top of page

The impact of India's new criminal codes on digital businesses

India is in the midst of an unprecedented regulatory overhaul. In the Winter Session of the Indian Parliament that commenced on December 4, 2023, 18 new laws were taken up for consideration! The list included three consequential criminal law bills, the Bharatiya Nyaya Sanhita, 2023 (“New Penal Code”/ “BNS”), Bharatiya Sakshya Adhiniyam 2023 (“New Evidence Code”/ “BSA”)) and Bharatiya Nagarik Suraksha Sanhita, 2023 (“New Criminal Procedure Code”/ “BNSS”). These laws are poised to replace the Indian Penal Code, 1860, Indian Evidence Act, 1872, and the Code of Criminal Procedure, 1973, respectively. On December 25, 2023, the three bills attained President’s assent, laying the foundation for a new criminal justice ecosystem in India. 

The three new codes have used technology as the fulcrum on which this foundational transition is to be leveraged. From the introduction of cybercrimes and electronic registration of FIRs to mandatory virtual recording of seized property, the new criminal laws have set about digitising the Indian criminal system in the hopes of achieving efficiency, speed and equity in the delivery of justice to citizens.  

We discuss noteworthy provisions of the new criminal codes and their implications for digital businesses.

New Criminal Code

Modernising Colonial Verbiage

Given that the old Indian Penal Code was first written in 1860, one of the driving impulses behind the overhaul was to replace outdated words with their modern counterparts. Some of these replacements have to do with modern sensitivities (replacing the term “idiot”, for example). In certain other cases, however, the use of newer terminology may be more about visuals than substance.

The crime of ‘sedition’, for example, was set down under Section 124A of the old Indian Penal Code. While this now stands repealed, Section 152 of the new code is conspicuously similar[1]. Also interesting to note is that ‘electronic communication’ has been inserted to recognize modern channels or tools used by an individual who “excites… or encourages separatist feelings[2]. This express inclusion of electronic communication, read with proposals under the new Telecommunications Act, 2023, raise concerns around online culpability and privacy. Under the Telecommunications Act, online communication service providers are required to “intercept, detain, disclose or suspend any message[3] even if that requires infringing on end-to-end encryption standard put in place for user privacy. This raises questions around the extent of data protection and respect of privacy that can be offered to users, and also suggests a marked transition in the modus operandi of communication service providers in the future.

Penalising Cybercrimes and False Information

In an indication that online crimes will be policed stringently, Section 111 of the New Penal Code classifies ‘cybercrime’ as a class of ‘organised crime’.[4] Section 197(d) of the BNS also penalises the creation and publication of ‘false information’[5]. These offences are quite widely worded and it would be more legally sustainable if precise definitions are attributed to such offences. How social media platforms and e-commerce platforms will fit into this formulation is still unlcear; what is also unclear is the extent of liability that such platforms will be susceptible to. Online platforms may have to recalibrate their User Agreements, T&Cs, and Community Guidelines, as well as make changes to their monitoring systems, to ensure that they are protected from liability for any malicious or illegal actions of their users.

New Criminal Procedure Code

Inspection and Seizure of Electronic Devices

The New Criminal Procedure Code enhances the powers available to law enforcement while investigating matters. It provides for seizure of any electronic device or record that is ‘likely’ to contain digital evidence, and persons other than the accused may also be directed to produce such records[6]. A police officer is allowed to search and seize an individuals’ property, without written orders, if they have reasonable grounds to believe that such property will not be obtained without undue delay.[7]

Interestingly, Indian courts have in the past reasoned that “right against self-incrimination is limited to information given from personal knowledge[8]. That said, the enhanced powers available to law enforcement may be consequential in investigations against companies or corporations, where it is much more likely that electronic devices will be available for seizure. This increases the risk that local India offices of MNCs will bear, even in cases where the main business activity is carried out overseas. This could potentially impact business operations, confidentiality, and reputation. Companies might need to strengthen their digital security protocols and legal compliance strategies to navigate these challenges.  

Witness Protection Scheme

Section 398 of the new procedure code directs each state government to create a witness protection scheme for ensuring witness’ safety.[9] While recognising the importance of a ‘Protection Scheme’,  the code is silent on how such a scheme would apply to corporate whistle blowers considering that SEBI regulations with regards to whistle blowing apply in a limited scope with regards to insider trading only.

Seen from that perspective, the new criminal laws are a missed opportunity to codify protections for whistle blowers, something that is available in all modern economies. Readers will remember that while the Whistle Blowers Protection Act, 2014 was passed by the Parliament of India in 2014, it has not been notified as of yet and is not currently enforceable law.

New Evidence Code

Use of Electronic Evidence

Under the New Evidence Code, electronic or digital records have been assigned the same “legal effect, validity and enforceability[10] as a physical document. Since such records also include data stored, recorded or copied in the memory of a communications device, electronic communications too are deemed to be documents.[11] The language seems to indicate that electronic records can be served as primary evidence.

While electronic evidence is allowed, not all procedural barriers have been removed. Section 63 of the code imposes conditions on the validity of digital evidence based on computer output to ensure its credibility.[12] This means that even though certification is not mandated for every digital record submitted, there are still excessive prescriptive conditions that need to be followed for admissibility. Only statements that are submitted in the digital form are required to carry a certificate as prescribed under section 63(4).[13] This is in contrast to the Indian Evidence Act where a certificate under 65B was mandated for admissibility of all electronic records.[14] 

Key Takeaways for Digital Businesses

(i) Intersection of Data and Self-incrimination

Every single technological reform brought under the new criminal laws has in some shape or form impacted the right to privacy. Blanket seizures without content-specific proportionality tests go against the grain of constitutional rights to privacy and self-incrimination.[15] Strict procedural and regulatory guidelines will need to be issued to limit the extent and duration to which data can be accessed and devices can be held in custody. But this presents an issue for businesses in India, as well. At the very least, guidelines for how corporations store or manage their users’ and employees’ data are imperative, given their implications now.

(ii) Privacy and Personal Data Protection

With the State’s increased access to private data arises an increased responsibility to protect this data. Electronic devices or records in the custody of the Police are the State’s responsibility, and as such a committee/authority should be instituted to monitor the operation and handling of electronic records and devices. Clarifications as to whether the exemptions provided to the Central Government and its agencies under the new Digital Personal Data Protection Act, 2023[16] would extend to the Police, and who shall be regulating the breach of digital personal data held by law enforcement and in what manner, need to be issued.

Collection of data, such as under registration of e-FIR, should be standardised and carried through secure, state specified and regulated portals. Absence of provisions that provide for the security or proper maintenance of the electronic evidence raises severe privacy and safety concerns. This, along with the sensitive data collected under the Criminal Procedure (Identification) Act, 2022 necessitates a strong digital infrastructure to prevent data leaks.

(iii) Enhancement of Police Powers

There is a substantial increase in the discretionary powers given to the Police under the new codes with respect to registering of FIRs for a non-cognizable offence after conducting preliminary inquiry, attachment of property, arresting without a warrant and so on. Stronger procedural powers have long been an ask of law enforcement agencies. Proper guidelines need to be issued wherever such discretion has been granted to prevent the abuse of power. A stricter and more comprehensive code of conduct should be framed to ensure greater accountability on part of law enforcement agencies.


[1] Section 152 - “Whoever, purposely or knowingly, by words, either spoken or written, or by signs, or by visible representation, or by electronic communication or by use of financial means, or otherwise, excites or attempts to excite, secession or armed rebellion or subversive activities, or encourages feelings of separatist activities or endangers sovereignty or unity and integrity of India; or indulges in or commits any such act shall be punished with imprisonment for life or with imprisonment which may extend to seven years and shall also be liable to fine.”

[2] Ibid 1.

[3] Section 20(2)(a) of Telecommunications Act, 2023

[4] Section 111 of Bharatiya Nyaya (Second) Sanhita, 2023

[5] Section 197(d) of Bharatiya Nyaya (Second) Sanhita, 2023 – “makes or publishes false or misleading information jeopardising the sovereignty unity and integrity or security of India”.

[6] Section 94.

[7] Section 185.

[8] State of Bombay v. Kathi Kalu Oghad (1961), 1961 AIR 1808, 1962 SCR (3) 10

[9] Section 398 – “Every State Government shall prepare and notify a Witness Protection Scheme for the State with a view to ensure protection of the witnesses.”

[10] Section 61 – “Nothing in this Adhiniyam shall apply to deny the admissibility of an electronic or digital record in the evidence on the ground that it is an electronic or digital record and such record shall, subject to section 63, have the same legal effect, validity and enforceability as other document.

[11] Section 63(1) – “Notwithstanding anything contained in this Adhiniyam, any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media or semiconductor memory which is produced by a computer or any communication device or otherwise stored, recorded or copied in any electronic form (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible.

[12] Section 63(2) and Section 63(3) of Bharatiya Sakshya (Second) Adhiniyam, 2023

[13] Section 63(4) of Bharatiya Sakshya (Second) Adhiniyam, 2023

[14] Section 65B of Evidence Act, 1872

[15] Soutik Banerjee, ‘Constitutional Principles Go for a Toss in the Criminal Law of Search and Seizure’ (Supreme Court Observer 13 December 2023) <> accessed 5 January 2024.

[16] Section 17 of Digital Personal Data Protection Act, 2023


bottom of page