Cyber Laws and Regulations — Revision Notes

Version 1 · Updated 7 Mar 2026

⚡ 30-Second Revision

  • IT Act, 2000: Primary cyber law. Amended 2008.
  • Key Sections: S.43 (damage), S.66 (computer offences), S.67 (obscene material), S.69 (interception), S.70 (Protected System/CII), S.72 (confidentiality breach), S.79 (intermediary liability).
  • DPDP Act, 2023: Data protection law.
  • Key Concepts (DPDP): Data Fiduciary, Data Principal, Consent, Data Protection Board of India (DPBI).
  • Regulatory Bodies: CERT-In (incident response), NCIIPC (CII protection).
  • Landmark Cases: Shreya Singhal (2015 - S.66A struck down), Puttaswamy (2017 - Right to Privacy as fundamental).
  • International: Budapest Convention (India not signatory), UN GGE (norms).

2-Minute Revision

India's cyber legal framework is primarily built upon the Information Technology Act, 2000 (IT Act), which provides legal recognition for electronic transactions and addresses cybercrimes. The 2008 amendment significantly broadened its scope, introducing new offences and strengthening penalties.

Key sections to remember include S.43 (damage to computer), S.66 (computer-related offences), S.67 (obscene material), S.69 (government's power to intercept), S.70 (Protected Systems/Critical Information Infrastructure), S.72 (breach of confidentiality), and S.79 (intermediary liability, offering 'safe harbour').

Complementing this, the Digital Personal Data Protection Act, 2023 (DPDP Act), is a landmark legislation focused entirely on safeguarding digital personal data. It defines Data Fiduciaries (entities processing data) and Data Principals (individuals), emphasizing principles like consent, purpose limitation, and accountability. It also establishes the Data Protection Board of India (DPBI) for enforcement.

Operational agencies include CERT-In (Indian Computer Emergency Response Team) for incident response and NCIIPC (National Critical Information Infrastructure Protection Centre) for protecting vital digital assets.

Landmark Supreme Court judgments like Shreya Singhal v. Union of India (2015), which struck down Section 66A, and Justice K.S. Puttaswamy v. Union of India (2017), which declared the Right to Privacy a fundamental right, have profoundly shaped this legal landscape.

India, while not a signatory to the Budapest Convention, aligns with many international norms for cybersecurity.

5-Minute Revision

The evolution of India's cyber legal framework reflects a dynamic response to technological advancements and evolving threats. The Information Technology Act, 2000 (IT Act), initially focused on legalizing e-commerce and e-governance, was significantly bolstered by the 2008 amendment to address a wider array of cybercrimes.

Key provisions include Section 43 (civil penalties for damage to computer systems), Section 66 (criminal penalties for computer-related offences), Section 67 (publishing obscene material), Section 69 (government's power for interception and monitoring, a critical point for privacy debates), Section 70 (designation of Critical Information Infrastructure as 'Protected Systems' protected by NCIIPC), Section 72 (breach of confidentiality), and Section 79 (intermediary liability, providing 'safe harbour' to platforms under certain conditions).

The Digital Personal Data Protection Act, 2023 (DPDP Act), marks a paradigm shift towards a comprehensive, rights-based data protection regime. Driven by the Justice K.S. Puttaswamy judgment (2017), which declared the Right to Privacy a fundamental right, the DPDP Act introduces concepts like Data Fiduciary (data processor) and Data Principal (individual whose data is processed), emphasizing consent, data minimization, and accountability.

It also establishes the Data Protection Board of India (DPBI) for enforcement and allows cross-border data transfers to notified countries, balancing global trade with data security.

Operational cybersecurity is managed by CERT-In (Indian Computer Emergency Response Team), the national nodal agency for incident response, and NCIIPC (National Critical Information Infrastructure Protection Centre), dedicated to protecting vital national digital assets.

Judicial interpretations have been crucial, notably Shreya Singhal v. Union of India (2015), which struck down the controversial Section 66A, reinforcing freedom of speech. Challenges include keeping pace with emerging technologies (AI, blockchain), ensuring effective implementation across diverse sectors, and continuously balancing national security imperatives with fundamental rights, a core tension in India's digital governance.

Prelims Revision Notes

  1. IT Act, 2000: Legal recognition for e-transactions, digital signatures. Amended 2008.
  2. Section 43: Civil penalty for unauthorized access, data theft, virus introduction (up to 5 lakh fine + compensation).
  3. Section 66: Criminal penalty for acts under S.43 (up to 3 years imprisonment, 5 lakh fine).
  4. Section 67: Publishing/transmitting obscene electronic material (imprisonment, fine).
  5. Section 69: Govt. power to intercept/monitor/decrypt for national security, public order, etc. (Controversial).
  6. Section 70: Protected System (Critical Information Infrastructure - CII). Unauthorized access: 10 years imprisonment.
  7. Section 70A: Establishes NCIIPC.
  8. Section 70B: Establishes CERT-In.
  9. Section 72: Breach of confidentiality and privacy (2 years imprisonment, 1 lakh fine).
  10. Section 79: Intermediary liability (safe harbour if due diligence followed).
  11. DPDP Act, 2023: Comprehensive data protection law.
  12. Data Fiduciary: Determines purpose/means of data processing.
  13. Data Principal: Individual whose data is processed.
  14. Key Principles (DPDP): Consent, purpose limitation, data minimization, accuracy, storage limitation, accountability.
  15. Data Protection Board of India (DPBI): Enforcement body for DPDP Act.
  16. Cross-border Data Flow (DPDP): Allowed to notified countries. No strict data localization.
  17. CERT-In: National nodal agency for cyber incident response.
  18. NCIIPC: Protects Critical Information Infrastructure (CII).
  19. Shreya Singhal v. Union of India (2015): Struck down IT Act Section 66A (offensive content), upheld free speech.
  20. Justice K.S. Puttaswamy v. Union of India (2017): Declared Right to Privacy as fundamental right (Article 21).
  21. Budapest Convention: International treaty on cybercrime. India is not a signatory but aligns with principles.
  22. Digital Evidence: Admissible under Indian Evidence Act (S.65A, 65B) with conditions (certificate, chain of custody).

Mains Revision Notes

  1. Evolution of Framework: From IT Act 2000 (e-commerce, cybercrime) to DPDP Act 2023 (privacy-centric, rights-based). Highlight the shift from reactive to proactive, and from broad regulation to specific data protection.
  2. IT Act Core: Understand the purpose and implications of key sections (S.43, 66, 67, 69, 70, 72, 79). Analyze S.69 and S.79 for their impact on state power, privacy, and free speech.
  3. DPDP Act Significance: Rooted in Puttaswamy judgment (Right to Privacy). Focus on its principles (consent, accountability), roles (Data Fiduciary, Data Principal), and the DPBI. Discuss its balance between privacy and economic needs (cross-border data flow).
  4. Institutional Roles & Challenges: Differentiate CERT-In (incident response) and NCIIPC (CII protection). Analyze their effectiveness, coordination, and challenges (capacity, tech obsolescence, jurisdictional issues). The DPBI's role as an independent regulator is key.
  5. Balancing Act (Security vs. Privacy): This is a recurring theme. Use S.69 (surveillance) vs. Puttaswamy (privacy) and S.66A (struck down by Shreya Singhal for free speech) as examples. Discuss intermediary liability (S.79) in this context.
  6. Digital Evidence: Understand admissibility (Evidence Act S.65A/B), challenges (volatility, chain of custody), and legal safeguards.
  7. International Context: India's stance on Budapest Convention, engagement in UN GGE, and bilateral agreements for cyber cooperation.
  8. Emerging Challenges: Be prepared to discuss the regulatory implications of AI, blockchain, IoT, and quantum computing on existing laws.
  9. Vyyuha Analysis: Critically evaluate the framework's strengths (comprehensive, rights-based) and weaknesses (implementation gaps, tech lag, balancing competing interests). Propose solutions.

Vyyuha Quick Recall

Vyyuha Quick Recall: CYBER-LAWS Framework

  • C - Crimes (IT Act S.43, 66, 67)
  • Y - Year (IT Act 2000, Amended 2008; DPDP Act 2023)
  • B - Board (Data Protection Board of India - DPBI)
  • E - Evidence (Digital Evidence, S.65A/B Evidence Act)
  • R - Regulators (CERT-In, NCIIPC)

  • L - Landmark Judgments (Shreya Singhal, Puttaswamy)
  • A - Access/Interception (IT Act S.69)
  • W - Web Intermediaries (IT Act S.79 Liability)
  • S - Security & Privacy (Core balance, DPDP Act)
