Often I have been asked by victims, stakeholders and students of law about the jurisdictions of the courts and court system as a whole under the Information Technology Act, 2000 (Amended in 2008). This query carries great significance especially at a time when subscribers, consumers and civil society members are facing numerous problems due to data theft, data diddling, and data leaking etc. by the body corporate, intermediary and service providers themselves. Such issues of piercing the veil of cyber security and data privacy due to inefficient data protection mechanism of the body corporate may in turn help individual predators and even criminal gangs to target individuals including women and children to make it a large scale offence. Let us consider the case of Facebook facial recognition case in the US : even though Facebook as a company has been strongly contesting the case, the federal appeals court has given a green signal for this class suit whereby Facebook can be prosecuted for infringement of data privacy and would be liable to pay a huge compensation to the petitioners. What we understand from here is, such cases in the field of cyber law, may be dealt by courts in the nature of civil cases as well as in the nature of criminal cases.
In India, the primary regulatory provision for cyber issues is the Information Technology Act, 2000(amended in 2008) (IT Act, 2000, amended in 2008). This provision indicates that there are two types of authorities and tribunals/courts who may handle cases in the nature of civil and criminal liabilities, i.e., civil and criminal court and tribunals . We may understand this typology by understanding the nature of the cases under the Information Technology Act first, which is as follows:
In the issue of civil nature of cases, the administrative tribunal system under the IT Act has three tiers.
As may be seen from the above flow chart, at the grass-root level is the Certifying Authorities. A licensed Certifying Authority (CA) who has been granted licence under S.24, issues the digital signature certificates. CAs are controlled by Controllers, who are appointed by central government under S.17 of the Act. This provision also mentions about the appointment deputy /assistant controllers who should work under the instructions of the Controller.
Functions and responsibilities of the controller can be discussed under three broader heads:
S.18 of the IT Act provides essential functions of the Controller. Apart from S.18, there are certain other provisions under the IT Act, which speaks about other responsibilities and powers of the Controller. The functions under S.18 are as under:
- Exercising supervision over the activities of the Certifying Authorities;
- Certifying public keys of the Certifying Authorities;
- Laying down the standards to be maintained by the Certifying Authorities;
- Specifying the qualifications and experience which employees of the Certifying Authority should possess;
- Specifying the conditions subject to which the Certifying Authorities shall conduct their business;
- Specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of an Electronic Signature Certificate and the public key;
- Specifying the form and content of an Electronic Signature Certificate and the key;
- Specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
- Specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
- Facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
- Specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
- Resolving any conflict of interests between the Certifying Authorities and the subscribers;
- Laying down the duties of the Certifying Authorities;
- Maintaining a database containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.
As such, other than the functions mentioned above, the Controller may also have the following powers and functions:
- Controller may also recognize the foreign certifying authorities with prior approval from the government under S.19.
- Controller is the authority to suspend license of the CA in case of any discrepancies in the function of the CA under S.25
- Controller has power investigate contraventions or authorize any officer to do the same under S.28.
- Controller may also access to computer and data under S.29 if he has reasonable cause to suspect for any contravention of the provisions etc.
Apart from this, controller also has powers for dispute resolution: As such, .controllers can take over matter for regulating and resolving any conflict of interests between the Certifying Authorities and the subscribers.
Adjudicators along with the controllers form the second tier of tribunal system for civil nature of cases under the IT Act. Adjudicating officers are appointed by the Central Government under S.46 of the IT Act for holding inquiry (in the manner prescribed by the Central Government) in cases where any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder which renders him liable to pay penalty or compensation. Such officer should not be below the rank of a Director to the Government of India or an equivalent officer of a State Government.S.46 clearly mentions that no person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government. The adjudicating officer appointed under S.46(1) are empowered to exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed rupees five crore. In case the jurisdiction in respect of claim for injury or damage exceeds Rs. five crore, the jurisdiction to try such cases then shall vest with the competent court. Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under sub-section (2) of section 58. As such, all proceedings before the adjudicator (a) shall be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code; (b) shall be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973. And (c) shall be deemed to be a Civil Court for purposes of order XXI of the Civil Procedure Code, 1908
But, the adjudicating officer cannot fix the quantum of punishment (especially fines, damages and compensation) at his own whimsies and fancies. S.47 says while adjudging the quantum of compensation under Chapter IX, the adjudicating officer shall have due regard to the following three factors, namely –
- the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
- the amount of loss caused to any person as a result of the default;
- the repetitive nature of the default
As such, adjudicators are responsible to handle cases of data infringement, unauthorised access to computer, offences to the computer (of civil nature), and fraudulent data leaking cases etc. under chapter IX of the IT Act.
At the top tier of the tribunals for dealing with cases of civil nature under the Information Technology Act, 2000(amended in 2008) exists the Cyber Appellate Tribunal. S.48 of the Information Technology Act, 2000 (amended in 2008) stated that the central government shall by notification establish one or more appellate tribunals to be known as Cyber Appellate Tribunal. However, it has been observed by several cyber law practitioners that the Cyber Appellate Tribunals in some places in India were not functioning properly. As such, since 2017 The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) established under section 14 of the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), (TRAI Act) has substituted CAT & working as Appellate Tribunal for the purposes of IT Act. It also exercises the jurisdiction, powers and authority conferred on it by or under IT Act. The TDSAT shall consist of a Chairperson, and not more than two members to be appointed by the Central Government. Prior to the coming into existence of TDSAT within the meaning of Appellate tribunal under the IT Act, online High Court judges could qualify to be appointed as Chairpersons of the cyber appellate tribunal as per S.50 of the IT Act. However, presently as per S.4 of the TRAI Act, the Chairperson and other members of the Authority shall be appointed by the Central Government only if such candidate has special knowledge of, and professional experience in, telecommunication, industry, finance, accountancy, law, management or consumer affairs. Further, a person who is, or has been, in the service of Government shall not be appointed as a member unless such person has held the post of Secretary or Additional Secretary, or the post of Additional Secretary and Secretary to the Government of India or any equivalent post in the Central Government or the State Government for a period of not less than three years (as per Proviso to S.4 of the TRAI Act). s. 57, IT Act, 2000(amended in 2008) speaks about the jurisdiction & limitations of the Appellate authority , which to large extent is practiced by the TDSAT now. According to S.57, any person aggrieved by an order made by controller or an adjudicating officer under this Act may prefer an appeal to Appellate Tribunal having jurisdiction in the matter. However, no appeal shall lie to the Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties. Every appeal under 57(1) shall be filed within a period of forty-five days from the date on which a copy of the order made by the Controller or the adjudicating officer is received by the person aggrieved and it shall be in such form and be accompanied by such fee as may be prescribed. Appellate Tribunal may entertain an appeal after the expiry of the said period of forty-five days if it is satisfied that there was sufficient cause for not filing it within that period.
Court for dispute resolution of criminal nature: Information Technology Act, 2000(amended in 2008) does not specifically mention about any court which may handle cases of criminal nature under this Act. But S.77A of the Information Technology Act is mentionable here, which speaks about compounding of offences According to S.77A of the IT Act, 2000(amended in 2008), a court of competent jurisdiction may compound offences, other than offences for which the IT Act provides punishment for life or imprisonment for a term exceeding three years. As per S.77A, the court however, shall not compound offences falling under the categories as below:
- Where the accused is, by reason of his previous conviction, liable to either enhanced punishment or to a punishment of a different kind:
- Where such offence affects the socio economic conditions of the country.
- Has been committed against a child below the age of 18 years or a woman.
S.77A(2) of the IT Act states that a person accused of an offence under this Act may file an application for compounding in the court in which offence is pending for trial and the provisions of sections 265B and 265C of the Code of Criminal Procedure, 1973 (2 of 1974) shall apply. From the above discussion, it may be inferred that any competent criminal court under Cr.P.C which are competent to handle cases involving offences and punishments as has been prescribed under Chapter XI under the IT Act, may be considered as competent court for the purpose of this Act. Now, the question which may arise is, which criminal courts may handle cases of criminal nature under IT Act, 2000 (amended in 2008). For this, we may need to understand the patterns of punishments under Chapter XI of the IT Act, 2000 (amended in 2008). These can be listed as below:
- Imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
- Imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both
- Imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
- Imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both
- Imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
- Imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
- Imprisonment extending to imprisonment for life.
- Imprisonment in first conviction of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.
- On first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees
- Life imprisonment
Now, to find the answer as which court may try cases of criminal nature under the IT Act, the above mentioned list has to be matched with the powers of various criminal courts under Ss.28 & 29 of Cr.P.C. The powers of the courts under the Cr.P.C can thus be categorized as follows:
As such it may be understood that cybercrimes and offences recognised under Chapter XI with various degrees of punishment may be dealt by various criminal courts as has been discussed under Ss.28 and 29 of the Criminal Procedure Code. But, in such cases also, the aggrieved party (including the offender) may make an appeal to the appropriate courts including the Session’s court, High Court and also to Supreme court. However, in case the offence includes any offence targeting children, then along with Information Technology Act, 2000(amended in 2008), provisions of Protection of Children from sexual offences Act may also be applied. In such cases, the offence may necessarily be dealt with by courts designated under POCSO Act : such courts may be Special Court or Children’s Court or the Sessions court itself.
Note: Please do not violate the copyright of this writeup. If you wish to use this writeup for your report/assignment/project etc, please refer it as Halder Debarati (2019) Court system under Information Technology Act, 2000 (amended in 2008). Published in http://www.internetlegalstudies.com on 12-08-2019
 For example see @https://www.theguardian.com/technology/2019/aug/09/facebook-facial-recognition-lawsuit-can-proceed-us-court?CMP=share_btn_fb&fbclid=IwAR3RvbLbL9TmFCkeBgypZORu4dRYnQNFvbWuFfIoQN1m-n80UlFO8_26qIk
 see http://dot.gov.in/actrules/telecom-regulatory-authority-indiatrai-act-1997