CASE LAWS IN INDIA: A COMPREHENSIVE GUIDE
Complete Analysis by Adv (Dr.) Prashant Mali, Ph.D. in Cyber Law
Important Cyber Law Case Laws in India: Landmark Judgments Every Citizen Must Know
The digital revolution in India has created unprecedented legal challenges. From constitutional recognition of privacy as a fundamental right to groundbreaking judgments on the Right to be Forgotten, Indian courts have progressively shaped the cyber law landscape through landmark decisions. As a practicing cyber lawyer at the Bombay High Court with over 25 years of experience - having personally argued and won several of the landmark cases discussed in this article - I offer not just academic analysis but insights from the courtroom trenches.
This comprehensive guide analyzes the most important cyber law case laws in India under the Information Technology Act, 2000, the Indian Penal Code, and the new Bharatiya Nyaya Sanhita (BNS). I have included cases I personally handled to provide practitioners with practical insights that only come from having argued these matters before the courts.
Part I: Constitutional Foundations of Cyber Law in India
1. Justice K.S. Puttaswamy vs. Union of India (2017) - The Privacy Judgment
Citation: (2017) 10 SCC 1
Court: Supreme Court of India (9-Judge Bench)
Key Sections: Article 14, 19, 21 of Constitution
Facts of the Case:
Justice K.S. Puttaswamy, a retired Karnataka High Court judge, challenged the constitutional validity of the Aadhaar scheme, arguing that mandatory biometric collection violated the right to privacy. The case required settlement of a fundamental question: Is privacy a fundamental right under the Indian Constitution?
Judgment:
In a unanimous, historic decision, the nine-judge bench declared that the Right to Privacy is a fundamental right protected under Articles 14, 19, and 21 of the Constitution. The Court explicitly overruled previous judgments in M.P. Sharma and Kharak Singh that had held otherwise.
Key Legal Principles Established:
• Privacy includes bodily integrity, personal autonomy, and informational privacy
• The right extends to protection of personal data in the digital age
• Any restriction must meet the tests of legality, necessity, and proportionality
• Privacy is not absolute but can only be curtailed through just, fair, and reasonable procedure
Dr. Prashant Mali's Expert Analysis:
The Puttaswamy judgment is the constitutional bedrock upon which all data protection law in India now rests. Having argued data protection matters before various High Courts, I can confirm that this judgment fundamentally transformed how courts approach cyber privacy cases. Before Puttaswamy, companies could argue that users had no enforceable privacy rights in their data. Post-Puttaswamy, every data breach, every unauthorized data sharing, and every surveillance overreach must be tested against the proportionality doctrine. The Digital Personal Data Protection Act, 2023 (DPDPA) is a direct legislative response to this judgment. In fact, I successfully relied on Puttaswamy principles in the landmark ABC vs. Union of India case (discussed below) to establish the Right to be Forgotten in India.
Practical Implications:
• Forms the legal basis for challenging government surveillance
• Establishes liability framework for corporate data breaches
• Underpins consent requirements in DPDPA 2023
• Foundation for Right to be Forgotten jurisprudence
2. Shreya Singhal vs. Union of India (2015) - The Free Speech Landmark
Citation: AIR 2015 SC 1523
Court: Supreme Court of India
Key Sections: Section 66A, 69A, 79 of IT Act; Article 19(1)(a) of Constitution
Facts of the Case:
In 2012, two young women were arrested in Mumbai for posting Facebook comments questioning the city shutdown following a political leader's death. One posted the comment; the other merely "liked" it. Both were arrested under Section 66A of the IT Act, which criminalized sending "offensive" or "menacing" messages through computers. Shreya Singhal, a 21-year-old law student, filed a PIL challenging the constitutional validity of Section 66A.
Judgment:
The Supreme Court struck down Section 66A in its entirety as unconstitutional, holding it void ab initio (as if it never existed). The Court found the provision vague, overbroad, and having a "chilling effect" on free speech.
Key Legal Principles Established:
• Online speech enjoys the same constitutional protection as offline speech
• Vague laws that can be arbitrarily applied violate Article 19(1)(a)
• The "chilling effect" doctrine applies to cyber law in India
• Section 79 (intermediary liability) read down to require actual knowledge
• Section 69A (blocking) upheld but requires reasoned order
Dr. Prashant Mali's Expert Analysis:
I was closely following this case during its hearings, and I can say with confidence that Shreya Singhal is to cyber law what Maneka Gandhi is to administrative law - a judgment that expanded constitutional protections into new domains. The genius of this judgment lies in three aspects. First, it introduced the American "chilling effect" doctrine into Indian jurisprudence, recognizing that vague laws deter legitimate speech even before prosecution. Second, it distinguished between "discussion," "advocacy," and "incitement" - only the last can be penalized. Third, by reading down Section 79, the Court created a workable intermediary liability framework that balances platform responsibility with free expression. However, practitioners must note: Section 66A continues to be invoked by police across India. I have personally handled cases where FIRs under Section 66A were registered even in 2024. Always file for quashing such FIRs citing this judgment.
Practical Implications:
• Social media posts cannot be prosecuted merely for being "offensive"
• Intermediaries like Facebook, Twitter not liable without actual knowledge
• Police cannot arrest for online speech without meeting Article 19(2) exceptions
• Section 66A FIRs are liable to be quashed
================================================================================
Part II: Landmark Cases Handled by Dr. Prashant Mali - Setting Precedents in Indian Cyber Law
3. ABC vs. Union of India (2019) - India's Right to be Forgotten Landmark [HANDLED BY DR. PRASHANT MALI]
Citation: Writ Petition, Bombay High Court
Court: Bombay High Court
Key Sections: Article 21 of Constitution; Right to Privacy; IT Act 2000
Counsel for Petitioner: Adv (Dr.) Prashant Mali
Facts of the Case:
The petitioner (identity protected as "ABC") had been acquitted by a Magistrate's Court in a criminal matter. However, his name and case details remained publicly visible on the eCourts website. When potential employers conducted background checks, this acquittal record appeared in searches, causing the petitioner to lose job opportunities repeatedly. Despite being legally innocent, he was being punished by digital permanence - his acquittal was being treated as equivalent to conviction in the court of public opinion.
The Legal Challenge:
I drafted and filed the Writ Petition arguing that the continued display of acquittal records on public databases violated the petitioner's fundamental Right to Privacy under Article 21 (as established in Puttaswamy). I argued that the "Right to be Forgotten" - recognized in European jurisprudence under GDPR - must be read into Indian constitutional law as a facet of informational privacy and the right to dignity.
Judgment:
In a historic first-of-its-kind order, the Bombay High Court accepted my arguments and directed the eCourts administration to remove the petitioner's case data from the public website and mobile application. The Court recognized that the Right to Privacy includes the right to control one's digital footprint, especially when past legal proceedings (resulting in acquittal) unfairly prejudice future opportunities.
Key Legal Principles Established:
• Right to be Forgotten is part of Right to Privacy under Article 21
• Acquitted persons have a right to have their records removed from public databases
• Digital permanence cannot be allowed to defeat the purpose of acquittal
• Background check prejudice is a valid ground for invoking privacy rights
• Courts can direct government websites to remove personal data
Dr. Prashant Mali's Expert Analysis:
This case remains close to my heart because it addressed an injustice that thousands of acquitted Indians face daily. Our legal system presumes innocence, but our digital systems presume permanent searchability. The petitioner had done nothing wrong - he was acquitted - yet he was being denied employment because HR departments found his name on eCourts. When I argued this matter, I emphasized that the Right to Privacy recognized in Puttaswamy must evolve with technology. Just as we expunge criminal records in certain cases, we must allow expunction of digital records when they serve no legitimate purpose but cause substantial harm. The Court agreed. This judgment has since been cited in numerous subsequent Right to be Forgotten matters and informed the DPDPA 2023's provisions on data erasure. For practitioners seeking to file similar petitions, the key is demonstrating concrete prejudice - job loss, social stigma, or reputational harm - from the continued availability of the data.
Practical Implications:
• Acquitted persons can seek removal of records from eCourts
• Right to be Forgotten is now recognized in Indian law
• Privacy rights extend to control over digital information
• Precedent for DPDPA erasure rights
• Model for similar petitions nationwide
================================================================================
4. Dhule Vikas Sahakari Bank vs. AXIS Bank (2025) - The Rs. 1.76 Crore Bank Liability Landmark [HANDLED BY DR. PRASHANT MALI]
Citation: Adjudication Officer Order under IT Act, 2000
Court: Adjudication Officer (Civil Court) under IT Act, 2000
Key Sections: Section 43A IT Act (Compensation for failure to protect data)
Counsel for Complainant: Adv (Dr.) Prashant Mali
Facts of the Case:
Dhule Vikas Sahakari Bank, a cooperative bank, suffered unauthorized transactions totaling Rs. 2.06 crores due to lapses in AXIS Bank's cybersecurity measures. The critical failure: AXIS Bank had not implemented proper Two-Factor Authentication (2FA) for high-value transactions. The fraudsters exploited this vulnerability to siphon funds.
The Legal Arguments:
I argued that AXIS Bank failed to implement "reasonable security practices and procedures" as mandated under Section 43A of the IT Act. The absence of 2FA for transactions of this magnitude was a glaring violation of RBI cybersecurity guidelines and international best practices. I presented technical evidence showing how proper 2FA would have prevented the fraud, and legal arguments establishing that banks owe a duty of care to implement security measures commensurate with the risk.
Judgment:
The Adjudicating Officer delivered a historic ruling for accountability:
• Rs. 1.76 crore compensation with 18% compound interest
• Rs. 50 lakh for mental agony and harassment suffered
• Rs. 3 lakh for legal costs
• Total award exceeding Rs. 2.5 crores
The Order established that banks cannot escape liability by blaming customers when their own security measures are inadequate.
Key Legal Principles Established:
• Banks must implement reasonable security practices under Section 43A
• Absence of 2FA is a security failure attributable to the bank
• Compound interest can be awarded on compensation
• Mental agony damages available in cyber fraud cases
• Banks liable for systemic security failures, not just individual negligence
Dr. Prashant Mali's Expert Analysis:
This judgment is a watershed moment for banking cyber security in India. For too long, banks have blamed customers for cyber frauds while maintaining inadequate security themselves. The RBI has repeatedly issued cybersecurity guidelines, but enforcement has been lax. This Order sends a clear message: Section 43A has teeth, and banks will pay dearly for security failures. The 18% compound interest is particularly significant - it ensures that delayed justice does not become denied justice. For practitioners handling banking cyber fraud cases, the key is technical evidence. You must demonstrate the specific security failure and show how proper measures would have prevented the fraud. I engaged forensic experts to establish the absence of 2FA and its causal connection to the fraud. This technical precision was crucial to the judgment. For banks: this is your wake-up call. Implement proper security or face massive liability.
Practical Implications:
• Section 43A provides meaningful remedy against banks
• Security audits are essential for establishing breach
• Compound interest significantly enhances recovery
• Mental agony damages expand compensation scope
• Precedent for all banking cyber fraud cases
================================================================================
5. Bennett Coleman and Co. Ltd. (Times of India) vs. Abdul Aleem Sayed & Ors. - Corporate Data Theft Injunction [HANDLED BY DR. PRASHANT MALI]
Citation: Suit for Injunction, Bombay High Court
Court: Bombay High Court
Key Sections: Section 43, 65, 66 IT Act; Copyright Act; Contract Act
Counsel for Plaintiff: Adv (Dr.) Prashant Mali
Facts of the Case:
Times Pro (a Times of India EdTech company) discovered that their proprietary business data was being stolen by ex-employees who had joined a competitor, Jaro Education. The data - including student databases, course materials, pricing strategies, and business processes - was being systematically extracted by forwarding emails from corporate accounts to personal email IDs before resignation.
The Legal Challenge:
I was engaged to obtain urgent injunctive relief to stop the ongoing data theft and prevent further damage. The challenge was establishing a prima facie case for interim injunction when the defendants could claim they were merely using "knowledge gained during employment."
Legal Strategy and Arguments:
I argued that this was not mere use of knowledge but systematic theft of trade secrets and confidential information. The act of forwarding proprietary data to personal email IDs before resignation demonstrated premeditation and dishonest intention. I invoked Section 43(b) IT Act (downloading data from computer), Section 65 (tampering with source documents), and Section 66 (computer-related offenses), along with breach of confidentiality agreements and copyright infringement.
Judgment:
The Bombay High Court granted an ad interim injunction in the very first hearing, restraining the defendants from:
• Accessing, downloading, or forwarding any data illegally extracted
• Using the stolen data in any manner
• Sharing the data with third parties including the competitor company
Key Legal Principles Established:
• Pre-resignation data forwarding demonstrates dishonest intent
• Trade secrets in digital form protected under IT Act
• Courts will grant urgent injunctions for ongoing data theft
• Combination of IT Act, Copyright, and Contract remedies available
• Ex-employees bound by confidentiality even after resignation
Dr. Prashant Mali's Expert Analysis:
Corporate data theft by departing employees is an epidemic in India's competitive business environment. The traditional challenge was proving theft - unlike physical property, data can be copied without depleting the original. The key breakthrough in this case was forensic evidence of email forwarding patterns. We demonstrated that the defendants had forwarded thousands of emails containing confidential information to personal accounts in the weeks before resignation - a pattern inconsistent with legitimate use. For companies facing similar situations, my advice is: act fast. The moment you suspect data theft, engage forensic experts to preserve evidence, and file for injunction immediately. Delay allows defendants to claim the data was already in public domain or delete evidence. The Times of India case succeeded because we moved within days of discovery. Also, ensure your employment contracts have robust confidentiality clauses - they significantly strengthen your legal position.
Practical Implications:
• Pre-resignation data forwarding is evidence of theft
• Urgent injunctions available for data protection
• IT Act provisions strengthen corporate remedies
• Forensic evidence crucial for success
• Employee confidentiality survives employment
================================================================================
6. SVC Co-operative Bank Ltd. vs. Shaktil Neelkanth Kubal & Ors. - Bank Customer Data Theft [HANDLED BY DR. PRASHANT MALI]
Citation: Civil Suit, Bombay High Court
Court: Bombay High Court
Key Sections: Section 43(b), 66 IT Act; Section 379, 420 IPC
Counsel for Plaintiff Bank: Adv (Dr.) Prashant Mali
Facts of the Case:
India's second-largest cooperative bank discovered that customer data was being stolen and leaked by an employee working in collusion with a union leader. The data included sensitive customer information - account details, transaction histories, and personal identification - which was being extracted for unknown purposes.
Legal Strategy:
I filed a comprehensive suit seeking compensation and damages under Section 43(b) of the IT Act (which covers unauthorized downloading and extraction of data), along with injunctive relief. Simultaneously, I advised the bank to file a criminal complaint under Section 66 IT Act and relevant IPC provisions at the Cyber Police Station to establish criminal liability.
Judgment:
The Bombay High Court granted an ad interim injunction barring the defendants from accessing, downloading, forwarding, sharing, or transmitting any customer data in their custody. The Court also restrained them from deleting any evidence.
Key Legal Principles Established:
• Banks can sue employees for data theft under IT Act
• Customer data is protected "computer resource" under IT Act
• Union leaders have no immunity for data theft
• Parallel civil and criminal remedies available
• Evidence preservation orders essential
Dr. Prashant Mali's Expert Analysis:
This case highlights a growing threat: insider data theft in financial institutions. Unlike external hacking which can be defended through perimeter security, insider threats exploit legitimate access. The defendant here had authorized access to customer data - the crime was extracting and sharing it for unauthorized purposes. For financial institutions, this case underscores the need for Data Loss Prevention (DLP) systems that monitor and log all data access and extraction. In this case, the bank's IT systems had logs showing unusual data access patterns, which became crucial evidence. The combination of civil injunction and criminal FIR creates maximum pressure on defendants - they face both financial liability and potential imprisonment. For practitioners, always pursue both tracks in serious data theft cases.
Practical Implications:
• Insider data theft actionable under IT Act
• DLP systems create evidence trail
• Parallel civil-criminal strategy effective
• Union affiliation no defense to data theft
• Evidence preservation orders critical
================================================================================
7. State vs. J. Sudhakar Reddy & Ors. - The Loan App Case [HANDLED BY DR. PRASHANT MALI]
Citation: MM Court, Mumbai
Court: Metropolitan Magistrate Court (Cyber Police Station case)
Key Sections: Section 66, 66C, 66D IT Act; Sections 384, 385, 506, 509 IPC
Counsel for Accused No. 18: Adv (Dr.) Prashant Mali
Facts of the Case:
This was the infamous "Loan App" case that made national headlines - one of the first major prosecutions against predatory lending apps that harassed borrowers with threats, morphed photos, and calls to contacts. 18 accused were arrested including my client, who was the CEO of Mahagram Payments Private Limited, a fintech company.
The Legal Challenge:
The prosecution alleged that my client's company was involved in the loan app operations. However, my client was actually an intermediary - a payment gateway provider who processed transactions but had no control over the lending operations or collection practices.
Legal Arguments:
I argued extensively that my client qualified as an "intermediary" under Section 2(1)(w) of the IT Act and was entitled to safe harbour protection under Section 79. The company merely provided payment processing services - it did not design the apps, set lending terms, conduct collections, or engage in harassment. I presented evidence showing the company's limited role and argued that the principles from the Shreya Singhal judgment (reading down Section 79 to require actual knowledge) applied.
Judgment:
In a landmark order - the first of its kind in Loan App cases - the Court granted bail to my client, accepting the intermediary defense. The other defense lawyers had asked me to argue first so they could rely on my legal research and arguments.
Key Legal Principles Established:
• Payment gateway providers can claim intermediary status
• Safe harbour under Section 79 applies to fintech intermediaries
• Actual knowledge test applies - mere processing not sufficient
• Distinction between platform operators and service providers
• Technical role determines liability, not mere association
Dr. Prashant Mali's Expert Analysis:
The Loan App phenomenon represented a perfect storm of technology, predatory lending, and regulatory gaps. Thousands of Indians were harassed, threatened, and driven to suicide by these apps. The prosecution's instinct to arrest everyone connected to the apps was understandable but legally problematic. Not everyone in a technology chain bears criminal liability - intermediaries have protection for good reason. My client ran a legitimate payment gateway used by thousands of merchants. The fact that some merchants were illegal loan apps did not make my client a criminal any more than a road builder is liable for accidents. The Court's acceptance of the intermediary defense sets an important precedent for the fintech industry. It clarifies that service providers who lack knowledge of and control over illegal activities by their users are not criminally liable. However, this protection requires demonstrable due diligence - companies must have KYC processes for onboarding merchants and respond to complaints appropriately.
Practical Implications:
• Intermediary defense available in fintech prosecutions
• Payment gateways not automatically liable for merchant crimes
• Section 79 safe harbour extends to new technology contexts
• Due diligence documentation crucial for defense
• Precedent for all Loan App cases nationwide
================================================================================
8. Sanjay Dhande vs. ICICI Bank and Vodafone India - IIT Director's Retirement Fraud [HANDLED BY DR. PRASHANT MALI - PRO BONO]
Citation: Complaint before Adjudication Officer; Appeal to TDSAT
Court: Adjudication Officer (IT Act) and TDSAT, Delhi
Key Sections: Section 43, 43A IT Act
Counsel for Complainant: Adv (Dr.) Prashant Mali (Pro Bono)
Facts of the Case:
Professor Dr. Sanjay Dhande, former Director of IIT Kanpur and Padma Shri awardee, lost over Rs. 19 lakhs - his retirement savings - in a sophisticated SIM swap fraud. The fraudsters obtained a duplicate SIM card using forged KYC documents (including a forged passport with the photograph of Hon. IT Minister Mr. Dayanidhi Maran and the victim's wife's details - a brazen mockery of the system). Using this duplicate SIM, they bypassed the OTP verification and siphoned the money.
Why I Took This Case Pro Bono:
When Professor Dhande approached me, I was struck by the audacity of the fraud and the systemic failures it exposed. Here was a distinguished academic, a Padma Shri recipient who had served the nation, being victimized because banks and telecom companies failed to implement basic security. I took this case pro bono because it represented everything wrong with our cybersecurity ecosystem - and winning it could set precedents to protect lakhs of other potential victims.
Legal Strategy:
I argued that both ICICI Bank and Vodafone India failed to maintain "reasonable security practices" under Section 43A. The telecom company issued a duplicate SIM on clearly forged documents (the KYC had a male minister's photo with female details!). The bank processed high-value transactions on a newly-swapped SIM without additional verification. Both failures were necessary for the fraud to succeed.
Judgment:
The Adjudicating Officer held both ICICI Bank and Vodafone liable and ordered compensation. Unhappy with the quantum, both companies filed appeals before TDSAT, Delhi. ICICI Bank hired a full team of lawyers and made a one-hour presentation showcasing their "excellent" security practices. After extensive hearings - during which I had to translate Marathi police documents into English in real-time for the Delhi bench - TDSAT upheld our victory. Faced with a deposit requirement of Rs. 50,000, Vodafone chose to withdraw its appeal entirely, accepting liability.
Key Legal Principles Established:
• Both banks and telecom companies liable for SIM swap frauds
• KYC verification failures attract Section 43A liability
• Joint and several liability for contributing parties
• Appellate remedies don't reduce original orders
• Pro bono representation can achieve landmark results
Dr. Prashant Mali's Expert Analysis:
The Sanjay Dhande case exposed the Swiss cheese model of security failures. Multiple layers - telecom KYC, SIM issuance verification, bank transaction monitoring, OTP reliance - all had holes. When the holes aligned, the fraud succeeded. The judgment's significance lies in establishing that every party whose failure contributed to the fraud shares liability. Banks cannot blame telecom companies; telecom companies cannot blame banks. Both must maintain reasonable security, and both pay when they don't. For victims of SIM swap fraud, this case provides a clear template: file complaints against both the bank and the telecom company before the Adjudication Officer under the IT Act. The procedure is simpler than consumer forums and the IT Act's Section 43 provides specific remedies for unauthorized access and data breach.
Practical Implications:
• Dual liability for SIM swap frauds established
• Section 43A effective against financial institutions
• Telecom KYC failures independently actionable
• TDSAT appellate route for IT Act matters
• Pro bono cases can achieve landmark results
================================================================================
9. Rohit Maheshwari vs. Vodafone India - CDR as Sensitive Personal Data [HANDLED BY DR. PRASHANT MALI]
Citation: Complaint before Adjudication Officer, Mumbai
Court: Adjudication Officer under IT Act, 2000
Key Sections: Section 43A IT Act; IT (Reasonable Security Practices) Rules
Counsel for Complainant: Adv (Dr.) Prashant Mali
Facts of the Case:
The complainant's mobile phone bill - including Call Detail Records (CDR) - was shared online by his estranged business partner without permission. Vodafone India had failed to protect this data from unauthorized access.
Legal Arguments:
I argued a novel proposition: CDR constitutes "sensitive personal data" under the IT Act because call logs reveal intimate details of a person's life. Whom you call reveals your doctors (and therefore health conditions), your lawyers (and therefore legal troubles), your personal relationships, and your business associations. A call to an oncologist suggests cancer; repeated calls to a divorce lawyer suggest marital problems. CDR is as intimate as medical records.
Judgment:
The Adjudicating Officer accepted this argument - the first time CDR was formally recognized as sensitive personal data in India. Vodafone was held liable and ordered to pay Rs. 10,000 as token compensation for the privacy breach.
Subsequent Developments:
Vodafone appealed to TDSAT. However, when the TDSAT bench indicated it would require a deposit of Rs. 50,000 and expressed skepticism about the appeal, Vodafone chose to withdraw rather than risk an adverse precedent at the appellate level. By withdrawing, they implicitly accepted the Adjudication Officer's finding that CDR is sensitive personal data.
Key Legal Principles Established:
• CDR (Call Detail Records) is sensitive personal data
• Privacy extends to communication metadata, not just content
• Telecom companies owe duty to protect CDR
• Even nominal damages establish the principle
• Appellate withdrawal strengthens original precedent
Dr. Prashant Mali's Expert Analysis:
This case may seem small (Rs. 10,000 compensation), but its principle is enormous. In the age of metadata surveillance, whom we call can be as revealing as what we say. Intelligence agencies know this - they track patterns of communication rather than content because metadata is often more valuable. The recognition of CDR as sensitive personal data means telecom companies must implement the same security standards for call logs as they would for medical records. This has implications for everything from law enforcement access to CDR to data breach notifications. For practitioners, remember: the value of a case is not always in the damages awarded but in the principles established. I fought this case not for Rs. 10,000 but to establish a precedent that protects millions of Indians' communication privacy.
Practical Implications:
• CDR now classified as sensitive personal data
• Telecom companies must secure CDR
• Communication metadata has privacy protection
• Precedent for data breach cases involving CDR
• Foundation for future communication privacy litigation
================================================================================
Part III: Other Landmark IT Act and Cyber Crime Judgments
10. Avnish Bajaj vs. State (NCT of Delhi) (2008) - The Bazee.com Case
Citation: 150 (2008) DLT 769
Court: Delhi High Court
Key Sections: Section 67, 79 IT Act; Section 292 IPC
Facts of the Case:
An obscene MMS clip was listed for sale on Bazee.com (owned by eBay) by a third-party user who was an IIT Kharagpur student. Avnish Bajaj, the CEO of Bazee.com, was arrested and charged under Section 67 IT Act and Section 292 IPC even though the company had removed the listing within 38 hours of becoming aware.
Judgment:
The Delhi High Court discharged Avnish Bajaj from criminal liability, holding that intermediaries cannot be held vicariously liable for content posted by third-party users unless they have actual knowledge and fail to act.
Key Legal Principles Established:
• Intermediaries are not publishers of third-party content
• Safe harbour applies if intermediary removes content upon notification
• CEOs cannot be automatically prosecuted for user-generated content
• Mens rea (guilty mind) required for criminal liability
Dr. Prashant Mali's Expert Analysis:
The Bazee.com case was a watershed moment for India's e-commerce industry. At the time, there was genuine fear that every platform founder could be jailed for user content. The Delhi High Court's nuanced interpretation saved India's nascent internet economy. I have relied on this judgment extensively in the Loan App case discussed above, arguing that payment intermediaries enjoy similar protection. The key takeaway is the "actual knowledge" test - platforms must act expeditiously once they have actual knowledge of illegal content, but they are not required to proactively monitor all content.
Practical Implications:
• E-commerce platforms have safe harbour protection
• Quick takedown upon notification preserves immunity
• Platform executives not automatically liable
• Forms basis for IT Rules 2021 intermediary guidelines
================================================================================
11. Sharat Babu Digumarti vs. Govt. of NCT of Delhi (2017) - IT Act as Complete Code
Citation: (2017) 2 SCC 18
Court: Supreme Court of India
Key Sections: Sections 67, 67A, 67B IT Act; Section 292 IPC
Facts of the Case:
This was an appeal arising from the Bazee.com case. The Supreme Court was asked to determine whether the accused could be tried under both Section 292 IPC and Section 67 IT Act for the same transaction.
Judgment:
The Supreme Court held that Chapter XI of the IT Act (Sections 67 through 67B) constitutes a "complete code" for offenses relating to obscene material in electronic form. Therefore, when obscenity is transmitted in electronic form, only IT Act provisions apply, not IPC Section 292.
Dr. Prashant Mali's Expert Analysis:
This Supreme Court clarification resolved a long-standing confusion. The "complete code" doctrine means that for any cyber obscenity case, only IT Act provisions should be invoked. This is significant because IT Act penalties are often higher than corresponding IPC provisions. In my practice, I use this judgment both offensively and defensively - to ensure proper charges are framed by prosecution, and to seek quashing when IPC is wrongly invoked for purely electronic offenses.
Practical Implications:
• Only IT Act applies to electronic obscenity
• IPC Section 292 charges can be challenged in cyber cases
• Clearer sentencing framework
• Prosecution must frame charges correctly
================================================================================
12. Shapoorji Pallonji Pvt. Ltd. vs. State of Maharashtra, MHADA, NIC & Ors. - E-Tender Technology Case [HANDLED BY DR. PRASHANT MALI]
Citation: Writ Petition, Bombay High Court
Court: Bombay High Court
Key Sections: IT Act 2000; Contract Act; Administrative Law
Counsel: Adv (Dr.) Prashant Mali with Sr. Counsel Iqbal Chagla and Ravi Kadam
Facts of the Case:
This was India's biggest redevelopment project - the Rs. 11,000 crore BDD Chawls Redevelopment in Mumbai. The e-tender for this massive project was challenged on technical grounds related to the e-tendering platform, server configurations, and digital signature verification.
The Legal Challenge:
I appeared as techno-legal expert counsel, arguing complex technical issues related to e-tendering technology, timestamp authentication, server log analysis, and digital signature infrastructure for 8 consecutive days.
Judgment:
The Bombay High Court passed a landmark order in my client's favour - the first case of its kind dealing comprehensively with e-tendering technology and its legal implications.
Dr. Prashant Mali's Expert Analysis:
This case demonstrated that cyber law is not just about crimes - it encompasses the entire digital infrastructure of modern governance. E-tendering, e-governance, digital signatures, and server authenticity are all cyber law issues. For the legal profession, this case underscores the need for techno-legal expertise. Arguments had to cover IT infrastructure, server architecture, digital signature PKI, and timestamp authentication - alongside traditional contract and administrative law. The future of litigation will increasingly require such hybrid expertise.
Practical Implications:
• E-tendering systems subject to legal challenge
• Technical evidence crucial in e-governance disputes
• Digital signature infrastructure can be questioned
• Techno-legal expertise increasingly essential
================================================================================
Part IV: Electronic Evidence and Procedure
13. Anvar P.V. vs. P.K. Basheer (2014) - The Electronic Evidence Judgment
Citation: (2014) 10 SCC 473
Court: Supreme Court of India
Key Sections: Section 65B Indian Evidence Act
Judgment:
The Supreme Court held that electronic evidence is admissible only if accompanied by a certificate under Section 65B(4) from a person occupying a responsible position in relation to the operation of the relevant device.
Dr. Prashant Mali's Expert Analysis:
The Anvar P.V. judgment is both a blessing and a curse for cyber law practitioners. On one hand, it ensures the integrity of electronic evidence. On the other hand, the strict requirement often derails legitimate cases. I have seen numerous cyber crime prosecutions fail because investigating officers didn't obtain proper 65B certificates. For police and prosecutors: obtain the 65B certificate at the time of seizure itself. For defense lawyers: always challenge electronic evidence lacking proper certification.
Practical Implications:
• Section 65B certificate is mandatory
• Without certificate, evidence inadmissible
• Affects prosecution of cyber crimes
• Defense strategy to challenge uncertified evidence
================================================================================
14. Arjun Panditrao Khotkar vs. Kailash Kushanrao Gorantyal (2020)
Citation: (2020) 7 SCC 1
Court: Supreme Court of India
Judgment:
The Supreme Court held that while a Section 65B certificate is mandatory, it can be produced at any stage of the proceedings before judgment. The Court also clarified that if the original device is produced, a Section 65B certificate is not required.
Dr. Prashant Mali's Expert Analysis:
Arjun Panditrao provided much-needed relief to prosecutors and civil litigants who had obtained electronic evidence but failed to get immediate certification. However, this should not be taken as a license for sloppy evidence collection. The golden rule remains: obtain the 65B certificate contemporaneously with seizure.
================================================================================
Part V: Banking and Cyber Fraud Adjudications
15. Chander Kalani & Smt. Romi Kalani vs. SBI & Ors. - NRI Fraud Case [HANDLED BY DR. PRASHANT MALI]
Citation: Complaint before Adjudication Officer; Appeal to TDSAT
Key Sections: Section 43, 43A IT Act
Facts of the Case:
The complainants were senior citizens and NRIs doing business in Lagos, Nigeria. They held a joint NRE account with SBI and Fixed Deposits. While visiting the bank, they discovered their FD had been fraudulently transferred to another account in London without their knowledge or authorization - the transactions were done only via email without proper verification.
Legal Arguments:
I argued that SBI failed to implement reasonable security by accepting email instructions for high-value transactions without telephone verification, alternate email confirmation, or physical visit requirement. The bank's own policies required additional verification for such transactions, which was not followed.
Judgment:
The Adjudicating Officer held both parties partly responsible but awarded Rs. 40,00,000 to the complainants. SBI appealed to TDSAT.
TDSAT Proceedings:
SBI argued that the complainants hadn't updated their mobile number. I counter-argued that precisely because the mobile wasn't working, the bank should have been more cautious about email-only instructions. The bank should have rejected the suspicious request rather than process it blindly.
Outcome:
The TDSAT dismissed SBI's appeal and upheld the order.
Dr. Prashant Mali's Expert Analysis:
This case highlights the vulnerability of NRIs who cannot physically visit banks. Banks must implement additional safeguards for overseas customers - video KYC, callback verification, transaction cooling periods. The email-only authorization that SBI accepted would be laughable security by any standard. For NRIs: ensure your registered mobile and email are always current. For banks: email authentication alone is never sufficient for high-value transactions.
Practical Implications:
• Banks liable for inadequate verification
• Email-only instructions insufficient for high-value transfers
• NRI accounts require enhanced security
• TDSAT upholds consumer-friendly interpretations
================================================================================
16. Daffodils Furnishing vs. Idea Cellular, RBL Bank, ICICI Bank - SIM Swap Fraud
Citation: Complaint before Adjudication Officer
Key Sections: Section 43A IT Act
Facts of the Case:
The complainant's SIM was blocked by unknown fraudsters who obtained a duplicate SIM using forged KYC documents. The fraud was made possible by Idea Cellular's failure to verify the documents properly before issuing the duplicate SIM.
Judgment:
The Adjudicating Officer ordered Idea Cellular to pay Rs. 8,50,000 with 12% compound interest.
Dr. Prashant Mali's Expert Analysis:
SIM swap fraud is an epidemic because telecom companies prioritize speed over security in SIM issuance. This judgment and others I've obtained establish that telecom companies bear primary liability for verifying KYC before issuing duplicate SIMs. The 12% compound interest ensures meaningful compensation for victims.
================================================================================
Part VI: Domain Name and Intellectual Property
17. Safe Securities Inc. (Lucideus) vs. Tmotius Michael - WIPO Domain Dispute [HANDLED BY DR. PRASHANT MALI]
Citation: WIPO Case No. D2021-3236
Forum: World Intellectual Property Organization (WIPO) Arbitration
Counsel for Complainant: Adv (Dr.) Prashant Mali
Facts of the Case:
Safe Securities Inc. (formerly Lucideus Inc.), a Delaware-incorporated cybersecurity company, discovered that the domain lucideus.com had been registered by an unauthorized party. The company had been using the LUCIDEUS trademark since 2016 with both US and Indian trademark registrations.
Legal Arguments:
I filed a complaint under WIPO's Uniform Domain-Name Dispute-Resolution Policy (UDRP), demonstrating: (1) the domain was identical to the complainant's trademark, (2) the respondent had no rights or legitimate interests in the domain, and (3) the domain was registered and being used in bad faith.
Judgment:
The WIPO Panel ordered the domain lucideus.com to be transferred to the complainant.
Dr. Prashant Mali's Expert Analysis:
Domain disputes require understanding of both trademark law and UDRP procedure. The WIPO process is faster and cheaper than litigation - decisions typically come within 60 days. For brand owners, monitoring domain registrations and acting quickly is essential. Cybersquatters count on trademark owners not noticing or not pursuing remedies. The WIPO route provides efficient redress for legitimate trademark holders.
Practical Implications:
• WIPO provides efficient domain dispute resolution
• Trademark registration strengthens domain claims
• Bad faith registration can be challenged internationally
• 60-day timeline for resolution
================================================================================
18. Technoarete vs. Technoarete International & IFERP World - WIPO Domain Dispute [HANDLED BY DR. PRASHANT MALI]
Citation: WIPO Case No. D2022-0937
Forum: WIPO Arbitration
Facts of the Case:
Chennai-based academic conference organizers Technoarete Research and Development Association discovered that their domain names technoarete.com and iferp.org had been registered by respondents in Odisha using proxy registration services to mask their identity.
Judgment:
The WIPO Panel ordered both disputed domains to be transferred to the complainants.
Dr. Prashant Mali's Expert Analysis:
The use of "Domains by Proxy LLC" to hide registrant identity is a red flag for bad faith. Legitimate domain registrants rarely need to hide their identity. For practitioners, always check WHOIS records - proxy registration combined with trademark infringement almost always indicates cybersquatting.
================================================================================
Part VII: Emerging Cyber Law Developments
19. Internet and Mobile Association of India vs. RBI (2020) - Cryptocurrency Judgment
Citation: (2020) SCC Online SC 275
Court: Supreme Court of India
Judgment:
The Supreme Court struck down the RBI circular banning cryptocurrency as disproportionate and violative of Article 19(1)(g). The Court held that while RBI had power to regulate cryptocurrencies, an outright ban without evidence of harm was excessive.
Dr. Prashant Mali's Expert Analysis:
The IAMAI judgment is a masterclass in applying constitutional principles to emerging technology. Post-judgment, India has not banned crypto but taxes it at 30% and requires exchanges to register with FIU-IND. For clients in crypto space, my advice is clear: comply with all AML/KYC requirements, maintain proper records, pay taxes, and your trading is lawful.
20. The DPDPA 2023 and BNS 2023 Framework
The Digital Personal Data Protection Act, 2023 and Bharatiya Nyaya Sanhita, 2023 represent legislative recognition that cyber law requires comprehensive, dedicated frameworks.
DPDPA Key Features:
• Consent-based data processing
• Data principal rights (access, correction, erasure)
• Data fiduciary obligations
• Penalties up to Rs. 250 crores
BNS Cyber Provisions:
• Section 78: Cyber stalking (gender-neutral)
• Section 318: Online cheating
• Section 336: Electronic document forgery
• Section 356: Electronic defamation
Dr. Prashant Mali's Expert Analysis:
My successful argument in ABC vs. Union of India (Right to be Forgotten) directly influenced DPDPA's erasure rights provisions. The legislative developments validate the judicial precedents we established through courtroom battles. The future of Indian cyber law is bright - with strong constitutional foundations, evolving judicial precedents, and now comprehensive legislation.
Conclusion: Lessons from the Courtroom
The judgments analyzed above - including several I personally argued and won - represent the evolution of Indian cyber law from academic theory to practical application. Several lessons emerge:
1. Constitutional Foundation: Privacy (Puttaswamy) and free speech (Shreya Singhal) provide the bedrock. I successfully built upon Puttaswamy to establish Right to be Forgotten in ABC vs. Union of India.
2. Section 43A Has Teeth: The Dhule Vikas Bank, Sanjay Dhande, and other cases prove that banks and telecom companies can be held liable for security failures. The remedies are real and substantial.
3. Intermediary Protection Matters: From Bazee.com to the Loan App case, courts have consistently protected genuine intermediaries while holding bad actors accountable.
4. Technical Evidence is Crucial: Whether it's e-tendering (Shapoorji Pallonji), data theft (Times of India), or SIM swap fraud, technical forensic evidence often determines outcomes.
5. Persistence Pays: Many of these cases required appeals, multiple hearings, and years of effort. Justice in cyber law requires stamina.
For practitioners entering this field: cyber law is not just IT Act sections - it's constitutional law, evidence law, contract law, and technology all combined. Master all of them.
About the Author
Adv (Dr.) Prashant Mali is a practicing Advocate at the Bombay High Court specializing in Cyber Law, Cyber Security, Data Protection, and AI Law. With a Ph.D. in Cyber Law and over 25 years of experience, he has personally argued and won several of the landmark cases discussed in this article.
Landmark Cases Won:
• ABC vs. Union of India - Right to be Forgotten
• Dhule Vikas Bank vs. AXIS Bank - Rs. 1.76 Crore compensation
• Bennett Coleman (Times of India) vs. Abdul Aleem Sayed - Data theft injunction
• SVC Bank vs. Kubal - Customer data theft
• State vs. J. Sudhakar Reddy - Loan App (Safe harbour for intermediaries)
• Sanjay Dhande vs. ICICI Bank & Vodafone - Dual liability (Pro bono)
• Rohit Maheshwari vs. Vodafone - CDR as sensitive data
• Shapoorji Pallonji vs. Maharashtra - E-tender technology
• WIPO Domain Disputes - Lucideus.com, Technoarete.com
Credentials:
• Ph.D. in International Cyber Law and Cyber Warfare
• LL.M, M.Sc. (Computer Science), CCFP (Certified Computer Forensics Professional)
• Author of 8 books on Cyber Law and Data Protection
• Author of 16 peer-reviewed research papers
• Chevening (UK) Cyber Security Policy Fellow
• IVLP (USA) Fellow for Linking Digital Policy to Cyber Crime Enforcement
• Featured expert on BBC World, Bloomberg, NDTV, Zee Business
• Recipient: "Best Cyber Lawyer 2017" by Justice Soli Sorabjee
• Recipient: "Cyber Security Lawyer of the Year: India 2016" by Financial Magazine (UK)
Contact for Consultation:
Email: prashant.mali@cyberlawconsulting.com
Website: www.prashantmali.com
LinkedIn: linkedin.com/in/prashantmali
Phone: +91-22-26581818 / +91-9821763157
Disclaimer
This article is for informational purposes only and does not constitute legal advice. The case analysis represents the author's professional interpretation based on available judgments and personal experience arguing these matters. For specific legal matters, please consult a qualified advocate. Laws and their interpretations change over time; readers should verify current legal positions before acting.
Copyright © 2026 Adv (Dr.) Prashant Mali. All Rights Reserved.