BharatNotes
What is the IT Act, 2000?
The Information Technology Act, 2000 is India's primary legislation governing cybercrime, electronic commerce, and digital governance. It was notified on 17 October 2000 and is based on the UNCITRAL Model Law on Electronic Commerce, 1996. The Act provides legal recognition to electronic records and digital signatures, enabling e-governance and e-commerce in India.
The IT Act was significantly amended in 2008 to broaden its scope, adding provisions on data protection (Section 43A), cyber terrorism (Section 66F), identity theft (Section 66C), and the establishment of CERT-In (Section 70B). The 2011 Rules under the Act introduced the first intermediary guidelines. Subsequent amendments in 2021, 2023, 2025, and 2026 have progressively tightened obligations on digital platforms.
The most recent IT Amendment Rules, 2026 (effective 20 February 2026) represent a landmark shift, introducing comprehensive regulation of AI-generated content and deepfakes, mandatory labelling of synthetic content, and compressed 3-hour takedown timelines for unlawful content.
Key Features
| # | Feature | Details |
|---|---|---|
| 1 | Enacted | 9 June 2000 (notified 17 October 2000); based on UNCITRAL Model Law |
| 2 | Scope | Cybercrime, e-governance, digital signatures, data protection, intermediary liability |
| 3 | Section 43 | Penalty for unauthorised access to computer systems |
| 4 | Section 65 | Tampering with computer source documents |
| 5 | Section 66 | Computer-related offences (hacking); Section 66F — cyber terrorism (life imprisonment) |
| 6 | Section 69 | Government power to intercept, monitor, or decrypt information |
| 7 | Section 70B | Establishment of CERT-In as national cyber security nodal agency |
| 8 | Section 79 | Safe harbour for intermediaries — conditional on compliance with due diligence rules |
| 9 | 2008 Amendment | Added cyber terrorism, identity theft, data protection, CERT-In provisions |
| 10 | 2026 Rules | Deepfake regulation, mandatory AI labelling, 3-hour takedown, grievance redressal reform |
Current Status / Latest Data
- IT Amendment Rules, 2025 (effective 15 November 2025): Tightened takedown procedures — only officers of Joint Secretary rank or above can issue removal orders; orders must specify legal basis and exact content identifiers.
- IT Amendment Rules, 2026 (effective 20 February 2026): Introduced Synthetically Generated Information (SGI) definition; mandated 3-hour takedown for AI misinformation, 2-hour takedown for deepfake intimate imagery; required mandatory labelling of all AI-generated content.
- Platforms with 5 million+ users classified as Significant Social Media Intermediaries (SSMIs) with enhanced compliance obligations.
- The Digital Personal Data Protection Act, 2023 works alongside the IT Act to regulate personal data processing.
- The proposed Digital India Act (successor to IT Act 2000) is under development to provide a comprehensive legal framework for India's digital economy.
UPSC Exam Corner
Prelims: Key Facts
- IT Act enacted in 2000, based on UNCITRAL Model Law on E-Commerce, 1996
- Section 66F — cyber terrorism (punishable with life imprisonment)
- Section 69 — government's power to intercept/decrypt digital communications
- Section 70B — CERT-In; Section 79 — safe harbour for intermediaries
- 2008 Amendment was the most comprehensive overhaul of the original Act
Mains: Probable Themes
- Evaluate the IT Act 2000 as a framework for India's cyber security — is it adequate for the AI age?
- Balancing surveillance powers (Section 69) with the right to privacy (Puttaswamy judgment, 2017)
- Safe harbour provisions (Section 79) — should platforms bear greater responsibility for user content?
- Regulation of deepfakes and AI-generated content under the 2026 Amendment Rules
- Need for a new Digital India Act to replace the two-decade-old IT Act
Sources: MeitY — IT Act 2000, India Code — IT Act, Drishti IAS — IT Amendment Rules 2026, S.S. Rana — IT Rules 2026
