As is the case with most other statutes, certain situations warrant intensive government oversight. This Part is especially important, since we understand how much power the State has, under what conditions, and what legal remedies (if any) are available. It also bridges into broader discussions on privacy, encryption, and state surveillance. They are read with the following:
- Information Technology. (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 – ("Blocking Rules 2009")
- Information Technology. (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 – ("Monitoring Rules 2009")
- Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 – ("Traffic Data Rules 2009")
IT Act: Sections 69-70B
Interception and Decryption – Section 69
Section 69 empowers the Central or State Governments, or their authorised officers, to direct the interception, monitoring, or decryption of any information generated, transmitted, received, or stored in a computer resource. The provision is triggered only when such action is deemed necessary or expedient in the interest of India's sovereignty, defence, security, friendly foreign relations, public order, or for preventing or investigating cognizable offences.
Directions under this section must be issued in writing and intermediaries or service providers are legally required to assist. Failure to comply can lead to imprisonment of up to seven years. Importantly, Rule 4 of the Monitoring Rules specifies that only Secretary-level officers in the Ministry of Home Affairs (or the relevant State Home Department) may issue such directions. Orders are subject to post-facto scrutiny by a Review Committee to ensure compliance with the law and protection of fundamental rights.
Blocking Public Access – Section 69A
Section 69A is perhaps the most controversial and widely used provision under the IT Act. It enables the Central Government or its authorised officers to direct any agency or intermediary to block public access to specific information through any computer resource. The grounds largely mirror those in Section 69: national security, public order, sovereignty, and prevention of cognizable offences.
The process is laid down in the Blocking Rules 2009. Each ministry or department has a Nodal Officer who evaluates requests. The Designated Officer at MeitY then places the request before an Inter-Departmental Committee comprising representatives from law, home, I&B, and CERT-In. Wherever possible, a hearing is granted to the originator or host of the content. The Secretary, Ministry of Electronics and IT, must approve the final order. Emergency blocking without a hearing is permitted under Rule 9 but must be reviewed within 48 hours.
Section 69A is unique in that it allows proactive blocking of content before harm occurs, unlike traditional post-facto takedown models. Any intermediary failing to comply is punishable under Section 69A(3).
Monitoring of Traffic Data – Section 69B
Section 69B allows the Central Government to authorise agencies to monitor and collect traffic data or information generated, transmitted, received, or stored in any computer resource. The object is to enhance cybersecurity, detect intrusion, track cyber incidents, and prevent unauthorised access.
Only authorised officers with appropriate security clearance may conduct such monitoring. The Monitoring Rules 2009 limit access to metadata and enforce strict confidentiality requirements. Once the purpose is served, data must be securely destroyed.
Protection of Critical Infrastructure – Section 70
Section 70 authorises the Central Government to declare any computer resource as a "Protected System" if it directly impacts national security, the economy, or public health. Only authorised individuals are allowed access to such systems. Unauthorised access is a criminal offence punishable with up to 10 years' imprisonment. These powers are directly relevant to India's Critical Information Infrastructure (CII), which includes power grids, stock exchanges, defence networks, and other sensitive systems. The National Critical Information Infrastructure Protection Centre (NCIIPC), established through executive notification, acts as the nodal agency for protecting such infrastructure. As discussed earlier, Section 70B empowers the CERT-In to collect data and analyse, forecast and prevent cyber-harms.
Procedural Safeguards
Section 87 of the IT Act empowers the Central Government to make rules to operationalise these powers. Accordingly, separate sets of rules have been notified for interception (2009), blocking (2009), and traffic data monitoring (2009). These rules impose specific authorisation requirements, hearing and review procedures, confidentiality obligations, and destruction protocols. Together, they seek to balance executive authority with constitutional safeguards.
Since these provisions impose limitations on privacy of communication and data, understanding how the judiciary has limited the powers granted to the government becomes important.
In 1997, the Supreme Court in PUCL v. UoI AIR 1997 SC 568 was discussing a matter involving tapping of the telephone of a politician under Section 5 of the Telegraph Act, and unequivocally recognized that the right to privacy, while not explicitly mentioned in the Constitution, would form a component of Article 21 (the right to life and liberty) which could not be violated except by a procedure set out under law. Furthermore, such laws should also set out adequate protections, ensuring that breach of fundamental right is done in accordance to constitutionally set out limitations. The SC found that the tap of the politician's phone was not in accordance to set procedures, and held evidence collected through such tap to be inadmissible. However, the section itself was held to be constitutionally valid subject to the constitutional safeguards being upheld.
This was taken one step further by the SC in Justice (retd.) K.S. Puttuswamy v. UoI (2017) 10 SCC 1 where the Court unanimously held the Right to Privacy to be a fundamental right, and introduced a three-pronged test to determine whether a restriction would be reasonable:
- The intrusion must be by procedure outlined under law.
- The intrusion must be in pursuance of a legitimate state objective.
- There must be a rational nexus between the intrusion and the objective, and the extent of interference must be proportionate to the need.
This section continues with detailed coverage of Blocking Rules 2009, Monitoring Rules 2009, and Traffic Data Rules 2009...
Made with Bullet