalid, not the party relying on the
signature.
For non-ITA electronic signatures, if the validity of the signature is challenged, the party seeking to
enforce the signature may, in addition to the above-mentioned conditions, need to produce
evidence to show that all the essentials of a valid contract, as per the ICA, were satisfied.


E-Commerce: Issues and provisions in Indian Law

E-commerce is an online business model that provides consumers with an online market portal
used for buying and selling products and services. The
Consumer Protection Act, 2019 defines the term as "buying or selling of goods or services including
digital products over digital or electronic network." Thus, e-commerce itself usually functions using a
range of electronic services such as internet services, electronic funds transfer services, electronic data
exchange etc. Since in India a large percentage of products and services are availed through
electronic means in an online environment (especially in the present pandemic / lockdown-ridden
world), the laws that govern its functioning, to keep checks and balances, are to be oriented accordingly.
Types of Business Models under E-Commerce
The most common business models facilitated by e-commerce are:
• Business to Business (B2B): B2B describes commerce transactions between various businesses,
thereby enabling various businesses to build new relationships with other businesses such as
between manufacturer and a wholesaler, or between wholesaler and a retailer.
• Business to Consumer (B2C): B2C describes activities of businesses serving end consumers with
products and/or services.
• Consumer to Consumer (C2C): C2C involves the electronically facilitated transactions between
consumers through some third party. Traditionally consumers have had dealings with other
consumers, but only few of those activities were in a commercial sense.
• Consumer to Business (C2B): C2B involves consumers which provide goods/services to
businesses and create value for the business.
• Business to Business to Consumer (B2B2C): This is an alternative to the B2C model in which
there is an additional intermediary business to assist the first business to transact with the end
consumer. For instance, Flipkart which is one of the successful e-commerce portals and which
provides a stage for consumers to purchase a wide range of products.

Now that we understand the concept of e-commerce, it is necessary to know that the regulation
of this sector in India is very scattered, with a wide gamut of statutory enactments which have been
amended / enacted to govern the sector. Nonetheless, there are various statutes that govern
e-commerce activities, which are divided into broad categories as explained in this post.


A. Laws Governing E-Commerce


1. Information Technology Act, 2000 ("IT Act")
There are different provisions under the IT Act which guide the working of e-commerce.
Section 84A of the IT Act casts a duty on the Central Government for the
promotion of e-governance and e-commerce. It also has to provide for secure use of
electronic means. Provisions regarding data protection are contained in Section 43A of
the IT Act. Section 66A of the IT Act imposes a penalty in case of theft of identity and
provides that whoever dishonestly uses the password or identity of another person shall be
punished with imprisonment that may extend to 2 years or with fine of INR 1,00,000/- or
both.
E-commerce entities must comply with the Information Technology (Reasonable security
practices and procedures and sensitive personal data or information) Rules, 2011.
Intermediary websites and the content they display will be governed by the Intermediary Rules
2011, under the IT Act. On 25 February 2021, the Ministry of Electronics and Information
Technology (MeitY) notified the Information Technology (Guidelines for Intermediaries and
Digital Media Ethics Code) Rules, 2021 ("Rules") in consultation with the Ministry of
Information and Broadcasting. The Rules have been issued pursuant to the government's
rule making powers under Section 87 of IT Act which includes rules in relation to the
guidelines to be followed by intermediaries and blocking of access to content under the IT
Act.
The Rules, inter alia, require intermediaries to publish their rules and regulations, privacy
policy and user agreement on their websites/applications and periodically inform users of
the same, place prohibitions on intermediaries regarding hosting, storing, publishing, etc., and
prescribe an information retention period.
2. Consumer Protection Act, 2019 and Consumer Protection (E-Commerce) Rules, 2020
The Ministry of Consumer Affairs, Food and Public Distribution has recently notified the
Consumer Protection Act, 2019 (CPA 2019) and the Consumer Protection (E-Commerce)
Rules, 2020 (E-Commerce Rules). The CPA 2019 introduced significant changes to the 1986
consumer protection law, to address unique issues arising in this era of digitization and
e-commerce. The E-Commerce Rules provide a framework to regulate the marketing, sale and
purchase of goods and services online.
The E-Commerce Rules apply to: (a) all goods and services (including digital products)
transacted over an electronic/digital network; (b) all models of e-commerce, including
marketplace and inventory models (discussed below); (c) all e-commerce retail (including
multi-brand and single brand retail trading); and (d) all forms of unfair trade practices across
all e-commerce models.
While the E-Commerce Rules apply to e-commerce entities, they do not apply to a natural
person if: (a) the activities are performed in a personal capacity; and (b) the activities are not
part of any professional or commercial activity that is carried out on a regular or systematic
basis. Simply put, where an individual engages in a transaction in a personal capacity and
not on a regular or systematic basis for any professional or commercial activity, the
E-Commerce Rules will not apply. As a result, natural persons engaged in occasional
transactions entailing consumer to consumer or business to consumer interface may be
excluded.
Further, the E-Commerce Rules have extra-territorial application to those e-commerce
entities which may not be established in India, but systematically offer goods and services to
consumers in India. A proposed amendment to the E-Commerce Rules contemplated by the
Ministry of Consumer Affairs ("Draft Amendment") intends to widen the outreach as
well as the list of dos and don'ts for e-commerce entities; however, it is presently unclear
where this amendment is headed. The salient features of the Draft Amendment cover the
following:

i. While e-commerce entities that were owners/operators/managers of e-commerce
platforms were governed by the E-Commerce Rules, the Draft Amendment widens
the ambit of an "e-commerce entity" to include related parties as well as any entity
engaged by the e-commerce entity to fulfil the orders placed by its users;

ii. E-commerce entities are required to mandatorily register themselves with the
Department for Promotion of Industry and Internal Trade (DPIIT) and display their
registration numbers prominently to their users on their platform as well as the
invoices;

iii. Prohibition on the promotion or display of misleading advertisements during the
entity's ordinary course of business or for any other such function;

iv. Change in the grievance redressal mechanism for e-commerce entities by creating,
in addition to the grievance redressal mechanism, a "Chief Compliance Officer", an
Indian citizen and resident, who would be managerial personnel or a senior
employee of the e-commerce entity liable for any proceedings pertaining to third
party information, data or communication link provided by the e-commerce entity;

v. Appointment of a nodal contact person (again an employee, other than the Chief
Compliance Officer) who is an Indian citizen and resident in India, for continuous
coordination with law enforcement agencies and officers for compliance of orders
and requisitions; and

vi. Prohibition of flash sales and cross selling.

B. Sectorial and Regulatory Compliance


1. Foreign Exchange Management (Non-Debt Instruments) Rules, 2019
E-commerce entities/platforms with Foreign Direct Investment (FDI) are presently regulated
by the Foreign Exchange Management (Non-Debt Instruments) Rules, 2019. An e-commerce
entity, as per the aforementioned rules, means a company incorporated under the Companies
Act, 1956 or the Companies Act, 2013.
2. Legal Metrology Act, 2009
The Legal Metrology Act defines an "E-commerce entity" as a company incorporated under
the Companies Act, 1956 or the Companies Act, 2013 or a foreign company covered under
Section 2(42) of the Companies Act, 2013, or an office, branch or agency in India covered
under Section 2(ii)(v) of the Foreign Exchange Management Act, 1999 owned or controlled
by a person resident outside India and conducting e-commerce business.
Any e-commerce entity must comply with and meet the standards relating to labelling and
packaging set by the Legal Metrology Act, 2009 read with Legal Metrology (Packaged
Commodity) Rules, 2011 that state that the online platform must display such mandatory
information about the goods on the network, as is required to be displayed on physical
packages as well. Display of mandatory information includes:


The product manufacturer/seller/dealer/importer is responsible for the correctness of
statements made on marketplace model e-commerce portals, whereas e-commerce
corporations are responsible for making the declaration. While the manufacturer, seller,
dealer, or importer will be held responsible and punished under the Legal Metrology Act and
rules for false information declared on a marketplace model e-commerce portal, the
e-commerce institution will be held liable and punished for failing to make relevant
pronouncements as required by the Legal Metrology Act and rules.

C. Other Laws
1. Indian Contract Act, 1872
In e-commerce transactions, e-contracts are formed which are in effect standard form
agreements governed by the Indian Contract Act, 1872 ("Contract Act"). Thus, for
e-commerce contracts to be valid, (i) they must be entered into with the free consent of the
parties to the contract; and (ii) there must be a lawful consideration for the contract. The
Contract Act governs the conditions for validity of contracts formed through electronic means;
communication and acceptance of proposals; revocation; and contract
formation between consumers, sellers, and intermediaries. Further, the terms of service,
privacy policy, and return policies of any online platform must be ensured to be legally
binding agreements. The provisions relating to contract formations carried out electronically
are contained under the Information Technology Act, 2008. Section 10A of the Information
Technology Act, 2000 provides for the validity of contracts entered into through electronic
modes. It states that whenever the communication and acceptance of the proposal, its
revocation and acceptance are made in electronic form, such contract shall not be deemed
to be invalid or unenforceable solely on the ground that electronic means were used for the
purpose. Further information on the enforceability of electronic contracts is dealt with in our
previous post here.
2. Sale of Goods Act, 1930
The Sale of Goods Act, 1930 covers what the sales and shipping policy of the entity must
contain. Additionally, terms such as the warranties, conditions, and the transfer of property
in goods are also outlined for regulating the sale of goods. Further, the policy must also
contain the fact of existence or non-existence of return/refund options.
3. Competition Act, 2002
The Competition Act, 2002 identifies certain areas of the e-commerce ecosystem which are
likely to come within the ambit of competition issues. These include exclusive agreements
between the online retailers (e-tailers) and the sellers, deep discounts offered on the online
platforms which are oftentimes predatory in nature, platform neutrality and platform parity clauses.
Provisions under Section 3, regarding anti-competitive agreements, and Section 4, regarding
abuse of dominant position, are also applicable to e-commerce platforms.


E-Governance: Concept and Practicality in India


What is e-Governance?
Electronic governance or e-governance is adopted by countries across the world. In a fast-growing
and demanding economy like India, e-governance has become essential. The rapid growth of
digitalisation has led many governments across the globe to introduce and incorporate
technology into governmental processes. Electronic governance or e-governance can be defined as
the usage of Information and Communication Technology (ICT) by the government to provide and
facilitate government services, exchange of information, communication transactions and
integration of various standalone systems and services.
In other words, it is the use of technology to perform government activities and achieve the
objectives of governance. Through e-governance, government services are made available to
citizens and businesses in a convenient, efficient and transparent manner. Examples of e-governance
include the Digital India initiative, National Portal of India, Prime Minister of India portal, Aadhaar, filing
and payment of taxes online, digital land management systems, Common Entrance Test etc.
Types of interactions in e-Governance
e-Governance can take place in four major types of interactions, apart from the processes and
interactions in the back-office, within the government framework:
Government to Government (G2G)
Information is exchanged within the government i.e., either, between the central government, state
government and local governments or between different branches of the same government.
Government to Citizen (G2C)
The citizens have a platform through which they can interact with the government and get access to
the variety of public services offered by the Government.
Government to Businesses (G2B)
The businesses are able to interact with the government seamlessly with respect to the services of
the government offered to businesses.
Government to Employees (G2E)
The interaction between the government and its employees occurs in an efficient and speedy
manner.
Objectives of e-Governance
The objectives of e-governance can be listed down as given below:
• To support and simplify governance for government, citizens, and businesses.
• To make government administration more transparent and accountable while addressing
the society’s needs and expectations through efficient public services and effective
interaction between the people, businesses, and government.
• To reduce corruption in the government.
• To ensure speedy administration of services and information.
• To reduce difficulties for business, provide immediate information and enable digital
communication by e-business.
While e-governance provides the advantages of convenience, efficiency and transparency, it also has
problems associated with it. They are as follows:
• Lack of computer literacy: India is still a developing country and a vast majority of the
citizens lack computer literacy which hinders the effectiveness of e-governance.
• Lack of accessibility to the internet or even computers in some parts of the country is a
disadvantage to e-governance.
• e-Governance results in a loss of human interaction. As the system becomes more
mechanised, less interaction takes place among people.
• It gives rise to the risk of personal data theft and leakage.
• e-Governance leads to a lax administration. The service provider can easily provide
excuses for not providing the service on technical grounds such as “server is down” or
“internet is not working”, etc.
e-Governance in the Indian context
e-Governance in India is a recently developed concept. The launch of National Satellite-Based
Computer Network (NICENET) in 1987 and subsequent launch of the District Information System of
the National Informatics Centre (DISNIC) programme to computerise all district offices in the country
for which free hardware and software was offered to the State Governments provided the requisite
impetus for e-governance.
e-Governance thereafter developed with the growth of technology. Today, there are a large number
of e-Governance initiatives, both at the Union and State levels. In 2006, the National e-Governance
Plan (NeGP) was formulated by the Department of Electronics and Information Technology and
Department of Administrative Reforms and Public Grievances that aims at making all government
services accessible to the common man, ensure efficiency, transparency and reliability of such
services at affordable costs to realise the basic needs of the common man.
The NeGP has enabled many e-governance initiatives like:
• Digital India was launched in 2015 to empower the country digitally. Its main
components are:
  ◦ Developing a secure and stable digital infrastructure
  ◦ Delivering government services digitally
  ◦ Achieving universal digital literacy
• Aadhaar is a unique identification number issued by UIDAI that serves as proof of
identity and address on the basis of biometric data. It is being used to provide many benefits
to the members of the society. One can e-sign documents using Aadhaar.
• myGov.in is a national citizen engagement platform where people can share ideas and
be involved with matters of policy and governance.
• UMANG is a Unified Mobile Application which provides access to central and state
government services including Aadhaar, Digital Locker, PAN, Employee Provident Fund
services, etc.
• Digital Locker helps citizens digitally store important documents like mark sheets, PAN,
Aadhaar, and degree certificates. This reduces the need for physical documents and facilitates
easy sharing of documents.
• PayGov facilitates online payments to all public and private banks.
• Mobile Seva aims at providing government services through mobile phones and tablets.
The m-App store has over 200 live applications which can be used to access various
government services.
• Computerisation of Land Records ensures that landowners get digital and updated
copies of documents relating to their property.
In addition to the above, State level e-governance initiatives include:
• E-Seva (Andhra Pradesh) facilitates payment of utility bills, issuance of certificates,
licenses and permits.
• Khajane Project (Karnataka) digitalized the treasury system of the state.
• FRIENDS (Kerala) is a single-window facility to pay taxes and other financial dues to the
State government.
• Lokvani Project (Uttar Pradesh) is a single-window solution relating to the handling of
grievances, land record maintenance and providing a mixture of essential services.
e-Governance Portal of India
The Indian e-governance portal is https://nceg.gov.in. On this portal, one can get comprehensive
information regarding the National Conference on e-Governance and reports on earlier
conferences.
Additionally, the portal provides links to the following important pages:
• Digital India
• National Portal of India: It is developed to provide access to information and services
being provided by the government
• PM India Website: provides information relating to the Prime Minister’s Office.
• United Nations e-governance website


E-Taxation Issues in Cyberspace


1. Introduction

Tax is a mandatory imposition by the sovereign without any guarantee of special
benefits. The imposition of tax is a constitutional function. Such an imposition may be either upon
person or property or privileges or occupations or enjoyments of the people. Obviously, the primary
implication and object of taxation is to raise money for the purpose of the Government, by means of
contribution from individual persons. While levying a tax, the State, to some extent, brings in
measures to regulate the business activity or the consumption of a commodity or service or even
accumulation of wealth in the hands of a few. Neutrality is an essential precept of taxation which
proposes that economically similar income should be taxed similarly. Thus the taxation principles
that apply to the conventional taxation events should also apply, in the same spirit and force, to
the cross-border transactions connected to cyberspace. Is cyberspace not adaptable to the taxing
power of the sovereign? This is a debatable question in the current scenario. The e-space has a vital
role in contemporary society, and e-commerce in particular presents enormous challenges to the
international tax regime, which focuses on territorial and personal bases of tax jurisdiction.

2. Scope for Taxation in Cyberspace


E-commerce is one of the latest contributions of technological growth. E-commerce consists of the
buying, selling, marketing and servicing of products or services over computer networks.
Originally, the internet facilitated commercial transactions, including sale, electronically. It was usually
for a limited purpose, using technology like Electronic Data Interchange to send commercial
documents like purchase orders or invoices electronically in the course of sale of goods. But it has
developed from a mere means of communication to a mode of carrying on the real commercial activity
itself. Of course, income generated by an e-service provider or an e-commerce trader is taxable under
direct taxation (the Income Tax Act). The creation or development of software can be a point of
taxation under the excise law. Software can be developed and installed by sharing the computer or
server, even by remote access, through a team viewer solution. Transfer of rights, either under
lease or under a sale, in the course of e-commerce business can be taxed under use or consumption
tax or sales and value added tax. A service provider is liable to pay tax under the service tax regime
for his turnover derived from the service which he has rendered in cyberspace. The ongoing
development in information technology facilitates sale and purchase of goods and services over the
World Wide Web via secure servers, specially designed to keep ordering data confidential for
customer protection, with the help of e-shopping carts and electronic pay services like
credit and debit cards. Any product that can be digitalised is amenable to sale and delivery
electronically. This would include books, newspapers, CDs, motion pictures, photographs, airline and
movie tickets, and video and sound recordings. Even saleable commodities like patents, designs
and trademarks, which are digitally convertible, can also be the object of electronic commerce,
whether in the form of a total transfer or in the form of partial transfer of rights. E-commerce has a
vital role in the entertainment industry. A wonderful movie having international recognition
can be downloaded and seen through websites by paying charges. Any book that has attained worldwide
popularity can be read on a website by viewers all over the world by paying charges. A newly
introduced song of an admired pop singer can be accessed and stored by his admirers around the
world through browsing and downloading. While watching such a movie or reading such a book
or listening to such a song, a transfer of information certainly takes place, either as sale or as service.

3. Issues in Cyberspace Taxation.


As in any other legal system, challenges are inevitable in the field of cyberspace taxation also.
Such tax challenges are unique throughout the world, evidently in gaining jurisdiction to set the
rules, and to judge and enforce the municipal taxation laws in cyberspace. There are other areas
which raise cross-border legal issues, like conflicts in applying different principles of law. In
international taxation, income earned from the economic activity by a resident of one country in the
territory of another country can be subject to levy of tax on income in both the countries. The home
state justifies levying tax on the basis of the residence rule; however, the host state may impose the
tax on the basis of the source rule.

3(i). Jurisdictional Issues in E-commerce


When e-commerce enables transactions of sale and services across borders, there is unavoidable
ambiguity regarding jurisdiction and the applicable tax law. Parties to a cyber generated contract
may be located in different jurisdictions which may have serious implications in the interpretation
and enforcement of the law. Is it the municipal law of the country or the law of other party having
foreign jurisdiction that covers the field? The traditional rules of private international law state that
the jurisdiction of a country extends only to individuals who are within the country or to the
transactions and events that occur within the natural boundary of the country. There are some
important principles governing the issues.

3(i)(a). Theory of Minimum Contacts
The theory of minimum contacts would mean that even if a
person is not physically present in a country, he can be proceeded against in that foreign court as long as his
website has minimum contacts with that country. This general law has universal application.
Normally a service provider may insert appropriate choice of law in the online contracts, including
specification of the jurisdiction to which the parties to the contract would be subject, and such
clauses are binding upon the parties.
3(i)(b). Source and Residence Principles.
The principles of source or residence govern the jurisdiction of taxing subject, apparently, in direct
taxation. As per this principle, the income is subject to tax where the income is sourced or the
subject has the residence. However in taxing of E-commerce, application of the principles may hit
the regional balances, at least in cases where major portion of goods are sourced in one region and
largely consumed in another region. In cases of countries which have a vital monopoly on
software and other digital exports, the application of the source principle to e-commerce sales will
definitely result in regional imbalance, if the sales are not attributable to a permanent
establishment in the other country. The principle of residence is also inapplicable in certain areas of
taxation of e-commerce sales, since the majority of e-commerce service providers exist in
cyberspace only. Of course, in such cases the residence of such sellers can be attributed to the
location of the server that hosts the home website of the seller.
3(i)(c). Concept of Permanent Establishment.
The concept of ‘Permanent Establishment’ suggests that if the activity passes the permanent
establishment in the source country, that country would have the primary right to tax the activity.
The permanent establishment is defined in the OECD Model Tax Convention to mean, the fixed place
of business through which the business of an enterprise is wholly or partly carried on. It may be a
place of management, a branch, an office, a factory or a workshop. Where a person is acting on
behalf of an enterprise and has habitually exercised an authority to conclude the contracts in the
name of such enterprise, it is deemed that such enterprises shall have a permanent establishment in
such place. However if a broker, general commission agent or any other agent of an independent
status is acting in the ordinary course of their business, it cannot be said that the enterprise is having
a permanent establishment in such place, merely for the reason that business is carried through
such persons. When a foreigner leaves the management of his domestic share portfolio with a
stockbroker in a country, such agency will not constitute a permanent establishment. Thus a website
hosted on a server owned by a domestic independent agent like an ISP (Internet Service Provider),
would not constitute a permanent establishment. A vendor’s home page on the internet and the
access of the internet provided to that homepage do not give rise to a permanent establishment,
since the vendor does not have control over any of the appliances necessary for data transmission,
in a country. A different version is that a web page is likely to constitute a permanent establishment
in the country where the host computer resides. It is because a web page can have a physical
presence, as it is made from binary or digital code and is housed on a magnetic surface, usually a
disk of some kind. Such a binary code is viewable using the computer and communication device.
3(i)(d). Theory of Physical Presence.
The primary determinative and widely accepted factor regarding eligibility of tax on cyberspace or e-
commerce is the physical presence of seller or service provider in the customer’s state. For
determining whether seller or service provider has physical presence, or a level of activity, the
significant tests are that either the entity must be owning or renting property in that state or having
a warehouse or a fulfilment house that maintains inventory for seller in that state or having
employees in that state or promoting his business in that state through something like a trade show.
The Courts in the United States maintain a sensible legal outlook in this regard. According to them
when the seller or service provider has no activity in the location, but merely a web presence, it
would not bring them within the state’s jurisdiction to proceed against the seller.
In National Bellas Hess, Inc’s case, the U.S. Supreme Court has held that the sellers could be required
to pay use taxes only in the states where they have maintained a certain level of physical presence.
This was a major hit on the state’s power to tax inter-state mail order or catalogue sales.
Later the U.S. Supreme Court in Quill’s case[4] has held, though, that it is for the Congress to decide the scope
of nexus theory to protect the interest of the State’s revenue.
3(ii). Issues in Identification of Parties
Identity of parties to a contract is one of the key issues to be resolved while performing e-contracts.
Unlike communications of offer and acceptance through postal means, in internet
communications, it is not possible to locate the exact place of the parties, in the first instance. It can
be possible only through decoding of protocol addresses and through other technological solutions,
which are time consuming and highly technical. Transactions on the internet, particularly consumer-
related transactions, resulting in sale or service contracts, often occur between parties who have no
pre-existing relationship, which may raise concerns of the person’s identity with respect to issues of
the person’s capacity, authority and legitimacy to enter into a contract.
3(iii). Relative Issues of E-Commerce Taxation
Physical supervision over the movement of goods or services is one of the prime concerns in
taxing e-commerce. In e-commerce, the majority of sales or services relate to intangible goods,
without the need to provide tangible personal property to the customer; sale and service
can be effected through transfer of intangible properties.
3(iii)(a). Administration of Tax
In the traditional system of trading, with respect to the main street-retailers, the administration of
tax is easier. The tax on sale or service is, of course, an indirect tax and it is the primary duty of the
traders or service providers to collect and remit the tax to the State exchequer. However, the e-commerce
businessman may not be obliged to comply with such statutory requirements in the
absence of regular supervision of his business. The role of consumption tax, in relation to tangible
properties, is significant in such situations. The liability, in such cases can be fastened on the
importer or the person who consumes the goods. In cases of electronic supply of intangible goods,
domestically, there is not much difference, as the domestic dealer has an obligation to collect the tax
and such trades are subject to tax audit also. But difficulty may arise when the trader destroys his
back-up. In cases of electronic supply of intangible goods by a foreign supplier, such supplies satisfy
the requirement of import sale and the tax can be levied on the importer, who consumes such
goods. Such use tax is usual, when the seller is incapable of taxing the sale, because he has no nexus
with the destination state. It is an undisputed fact that E-commerce is having a dramatic impact on
almost all aspects of business. It has opened a global market with global suppliers across the nations.
Though regulatory measures were introduced to regulate and protect the issues of intellectual
property rights in the field of cyber space, the law on tax administration is not yet fully developed.
The consequence is that the technologically advanced and high-earning society, which builds e-commerce
as a parallel market, is out of tax administration. So either the concept of sales tax should
further be modified to cover the field or the taxation jurisprudence should advance further by
developing alternative devices to fill the gap. When an e-commerce service provider projects certain
information to its customers through the website, charging money through credit card
payments, and the customers only take such information into their minds or even write it down
in their notebooks, can it be said that any transfer of goods is effected between the website
owner and the customer? Furthermore, a mere download may create a virtual recycle bin with
unnecessary downloads in temporary internet folders or cookies, a temporary storage, which the
person really did not intend. The question, in fact, is whether the taxman can tax such downloads, naming them as sale
or service or under the guise of deemed income arising from them. It is as if software is hosted on a
client’s computer from a remote programming terminal located in a faraway place to constitute
transfer of intangible goods through communication devices. It is the law that even if it is not
recorded in tangible media, but only passed through deputed personnel, there is transfer of
property in goods eligible to the sales tax. A momentary service of passing of information, which is a
valuable intangible property, can thus be treated as sale for the purpose of taxation. The taxing
authorities are seriously thinking of curbing tax avoidance in like transactions. While
taxing a commodity, as an article of merchandise, there must be an incidence for tax, i.e., the sale. It
is not the commodity that is subjected to tax, but its transfer as sale. In
imposing the sales tax, one of the difficulties which confront the taxman lies in the selection of the
point of time at which the tax shall be attached and become due. In the case of an ordinary retail
sale for cash across the counter of shop, the stages of agreement, appropriation of the goods to the
contract, delivery, payment of the price and passing of the property are all practically simultaneous.
On the other hand, in transactions like e-commerce, which are more complicated in nature, it is
difficult to find out these stages independently.
3(iii)(b). Situs of Business
When the act of sale or service is the subject of taxation, the place of such event has relevance.
There must be a situs of sale or service. Sale consists of a number of ingredients, such as existence of
goods which form the subject matter of the sale, a bargain or contract of mutual consent, which,
when executed will result in passing of the property in the goods for a price, the payment or a promise
to pay the price and the passing of title. When all of it takes place simultaneously, there is no
difficulty to ascertain the place of sale. When one or more ingredients take place at different places,
it is difficult to find out the situs of sale. In e-shopping, the situs of sale is not certain. Goods can be
ordered from one place, payment can be effected from another place and the goods can be
accessed from a place other than the above two. There are cumulative incidents taking place to
finalize the sale of the goods. Can there be levy of sales tax in all places? When the sale occurs with
respect to a physical substance, and the sale being proximate cause of movement of goods from one
place to another, it is easy to find out the physical transfer of goods by way of delivery. It is not
possible to adopt this principle, when intangible properties are transacted through the cyberspace.
3(iii)(c). Culmination of Contract
A binding contract is constituted by acceptance of an offer. The
acceptance must reach the seller at the time the contract is completed. During electronic offer
and acceptance a number of questions will arise. Can a mere action of downloading be considered as
the acceptance? The user may discard a surfed material, visuals, or writings. A click on the options in
the website cannot be a full acceptance of the information, though a seller anticipates the placing of an
offer through the website. Without the use of encryption technology, the reliability and acceptability
of email is an added difficulty. In systems in which electronic messages are sent over
communication networks, it is certainly possible for someone to prepare and transmit an e-mail
message or an acceptance and to make it appear that it came from someone other than the true
maker. When the authenticity of generation of messages itself is doubtful, it is not easy to deal with
the taxing subject for taxation on the basis of such mail orders.

4. Conclusion
E-commerce being a technologically oriented commercial activity, there are fewer
prospects to supervise the trading and services. The cross-border elements in e-commerce make
the subject more intricate. In the real world, taxing is a sovereign function and is subject to the
territorial limitation and to the Constitution of the country. The revenue interest of a country may govern
the fiscal policy of the sovereign and in e-commerce, there being no territory as part of any
sovereignty, it is impossible to lay down a universal formula, in the absence of an International
Charter.

E-contracts and its validity in India


Electronic contracts are contracts which take place through e-commerce, without a meeting of the
parties to the contract. These contracts are generally very similar to paper-based commercial
contracts, except that the commercial transactions are conducted and concluded electronically. The
advancement of technology and globalization has accelerated the presence of e-commerce
companies throughout the world.
Kinds of E-Contracts
1. Browse Wrap Agreements
A browse wrap agreement is intended to be binding
upon the contracting party by the use of the website. These include the user policies and
terms of service of websites such as Flipkart or eBay and are in the form of a “terms of use”,
a “user agreement” or “terms of service”, which can be provided as links at the corner or
bottom of the website.
2. Shrink Wrap Contracts
These contracts are license agreements by which the terms and conditions of the
contract are enforced upon the contracting parties, and are usually present on the plastic or
in manuals accompanying the software products which the consumer buys.
3. Click Wrap Agreements
These agreements require the user to give his consent to the terms and conditions, which are
known as the end user agreement and govern the licensed usage of the software, by clicking an
“Ok” or “I agree” button. There are certain checks which ensure that the terms of
the agreement are binding upon the contracting parties. These are as follows:
1. The user agreement or the terms of service must be specifically conveyed to the party.
Simply inserting a link to the terms on the website without drawing the attention of the user
shall not be considered as intimation to the user. Therefore, if the user continues to use the
website after the intimation of the terms, this shall be considered as acceptance of the
contract.
2. The terms of the agreement should not be changed if the user has given his assent for the
particular action.
3. The changes made to the terms of the agreement must be specifically intimated to the
user, which allows the user to give fresh consent to the modifications in the terms. In
case the user does not agree to the changes, he has the option to leave the website at
that very moment.

Execution of E-contracts
Recognition and regulation of e-contracts is provided by various laws such as the Information
Technology Act, 2000 and the Indian Evidence Act, 1872. The provisions in the I.T. Act deal with
the attribution, acknowledgement and dispatch of electronic records and secured electronic
procedures.
The IT Act recognizes the basic features of the contract such as the communication of proposals,
acceptance of proposals, and revocation of proposals and acceptances, as the case may be, which could
be expressed either in electronic form or by means of an electronic record.
Further, the recognition of a contract is accorded under the Indian Evidence Act, by which the
term “document” includes any information contained in an electronic record which is printed on
paper, stored, recorded or copied in optical or magnetic media produced by a computer. Such
information, where it conforms to the conditions of Section 65B of the Act, shall be admissible
in any proceedings, without any further proof or production of the original document before the
concerned authority, and shall be regarded as evidence of any content of the original or any fact
stated therein of which direct evidence would be admissible.

Electronic Signatures
The Information Technology (Amendment) Act, 2008 has substituted the term ‘digital signature’ with
the term ‘electronic signature’. A digital signature is technology specific and is irreversibly unique
to both the document and the signer. An electronic signature, by contrast, is technology neutral and
general in nature, and there is no standard for electronic signatures: it can be either a typed
name or a digitized image of a handwritten signature. The substitution of the term ‘digital signature’
with ‘electronic signature’ is meant to expand the scope of e-contracts in an e-commerce world.
Recognizing the change in the execution of commercial transactions, the Supreme Court disregarded
the argument that exchanges over e-mail did not qualify as contracts and held that “Once the
contract is concluded orally or in writing, the mere fact that a formal contract has to be prepared and
initialled by the parties would not affect either the acceptance of the contract so entered into or
implementation thereof, even if the formal contract has never been initialled.” Thus, e-mails
which convey the clear intention of the contracting parties can be treated as a binding contract.

Validity of Electronic Contracts in India


The Indian Contract Act, 1872 has recognized the traditional agreements, which include oral contracts
made by the free consent of contracting parties who are competent to contract, for a lawful
consideration with a lawful object, and which are not expressly declared to be void. Hence, there is no
provision in this Act which prohibits the enforceability of electronic agreements, provided that the
essential elements of a valid contract are present in such agreements.
Free consent is considered the main characteristic of a valid contract. Generally, there is no
scope for negotiation on E-contracts. The option of “take it or leave it” transaction is always
available to the user.
There are various cases where the Indian Courts have dealt with validity of the e-contracts such as
negotiation of the terms of the contract. In the case of LIC India vs. Consumer Education and
Research Centre, the Supreme Court had held that “In dotted line contracts there would be no
occasion for a weaker party to bargain as to assume to have equal bargaining power. He has either
to accept or leave the service or goods in terms of the dotted line contract. His option would be either
to accept the unreasonable or unfair terms or forgo the service forever.”
Trimex International FZE vs Vedanta Aluminium Limited, India, 2010 (1) SCALE 574

Cyber Appellate Tribunal

Introduction

The Cyber Appellate Tribunal was created under the Information Technology Act of 2000. The tribunal solely has
appellate jurisdiction, as its name implies. As a result, it has the ability to exercise its appellate
jurisdiction over a judgment or order made by the Controller of Certifying Authorities or the
adjudicating official, both on the facts and in law. In other words, it has the legal authority to
investigate the decision or order’s accuracy, legality, and propriety. The Central Government has
created the country’s first and only Cyber Appellate Tribunal in line with the terms of Section 48(1)
of the Information Technology Act, 2000.

Establishment of the Tribunal (Section 48)


This Section explains how the Cyber Appellate Tribunal will be established. The Central Government
will issue a notification establishing one or more appellate tribunals. The Central Government also
lists all of the subjects and locations that come under the Tribunal’s jurisdiction in the
notification.

Composition (Section 49)


This Section explains that the Presiding Officer of the Cyber Appellate Tribunal, who will be
nominated by the Central Government, will be the sole member of the Cyber Appellate Tribunal. The
appellate tribunal has been transformed into a multi-member body. The Tribunal will henceforth be
composed of a Chairperson and as many additional members as the Central Government may
designate by publication in the Official Gazette. The Central Government, in collaboration with the
Chief Justice of India, selects the Chairperson and Members of the Tribunal. The Tribunal’s Presiding
Officer is now known as the Chairperson.
Qualifications for appointment (Section 50)
Section – A person cannot be appointed as the Presiding Officer of a Cyber Appellate Tribunal unless
he or she has the following qualifications:
(a) Is, or has been, or is qualified to be, a Judge of a High Court; or
(b) Is or was a member of the Indian Legal Service, and now holds or has held a Grade I position in
that service for at least three years.

The Term of Office (Section 51)


Section – The Presiding Officer of a Cyber Appellate Tribunal serves for five years from the date of
appointment or until he reaches the age of 65, whichever comes first.

Resignation and removal (Section 54)


Section – The chairperson or a member of the Cyber Appellate Tribunal may resign by writing to the
Central Government and informing it of the decision. Provided, however, that the Presiding
Officer shall continue to hold office until the expiration of three months from the date of receipt of
such notice, or until a person duly appointed as his successor enters upon his office, or until the
expiration of his term of office, whichever comes first, unless he is permitted by the Central
Government to relinquish his office sooner.
The Central Government has the authority to dismiss the Presiding Officer of the Cyber Appellate
Tribunal if there is evidence of misbehaviour or inability. However, only after a Supreme Court Judge
has conducted an investigation and the Presiding Officer has been informed of the accusations
against him and has had a sufficient opportunity to defend himself. The method for investigating
misbehaviour or incompetence of the Presiding Officer might be regulated by the Central
Government.

Finality of Orders (Section 55)


Section 55 of the Information Technology Act of 2000 prohibits judicial review of two matters: an
order of the Central Government designating any individual as the Chairperson of the CAT, and any
procedure before a CAT based solely on a flaw in the CAT’s constitution. This provision assures the
smooth and uninterrupted operation of the Tribunal by making the decision creating the CAT
definitive and prohibiting judicial review of any Tribunal proceedings based on a flaw in the
Tribunal’s constitution.

Staff of the Cyber Appellate Tribunal (Section 56)


Section – All the staff, employees and other officers are provided by the central government, as it
will think fit. All the officers and employees will work under the superintendence of the chairperson.
The central government will prescribe the salaries, allowances and all other conditions of services of
the employees and officers.

Appeal to Cyber Appellate Tribunal (Section 57)


Section – If a person is dissatisfied with the Controller’s or Adjudicating Officer’s decision, he or she
may file a complaint with the Cyber Appellate Tribunal, which has jurisdiction over the case. An
order rendered by an adjudicating official with the permission of the parties, however, is not subject
to appeal to the Cyber Appellate Tribunal. The individual must file, along with the specified fees,
within 25 days after receiving the order from the Controller or Adjudicating Officer. If the Tribunal is
satisfied with the grounds for the delay in submitting the appeal, it may hear it even after the 25-day
period has passed.
The Cyber Appellate Tribunal shall transmit a copy of every order to all parties to the appeal as well
as the appropriate Controller or adjudicating official. The tribunal will also make every effort to
resolve the appeal within six months of receiving it.
In Chappan v/s Moidin Kutti, it was claimed that the presence of a superior and inferior court
relationship, as well as the capacity of the former to review two judgments of the latter, are two
requirements for appellate jurisdiction.

Power and procedure of the Cyber Appellate Tribunal (Section 58)


The Cyber Appellate Tribunal’s procedure and powers are laid down in Section 58 of the Information
Technology Act, 2000.
Sub-clause (1) Section 58 states that the Cyber Appellate Tribunal is not bound by the Code of Civil
Procedure, 1908, but rather by the principles of natural justice and that the Cyber Appellate
Tribunal, subject to the other provisions of this Act and any rules, has the authority to regulate its
own procedure, including the location of its hearings.
Clause (2) Section 58 stipulates that, for the purposes of executing its responsibilities under this Act,
the Cyber Appellate Tribunal shall have the same powers as a civil court under the Code of Civil
Procedure, 1908, while trying an action, in respect of the following matters:
(a) Summoning and enforcing the attendance of any person and examining him on oath;
(b) Requiring the discovery and production of documents or other electronic records;
(c) Receiving evidence on affidavits;
(d) Issuing commissions for the examination of witnesses or documents;
(e) Reviewing its decisions;
(f) Dismissing an application for default or deciding it ex parte;
(g) Any other matter which may be prescribed.

Clause (3) Section 58 states that any proceeding before the Cyber Appellate Tribunal is deemed to
be a judicial proceeding for the purposes of Sections 193 and 228 of the Indian Penal Code, and the
Cyber Appellate Tribunal is deemed to be a civil court for the purposes of Section 195 and Chapter
XXVI of the Code of Criminal Procedure, 1973.
In Union of India v. T. R. Verma, it is claimed that it is established law that courts must observe the
law of natural justice, which states that a party must be given the chance to present any relevant
evidence on which he relies. Evidence should be taken in the presence of the parties, and cross-
questioning should be allowed.

Right to Legal Representation (Section 59)


Section – The appellant has the option of appearing in person or appointing one or more legal
representatives to represent him before the tribunal.
Limitation (Section 60)
The limitation provisions of the Limitation Act of 1963 apply to Tribunal appeals.
Civil Court not to have jurisdiction (Section 61)
Section – No civil court can consider a suit or action in that area if the IT Act of 2000 authorizes the
adjudicating officer or the Cyber Appellate Tribunal to deal with particular concerns. Furthermore,
no court can issue an injunction against any conduct taken by a person in the exercise of any
authority conferred by the Act.

Appeal to the High Court (Section 62)


Section – A person aggrieved by the CAT’s decision or order may submit an appeal to the HC within
sixty days of the date of notification of the Tribunal’s decision or order to him on any point of fact or
law arising out of such order, according to Section 62 of the IT Act. The HC may, if satisfied that the
appellant was prevented from submitting the appeal within the specified term by sufficient cause,
allow it to be submitted within an additional period of not more than sixty days.
Recovery of Penalty (Section 64)
If a penalty issued under this Act is not paid, it is collected as land revenue arrears. Furthermore,
until the penalty is paid, the license or digital signature certificate is suspended.

Conclusion
The purpose of enacting the I.T. Act was straightforward. The government wanted to offer and
support electronic, digital transactions while also safeguarding against all types of cybercrime.
Because of the quantity of traffic on the internet and the amount of money individuals transact
through online means, it was critical to strengthen the cyber world. Although the cyber world is
vastly different from the actual world, it has the capability to participate in crimes that occur in the
real world. The Cyber Appellate Tribunal was created to combat cybercrime and punish individuals
involved. The effectiveness of the Cyber Appellate Tribunal may be improved by increasing public
and government knowledge, as well as attempts to deploy enough staff. It is critical to improve
technical capability in order to deal with any circumstance that may arise. Integrity, secrecy, and
authenticity of communication routes and procedures are required.
Certain sorts of offenses necessitate the use of tribunals that can make decisions more quickly. The
judgment is likely to be made quickly if it follows the natural justice system rather than the C.P.C.
In M/s. Gujarat Petrosynthese Ltd. and Mr. Rajendra Prasad Yadav v. Union of India, the petitioners sought a
direction to the Respondent to designate a Chairperson to the Cyber Appellate Tribunal (CAT) in
order to guarantee that the tribunal’s hearings were convened on a regular basis. In court, it was
said that the department would take all necessary steps to fill the position of chairman within the
time limit of six months, and that attempts would be made to appoint the chairperson even before
the time limit expired, in the public interest. On these grounds, the petition was dismissed. Despite
the above judgment, no appointment to the cyber appellate tribunal has been made as of yet, and it
has been inactive since 2011.

Cyber Regulations
Rules and regulations framed under the IT Act regulate different aspects of cyber security as follows:
• Information Technology (The Indian Computer Emergency Response Team and Manner of
Performing Functions and Duties) Rules, 2013 (2013 rules), established the Computer Emergency
Response Team (CERT-In) as the administrative agency responsible for collecting, analysing and
disseminating information on cyber security incidents, and taking emergency response measures.
These rules also put in place obligations on intermediaries and service providers to report cyber
security incidents to the CERT-In.
• Directions on information security practices, procedure, prevention, response and reporting
of cyber incidents for a safe and trusted internet, issued in 2022 by the CERT-In, add to and modify
existing cyber security incident reporting obligations under the 2013 rules.
• Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011 (SPDI rules) require companies that process, collect, store
or transfer sensitive personal data or information to implement reasonable security practices and
procedures.
• The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code)
Rules, 2021 require intermediaries to implement reasonable security practices and procedures to
secure their computer resources and information, in order to maintain safe harbour protections.
Intermediaries are also mandated to report cyber security incidents to the CERT-In.
• Information Technology (Information Security Practices and Procedures for Protected
System) Rules, 2018, oblige companies that have protected systems – as defined under the IT Act –
to put in place specific information security measures.

Other laws that contain cyber security-related provisions include the Indian Penal Code 1860, which
punishes offences committed in cyberspace (such as defamation, cheating, criminal intimidation and
obscenity), and the Companies (Management and Administration) Rules 2014 which require
companies to ensure that electronic records and systems are secure from unauthorised access and
tampering. There are also sector-specific rules issued by regulators and agencies, including the
Reserve Bank of India, the Insurance Regulatory and Development Authority of India, the
Department of Telecommunications, the Securities Exchange Board of India and the National Health
Authority of India, among others, which mandate cyber security standards to be maintained by their
regulated entities.


Cyber security of critical information infrastructure (CII) – defined as any computer resource that can
have a debilitating impact on national security, the economy, public health or safety if incapacitated
or destroyed – is regulated by guidelines issued by the National Critical Information Infrastructure
Protection Centre (NCIIPC).
Under the IT Act, the government may notify any computer resource that affects the facility of CII to
be a protected system, prescribing cyber security obligations for companies handling protected
systems. Designated CII sectors include transport, telecoms, banking and finance, power, energy and
e-governance. Within these sectors, the appropriate authority can notify certain computer systems
as protected systems. Sectoral regulators and agencies, including the Central Electricity Authority,
have also formulated rules and guidelines on cyber security and CII.

Institutional Framework
Since cyber security is a cross-cutting issue, India has a complex inter-ministerial and inter-
departmental institutional framework for cyber security, with several ministries, departments and
agencies performing key functions. For instance, the Ministry for Electronics and Information
Technology (MeitY) deals with policy relating to IT, electronics and the internet, including cyber laws.
It set up the CERT-In as a nodal agency for co-ordination and handling of cyber incident response
activities.
The Ministry of Home Affairs looks at internal security, including cyber security. For this purpose, it
has set up the cyber and information security division, comprising a cybercrime wing, cyber security
wing and monitoring unit. To combat cybercrime, it also established the Indian Cyber Crime Co-
ordination Centre in 2018. The NCIIPC, the nodal agency for CII, is set up under the National Security
Adviser. The National Cyber Security Co-ordinator is the nodal officer for cyber security, functioning
under the Prime Minister’s Office and co-ordinating with various agencies at federal level.

Security Measures
At the federal level, the IT Act places security obligations on organisations handling sensitive
personal data. These are laid out in SPDI rules requiring companies to institute managerial, technical,
operational and physical security control measures. The rules are also subject to ISO/IEC 27001
international standards on information security management, with a body corporate subject to audit
checks by an independent government-approved auditor at least once a year, or as and when it
significantly upgrades its processes and computer resources.
Sectoral regulators and nodal agencies also prescribe security measures. The Reserve Bank of India
prescribes standards for banks, including setting a mechanism for dealing with and reporting
incidents, cyber crisis management, and arrangements for continuous surveillance of systems and
the protection of customer information. It also mandates banks to follow the ISO/IEC 27001 and
ISO/IEC 27002 standards.
A similar framework is applicable to non-banking finance companies. The Securities Exchange Board
of India requires stock exchanges, depositories and clearing corporations to follow standards such as
ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.

Cyber Incident Reporting


The 2013 rules require organisations to report incidents to the CERT-In within a reasonable time.
Incidents include denial of service attacks, phishing and ransomware incidents, website
defacements, and targeted scanning of networks or websites.
In April 2022, the CERT-In issued a new directive modifying obligations under the 2013 rules,
including requirements to report cyber security incidents within six hours, syncing system clocks to
the time provided by government servers, maintaining security logs in India, and storing additional
customer information. The IT Rules 2021 also require intermediaries to notify the CERT-In of security
breaches as part of their due diligence obligations.
Various sector-specific reporting obligations also apply. For instance, in the financial services sector,
every bank is required to report incidents within two to six hours of detection. Similarly, insurance
companies must report cyber security incidents to the Insurance Regulatory and Development
Authority within 48 hours of detection. Telecom licensees are required to establish a facility for
monitoring intrusions, attacks and frauds on their technical facilities, and to provide reports of such
incidents to the Department of Telecommunications.

Cybercrimes
Cybercrimes may include traditional criminal actions such as theft, fraud, forgery, defamation and
mischief, all of which are covered under the Indian Penal Code, 1860. The IT Act addresses
modern offences such as tampering, hacking, publishing obscene information, unauthorised access
to protected systems, breach of confidentiality and privacy, and publishing false digital signature
certificates. Sending threatening messages by email, defamatory messages by email, forgery of
electronic records, cyber fraud, email spoofing, web-jacking and email abuse are also punishable
offences.


Future Path
The federal government, through the National Cyber Security Co-ordinator, is formulating a new
national cyber security strategy. This aims to address certain gaps in India’s cyber security
framework and enhance the country’s overall cyber security posture.
The government is also considering revamping the IT Act to align with advances in the global and
domestic digital and technology environment. This may change the existing cybercrime, incident
reporting, and security measures and standards framework.
