IT Act, 2000 is India's primary legislation governing electronic commerce, electronic governance, cybercrime, and digital signatures, providing legal recognition to electronic records and transactions conducted through electronic means. Under Indian law, the Information Technology Act, 2000 (Act No. 21 of 2000) was enacted to give effect to the UNCITRAL Model Law on Electronic Commerce, and serves as the foundational statute for India's cyber law framework, substantially amended in 2008 to address emerging digital challenges.
Legal definition
The Information Technology Act, 2000 was enacted by Parliament and received Presidential assent on 9 June 2000. The Preamble states its purpose:
"An Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as 'electronic commerce', which involve the use of alternatives to paper-based methods of communication and storage of information... and for matters connected therewith or incidental thereto."
The Act is structured across 13 chapters and 90 sections covering:
- Chapter II (Sections 3-3A): Digital signatures and electronic signatures — legal validity and authentication
- Chapter III (Sections 4-10A): Electronic governance — legal recognition of electronic records, electronic filings with government agencies, and retention of electronic records
- Chapter V (Sections 14-16): Certifying Authorities — licensing and regulation of entities issuing digital signature certificates
- Chapter IX (Sections 43-47): Penalties and adjudication — civil liability for unauthorised access, damage to computer systems, and compensation
- Chapter XI (Sections 65-78): Offences — criminal provisions for hacking, data theft, identity fraud, cyber terrorism, publishing obscene material, breach of confidentiality, and related offences
- Section 79: Safe harbour for intermediaries — immunity from liability for third-party content subject to due diligence obligations
- Section 69: Power of the government to issue directions for interception, monitoring, or decryption of electronic information in the interest of national security
Key amendments:
The Information Technology (Amendment) Act, 2008 was the most significant revision, inserting Sections 66A-66F (new cybercrime offences), Section 67A-67C (enhanced content-related offences), Section 69A-69B (power to block websites and monitor traffic), and overhauling Section 79 (intermediary safe harbour). The 2008 Amendment also introduced the concept of "Cyber Appellate Tribunal" (since replaced by the Telecom Disputes Settlement and Appellate Tribunal) and strengthened penalty provisions.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — issued under Section 87 read with Sections 79(2) and 69A — created detailed due diligence obligations for social media intermediaries, including significant social media intermediaries with 50 lakh or more registered users.
How courts have interpreted this term
Shreya Singhal v. Union of India [(2015) 5 SCC 1]
The Supreme Court bench of Justices J. Chelameswar and R.F. Nariman examined the constitutional validity of Section 66A of the IT Act (punishment for sending offensive messages). The Court struck down Section 66A as unconstitutional, holding it violated Article 19(1)(a) — the right to freedom of speech and expression. The judgment held that Section 66A was void for vagueness, as terms like "grossly offensive" and "menacing character" were subjective and overbroad. Simultaneously, the Court upheld Section 69A (website blocking) and Section 79 (intermediary safe harbour) as constitutionally valid, subject to procedural safeguards.
Avnish Bajaj v. State (NCT of Delhi) [(2008) 150 DLT 769]
In the "Bazee.com" case, the Delhi High Court examined the liability of an intermediary (the CEO of an e-commerce platform) for the sale of obscene material by a third-party seller. The Court distinguished between the liability of the platform (as intermediary) and its individual officers, holding that the Section 79 safe harbour was available to the platform provided it acted diligently upon notice. This case was instrumental in shaping the interpretation of intermediary liability under the IT Act.
Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal [(2020) 7 SCC 1]
A three-judge bench of the Supreme Court settled the law on admissibility of electronic evidence, holding that the certificate under Section 65B(4) of the Indian Evidence Act (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023) is a mandatory requirement for the admissibility of electronic records. This ruling has direct implications for cybercrime prosecutions under the IT Act, as all digital evidence — including emails, call records, server logs, and screenshots — must be accompanied by a valid Section 65B certificate.
Why this matters
The IT Act, 2000 is the bedrock of India's digital legal infrastructure. It provides the legal foundation for every electronic transaction — from e-commerce purchases and digital payments to e-filing of tax returns and electronic court filings. Without the IT Act's provisions on legal recognition of electronic records (Section 4) and electronic signatures (Section 3A), the entire digital economy would lack legal certainty.
For businesses operating online, the IT Act creates a dual regime of obligations: compliance with Section 43A (now substantially replaced by the DPDP Act, 2023) for data protection, and compliance with the intermediary guidelines under Section 79 for platforms hosting user-generated content. E-commerce platforms, social media companies, search engines, and cloud service providers must understand their obligations under both the parent Act and the 2021 Intermediary Guidelines to maintain their safe harbour protection.
For practitioners, the IT Act intersects with nearly every area of modern legal practice. Criminal lawyers encounter IT Act offences in cybercrime prosecutions; corporate lawyers advise on electronic contracts and digital signature validity; IP lawyers address domain name disputes and online infringement; and constitutional lawyers engage with surveillance powers under Section 69 and free speech implications of content regulation. The Act's relationship with the newer DPDP Act, 2023 requires careful navigation — the DPDP Act replaces Section 43A and the IT Rules of 2011 on data protection, but the IT Act's criminal provisions and intermediary liability framework remain in force.
A significant ongoing development is the proposed Digital India Act, which the government has indicated will eventually replace the IT Act with a more comprehensive framework suited to the realities of artificial intelligence, Web 3.0, and platform regulation. Until that legislation is enacted, the IT Act, 2000 (as amended in 2008) remains the primary cyber law statute.
Related terms
Key provisions and concepts:
Related framework:
Frequently asked questions
Is the IT Act 2000 still in force?
Yes. The Information Technology Act, 2000, as substantially amended in 2008, remains in force and is the primary legislation governing cyber law in India. While the DPDP Act, 2023 has replaced Section 43A and the IT Rules of 2011 on data protection, all other provisions of the IT Act — including criminal offences (Sections 65-78), intermediary liability (Section 79), and government interception powers (Section 69) — continue to apply. The government has indicated plans for a Digital India Act as a comprehensive replacement, but no bill has been introduced yet.
What was Section 66A and why was it struck down?
Section 66A of the IT Act (inserted by the 2008 Amendment) criminalised sending "offensive" or "menacing" messages through a computer or communication device, with imprisonment up to 3 years and a fine. The Supreme Court in Shreya Singhal v. Union of India (2015) 5 SCC 1 struck it down as unconstitutional, holding that the provision was vague, overbroad, and chilled free speech in violation of Article 19(1)(a). The terms "grossly offensive," "menacing," and "causing annoyance" were found to be subjective and not covered by the reasonable restrictions in Article 19(2).
Does the IT Act apply to offences committed outside India?
Yes. Section 75 of the IT Act provides for extra-territorial jurisdiction: if any person, irrespective of their nationality, commits an offence or contravention under the Act outside India, the provisions of the Act shall apply if the offence involves a computer, computer system, or computer network located in India. This extra-territorial provision has been invoked in cases involving cross-border data theft, hacking, and online fraud targeting Indian systems or citizens.
What is the relationship between the IT Act and the DPDP Act?
The DPDP Act, 2023 replaces the data protection provisions of the IT Act — specifically Section 43A (compensation for failure to protect data) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. However, the IT Act's criminal provisions (Sections 65-78), intermediary liability framework (Section 79), government surveillance powers (Section 69), and electronic governance provisions (Sections 4-10A) remain fully operative. The two statutes now operate in parallel, with the DPDP Act governing data protection and the IT Act governing cybercrime, intermediary regulation, and electronic governance.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes and does not constitute legal advice.