UNIT-2

Certifying Authorities Under the Information Technology Act, 2000, and Their
Roles and Functions
The Information Technology Act, 2000 (IT Act) establishes Certifying Authorities (CAs) as
critical entities in India’s digital ecosystem, responsible for issuing and managing electronic
signatures, including digital signatures, to ensure secure and legally valid electronic
transactions. CAs are licensed by the Controller of Certifying Authorities (CCA) and play a
pivotal role in maintaining trust, security, and reliability in the electronic signature regime.
Below is a detailed explanation of Certifying Authorities, their roles, functions, duties, and
powers, based on the provided text.

What are Certifying Authorities?

A Certifying Authority is a legal entity in India, duly licensed by the Controller of Certifying
Authorities under the provisions of the Information Technology Act, 2000, as amended. Their
primary function is to issue Electronic Signature Certificates (ESCs), including Digital Signature
Certificates (DSCs), which authenticate electronic records and ensure their legal validity. CAs act
as trusted third parties that verify the identity of subscribers and link their public keys to their
identities, facilitating secure e-commerce, e-governance, and other digital transactions.

 Legal Framework: The IT Act, particularly Sections 30-39, outlines the mandatory
procedures, duties, and responsibilities of CAs to ensure security, compliance, and public
trust.

 Examples: Licensed CAs in India include e-Mudhra, CCA India, and others authorized by
the CCA.

Roles and Functions of Certifying Authorities

Certifying Authorities are entrusted with a range of roles, functions, duties, and powers under
the IT Act, 2000, to support the electronic signature ecosystem. These are detailed below, based
on the provided text:

1. Issuance of Electronic Signature Certificates (Section 35)

 Role: CAs are responsible for issuing Electronic Signature Certificates (ESCs), including
Digital Signature Certificates (DSCs), to subscribers who apply for them.

 Process:
 o Application: A subscriber must submit an application in the prescribed form, as
per Section 35(1) and Rule 23(a) of the IT (Certifying Authorities) Rules, 2000.
The form, outlined in Schedule IV, varies for individuals, Hindu Undivided
Families (HUFs), local authorities, and government organizations, requiring
details like identity proof, contact information, date of birth, credit card details,
PAN number, and bank details.

o Fees: The application must include a fee, not exceeding ₹25,000, as prescribed by
the Central Government (Section 35(2)). Different fees may apply for different
classes of applicants to align with social justice goals.

o Certification Practice Statement (CPS): As per Section 35(3), the application

must be accompanied by a CPS or other specified particulars, detailing the CA’s
practices and procedures.

o Approval or Rejection: The CA has discretion to accept or reject the application

after reviewing the CPS and conducting necessary inquiries (Section 35(4)). If
rejected, the CA must provide written reasons and give the applicant an
opportunity to respond, adhering to principles of natural justice.

o Certificate Issuance: Upon approval, the CA issues the ESC/DSC, ensuring

compliance with Rules 23-27 (e.g., no interim DSCs are issued, and certificates
are generated only upon validated requests).

 Significance: This function ensures that subscribers can authenticate electronic records
securely, supporting e-commerce, e-governance, and legal transactions.

2. Ensuring Security and Reliability (Section 30)

 Role: CAs must maintain secure systems and reliable services to preserve trust in the
electronic signature regime.

 Functions:

o Secure Hardware and Software: Under Section 30(a), CAs are mandated to use
hardware, software, and procedures that are secure from intrusion and misuse.
This is critical to prevent compromise of the CA’s systems, which could
undermine the entire electronic signature framework.

o Reliable Services: Section 30(b) requires CAs to provide a reasonable level of

reliability in their services, suited to their intended functions, to build trust
among subscribers and the public.
 o Privacy and Secrecy: Section 30(c) mandates CAs to implement security
procedures to ensure the secrecy and privacy of electronic signatures, protecting
sensitive data like private keys.

o Repository of Certificates: Section 30(ca) designates CAs as the repository for all
ESCs issued under the IT Act, maintaining a database of issued certificates.

o Publication of Information: Section 30(cb) requires CAs to publish details about

their practices, ESCs, and the current status of certificates (e.g., active,
suspended, or revoked).

o Compliance with Standards: Section 30(d) mandates adherence to additional

standards prescribed by regulations under the IT Act.

 Significance: These measures ensure the integrity and trustworthiness of the electronic
signature system, preventing unauthorized access and fostering public confidence.

3. Representations Upon Issuance of Digital Signature Certificates (Section 36)

 Role: CAs must make mandatory representations when issuing DSCs to certify their
compliance and the functionality of the certificates.

 Functions:

o Compliance Certification: CAs must certify compliance with the IT Act, 2000, IT
Rules, 2000, and other regulations.

o Publication or Availability: CAs must certify that the DSC has been published or
made available to the subscriber or relying parties, and that the subscriber has
accepted it.

o Key Pair Functionality: CAs must certify that the subscriber holds a private key
corresponding to the public key listed in the DSC, and that the key pair is
functional (Section 36(a)-(cb)).

o Accuracy of Information: CAs must ensure and certify that the information in the
DSC is accurate and that no material facts affecting reliability are omitted
(Section 36(d)).

 Significance: These representations build trust by ensuring that DSCs are issued with
verified, accurate, and functional key pairs, supporting secure authentication.

4. Compliance with the IT Act and Regulations

 Role: CAs are responsible for ensuring full compliance with the IT Act, 2000, and its
associated rules, regulations, and orders.
  Functions:

o Employee Compliance: CAs must ensure that all employees or engaged persons
comply with the provisions of the IT Act, 2000, and related rules during their
tenure.

o Adherence to Procedures: CAs must follow all mandatory procedures under

Section 30 to maintain security and reliability, avoiding the risk of license
suspension or revocation.

 Significance: Compliance ensures the legal and operational integrity of CAs, preventing
misuse and maintaining the credibility of the electronic signature regime.

5. Display of License (Section 32)

 Role: CAs must publicly display their license to enhance transparency and trust.

 Function:

o Section 32 mandates that CAs display their license, issued by the CCA, at a
conspicuous place in their business premises, visible to the public.

o This ensures that visitors and potential subscribers can verify the CA’s legitimacy,
reinforcing trust in the electronic signature system.

 Significance: Public display of the license promotes accountability and assures

subscribers of the CA’s authorization, fostering confidence in the digital ecosystem.

6. Surrender of License (Section 33)

 Role: CAs must surrender their license to the CCA if it is suspended or revoked.

 Functions:

o Section 33(1) requires immediate surrender of the license upon suspension or

revocation.

o Section 33(2) imposes penalties for non-compliance, including imprisonment up

to 6 months, a fine up to ₹10,000, or both, for the person responsible for the
CA’s operations.

 Significance: This ensures regulatory control over CAs, preventing unauthorized

operations and maintaining the integrity of the certification process.

7. Statutory Disclosures (Section 34)

  Role: CAs are required to make statutory disclosures to inform the public about their
operations and practices.

 Function:

o Section 34 mandates CAs to disclose details about their business of issuing ESCs,
including practices, certificate statuses, and other relevant information, as
specified by regulations.

o These disclosures must be accessible to the public to enhance transparency and

trust.

 Significance: Disclosures ensure that subscribers and the public are informed about the
CA’s authenticity, practices, and reliability, strengthening the electronic signature regime.

8. Suspension of Digital Signature Certificates (Section 37)

 Role: CAs have the authority to suspend DSCs under specific conditions, ensuring the
integrity of the certification process.

 Functions:

o Grounds for Suspension:

 At the request of the subscriber or an authorized person (Section 37(1)

(a)).

 In the public interest, if the CA deems suspension necessary (Section

37(1)(b)), though “public interest” is not defined in the Act and relies on
existing legal interpretations.

o Duration and Process: Suspension cannot exceed 15 days unless the subscriber is
given an opportunity to be heard, adhering to principles of natural justice. If
justified, the suspension may be extended, with no maximum period specified.

o Notice of Suspension: Section 39 requires CAs to publish a notice of suspension

in the designated repository specified in the DSC, as per Rule 23(d).

 Significance: Suspension powers allow CAs to address potential misuse or security

breaches promptly, protecting the electronic signature ecosystem.

9. Revocation of Digital Signature Certificates (Section 38)

 Role: CAs are empowered to revoke DSCs under specific circumstances to maintain trust
and security.

 Functions:
 o Grounds for Revocation:

 At the request of the subscriber or an authorized person (Section 38(1)

(a)).

 Upon the death of the subscriber, dissolution of a partnership firm, or

winding up of a company (Section 38(1)(b)-(d)).

 Suo moto by the CA, if deemed necessary, subject to Section 38(2)

conditions (e.g., public interest or non-compliance).

o Process: Revocation requires compliance with principles of natural justice,

including giving the subscriber an opportunity to be heard (Section 38(3)). The
CA must record written reasons for revocation, especially if based on public
interest.

o Notice of Revocation: Section 39 mandates publishing a notice of revocation in

the designated repository, as per Rule 23(d).

o Communication: Section 38(4) requires the CA to inform the subscriber of the

revocation.

 Significance: Revocation powers ensure that invalid or compromised DSCs are removed
from circulation, preventing misuse and maintaining trust.

10. Powers and Discretion

 Discretionary Powers:

o CAs have discretion to accept or reject ESC applications after reviewing the CPS
and conducting inquiries (Section 35(4)).

o They can suspend or revoke DSCs based on subscriber requests, public interest,
or specific events like death or dissolution (Sections 37, 38).

 Regulatory Oversight: The CCA oversees CAs, ensuring compliance and granting or
revoking licenses, which reinforces their accountability.

 Significance: These powers enable CAs to maintain the integrity and reliability of the
electronic signature system while balancing subscriber rights and public interest.

Challenges in the Role of Certifying Authorities

While CAs are critical to the electronic signature regime, they face challenges that impact their
effectiveness:
 1. Security Risks: Ensuring hardware, software, and procedures are secure from intrusion
and misuse is challenging, as any breach could compromise the entire CA system.

2. Cost and Infrastructure: Maintaining secure systems and reliable services requires
significant investment, which may increase costs for subscribers.

3. Compliance Burden: Adhering to the IT Act, rules, and regulations, including employee
compliance, can be resource-intensive.

4. Public Trust: Building and maintaining public trust requires consistent transparency,
reliable services, and robust security practices.

5. Scalability: High computational demands of digital signature processes may limit

scalability for large-scale applications.

Conclusion

Certifying Authorities under the Information Technology Act, 2000, are pivotal entities licensed
by the Controller of Certifying Authorities to issue and manage Electronic Signature
Certificates, including Digital Signature Certificates. Their roles and functions include issuing
certificates, ensuring security and reliability, making statutory disclosures, and managing
suspension and revocation processes. By adhering to Sections 30-39 and related rules, CAs
ensure compliance with the IT Act, maintain the secrecy and integrity of electronic signatures,
and foster trust in India’s digital ecosystem. Their responsibilities, such as certifying key pair
functionality, publishing certificate statuses, and complying with natural justice principles, are
critical for supporting e-commerce, e-governance, and cybersecurity. Despite challenges like
security risks and compliance burdens, CAs play an indispensable role in enabling secure and
legally valid electronic transactions, aligning with India’s digital transformation goals.

Controller of Certifying Authorities Under the Information Technology Act, 2000:

Appointment and Functions
The Controller of Certifying Authorities (CCA) is a pivotal entity under the Information
Technology Act, 2000 (IT Act), tasked with overseeing and regulating the operations of
Certifying Authorities (CAs) in India. The CCA ensures the integrity, security, and reliability of
the electronic signature regime, particularly for issuing and managing Digital Signature
Certificates (DSCs) and Electronic Signature Certificates (ESCs). Below is a detailed explanation
of the CCA, its appointment, roles, duties, obligations, and powers, based on the provided text.

Who is the Controller of Certifying Authorities?

The Controller of Certifying Authorities (CCA) is a statutory authority appointed by the Central
Government under Section 17 of the IT Act, 2000, to license and regulate Certifying Authorities
(CAs) that issue digital and electronic signatures for authenticating electronic records. The CCA
plays a central role in promoting e-commerce and e-governance by ensuring the widespread
and secure use of digital signatures in India.

 Establishment: The Office of the CCA was established on November 1, 2000, following
the implementation of the IT Act on October 17, 2000.

 Root Certifying Authority of India (RCAI): Under Section 18(b), the CCA operates the
RCAI, which digitally signs the public keys of CAs using its own private key. This enables
users to verify that a certificate is issued by a licensed CA, ensuring trust in the digital
signature ecosystem.

 Repository: The CCA maintains a Repository of Digital Certificates, containing all

certificates issued to CAs in India, enhancing transparency and accessibility.

Significance: The CCA ensures the smooth functioning of the electronic signature regime,
fostering trust and security in digital transactions, which is critical for India’s digital economy
and governance initiatives.

Appointment of the Controller of Certifying Authorities (Section 17)

The appointment of the CCA is governed by Section 17 of the IT Act, 2000, with the following
details:

1. Appointment Process:

o The Central Government appoints the CCA through a notification in the Official
Gazette.

o The first CCA, Mr. Kailash Nath Gupta, was appointed on October 17, 2000,
coinciding with the IT Act’s implementation.

o The Central Government may also appoint Deputy Controllers, Assistant

Controllers, and other officers or employees as deemed necessary.
 2. Supervision and Control:

o The CCA operates under the general control, direction, and superintendence of
the Central Government (Section 17(2)).

o Deputy and Assistant Controllers work under the supervision and control of the
CCA, performing duties assigned by the Controller.

3. Qualifications and Terms:

o The qualifications, experience, and terms of employment for the CCA, Deputy
Controllers, Assistant Controllers, and other officers are prescribed by the Central
Government via notification.

o These requirements ensure that appointees have the expertise needed to

manage the complex technical and legal aspects of the electronic signature
regime.

4. Office Location:

o The Central Government designates the Head Office and Branch Office of the
CCA. Currently, the CCA’s office is based in Delhi.

Significance: The structured appointment process ensures that the CCA is a competent
authority capable of regulating CAs effectively, maintaining the integrity of the digital signature
framework.

Functions of the Controller of Certifying Authorities

The CCA is entrusted with a wide range of functions, duties, and powers under Sections 18-29
of the IT Act, 2000, to ensure the effective implementation and regulation of the electronic
signature regime. These functions, as detailed in Section 18 and other provisions, are outlined
below:

1. Supervision of Certifying Authorities (Section 18(a))

 The CCA exercises supervision and control over the activities of CAs to ensure
compliance with the IT Act, 2000, and related rules and regulations.

 This includes monitoring CA operations, security practices, and certificate issuance

processes to maintain the integrity of the electronic signature regime.

 Significance: Supervision ensures that CAs adhere to legal and technical standards,
preventing misuse and fostering public trust.
2. Certifying Public Keys of CAs (Section 18(b))

 The CCA operates the Root Certifying Authority of India (RCAI), which digitally signs the
public keys of CAs using its own private key.

 This certification enables users to verify that a DSC or ESC is issued by a licensed CA,
ensuring authenticity and reliability.

 Significance: By certifying CA public keys, the CCA establishes a chain of trust, critical for
secure digital transactions.

3. Laying Down Standards for CAs (Section 18(c))

 The CCA specifies technical and operational standards that CAs must maintain,
including security procedures, hardware, and software requirements.

 These standards ensure uniformity and reliability across all CAs, promoting a secure
electronic signature ecosystem.

 Significance: Standardized practices enhance the interoperability and trustworthiness of

CAs, supporting e-commerce and e-governance.

4. Specifying Employee Qualifications (Section 18(d))

 The CCA defines the qualifications and experience required for CA employees to ensure
they have the expertise to manage certificate issuance and security processes.

 This promotes consistency and professionalism in CA operations.

 Significance: Qualified staff enhance the reliability and security of CA services, reducing
risks of errors or breaches.

5. Specifying Business Conditions (Section 18(e))

 The CCA outlines conditions under which CAs conduct their business, such as
compliance with security protocols and operational guidelines.

 Significance: These conditions ensure that CAs operate within a regulated framework,
maintaining trust and accountability.

6. Regulating CA Advertisements and Materials (Section 18(f))

 The CCA specifies the content of written, printed, or visual materials and
advertisements related to ESCs and public keys.

 This ensures that CA communications are accurate, transparent, and not misleading.
  Significance: Regulated materials prevent false claims, enhancing public confidence in
CAs.

7. Specifying Form and Content of ESCs (Section 18(g))

 The CCA defines the form and content of ESCs and associated keys to ensure consistency
and compliance with legal standards.

 Significance: Standardized certificate formats facilitate interoperability and legal

recognition across platforms.

8. Specifying Accounting Practices (Section 18(h))

 The CCA prescribes the form and manner in which CAs maintain their accounts, ensuring
transparency and financial accountability.

 Significance: Proper accounting practices prevent financial mismanagement and support

regulatory oversight.

9. Appointing Auditors (Section 18(i))

 The CCA specifies the terms, conditions, and remuneration for auditors appointed to
audit CA operations.

 This ensures independent verification of CA compliance and financial integrity.

 Significance: Audits enhance accountability and trust in CA operations.

10. Facilitating Electronic Systems (Section 18(j))

 The CCA facilitates the establishment and regulation of electronic systems by CAs, either
individually or jointly, to support certificate issuance and management.

 Significance: This promotes efficient and secure digital infrastructure for electronic
signatures.

11. Regulating CA-Subscriber Interactions (Section 18(k))

 The CCA specifies the manner in which CAs interact with subscribers, ensuring fair and
transparent dealings.

 Significance: This protects subscribers from unfair practices and ensures consistent
service delivery.

12. Resolving Conflicts of Interest (Section 18(l))

 The CCA resolves conflicts of interest between CAs and subscribers, ensuring equitable
outcomes.
  Significance: This maintains fairness and trust in the electronic signature ecosystem.

13. Laying Down CA Duties (Section 18(m))

 The CCA defines the duties of CAs, such as ensuring compliance with the IT Act,
maintaining security, and publishing certificate statuses.

 Significance: Clear duties ensure CAs operate responsibly and reliably.

14. Maintaining a Public Database (Section 18(n))

 The CCA maintains a publicly accessible database containing disclosure records of CAs,
Cross Certifying Authorities, and Foreign Certifying Authorities. This database includes:

o Names, directors, business nature, PAN, addresses, contact details, and

authorized representatives.

o Public keys used by CAs to sign DSCs.

o Current and past versions of Certification Practice Statements (CPS).

o Timestamps for events like license grants, revocations, suspensions, and

commercial operations.

 The database is available 24/7 through a website, as mandated by Section 26(2).

 Significance: Public access to this database ensures transparency and enables

verification of CA legitimacy and certificate statuses.

15. Recognition of Foreign Certifying Authorities (Section 19)

 The CCA has the discretionary power to recognize Foreign Certifying Authorities to
issue ESCs in India, subject to prior approval from the Central Government.

 Recognition is granted via notification in the Official Gazette or Electronic Gazette.

 Significance: This enables international interoperability, supporting cross-border e-

commerce and digital transactions.

16. Issuance and Renewal of CA Licenses (Sections 21, 23, 24)

 Issuance (Section 21):

o The CCA evaluates applications from individuals, partnership firms, or companies

to become CAs, requiring a minimum capital of ₹5 crores and a net worth of ₹50
crores for firms/companies (Rule 8).
 o Applicants must submit a detailed application, including a Certification Practice
Statement (CPS) and proof of qualifications, expertise, manpower, and
infrastructure (Rule 10).

o The CCA grants licenses after verifying compliance with technical and operational
standards.

 Renewal (Section 23):

o CA licenses are valid for 5 years, and renewal applications must be submitted at
least 45 days before expiry, accompanied by a ₹5,000 fee.

o The Central Government may prescribe the renewal form, but no specific
proforma is currently stipulated.

 Grant or Rejection (Section 24):

o The CCA has discretionary power to grant or reject license applications after
reviewing documents and other factors.

o Rejection requires giving the applicant a reasonable opportunity to present their

case.

 Significance: Licensing ensures that only qualified entities operate as CAs, maintaining
the integrity of the electronic signature regime.

17. Suspension and Revocation of CA Licenses (Section 25)

 Suspension:

o The CCA can suspend a CA’s license pending an inquiry into contraventions, via a
written order.

 Revocation:

o The CCA may revoke a license if:

1. The CA made false or incorrect statements in its application.

2. The CA suppressed material facts.

3. The CA failed to comply with license terms and conditions.

4. The CA failed to maintain prescribed standards.

o Revocation requires a proper inquiry and satisfaction of one of the above

conditions, adhering to principles of natural justice.
  Notice (Section 26):

o The CCA must publish notices of suspension or revocation in the public database,
accessible 24/7 via a website, and may further publicize the contents at its
discretion.

 Significance: These powers ensure regulatory control, preventing non-compliant or

fraudulent CAs from operating.

18. Investigation of Contraventions (Section 28)

 The CCA or its authorized officer is mandated to investigate contraventions of the IT Act,
2000, IT Rules, or regulations.

 The CCA has powers similar to those of income-tax authorities under Sections 131-136
of the Income Tax Act, 1961, including:

o Entry, survey, search, and seizure.

o Calling for information and preserving records.

 Investigations are deemed judicial proceedings under Sections 193, 228, and 196 of the
Indian Penal Code, and the CCA is considered a civil court for Section 195 purposes (but
not for Chapter XXVI of the Code of Criminal Procedure, 1973).

 Significance: These powers enable the CCA to enforce compliance and address violations
effectively.

19. Access to Computers and Data (Section 29)

 The CCA or its authorized officer can access computer systems and data if there is
reasonable cause to suspect a contravention of the IT Act or rules, supported by prima
facie evidence.

 The CCA can direct technical assistance from system operators to facilitate searches or
data access.

 Significance: This power ensures the CCA can investigate potential breaches, maintaining
the security of the electronic signature regime.

20. Issuing Directions for Compliance (Section 68)

 The CCA can direct CAs or their employees to take specific measures or cease activities
to ensure compliance with the IT Act, rules, or regulations.

 Non-compliance is a penal offense, punishable with imprisonment up to 2 years, a fine

up to ₹1 lakh, or both.
  Significance: This ensures CAs adhere to legal and security standards, with penalties for
non-compliance.

21. Power to Delegate (Section 27)

 The CCA can delegate its powers to Deputy Controllers, Assistant Controllers, or other
officers via written communication.

 Delegated officers can exercise powers under Chapter VI of the IT Act, as if they were
the CCA.

 Significance: Delegation decentralizes operations, enabling efficient management of the

CA ecosystem.

Conclusion

The Controller of Certifying Authorities (CCA), appointed under Section 17 of the Information
Technology Act, 2000, is a central authority responsible for licensing and regulating Certifying
Authorities (CAs) to ensure a secure and reliable electronic signature regime in India. Appointed
by the Central Government through a notification, the CCA operates under its supervision and
oversees the Root Certifying Authority of India (RCAI) and a public database of CA certificates.
Its functions include supervising CAs, certifying their public keys, setting standards, issuing and
renewing licenses, investigating contraventions, and resolving conflicts. The CCA’s powers, such
as suspending or revoking licenses, accessing data, and issuing compliance directions, ensure
regulatory control and trust in the digital signature ecosystem. By performing these roles, the
CCA supports India’s e-commerce and e-governance initiatives, aligning with global standards
and fostering a secure digital economy.

Cyber Appellate Tribunal Under the Information Technology Act, 2000:

Establishment, Powers, and Functions
The Cyber Appellate Tribunal (CAT) is a specialized adjudicatory body established under the
Information Technology Act, 2000 (IT Act) to handle appeals against orders or decisions made
by the Controller of Certifying Authorities (CCA) or Adjudicating Officers under the Act. It plays
a critical role in resolving disputes related to cybercrimes, electronic transactions, and digital
signatures, ensuring fair and efficient adjudication in India’s digital ecosystem. Below is a
detailed explanation of the CAT, its establishment, composition, powers, and functions, based
on the provided text and relevant sections of the IT Act, supplemented by web sources where
applicable.

What is the Cyber Appellate Tribunal?

The Cyber Appellate Tribunal (CAT), also referred to as the Cyber Regulations Appellate
Tribunal, was established under Section 48 of the IT Act, 2000, to provide a forum for hearing
appeals against orders passed by Adjudicating Officers or the CCA. It is a quasi-judicial body,
meaning it has powers similar to those of a civil court but operates with greater flexibility and is
not bound by the strict procedural rules of the Code of Civil Procedure, 1908. The CAT was
created to address legal challenges arising from the digital age, such as cybercrimes, electronic
transactions, and disputes involving digital signatures, ensuring speedy and specialized
resolution.

 Establishment: The CAT was established in 2006 by the Central Government via
notification, as mandated by Section 48(1). The first and only CAT in India is
headquartered in New Delhi, as specified by Rule 13 of the Cyber Regulation Tribunal
Rules, 2000, though the Chairperson may authorize sittings at other locations if
necessary.

 Jurisdiction: The CAT has appellate jurisdiction across India, covering appeals against
decisions or orders related to contraventions of the IT Act, such as issues involving digital
signatures, cybercrimes, or data protection. The Central Government specifies the
matters and places under the CAT’s jurisdiction via notification.

 Current Status: The CAT is currently defunct, with its functions transferred to the
Telecom Disputes Settlement and Appellate Tribunal (TDSAT), as noted in some
sources. However, this response focuses on the CAT’s establishment and functions as
defined in the IT Act, 2000.

Significance: The CAT was designed to provide an independent and specialized forum for
resolving cyber-related disputes, ensuring the effective implementation of the IT Act and
protecting the rights of individuals and businesses in the digital landscape.

Composition of the Cyber Appellate Tribunal (Section 49)

The composition of the CAT is outlined in Section 49 of the IT Act, 2000, and has evolved over
time:
  Original Structure: Initially, the CAT was a single-member body led by a Presiding
Officer, appointed by the Central Government via notification.

 Amended Structure: The Information Technology (Amendment) Act, 2008, transformed

the CAT into a multi-member body, comprising a Chairperson and additional members
as notified by the Central Government in the Official Gazette.

o The Chairperson and members are appointed by the Central Government in

consultation with the Chief Justice of India (Section 49(2)).

o Benches: The CAT’s jurisdiction and powers may be exercised through Benches,
each constituted by the Chairperson with one or two members, as deemed fit.
The Central Government specifies the areas of jurisdiction for each Bench via
notification. The Chairperson may transfer members between Benches or assign
complex cases to a larger Bench (Section 49(3)-(5)).

 Headquarters: The primary location for CAT hearings is New Delhi, but the Chairperson
may direct sittings at other places if circumstances warrant (Rule 13, Cyber Regulation
Tribunal Rules, 2000).

Significance: The multi-member structure and flexible Bench system enhance the CAT’s ability
to handle complex cyber disputes efficiently, with expertise in both legal and technical domains.

Qualifications for Appointment (Section 50)

Section 50 of the IT Act, 2000, specifies the qualifications for the Presiding Officer (or
Chairperson and members post-2008 amendment):

1. High Court Judge: The individual must be, have been, or be qualified to be a Judge of a
High Court, ensuring deep legal expertise.

2. Indian Legal Service: Alternatively, the individual must be or have been a member of the
Indian Legal Service and have held a Grade I post for at least three years.

3. Information Technology Expertise: For members, the individual must be a citizen of

India with experience in information technology law or practice or have served as a
High Court Judge, Secretary to the Government of India, or equivalent for at least seven
years.

4. Term of Office:

o The Chairperson serves for five years or until the age of 65, whichever is earlier.

o Other members serve for three years.

 5. Removal: The Central Government may remove the Chairperson or members for reasons
such as:

o Misconduct or misbehavior (e.g., corruption, dishonesty).

o Incompetence or inefficiency.

o Negligence in performing duties.

o Unsoundness of mind or physical infirmity affecting duties.

o Removal requires an inquiry by a Supreme Court Judge, ensuring the individual

has an opportunity to defend themselves (Section 48(5), Section 87(2)(s)).

Significance: These stringent qualifications ensure that the CAT is led by individuals with legal
and technical expertise, capable of addressing complex cyber disputes. The removal process
upholds principles of natural justice.

Powers of the Cyber Appellate Tribunal (Section 58)

The CAT is endowed with significant powers under Section 58 of the IT Act, 2000, to discharge
its appellate functions effectively. These powers align with those of a civil court under the Code
of Civil Procedure, 1908, but the CAT operates with greater procedural flexibility:

1. Not Bound by Code of Civil Procedure:

o Section 58(1) states that the CAT is not bound by the Code of Civil Procedure,
1908, but is guided by the principles of natural justice (e.g., fair hearing,
impartiality).

o The CAT has the authority to regulate its own procedure, including the location
of hearings, providing flexibility to adapt to case-specific needs.

2. Civil Court Powers:

o The CAT has the same powers as a civil court under the Code of Civil Procedure,
1908, in the following matters (Section 58(2)):

 Summoning and enforcing attendance of any person and examining

them on oath.

 Requiring the discovery and production of documents or electronic

records.

 Receiving evidence on affidavits.

  Issuing commissions for the examination of witnesses or documents.

 Reviewing its own decisions.

 Dismissing an application for default or deciding it ex-parte.

 Any other matter prescribed by the Central Government.

o Significance: These powers enable the CAT to conduct thorough and fair
proceedings, ensuring access to evidence and witnesses.

3. Judicial Proceedings:

o Proceedings before the CAT are deemed judicial proceedings under Sections
193, 228, and 196 of the Indian Penal Code, ensuring legal sanctity (e.g.,
penalties for false evidence or contempt).

o The CAT is considered a civil court for the purposes of Section 195 and Chapter
XXVI of the Code of Criminal Procedure, 1973, reinforcing its authority in
handling evidence-related matters.

4. Appellate Jurisdiction:

o The CAT has the authority to exercise appellate jurisdiction over decisions or
orders passed by the Controller of Certifying Authorities or Adjudicating
Officers, both on facts and law (Section 57).

o It can investigate the accuracy, legality, and propriety of such decisions, ensuring
comprehensive review.

o Significance: This appellate power ensures oversight and correction of errors in

lower-level decisions, promoting fairness.

5. Review of Own Orders:

o The CAT can review its own orders, allowing it to correct mistakes or reconsider
decisions based on new evidence or legal grounds (Section 58(2)).

6. Exclusivity of Jurisdiction:

o No civil court can entertain suits or proceedings on matters that the IT Act
empowers the CAT or Adjudicating Officer to handle, nor can it grant injunctions
against actions taken under the Act (Section 61).

o Significance: This ensures that cyber-related disputes are handled by specialized

bodies, avoiding delays in general courts.
 7. Appeal to High Court:

o Any person aggrieved by a CAT decision can appeal to the High Court within 60
days (extendable by another 60 days for sufficient cause) on matters of fact or
law (Section 62).

o The CAT is the final fact-finding authority, with the High Court serving as the
second appellate forum.

o Significance: This provides a mechanism for further review, ensuring justice while
maintaining the CAT’s specialized role.

Significance: The CAT’s powers, combining civil court authority with procedural flexibility,
enable it to efficiently resolve complex cyber disputes while adhering to principles of natural
justice.

Functions of the Cyber Appellate Tribunal

The CAT’s primary function is to serve as an appellate body for disputes under the IT Act, 2000.
Its key functions, derived from the Act and web sources, include:

1. Hearing Appeals (Section 57):

o The CAT hears appeals from any person aggrieved by an order of the Controller
of Certifying Authorities or an Adjudicating Officer under the IT Act.

o Appeals must be filed within 45 days of the order, as per Section 57.

o The CAT examines the accuracy, legality, and propriety of the order, both on
facts and law, ensuring comprehensive review.

o Significance: This function provides a mechanism for aggrieved parties to

challenge decisions, ensuring fairness and accountability.

2. Adjudicating Cyber-Related Disputes:

o The CAT addresses disputes related to cybercrimes, electronic transactions,

digital signatures, and data protection, leveraging its technical and legal
expertise.

o Significance: Specialized adjudication ensures that complex digital issues are

resolved by experts familiar with IT law.

3. Regulating Its Own Procedure (Section 58):

 o The CAT has the authority to regulate its own procedure, including determining
the location of hearings, guided by principles of natural justice.

o Significance: This flexibility allows the CAT to adapt to the unique needs of cyber
cases, ensuring efficient dispute resolution.

4. Ensuring Access to Evidence and Witnesses:

o The CAT can summon witnesses, enforce their attendance, examine them on
oath, and compel the production of documents or electronic records (Section
58(2)).

o Significance: This ensures that the CAT has access to all necessary evidence to
make informed decisions.

5. Maintaining Public Trust:

o By adhering to principles of natural justice (e.g., right to a fair hearing), the CAT
ensures impartial and transparent proceedings, fostering public confidence in the
digital legal framework.

o Significance: Public trust is critical for the adoption of e-commerce and e-

governance initiatives.

6. Supporting E-Commerce and E-Governance:

o The CAT facilitates the resolution of disputes related to electronic transactions

and digital signatures, supporting the growth of India’s digital economy and
governance initiatives under the National e-Governance Plan (NeGP).

o Significance: By resolving disputes efficiently, the CAT promotes a secure and

reliable digital ecosystem.

Additional Notes on the CAT’s Status

 Defunct Status: As of recent sources, the CAT is no longer operational, and its functions
have been transferred to the Telecom Disputes Settlement and Appellate Tribunal
(TDSAT).

 Finality of Orders: Section 55 prohibits judicial review of the Central Government’s

order constituting the CAT or its proceedings based on flaws in its composition, ensuring
uninterrupted operations.
  Principles of Natural Justice: The CAT’s adherence to natural justice ensures that parties
are heard before decisions are made, aligning with fair judicial practices.

Conclusion

The Cyber Appellate Tribunal (CAT), established under Section 48 of the Information
Technology Act, 2000, serves as a specialized quasi-judicial body to hear appeals against orders
of the Controller of Certifying Authorities or Adjudicating Officers. Headquartered in New
Delhi, it comprises a Chairperson and additional members with legal or IT expertise, appointed
by the Central Government. The CAT’s powers, outlined in Section 58, include summoning
witnesses, compelling document production, and reviewing its own orders, with the flexibility to
regulate its own procedures while adhering to principles of natural justice. Its functions include
adjudicating cyber-related disputes, ensuring fair hearings, and supporting e-commerce and e-
governance. Although currently defunct with its responsibilities transferred to the TDSAT, the
CAT’s framework under the IT Act remains a cornerstone for addressing digital disputes,
ensuring a robust legal framework for India’s digital ecosystem.