3.1 The Four Pillars of Cyber Criminal Law
Post July 1, 2024, cyber criminal law in India rests on four interconnected statutes. Understanding their distinct domains — and crucial overlaps — is essential for effective practice.
These four statutes are not alternatives — they work together. A single cyber incident typically invokes: IT Act (specific offence), BNS (general offence elements), BNSS (procedure), and BSA (evidence). Mastering their interplay is the mark of a skilled cyber lawyer.
3.2 IT Act vs BNS: Which Law Applies?
The fundamental question: when a cyber offence could fall under both IT Act and BNS, which takes precedence? The answer lies in the principle of generalia specialibus non derogant — special law prevails over general law.
The Precedence Rule
IT Act is special law for computer-related offences. Where IT Act specifically covers conduct, it takes precedence over BNS general provisions. However, where IT Act is silent or the conduct has additional non-cyber elements, BNS applies.
Comparative Offence Mapping
| Offence | IT Act Provision | BNS Provision | Which Applies? |
|---|---|---|---|
| Hacking / Unauthorized Access | Section 66 | No direct equivalent | IT Act S.66 |
| Identity Theft (Cheating by Personation) | Section 66C | Section 319 (Cheating by personation) | IT Act S.66C (specific to electronic identity) |
| Cyber Fraud / Phishing | Section 66D | Section 318 (Cheating), 319 | IT Act S.66D + BNS for enhanced punishment |
| Online Defamation | — | Section 356 (Defamation) | BNS S.356 (IT Act silent) |
| Cyber Stalking | Section 67 (if obscene) | Section 78 (Stalking) | Both may apply — BNS S.78 for stalking, IT Act if obscene content |
| Obscene Content | Section 67 | Section 294 (Obscene acts) | IT Act S.67 (electronic medium specific) |
| Child Sexual Abuse Material | Section 67B | POCSO Act | Both — IT Act S.67B + POCSO |
| Cyber Terrorism | Section 66F | Section 113 (Terrorist act) | IT Act S.66F (specific) — can add BNS S.113 |
| Data Theft (by Employee) | Section 43, 66 | Section 316 (Criminal breach of trust) | IT Act for access + BNS for breach of trust element |
| Online Extortion / Ransomware | Section 66 (damage) | Section 308 (Extortion) | Both — IT Act for cyber element, BNS S.308 for extortion |
┌─────────────────────────────────────┐
│ CYBER OFFENCE COMMITTED │
└──────────────┬──────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Is there a SPECIFIC IT Act section │
│ covering this exact conduct? │
└──────────────┬──────────────────────┘
│ │
YES NO
│ │
▼ ▼
┌────────────────────┐ ┌────────────────────┐
│ IT ACT APPLIES │ │ BNS APPLIES │
│ (Special Law) │ │ (General Law) │
└─────────┬──────────┘ └────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Does the conduct have ADDITIONAL │
│ non-cyber criminal elements? │
│ (e.g., extortion, breach of trust) │
└──────────────┬──────────────────────┘
│ │
YES NO
│ │
▼ ▼
┌────────────────────┐ ┌────────────────────┐
│ BOTH APPLY │ │ IT ACT ALONE │
│ IT Act + BNS │ │ SUFFICIENT │
│ (Multiple charges) │ │ │
└────────────────────┘ └────────────────────┘
For prosecution: Charge under both IT Act and BNS where possible. If one charge fails, the other may succeed. For defence: Argue specificity — if IT Act covers the conduct, additional BNS charges may constitute multiplicity.
3.3 BNSS: The New Procedural Framework
BNSS 2023 (Bharatiya Nagarik Suraksha Sanhita) replaces the Code of Criminal Procedure, 1973. It introduces significant digital-era procedures that every cyber lawyer must master.
Key Section Mapping: CrPC → BNSS
BNSS Digital Provisions
| Provision | BNSS Section | Key Feature | Practice Implication |
|---|---|---|---|
| Zero FIR | S.173 | FIR at any station; transfer within 15 days | File where convenient; jurisdiction determined later |
| Electronic FIR | S.173(1) | FIR via electronic means permitted | Online complaint portals now legally valid |
| Mandatory Forensics | S.176(3) | Forensic team mandatory for 7+ year offences | Defence: Challenge if forensics not done |
| Video Recording | S.176 | Search & seizure must be videographed | No video = challenge seizure admissibility |
| Electronic Summons | S.64 | Summons via electronic means valid | Email/SMS summons legally enforceable |
| Virtual Hearings | S.532 | Video conferencing for trials permitted | Accused can appear virtually in some cases |
Section 176(3) BNSS mandates forensic evidence collection for offences punishable with 7+ years imprisonment. Most serious cyber offences qualify. If prosecution fails to follow forensic protocols, argue: (1) Violation of mandatory procedure, (2) Adverse inference against prosecution, (3) Exclusion of evidence collected improperly.
3.4 BSA Section 63: Electronic Evidence Admissibility
BSA 2023 (Bharatiya Sakshya Adhiniyam) replaces the Indian Evidence Act, 1872. Section 63 (successor to S.65B) governs electronic evidence admissibility — the most litigated provision in cyber cases.
Section Transition: Evidence Act → BSA
BSA Section 63: Four Conditions
For electronic evidence to be admissible under Section 63 BSA, all four conditions must be satisfied:
- Regular Use: The computer output must be produced during regular use of the device/system
- Regular Data Input: Information was regularly fed into the computer in the ordinary course
- Proper Operation: The computer was operating properly during the material period (or if not, the malfunction didn't affect accuracy)
- Accurate Reproduction: The output reproduces or is derived from information fed into the computer
The Certificate Requirement
A certificate identifying the electronic record and describing the manner of its production, signed by a person occupying a responsible position in relation to the operation of the device or management of the relevant activities, shall be evidence of the matters stated therein. This certificate is mandatory for admissibility.
Key Case Law on Electronic Evidence
| Case | Citation | Principle |
|---|---|---|
| Anvar P.V. v. P.K. Basheer | (2014) 10 SCC 473 | S.65B certificate mandatory; no waiver; overruled relaxation in Navjot Sandhu |
| Arjun Panditrao Khotkar | (2020) 7 SCC 1 | Certificate can be produced at trial stage; procedural non-compliance at FIR stage curable |
| Shafhi Mohammad v. State of HP | (2018) 2 SCC 801 | If original device produced, certificate not required (later doubted) |
| Tomaso Bruno v. State of UP | (2015) 7 SCC 178 | Electronic evidence without certificate has no probative value |
┌─────────────────────────────────────┐
│ ELECTRONIC EVIDENCE TENDERED │
└──────────────┬──────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Is the ORIGINAL DEVICE produced │
│ in court? │
└──────────────┬──────────────────────┘
│ │
YES NO
│ │
▼ ▼
┌────────────────────┐ ┌────────────────────┐
│ PRIMARY EVIDENCE │ │ SECONDARY EVIDENCE │
│ (S.57 BSA) │ │ S.63 BSA applies │
│ Directly │ │ │
│ admissible │ └─────────┬──────────┘
└────────────────────┘ │
▼
┌─────────────────────────────┐
│ Is S.63(4) CERTIFICATE │
│ produced? │
└──────────────┬──────────────┘
│ │
YES NO
│ │
▼ ▼
┌────────────────────┐ ┌────────────────────┐
│ Are ALL 4 │ │ INADMISSIBLE │
│ conditions met? │ │ (Anvar P.V.) │
└─────────┬──────────┘ └────────────────────┘
│ │
YES NO
│ │
▼ ▼
┌──────────────┐ ┌────────────────────┐
│ ADMISSIBLE │ │ CHALLENGE │
│ │ │ specific condition │
└──────────────┘ └────────────────────┘
For Prosecution: (1) Obtain S.63(4) certificate immediately; (2) Identify certificate signatory before charge sheet; (3) Ensure signatory available for cross-examination.
For Defence: (1) Always challenge certificate absence at first opportunity; (2) Cross-examine signatory on four conditions; (3) Object to chain of custody gaps; (4) Challenge if device handling compromised integrity.
3.5 Practical Statute Selection
Let's apply the interplay principles to real scenarios. These examples demonstrate how to select the optimal statutory combination for different cyber incidents.
Scenario Analysis
Facts
IT Manager downloads company trade secrets to personal drive, resigns, joins competitor. Company discovers through forensic audit.
Statutory Selection
IT Act: S.43 (unauthorized access to computer) + S.66 (computer-related offence) + S.72A (disclosure in breach of lawful contract)
BNS: S.316 (Criminal breach of trust) + S.318/319 (Cheating, if misrepresentation involved)
BNSS: S.173 (FIR), S.176(3) (mandatory forensics — serious offences)
BSA: S.63 (certificate for forensic audit report)
Facts
Accused sends fake bank emails, victims enter credentials on spoof site, ₹50 lakhs siphoned from multiple accounts.
Statutory Selection
IT Act: S.66 (computer-related offence) + S.66C (identity theft) + S.66D (cheating by personation using computer)
BNS: S.318 (Cheating) + S.319 (Cheating by personation) + S.61(2) (Criminal conspiracy)
BNSS: S.173 (Zero FIR at any station), S.176(3) (forensics mandatory), S.193 (chargesheet timeline)
BSA: S.63 (for email headers, IP logs, transaction records)
Facts
Hospital systems encrypted, ransom demanded in cryptocurrency, patient records inaccessible, one patient dies due to delayed treatment.
Statutory Selection
IT Act: S.66 (hacking) + S.43 (damage to computer system) + S.66F (cyber terrorism — if critical infrastructure)
BNS: S.308 (Extortion) + S.105 (Culpable homicide not amounting to murder — if death linked)
DPDPA: Breach notification under Rules (if personal data compromised)
Constitutional: Article 21 (patients' right to life)
BNSS: S.176(3) (mandatory forensics), video recording of seizure
BSA: S.63 (malware samples, ransom notes, blockchain traces)
Notice how each scenario invokes all four pillars plus potentially DPDPA and constitutional provisions. This is the "Mesh Theory" from Part 1 in action. A single cyber incident is never one-dimensional — analyze every angle.
🎯 Key Takeaways
- Four Pillars: IT Act (special cyber offences) + BNS (general criminal law) + BNSS (procedure) + BSA (evidence)
- Special > General: IT Act prevails where it specifically covers conduct; BNS fills gaps
- BNSS S.176(3): Mandatory forensics for 7+ year offences — challenge if not done
- BSA S.63: Certificate requirement continues from S.65B — no certificate = inadmissible
- Zero FIR: Now statutory under BNSS S.173 — file anywhere, transferred within 15 days
- Electronic FIR: Valid under BNSS — online complaint portals legally recognized
- Mesh Analysis: Every cyber incident should be analyzed through all four pillars + DPDPA + Constitution
📝 Part 3 Assessment Quiz
Test your understanding of statutory interplay in cyber law.
The principle generalia specialibus non derogant means special law prevails over general law. IT Act is special law for computer offences; where it specifically covers conduct, it takes precedence over BNS general provisions.
Under BNSS Section 173, Zero FIR can be registered at any police station regardless of jurisdiction. It must be transferred to the police station having jurisdiction within 15 days.
BSA Section 63 replaces Indian Evidence Act Section 65B, continuing the certificate requirement for electronic records admissibility with refined conditions.
BNSS Section 176(3) mandates forensic evidence collection only for offences punishable with 7 years or more imprisonment. IT Act S.66 carries maximum 3 years — mandatory forensics doesn't apply, though best practice would still involve forensic examination.
Under BSA S.63(4), the certificate must be signed by a person occupying a responsible position in relation to the operation of the relevant device or management of relevant activities. This continues the Anvar P.V. requirement.
Phishing involves S.66C (fraudulently using electronic signature, password, or unique identification — identity theft) and S.66D (cheating by personation using computer resource). Note: S.66A is unconstitutional (Shreya Singhal).
CrPC Section 482 → BNSS Section 528. This provision preserves the High Court's inherent powers to make orders to prevent abuse of process or secure ends of justice, including quashing FIRs.
BSA S.63 requires: (1) Regular use, (2) Regular data input, (3) Proper operation, (4) Accurate reproduction. Hash value verification by CERT-In is not a statutory condition — though it's best forensic practice, it's not mandated by S.63.
If death results from the ransomware attack and prosecution can establish causal link between the encryption and death (delayed treatment), BNS Section 105 (Culpable homicide) could apply — the most serious charge given the death. S.308 (Extortion) and IT Act S.66F (cyber terrorism) would also apply.
BNSS Section 173(1) expressly permits electronic FIR — information can be given by electronic means. This legitimizes online complaint portals and gives legal validity to electronically filed FIRs for all offences, not just cyber crimes.