Proposed Draft of Electronic Commerce Act, 1998
An Act to establish the law relating to electronic commerce.
WHEREAS it is expedient to establish the law relating to electronic commerce;
PART I - PRELIMINARY
1. Short Title, Extent and Commencement.
2. Definitions
3. Purpose and Construction.
4. Application.
5. Variation by Agreement.
PART II - ELECTRONIC RECORDS AND SIGNATURES GENERALLY
6. Legal Recognition
7. Requirements of Writing.
8. Electronic Signatures.
9. Original Record.
10. Admissibility and Evidentiary Weight of Electronic Records and Electronic Signatures.
11. Retention of Electronic Records.
PART III -- SECURE ELECTRONIC RECORDS AND SIGNATURES
12. Secure Electronic Record.
13. Secure Electronic Signature
14. Presumptions Relating to Secure Electronic Records and Signatures
PART IV -- ELECTRONIC CONTRACTS
15. Formation and Validity.
16. Effectiveness Between Parties
17. Attribution
18. Acknowledgment of Receipt.
19. Time and Place of Dispatch and Receipt
20. Applicable Law
PART V -- EFFECT OF DIGITAL SIGNATURES
21. Secure Electronic Record with Digital Signature.
22. Digital Signature as a Secure Electronic Signature.
23. Unreliable Digital Signatures
PART VI -- GENERAL DUTIES RELATING TO DIGITAL SIGNATURES
24. Foreseeability of Reliance on Certificates.
25. Prerequisites to Disclosure of Certificate
26. Publication for Fraudulent Purpose
27. False or Unauthorized Request.
PART VII - DUTIES OF CERTIFICATION AUTHORITIES
28. Trustworthy System
29. Disclosure by Certification Authorities.
30. Issuing of Certificate.
31. Representations Upon Issuance of Certificate.
32. Fiduciary Relationship
33. Financial Responsibility
34. Suspension of Certificate.
35. Revocation of Certificate
PART VIII -- DUTIES OF SUBSCRIBERS
36. Generating A Key Pair.
37. Acceptance of Certificate.
38. Control of Private Key.
39. Initiating Suspension or Revocation.
PART IX -- REGULATION OF CERTIFICATION AUTHORITIES AND REPOSITORIES
40. Appointment of Controller and Other Officers
41. Recognition of Foreign Certification Authorities
42. Recommended Reliance Limit
43. Liability Limits for Certification Authorities
44. Recognition of Repositories.
45. Liability of Repositories.
PART X - GOVERNMENT USE OF ELECTRONIC RECORDS AND SIGNATURES
46. Acceptance of Electronic Filing and Issue of Documents.
PART XI -- LIABILITY OF NETWORK SERVICE PROVIDERS
47. Liability of Network Service Providers
PART XII - COMPUTER CRIME
48. Computer Crime
49. Penalties
50. Forfeiture
PART XIII -- GENERAL
51. Confidentiality.
52. Offense by Body Corporate
53. Controller May Give Directions for Compliance.
54. Power to Investigate
55. Access to Computers and Data.
56. General Penalty
57. Power to Exempt
58. Power of Central Government to make rules.
59. Power to remove difficulties.
THE ELECTRONIC COMMERCE SUPPORT ACT, 1998
Amendments to the Indian Evidence Act, 1872
Amendments to the Indian Contract Act, 1872.
Amendment to the Indian Telegraph Act, 1885
Amendments to the Banker's Books Evidence Act of 1891
Amendments to the General Clauses Act, 1897
Amendments to the Reserve Bank of India Act, 1934,
It is hereby enacted as follows:--
PART I - PRELIMINARY
1. Short Title, Extent and Commencement.
(1) This Act may be called the Electronic Commerce Act, 1998.
(2) This Act extends to the whole of India, except
the State of Jammu and Kashmir.
(3) This Act shall come into force on such date
as the Central Government may, by notification in the Official Gazette,
appoint in this behalf.
2. Definitions. In this Act, unless the context otherwise requires -
(a)
"Asymmetric cryptosystem" means a computer-based system
capable of generating and using a secure key pair, consisting of a private
key for creating a digital signature and a public key to verify the digital
signature.
Comments:
Asymmetric cryptography is the core of the current
digital signature technology. An asymmetric cryptosystem is an information
system utilizing an algorithm or series of algorithms that provide for
a cryptographic key pair consisting of a private key and the corresponding
public key. A secure key pair is a key pair that is cryptographically
strong and is capable of reliably creating and verifying digital signatures.
(b)
"Authentication" means a process used to ascertain the
identity of a person or the integrity of specific information. For a message,
authentication involves ascertaining its source and confirming that it
has not been modified or replaced in transit.
(c)
"Authorized officer" means any officer that has been
authorized by the Controller to exercise the powers of the Controller
under this Act as identified in Section 41 of this Act.
Comments:
An Authorized Officer will have the authority, if delegated by the Controller
(as defined herein), to perform the duties and obligations of the Controller
as specified herein.
(d)
"Certificate" means a record, that at a minimum: (i)
identifies the certification authority issuing it; (ii) names or otherwise
identifies its subscriber, or a device or electronic agent under the control
of the subscriber; (iii) contains a public key that corresponds to a private
key under the control of the subscriber; (iv) specifies its operational
period; and (v) is digitally signed by the certification authority issuing
it.
(e)
"Certification authority" means a person who authorizes
or causes the issuance of a certificate.
(f)
"Certification practice statement" means a statement
issued by a certification authority that specifies the policies or practices
that the certification authority employs in issuing, managing, suspending
and revoking certificates and providing access to them.
(g)
"Computer" means an electronic, magnetic, electromagnetic,
digital, optical, or other information processing system or device used
for creating, generating, transmitting, receiving, storing, displaying,
or otherwise processing information, together with any supporting software,
input, output, or data storage devices used therewith.
(h)
"Computer network" means two or more computers in communication
with or connected to each other.
(i)
"Computer program" means a set of instructions or statements,
and related data, to be used directly or indirectly in a computer or computer
network in order to cause a certain result.
(j)
"Computer security system" means the design, procedures
or other measures that the person responsible for the operation and use
of a computer employs to restrict the use of the computer to particular
persons or uses, or that the owner or licensee of data stored or maintained
by a computer in which the owner or licensee is entitled to store or maintain
the data employs to restrict access to or protect the confidentiality
of the data.
(k)
"Computer virus" means any computer instruction, information,
data or program that degrades the performance of a computer; disables,
damages or destroys a computer; or attaches itself to another computer
and executes when the host computer program, data or instruction is executed
or when some other event takes place in the host computer, data or instruction.
(l)
"Controller" means the Controller of Certification Authorities
appointed under Section 41. Source: Singapore Electronic Transactions
Act §2.
(m)
"Correspond" in relation to private or public keys, means
to belong to the same key pair.
(n)
"Damage" means any destruction, alteration, disruption,
deletion, addition, modification or other impairment to the integrity
or availability of a computer, data, electronic record, a program, an
information system or information.
Comment:
The definition of "damage" is based on the definition contained
in the United States Computer Fraud and Abuse Act, but includes a wider
range of categories of impairment of computer resources.
(o)
"Data" means a representation of information or of concepts
that are being prepared or have been prepared in a form suitable for use
in a computer. Source: Malaysia Computer Crimes Act §2.
(p)
"Digital signature" means an electronic signature consisting
of a transformation of an electronic record using an asymmetric cryptosystem
and a hash function such that a person having the initial untransformed
electronic record and the signer's public key can accurately determine:
(i) whether the transformation was created using the private key that
corresponds to the signer's public key and (ii) whether the initial electronic
record has been altered since the transformation was made.
(q)
"Electronic" includes electrical, digital, magnetic,
optical, electromagnetic or any other form of technology that entails
capabilities similar to these technologies.
(r)
"Electronic device" means a computer program or electronic
record or other automated means configured or enabled by a person to independently
initiate or respond to electronic records or performances on behalf of
that person without review by an individual.
(s)
"Electronic record" means a record generated, sent, received
or stored by electronic means for use in an information system or for
transmission from one information system to another.
(t)
"Electronic signature" means any letters, characters,
numbers or other symbols in digital form attached to or logically associated
with an electronic record, and executed or adopted with the intention
of authenticating or approving the electronic record.
(u)
"Hash function" means an algorithm mapping or translating
one sequence of bits into another, generally smaller, set (the hash result)
such that: (i) a record yields the same hash result every time the algorithm
is executed using the same record as input; (ii) it is not feasible that
a record can be derived or reconstituted from the hash result produced
by the algorithm; and (iii) it is computationally infeasible that two
records can be found that produce the same hash result using the algorithm.
(v)
"Information" includes data, text, images, sound, codes,
computer programs, software, databases and the like.
(w)
"Information system" means a system for creating, generating,
sending, receiving, storing, displaying or otherwise processing information.
(x)
"Internet"
means a global network of interconnected computer networks, each using
the transmission control protocol/internet protocol or any combination
thereof or such other standard network interconnection protocols as is
used to transmit data that is directly or indirectly delivered to a computer.
(y)
"Key pair" in an asymmetric cryptosystem, means a private
key and its mathematically related public key, having the property that
the public key can verify a digital signature that the private key creates.
(z)
"Network service provider" means a person that provides
the software, hardware, telecommunications facilities or any combination
of the above, to facilitate access to the Internet or any other computer
network, and includes a value added network service provider.
(aa)
"Operational period of a certificate" begins on the date
and time the certificate is issued by a certification authority (or on
a later date and time if stated in the certificate), and ends on the date
and time it expires as stated in the certificate or is earlier revoked
or suspended.
(bb)
"Private key" means the key of a key pair used to create
a digital signature.
(cc)
"Prescribed"
means prescribed by rules made under this Act.
(dd)
"Provide access" means, in relation to material provided
by a third party, the provision of the necessary technical means by which
such material may be accessed and includes the automatic and temporary
storage of such material for the purpose of providing access.
(ee)
"Public key" means the key of a key pair used to verify
a digital signature.
(ff)
"Record" means information that is inscribed, stored
or otherwise fixed in a tangible medium or that is stored in an electronic
or other intangible medium and may be retrieved in perceivable form.
(gg)
"Repository" means a system for storing and retrieving
certificates or other information relevant to certificates, including
information related to the status of a certificate.
(hh)
"Revoke a certificate" means to permanently end the operational
period of a certificate from a specified time forward.
(ii)
"Rule of law" includes any provision contained in an
enactment or any rule derived from any other source of law.
(jj)
"Security procedure" means a procedure for the purpose
of: (i) verifying that an electronic record is that of a specific person
or (ii) detecting error or alteration in the communication, content or
storage of an electronic record since a specific point in time. A security
procedure may require the use of algorithms or codes, identifying words
or numbers, encryption, answer back or acknowledgment procedures, or similar
security devices.
(kk)
"Signed" or "signature," in relation to electronic
records, includes any symbol executed or adopted, or any security procedure
employed or adopted, using electronic means or otherwise, by or on behalf
of a person with the intent to authenticate such record.
(ll)
"Subscriber" means a person who is the subject named
or identified in a certificate issued, who holds a private key that corresponds
to a public key listed in that certificate and who is the person to whom
digitally signed messages verified by reference to such certificate are
to be attributed.
(mm)
"Suspend a certificate" means to temporarily suspend
the operational period of a certificate from a specified time forward.
(nn)
"Third party" means, in relation to a network service
provider, a person over whom the provider has no effective control.
(oo)
"Trustworthy system or manner" means the use of, or adoption
of any device involving the use of, computer hardware, software and procedures
that, in the context in which they are used: (i) can be shown to be reasonably
resistant to penetration, compromise and misuse; (ii) provide a reasonable
level of reliability and correct operation; (iii) are reasonably suited
to performing their intended functions or serving their intended purposes;
(iv) comply with applicable agreements between the parties, if any; and
(v) adhere to generally accepted security procedures.
(pp)
"Valid certificate" means a certificate that a certification
authority has issued and that the subscriber listed in the certificate
has accepted.
(qq)
"Verify a digital signature" means to use a public key
listed in a valid certificate to determine: (i) that the digital signature
was created using the private key corresponding to the public key listed
in the certificate and (ii) the electronic record has not been altered
since its digital signature was created.
3. Purpose and Construction.
This Act shall be construed consistently with what is commercially reasonable
under the circumstances and to effectuate the following purposes:
(a) To facilitate electronic communications by means of reliable electronic
records;
(b) To facilitate and promote electronic commerce, to eliminate barriers
to electronic commerce resulting from uncertainties over writing and signature
requirements, and to promote the development of the legal and business
infrastructure necessary to implement secure electronic commerce;
(c) To facilitate the electronic filing of documents with government agencies
and statutory corporations, and to promote efficient delivery of government
services by means of electronic records;
(d) To minimize the incidence of forged electronic records, intentional
and unintentional alterations of records, and fraud in electronic commerce
and other electronic transactions;
(e) To promote public confidence in the integrity and reliability of electronic
records, electronic signatures and electronic commerce;
(f) To establish uniform rules and standards regarding the authentication
and integrity of electronic records; and
(g) To create a legal infrastructure
for the use of digital signatures.
4. Application.
(a) Parts II or IV of this Act shall not apply to any law requiring writing
or signatures in any of the following circumstances:
(1) the creation or execution of a will;
(2) the execution of negotiable instruments;
(3) the creation, performance or enforcement of an indenture, declaration
of trust or power of attorney with the exception of constructive and resulting
trusts;
(4) any contract for the sale or other disposition of immovable property,
or any interest in such property;
(5) the conveyance of immovable property or the transfer of any interest
in immovable property;
(6) documents of title for movable or immovable property; or
(7) where such application would involve a construction of a rule of law
that is clearly inconsistent with the manifest intent of the lawmaking
body or repugnant to the context of the same rule of law, provided that
the mere requirement that information be "in writing," "written"
or "printed" shall not by itself be sufficient to establish
such intent.
(b) The Central Government may modify in the public interest, by notification
published in the Official Gazette, the provisions of section (a) by adding,
deleting or amending any class of transactions or matters specified in
that section.
(c) In relation to this Act, electronic records shall not be liable to
stamp duty under the Stamp Act, 1899.
(d) Notwithstanding anything contained in the Telegraph Act, 1885, or
rules made under this Act, it shall be lawful to transmit and receive
records electronically.
5. Variation by Agreement. As between parties involved in generating,
sending, receiving, storing or otherwise processing electronic records,
any provision of Part II or IV of this Act may be varied by agreement
of the parties.
PART II - ELECTRONIC RECORDS AND SIGNATURES GENERALLY
6. Legal Recognition. Except as provided in Section 4 of this Act,
records and signatures shall not be denied legal effect, validity or enforceability
solely on the ground that they are in electronic form.
7. Requirements of Writing. Except as provided in Section 4, where any
rule of law requires any matter to be in writing, that requirement sufficiently
is met by an electronic record if the matter contained therein is accessible
so as to be usable for subsequent reference.
8. Electronic Signatures. Except as provided in Section 4, where any
rule of law requires that a record bear a signature, or provides for certain
consequences if a record is not signed, an electronic signature satisfies
that rule of law if:
(a) a method is used to identify the originator and to indicate the originator's
approval of the information contained in the electronic record; and
(b) that method is as reliable as was appropriate for the purpose for
which the electronic record was generated or communicated, in light of
all of the circumstances, including any relevant agreements among the
parties involved.
9. Original Record.
(a) Where a rule of law requires a record to be
presented or retained in its original form, that requirement is met by
an electronic record if:
(i) there exists reliable assurance as to the integrity of the record
from the time when it was first generated in its final form, as an electronic
record or otherwise; and
(ii) where it is required that a record be presented, that record is capable
of being displayed to the person to whom it is being presented.
(b) Subsection (a) applies whether the requirement referred to therein
is in the form of an obligation or whether the law simply provides consequences
for the record not being presented or retained in its original form.
(c) For the purposes of subsection (a)(i):
(i) the criteria for assessing integrity shall be whether the information
has remained complete and unaltered, apart from the addition of any endorsement
and any change which arises in the normal course of communication, storage
and display; and
(ii) the standard of reliability required shall be assessed in light of
the purpose for which the information was generated and in light of all
the relevant circumstances.
10. Admissibility and Evidentiary Weight of Electronic Records and Electronic
Signatures.
(a) Nothing in the Indian Evidence Act, 1872 or any rules made under this
Act shall apply in any legal proceedings so as to deny the admissibility
of an electronic record or an electronic signature into evidence:
(i) on the sole ground that it is an electronic record or an electronic
signature; or
(ii) on the grounds that it is not in its original form or is not an original.
(b) Information in the form of an electronic record shall be given due evidentiary
weight without regard to the fact that it is an electronic record. In
assessing the evidentiary weight of an electronic record or an electronic
signature, regard shall be given to:
(i) the reliability of the manner in which it was generated, stored or
communicated;
(ii) the reliability of the manner in which its integrity was maintained;
(iii) the manner in which its originator was identified or the electronic
record was signed; and
(iv) any other factor that may be relevant.
(c) Nothing in this section shall be construed to affect the provisions of
Section 4 of this Act.
11. Retention of Electronic Records.
(a) Where any law for the time being in force requires that certain documents,
records or information be retained, whether permanently or for a specified
period, that requirement is satisfied by retaining them in the form of
electronic records if the following conditions are fulfilled:
(i) the electronic record and the information contained therein remains
accessible so as to be usable for subsequent reference;
(ii) the electronic record is retained in the format in which it was originally
generated, sent or received, or in a format which can be demonstrated
to represent accurately the information originally generated, sent or
received; and
(iii) such information as enables the identification of the origin and
destination of an electronic record and the date and time when it was
sent or received, if any, is retained.
(b) An obligation to retain documents, records or information in accordance
with subsection (a) shall not extend to any data the sole purpose of which
is to enable the record to be sent or received.
(c) It shall be lawful for a person to satisfy the retention requirement
referred to in Section 11(a) by using the services of any other person,
if the conditions in Sections 11(a)(i) through (iii) are complied with.
(d) Nothing in this section shall preclude any department or ministry
of the Central Government, State Government or a statutory corporation
under Central or State Government from specifying additional requirements
for the retention of electronic records that are subject to its jurisdiction.
PART III -- SECURE ELECTRONIC RECORDS AND SIGNATURES
12. Secure Electronic Record.
(a) If a prescribed security procedure or a commercially reasonable security
procedure agreed to by the parties involved has been applied to an electronic
record in a trustworthy manner and has been relied upon reasonably and
in good faith by the relying party to verify that the electronic record
has not been altered since a specified point in time, such record shall
be treated as a secure electronic record from such specified point in
time to the time of verification.
(b) For the purposes of this Section 12 and of Section 13, whether a security
procedure is commercially reasonable shall be determined in light of the
procedure used and the commercial circumstances prevailing at the time
the procedure was used, including:
(i) the nature of the transaction;
(ii) the sophistication of the parties;
(iii) the volume of similar transactions engaged in by the parties involved;
(iv) the availability of alternatives offered to but rejected by any party;
(v) the cost of alternative procedures; and
(vi) the procedures in general use for similar types of transactions.
(c) Whether reliance on a security procedure was reasonable and in good
faith shall be determined in light of all the circumstances known to the
relying party at the time of the reliance, with regard to:
(i) the information that the relying party knew or should have known of
at the time of reliance that would suggest that reliance was or was not
reasonable;
(ii) the value or importance of the electronic record, if known;
(iii) any course of dealing between the relying party and the purported sender
and the available indicia of reliability or unreliability apart from the
security procedure;
(iv) any usage of trade, particularly trade conducted by trustworthy systems
or other computer-based means; and
(v) whether the verification was performed with the assistance of an independent
third party.
13. Secure Electronic Signature. If, through the application of a prescribed
security procedure or a commercially reasonable security procedure agreed
to by the parties involved, an electronic signature is executed in a trustworthy
manner and reasonably and in good faith is relied upon by the relying
party, such signature shall be treated as a secure electronic signature
at the time of verification to the extent that it can be verified that
said electronic signature satisfied, at the time it was made, the following
criteria:
(a) it was unique to the person using it;
(b) it was capable of being used to objectively identify such person;
(c) it was created in a manner or using a means under the sole control
of the person using it, that cannot be readily duplicated or compromised;
and
(d) it is linked to the electronic record to which it relates in a manner
such that if the record was changed the electronic signature would be invalidated.
14. Presumptions Relating to Secure Electronic Records and Signatures.
(a) In any civil proceedings involving a secure electronic record, it
shall be presumed, unless the contrary is proved, that the secure electronic
record has not been altered since the specific point in time to which
the secure status relates.
(b) In any civil proceedings involving a secure electronic signature,
the following shall be presumed unless the contrary is proved:
(i) the secure electronic signature is the signature of the person to
whom it correlates; and
(ii) the secure electronic signature was affixed by that person with the
intention of signing or approving the electronic record.
(c) In the absence of a secure electronic record or a secure electronic
signature, nothing in this Part shall create any presumption relating
to the authenticity and integrity of the electronic record or an electronic
signature.
(d) The effect of presumptions provided in this section is to place on
the party challenging the integrity of a secure electronic record or challenging
the genuineness of a secure electronic signature both the burden of going
forward with evidence to rebut the presumption and the burden of persuading
the trier of fact that the nonexistence of the presumed fact is more probable
than its existence.
(e) For the purposes of this section:
(i) "secure electronic record" means an electronic record treated
as a secure electronic record by virtue of Sections 12 or 21; and
(ii) "secure electronic signature" means an electronic signature
treated as a secure electronic signature by virtue of Sections 13 or 22.
PART IV -- ELECTRONIC CONTRACTS
15. Formation and Validity.
(a) In the context of the formation of contracts, unless otherwise agreed
by the parties involved, an offer and the acceptance of an offer may be
expressed by means of electronic records.
(b) Where an electronic record is used in the formation of a contract,
that contract shall not be denied validity or enforceability on the sole
ground that an electronic record was used for that purpose.
(c) A contract may be formed by the interaction of electronic agents.
A contract is formed if the interaction results in the electronic agents'
engaging in operations that confirm or indicate the existence of a contract.
(d) A contract may be formed by the interaction of an electronic agent
and an individual. A contract is formed if the individual has reason to
know that the individual is dealing with an electronic agent and the individual
takes actions or makes a statement that the individual has reason to know
will cause the electronic agent to perform the subject of the contract,
or instruct a person or electronic agent to do so.
16. Effectiveness Between Parties.
As between the originator and the addressee of an electronic record, a declaration
of intent or other statement shall not be denied legal effect, validity
or enforceability solely on the ground that it is in the form of an
electronic record.
17. Attribution.
(a) An electronic record is that of the originator if it was sent by the originator
himself.
(b) As between the originator and the addressee, an electronic record
is deemed to be that of the originator if it was sent:
(i) by a person who had the authority (pursuant to a document in a non-electronic
form) to act on behalf of the originator in respect of that electronic
record; or
(ii) by an information system programmed by or on behalf of the originator
to operate automatically.
(c) As between the originator and the addressee, an addressee is entitled
to regard an electronic record as being that of the originator and to
act on that assumption if:
(i) in order to ascertain whether the electronic record was that of the
originator, the addressee properly and in good faith applied a procedure
previously agreed to by the originator for that purpose; or
(ii) the data message as received by the addressee resulted from the actions
of a person whose relationship with the originator or with any agent of
the originator enabled that person to gain access to a method used by
the originator to identify electronic records as its own.
(d) Section 17(c) shall not apply:
(i) from the time when the addressee has both received notice from the
originator that the electronic record is not that of the originator, and
had reasonable time to act accordingly;
(ii) at any time when the addressee knew or should have known, had it
exercised reasonable care or used any agreed procedure, that the electronic
record was not that of the originator; or
(iii) if in all the circumstances of the case, it is unconscionable for
the addressee to regard the electronic record as that of the originator
or to act on that assumption.
(e) Where an electronic record is that of the originator or is deemed
to be that of the originator, or the addressee is entitled to act on that
assumption, then, as between the originator and the addressee, the addressee
is entitled to regard the electronic record received as being what the
originator intended to send, and to act on that assumption. The addressee
is not so entitled when the addressee knew or should have known, had the
addressee exercised reasonable care or used any agreed procedure, that
the transmission resulted in any error in the electronic record as received.
(f) The addressee is entitled to regard each electronic record received
as a separate electronic record and to act on that assumption, except
to the extent that the addressee duplicates the electronic record or the
addressee knew or should have known, had the addressee exercised reasonable
care or used any agreed procedure, that an electronic record received
from the originator was a duplicate.
(g) Nothing in this section shall affect the law of agency or the law
on the formation of contracts.
18. Acknowledgment of Receipt.
(a) Sections 18(b), (c) and (d) shall
apply where, on or before sending an electronic record, or by means of
that electronic record, the originator has requested or has agreed with
the addressee that receipt of the electronic record be acknowledged.
(b) Where the originator has not agreed with the addressee that the acknowledgment
be given in a particular form or by a particular method, an acknowledgment
may be given by:
(i) any communication by the addressee, automated or otherwise; or
(ii) any conduct of the addressee, sufficient to indicate to the originator
that the electronic record has been received.
(c) Where the originator has stated that the electronic record is conditional
on receipt of the acknowledgment, the electronic record is treated as
though it had never been sent until the acknowledgment is received.
(d) Where the originator has not stated that the electronic record is
conditional on receipt of the acknowledgment, and the acknowledgment has
not been received by the originator within the time specified or agreed,
or if no time has been specified or agreed within a reasonable time, the
originator:
(i) may give notice to the addressee stating that no acknowledgment has
been received and specifying a reasonable time by which the acknowledgment
must be received; and
(ii) if the acknowledgment is not received within the time specified in
Section 18(a), may, upon notice to the addressee, treat the electronic
record as though it has never been sent, or exercise any other rights
it may have.
(e) Where the originator receives the addressee's acknowledgment of receipt,
it is presumed, unless evidence to the contrary is adduced, that the related
electronic record was received by the addressee, but that presumption
does not imply that the content of the electronic record corresponds to
the content of the record received.
(f) Where the received acknowledgment states that the related electronic
record met technical requirements, either agreed upon or set forth in
applicable standards, it is presumed, unless evidence to the contrary
is adduced, that those requirements have been met.
(g) Except as it relates to the sending or receipt of the electronic record,
this section is not intended to address the legal consequences that may
flow either from that electronic record or from the acknowledgment of
its receipt.
19. Time and Place of Dispatch and Receipt
(a) Unless otherwise agreed to between the originator and the addressee,
the dispatch of an electronic record occurs when it enters an information
system outside the control of the originator or the person who sent the
electronic record on behalf of the originator.
(b) Unless otherwise agreed between the originator and the addressee,
the time of receipt of an electronic record is determined as follows:
(i) if the addressee has designated an information system for the purpose
of receiving electronic records, receipt occurs:
(A) at the time when the electronic record enters the designated information
system; or
(B) if the electronic record is sent to an information system of the addressee
that is not the designated information system, at the time when the electronic
record is retrieved by the addressee.
(ii) if the addressee has not designated an information system, receipt
occurs when the electronic record enters an information system of the
addressee.
(c) Section 19(b) shall apply notwithstanding that the place where the
information system is located may be different from the place where the
electronic record is deemed to be received under Section 19(d).
(d) Unless otherwise agreed between the originator and the addressee,
an electronic record is deemed to be dispatched at the place where the
originator has its place of business, and is deemed to be received at
the place where the addressee has its place of business.
(e) For the purposes of this section:
(i) if the originator or the addressee has more than one place of business,
the place of business is that which has the closest relationship to the
underlying transaction or, where there is no underlying transaction, the
principal place of business;
(ii) if the originator or the addressee does not have a place of business,
reference is to be made to the usual place of residence; and
(iii) "usual place of residence" in relation to a body corporate,
means the place where it is incorporated or otherwise legally constituted.
(f) This section shall not apply to such circumstances as may be prescribed.
20. Applicable Law. Where a contract to which this Act applies is
a transnational contract, and a dispute arises out of or in connection
with such contract, the following provisions shall apply:
(a) The dispute shall be decided in accordance with the rule of law designated
by the parties as applicable to the substance of the dispute;
(b) Any designation by the parties of the law or legal system of a given
country shall be construed, unless otherwise expressed, as directly referring
to substantive law of that country and not to its conflict of laws rules;
(c) Failing any such designation of the law under subsection (a) by the
parties the court or arbitral tribunal shall apply the rules of law which
it considers to be appropriate given all the circumstances surrounding
the dispute;
(d) In all cases the court or tribunal shall decide in accordance with
the terms of the contract and shall take into account the usage of the
trade applicable to the transaction;
Explanation:
In this section "transnational contract" means a contract in
which at least one of the parties is (i) an individual who is a national
of or habitually resident in any country other than India; (ii) a body
corporate which is incorporated in any country other than India; (iii)
a company or an association or a body of individuals whose central management
and control is situated in any country other than India; or (iv) the Government
of a foreign country.
PART V -- EFFECT OF DIGITAL SIGNATURES
21. Secure Electronic Record with Digital Signature. The portion of
an electronic record that is signed with a digital signature shall be
treated as a secure electronic record if the digital signature is a secure
electronic signature by virtue of Section 13.
22. Digital Signature as a Secure Electronic Signature. When any portion
of an electronic record is signed with a digital signature, the digital
signature shall be treated as a secure electronic signature with respect
to such portion of the record, if:
(a) the digital signature was created during the operational period of
a valid certificate and is verified by reference to the public key listed
in such certificate; and
(b) the certificate is considered trustworthy, in that it is an accurate
binding of a public key to a person's identity because the following requirements
have been fulfilled:
(i) the certificate was issued by a certification authority operating
in compliance with the rules made under this Act;
(ii) the certificate was issued by a certification authority outside India
recognized for this purpose by the Controller pursuant to rules made under
this Act;
(iii) the certificate was issued by a department or ministry of the Central
Government, State Government or a statutory corporation of Central or
State Government approved by Central Government to act as a certification
authority on such conditions as the Controller may by rules impose or
specify; or
(iv) the parties have expressly agreed between themselves (originator
and addressee) to use digital signatures as a security procedure, and
the digital signature was properly verified by reference to the originator's
public key.
23. Unreliable Digital Signatures. Unless otherwise provided by a rule
of law or contract, a person relying on a digitally signed electronic
record assumes the risk that the digital signature is invalid as a signature
or authentication of the signed electronic record, if reliance on the
digital signature is not reasonable under the circumstances having regard
to the following factors:
(a) facts which the person relying on the digitally signed electronic
record knows or has notice of, including all facts listed in the certificate
or incorporated in it by reference;
(b) the value or importance of the digitally signed record, if known;
(c) the course of dealing between the person relying on the digitally
signed electronic record and the subscriber and any available indicia
of reliability or unreliability apart from the digital signature; and
(d) usage of trade, particularly trade conducted by trustworthy systems
or other electronic means.
PART VI -- GENERAL DUTIES RELATING TO DIGITAL SIGNATURES
24. Foreseeability of Reliance on Certificates. It may be presumed
that persons relying on a digital signature also will rely on a valid
certificate containing the public key by which the digital signature can
be verified.
25. Prerequisites to Disclosure of Certificate. A person shall not
publish a certificate or otherwise make it available to anyone known by
that person to be in a position to rely on the certificate or on a digital
signature that is verifiable with reference to a public key listed in
the certificate, if such person knows that:
(a) the certification authority listed in the certificate has not issued
it;
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended, unless such publication
is for the purpose of verifying a digital signature created prior to such
suspension or revocation.
26. Publication for Fraudulent Purpose. Any person who knowingly creates,
publishes or otherwise makes available a certificate for any fraudulent
or unlawful purpose shall be guilty of an offense and shall be liable
on conviction to imprisonment for a term not exceeding 2 years or a fine
not exceeding Rs.1,00,000 or both.
27. False or Unauthorized Request. Any person who knowingly misrepresents
to a certification authority his identity or authorization for the purpose
of requesting a certificate or for suspension or revocation of a certificate
shall be guilty of an offense and shall be liable on conviction to imprisonment
for a term not exceeding 6 months or a fine not exceeding Rs. 50,000 or
both.
PART VII - DUTIES OF CERTIFICATION AUTHORITIES
28. Trustworthy System. Except as otherwise conspicuously set forth
in its certification practice statement, a certification authority and
a person maintaining a repository must:
(a) maintain and utilize trustworthy systems and operate in a trustworthy
manner in performing its services;
(b) possess the reliability necessary for offering certification services;
(c) employ personnel which possess the expert knowledge, experience and
qualifications necessary for the offered services;
(d) record and retain records of all relevant information concerning a
certificate for an appropriate period of time, in particular to be able
to provide evidence of certification in the context of a dispute or lawsuit;
and
(e) publish all relevant information concerning the proper and secure
use of certification services and established procedures for complaints
and dispute resolution and settlement.
29. Disclosure by Certification Authorities.
(a) A certification authority shall disclose the following:
(i) its certificate that contains the public key corresponding to the
private key used by that certification authority to digitally sign another
certificate (defined for purposes of this section as a certification authority
certificate);
(ii) any relevant certification practice statement;
(iii) notice of any revocation or suspension of its certification authority
certificate; and
(iv) any other fact that materially and adversely affects
either the reliability of a certificate that the authority has issued
or the authority's ability to perform its services.
(b) In the event of an occurrence that materially and adversely affects
a certification authority's trustworthy system or its certification authority
certificate, the certification authority shall act in accordance with
procedures governing such an occurrence specified in its certification
practice statement or, in the absence of such procedures, use reasonable
efforts to notify any person who is known to be or reasonably foreseeably
will be affected by that occurrence.
30. Issuing of Certificate. A certification authority may issue a certificate
to a prospective subscriber only after the certification authority has
received a request for issuance from the prospective subscriber and
(a) if it has a certification practice statement, complied with all of
the practices and procedures set forth in such certification practice
statement including procedures regarding identification of the prospective
subscriber; or
(b) in the absence of a certification practice statement addressing these
issues, or if the parties involved have not entered into an agreement
specifically providing otherwise, confirmed by itself or through an authorized
agent that the following is the case:
(i) the prospective subscriber is the person to be listed in the certificate
to be issued;
(ii) if the prospective subscriber is acting through one or more agents,
the subscriber authorized the agent to have custody of the subscriber's
private key and to request issuance of a certificate listing the corresponding
public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding
to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating
a digital signature; and
(vi) the public key to be listed in the certificate can be used to verify
a digital signature affixed by the private key held by the prospective
subscriber.
31. Representations Upon Issuance of Certificate.
(a) By issuing a certificate, a certification authority represents, to
any person who reasonably relies on the certificate or a digital signature
verifiable by the public key listed in the certificate, that the certification
authority has processed, approved and issued, and will manage and if necessary
suspend or revoke the certificate, in accordance with any applicable certification
practice statement incorporated by reference in the certificate, or of
which the relying person has notice.
(b) In the absence of such a certification practice statement, the certification
authority represents that it has confirmed the following:
(i) the certification authority has complied with all applicable requirements
of this Act and other appropriate authority in issuing the certificate
and, if the certification authority has published the certificate or otherwise
made it available to such relying person, that the subscriber listed in
the certificate has accepted it;
(ii) the subscriber identified in the certificate holds the private key
corresponding to the public key listed in the certificate;
(iii) the certification authority has verified the identity of the subscriber
to the extent stated in the certificate or its applicable certification
practice statement or, in lieu thereof, that the certificate authority
has reasonably verified the identity of the subscriber;
(iv) the subscriber's public key and private key constitute a functioning
key pair;
(v) all information in the certificate is accurate, unless the certification
authority has stated in the certificate or incorporated by reference in
the certificate a statement that the accuracy of specified information
is not confirmed; and
(vi) that the certification authority has no knowledge of any material
fact which if it had been included in the certificate would adversely
affect the reliability of the representations in this section.
(c) Where there is an applicable certification practice statement which
has been incorporated by reference in the certificate, or of which the
relying person otherwise has notice, subsection (b) shall apply to the
extent that the representations are not inconsistent with the certification
practice statement.
(d) Certification authorities shall keep and maintain as current a publicly
accessible electronic register of certificates issued, indicating the
time when any individual certificate expires or when it was suspended
or revoked.
(e) Notwithstanding subsection (a) through (d), if a certification authority
issued the certificate subject to the laws of another jurisdiction, the
certification authority makes all warranties and representations, if any,
otherwise applicable under the law governing its issuance.
32. Fiduciary Relationship. (a) A certification authority is a fiduciary
to a subscriber where a certification authority holds that subscriber's
private key or where provided by contract among the parties involved.
(b) A certification authority is not otherwise a fiduciary to a subscriber
and is not a fiduciary to any relying party, except where otherwise expressly
provided by contract or law.
33. Financial Responsibility. A certification authority must have sufficient
financial resources:
(a) to maintain its operations in conformity with its duties; and
(b) to be reasonably able to bear its risk of liability to subscribers
and other relying parties relying on certificates issued by the certification
authority and digital signatures verifiable by reference to public keys
listed in such certificates.
34. Suspension of Certificate. (a) Unless the certification authority
and the subscriber agree otherwise, the certification authority that issued
a certificate shall suspend the certificate as soon as possible after
receiving a request by a person whom the certification authority reasonably
believes to be one of the following:
(i) the subscriber listed in the certificate;
(ii) a person duly authorized to act for that subscriber; or
(iii) a person acting on behalf of that subscriber, who is unavailable.
(b) Except as otherwise specifically provided in its certification practice
statement, or unless the certification authority and the subscriber agree
otherwise, a certification authority that issued a certificate shall suspend
the certificate as soon as possible after confirmation by the certification
authority that:
(A) a material fact represented in the certificate is false;
(B) a material requirement for issuance of the certificate was not satisfied;
(C) the certification authority's private key or trustworthy system was
compromised in a manner materially affecting the certificate's reliability;
or
(D) the subscriber's private key has been compromised.
(c) Immediately upon suspension of a certificate by a certification authority,
the certification authority shall notify the subscriber and relying parties
in accordance with its certification practice statement or, in the absence
of such statement, shall promptly notify the subscriber, promptly publish
a signed notice of the suspension in the repository specified in the certificate
for publication of notice of suspension, and otherwise disclose the fact
of suspension on inquiry by any relying party. Where one or more repositories
are specified, the certification authority shall publish signed notices
of the suspension in all such repositories.
35. Revocation of Certificate
(a) Except as otherwise specifically provided in its certification practice
statement, or unless the certification authority and the subscriber agree
otherwise, a certification authority shall revoke a certificate that it
issues upon the occurrence of the following:
(i) receiving a request for revocation by the subscriber named in the
certificate, and confirming that the person requesting revocation is the
subscriber or is an agent of the subscriber with authority to request
the revocation;
(ii) receiving a certified copy of the subscriber's death certificate,
or upon confirming by other verifiable evidence that the subscriber is
dead;
(iii) upon presentation of documents effecting a corporate dissolution
of the subscriber or upon confirming by other verifiable evidence that
the subscriber has been dissolved or has ceased to exist; or
(iv) confirmation by the certification authority that of the following
events has occurred, provided that no such revocation may be made until
the subscriber has had a reasonable opportunity for a hearing:
(A) a material fact represented in the certificate is false;
(B) a material requirement for issuance of the certificate was not satisfied;
(C) the certification authority's private key or trustworthy system was
compromised in a manner materially affecting the certificate's reliability;
or
(D) the subscriber's private key has been compromised.
(b) Upon effecting such a revocation, the certification authority shall
immediately provide notice as follows:
(i) immediately upon revocation of a certificate by a certification authority,
the certification authority shall promptly notify the subscriber listed
in the revoked certificate (if not deceased, dissolved or ceased to exist)
and any relying parties in accordance with its certification practice
statement or, in the absence of such statement, shall promptly notify
the subscriber, promptly publish a signed notice of the revocation in
the repository specified in the certificate for publication of notice
of revocation, and otherwise disclose the fact of revocation on inquiry
by a relying party; and
(ii) where one or more repositories are specified, the certification authority
shall publish signed notices of the revocation in all such repositories.
PART VIII -- DUTIES OF SUBSCRIBERS
36. Generating A Key Pair.
(a) If the subscriber generates the key pair whose public key is to be
listed in a certificate issued by a certification authority and accepted
by the subscriber, the subscriber shall generate that key pair using a
trustworthy system.
(b) This section shall not apply to a subscriber who generates the key
pair using a system approved by the certification authority.
37. Obtaining A Certificate. All material representations made by the subscriber to
a certification authority for purposes of obtaining a certificate, including
all information known to the subscriber and represented in the certificate,
shall be accurate and complete to the best of the subscriber's knowledge
and belief, regardless of whether such representations are confirmed by
the certification authority.
37. Acceptance of Certificate.
(a) A subscriber shall be deemed to have accepted a certificate if that
subscriber:
(i) publishes or authorizes the publication of a certificate in one of
the following ways:
(A) to one or more persons; or
(B) in a repository; or
(ii) otherwise demonstrates approval of a certificate while knowing or
having notice of its contents.
(b) By accepting a certificate issued by a certification authority, the
subscriber listed in the certificate certifies to all who reasonably rely
on the information contained in the certificate as follows:
(i) that the subscriber rightfully holds the private key corresponding
to the public key listed in the certificate;
(ii) that all material representations made by the subscriber to the certification
authority and material to the information listed in the certificate are
true; and
(iii) that all information in the certificate that is within the knowledge
of the subscriber is true.
38. Control of Private Key.
(a) By accepting a certificate issued by a certification authority, the
subscriber identified in the certificate assumes a duty to exercise reasonable
care to retain control of the private key corresponding to the public
key listed in such certificate and to prevent its disclosure to any person
not authorized to create the subscriber's digital signature.
(b) Such duty shall continue during the operational period of the certificate
and during any period of suspension of the certificate.
39. Initiating Suspension or Revocation. A subscriber who has accepted
a certificate shall as soon as possible notify the issuing certification
authority and request said authority to suspend or revoke the certificate
if the private key corresponding to the public key listed in the certificate
has been compromised.
PART IX -- REGULATION OF CERTIFICATION AUTHORITIES AND REPOSITORIES
40. Appointment of Controller and Other Officers
(a) The Central Government shall appoint a Controller of Certification
Authorities for the purpose of this Act and, in particular, for the purposes
of licensing, certifying, monitoring and overseeing the activities of
certification authorities.
(b) The Controller may, after consultation with the Central Government,
appoint such number of Deputy and Assistant Controllers of Certification
Authorities and officers as the Controller considers necessary to exercise
and perform all or any of the powers and duties of the Controller under
this Act or rules made under this Act, except for the Controller's power
to direct compliance as set forth in Section 54 of this Act.
(c) The Controller, the Deputy and Assistant Controllers and officers
appointed by the Controller under Section 41 shall exercise, discharge
and perform the powers, duties and functions conferred on the Controller
under this Act or any rules made under this Act, subject to such written
directions as may be issued by the Central Government to the Controller
and subject to Section 54 of this Act.
(d) The Controller shall maintain a publicly accessible database containing
a certification authority disclosure record for each certification authority
which shall contain all the particulars required under the rules made
under this Act.
(e) The Controller may investigate complaints or other information indicating
violations of rules adopted under this Act, and may refer for prosecution
any suspected or alleged violations to the appropriate government agency.
(f) In the application of the provisions of this Act to certificates issued
by the Controller and digital signatures verified by reference to those
certificates, the Controller shall be deemed to be a certification authority.
(g) The Controller, the Deputy, Assistant Controller and officers appointed
by the Controller shall be deemed to be public servants for the purposes
of the Penal Code.
(h) In exercising any of the powers under this Act, any officer appointed
by the Controller shall on demand produce to the person against whom he
is acting the authority issued to him by the Controller.
41. Recognition of Foreign Certification Authorities
(a) Certificates issued by a foreign certification authority, and signatures
and records complying with the laws of another jurisdiction relating to
digital or other electronic signatures, are recognized as legally equivalent
to certificates issued by certification authorities operating under this
Act, and to the signatures and records complying with this Act, if the
laws of the other jurisdiction and the practices of the foreign certification
authority require a level of reliability at least equivalent to that required
for such certificates, records and signatures under this Act.
(b) Notwithstanding the preceding paragraph, the Controller and parties
to commercial and other transactions may specify that a particular certification
authority, class of certification authorities or class of certificates
must be used in connection with messages or signatures submitted to them.
(c) The determination of equivalence described in subsection (a) may be
made by a published determination of the Controller in the Official Gazette
or through bilateral or multilateral agreement with other jurisdictions.
The determination of equivalence shall be made with regard to the following
factors:
(i) financial and human resources, including existence of assets within
jurisdiction;
(ii) trustworthiness of hardware and software systems;
(iii) procedures for processing of certificates and applications for
certificates and retention of records;
(iv) availability of information to subscribers identified in certificates
and to potential relying parties;
(v) regularity and extent of audit by an independent body;
(vi) the existence of a declaration by the jurisdiction, an accreditation
body or the certification authority regarding compliance with or existence
of the foregoing;
(vii) susceptibility to the jurisdiction of the courts of the enacting
jurisdiction; and
(viii) the degree of discrepancy between the law applicable to the liability
of the certification authority and the law of the enacting jurisdiction.
42. Recommended Reliance Limit
(a) A certification authority may, in issuing a certificate to a subscriber,
specify a recommended reliance limit in the certificate.
(b) The certification authority may specify different limits in different
certificates as it deems appropriate.
43. Liability Limits for Certification Authorities. Unless a certification
authority expressly waives the application of this section, a certification
authority shall not be liable for the following:
(a) For any loss caused by reliance on a false or forged digital signature
of a subscriber if, with respect to the false or forged digital signature,
the certification authority complied with the requirements of this Act
and applicable regulations; and
(b) For an amount in excess of the amount specified in the certificate
as its recommended reliance limit for either:
(i) a loss caused by reliance on a misrepresentation in the certificate
of any fact that the certification authority is required to confirm; or
(ii) intentional or knowing failure to comply with any provisions of this
Act in issuing the certificate, unless such failure to comply was done
intentionally or knowingly.
44. Recognition of Repositories.
(a) The Controller may recognize one or more repositories after determining
that a repository to be recognized satisfies the requirements prescribed
in the regulations made under this Act.
(b) The Controller shall publish a list of recognized repositories in
such form and manner as he may determine.
45. Liability of Repositories.
(a) Notwithstanding any disclaimer by the repository or any contract to
the contrary between the repository and a certification authority or a
subscriber, a repository shall be liable for a loss incurred by a person
reasonably relying on a digital signature verified by the public key listed
in a suspended or revoked certificate, if loss was incurred more than
one business day after receipt by the repository of a request to publish
notice of the suspension or revocation, and the repository had failed
to publish the notice when the person relied on the digital signature.
(b) Unless waived, a recognized repository or the owner or operator of
a recognized repository:
(i) shall not be liable for failure to record publication of a suspension
or revocation, unless the repository has received notice of publication
and one business day has elapsed since the notice was received;
(ii) shall not be liable under subsection (a) in excess of the amount
specified in the certificate as the recommended reliance limit;
(iii) shall not be liable under subsection (a) for:
(A) punitive or exemplary damages; or
(B) damages for pain or suffering;
(iv) shall not be liable for misrepresentation in a certificate published
by a certification authority;
(v) shall not be liable for accurately recording or reporting information
which a certification authority, a court or the Controller has published
as required or permitted under this Act, including information about the
suspension or revocation of a certificate; and
(vi) shall not be liable for reporting information about a certification
authority, a certificate or a subscriber, if such information is published
as required or permitted under this Act or is published by order of the
Controller in the exercise of his powers under this Act.
PART X - GOVERNMENT USE OF ELECTRONIC RECORDS AND SIGNATURES
46. Acceptance of Electronic Filing and Issue of Documents.
(a) Any department or ministry of Central Government, State Government
or a statutory corporation under Central or State Government that, pursuant
to any enactment:
(i) accepts the filing of documents or requires that documents be created
or retained;
(ii) issues any permit, license or approval; or
(iii) provides for the method and manner of payment,
may, notwithstanding anything to the contrary in such enactment:
(A) accept the filing of such documents, or the creation or retention
of such documents, in the form of electronic records;
(B) issue such permit, license or approval in the form of electronic records;
or
(C) make such payment in electronic form.
(b) In any case where a department or ministry of Central Government,
State Government or a statutory corporation under Central or State Government
decides to perform any of the functions in subsection (a)(i), (ii), or
(iii), such agency may specify:
(i) the manner and format in which such electronic records shall be filed,
created, retained or issued;
(ii) where such electronic records are required to be signed, the type
of electronic signature required (including, if applicable, a requirement
that the sender use a secure electronic signature);
(iii) the manner and format in which such signature shall be affixed to
the electronic record, and the identity of or criteria that shall be met
by any certification authority used by the person filing the document;
(iv) control processes and procedures as appropriate to ensure adequate
integrity, security and confidentiality of electronic records or payments;
and
(v) any other required attributes for electronic records or payments that
are currently specified for corresponding paper documents.
(c) Nothing in this Act shall by itself compel any department or ministry
of the Central Government, State Government or a statutory corporation
under Central or State Government to accept or issue any document in the
form of electronic records.
PART XI -- LIABILITY OF NETWORK SERVICE PROVIDERS
47. Liability of Network Service Providers.
(a) A network service provider shall
not be subject to any civil or criminal liability under any rule of law
in respect of third party material in the form of electronic records to
which such provider merely provides access if such liability is founded
on:
(i) the making, publication, dissemination or distribution of such materials
or any statement made in such material; or
(ii) the infringement of any rights subsisting in or in relation to such
material.
(b) Nothing in this section shall affect:
(i) any obligation of the network service provider founded on principles
of contract law;
(ii) the obligation of a network service provider as such under a licensing
or other regulatory regime established under any enactment for the time
being in force; or
(iii) any obligation imposed under any enactment for the time being in
force or by a court to remove, block or deny access to any material;
(iv) the provisions of Section 52 of this Act.
(c) Nothing in clause (a) of this section shall render a network service
provider immune from liability for any violation of law for the time being
in force (including provisions of this Act) committed intentionally or
knowingly.
PART XII - COMPUTER CRIME
48. Computer Crime. For the purpose of this Act, any person who commits
any of the following acts is guilty of an offense of computer crime:
(a) Intentionally accesses, damages or conceals, or attempts to access,
damage or conceal, temporarily or permanently, any computer data base,
computer, information system or computer network, without permission from
the owner, in order to either:
(i) wrongfully control, obtain, make use of or prevent others from deriving
the benefits of money, property, data or electronic records;
(ii) copy or destroy any data or electronic records;
(iii) use or disrupt any functions of computers, computer networks or
information systems; or
(iv) commit any act that is an offense under the Indian Penal Code.
(b) Knowingly, and with the intent to defraud, obtains or attempts to
obtain any computer services by false representation, false statement
or unauthorized charging to the account of another, by installing or tampering
with any facilities or equipment, or by any other means.
(c) Intentionally or recklessly introduces or allows the introduction
of any computer virus into any computer, computer system or computer network
without permission of the owner.
49. Penalties
(a) Any person who commits the offense of computer crime as set forth
in the provisions of Section 49(a) of this Act is punishable as follows:
(i) For the first offense that does not result in damage, by imprisonment
up to 1 year or by a fine not to exceed Rs. 1,00,000 or both;
(ii) For second or subsequent offenses, or in cases where damage occurs,
by imprisonment up to three years or by a fine up to Rs. 2,00,000, or
by both, and if government or public property is injured, by imprisonment
up to three years or by a fine up to Rs. 5,00,000 or both;
(b) Any person who commits offense as under Section 49(b) of this Act
shall be punishable as follows:
(i) For the first offense which does not result in damage, and where the
value of the computer services used does not exceed Rs. 10,000, by a fine