Introduction
Jurisdiction is the foundational question of any legal system: which authority has the power to make law, adjudicate disputes, and enforce decisions in a given situation? In physical space, jurisdiction is primarily territorial, defined by geographic boundaries enforced by states. In cyberspace, jurisdiction becomes profoundly ambiguous. A cybercriminal operating from one jurisdiction may use infrastructure located in a second, target victims in a third, route transactions through financial systems in a fourth, and communicate with co-conspirators in a fifth. Each element of the offence may be subject to different legal systems, different criminal codes, and different enforcement capacities.
For India, this jurisdictional complexity has practical and urgent consequences. The I4C (Indian Cybercrime Coordination Centre) receives millions of cybercrime complaints annually through its centralised portal at cybercrime.gov.in. The vast majority of these complaints involve an international dimension: fraudulent call centres operating from Cambodia, Myanmar, and elsewhere targeting Indian victims; investment scam rings operating across Southeast Asia; ransomware operators based in Eastern Europe; romance fraud operations with infrastructure in multiple African jurisdictions. Investigating and prosecuting these crimes requires navigating a patchwork of bilateral agreements, inter-agency relationships, and international legal instruments that are slow, inconsistently honoured, and frequently overwhelmed by the volume of requests.
This article examines the statutory framework for cybercrime jurisdiction in India, the operation of mutual legal assistance treaties in the cybercrime context, the interaction of Indian jurisdictional claims with the US CLOUD Act, the domestic confusion about territorial competence for cybercrime prosecutions, and the structural reforms that would improve investigative and prosecutorial effectiveness.
Legal Framework
Section 1(2) of the IT Act, 2000 establishes India’s jurisdictional claim in sweeping terms: the Act extends to the whole of India and, save as otherwise provided, applies to any offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system, or computer network located in India. This extraterritorial reach is among the broadest of any Indian statute, essentially asserting jurisdiction wherever the Indian digital infrastructure is implicated.
In practice, this provision is more aspirational than operational. Exercising jurisdiction over a person located in a foreign country requires either that the person enters Indian territory (enabling arrest), that India’s extradition treaty with the relevant country applies to the offence charged and the extradition request is honoured, or that the foreign country prosecutes the person under its own laws with Indian cooperation. None of these pathways is available for the majority of cybercriminals targeting India, who operate from jurisdictions with no extradition treaty with India, weak domestic cybercrime enforcement, or active institutional tolerance of certain forms of cybercrime.
The Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS), which replaced the Code of Criminal Procedure, addresses territorial jurisdiction for offences committed outside India in Sections 3, 4, and 5. It extends jurisdiction for offences against Indian citizens committed anywhere, and for offences committed on Indian ships or aircraft. The BNSS does not specifically address cybercrime jurisdiction in a manner that goes beyond the IT Act’s provisions, leaving the primary jurisdictional framework unchanged.
Within India, Section 177 of the BNSS (the successor to Section 177 CrPC) provides that every offence shall ordinarily be inquired into and tried by a court within whose local jurisdiction it was committed. For cybercrimes, this raises the question of where the offence was committed: at the server where the intrusion occurred, at the victim’s location, at the accused’s location, or at the place where the financial transaction was executed? Different High Courts have taken different views on this question, producing a patchwork of precedents that creates forum confusion for investigating officers, prosecutors, and victims seeking to file complaints.
India’s mutual legal assistance treaty (MLAT) framework consists of bilateral treaties with approximately 40 countries, including the United States, United Kingdom, Australia, Canada, France, and several others. These treaties create formal mechanisms for exchanging evidence, executing search warrants, serving process, and taking witness statements across borders. The multilateral Convention on Cybercrime (Budapest Convention), which India has declined to accede to, would provide a harmonised framework for these requests among the 65+ signatory states, but India’s position has been that the Convention does not adequately reflect the interests of developing nations and was negotiated without their meaningful participation.
Judicial Developments
The question of territorial jurisdiction in cybercrime cases has produced significant judicial activity. The Supreme Court in Vikram Singh v. State of Punjab (2017) addressed the jurisdiction question in computer-related offences and affirmed that courts have jurisdiction where the offence “was committed” or where its effects are felt. This effects doctrine, familiar from international private law, provides a basis for victim-state courts to assert jurisdiction over cybercrimes whose perpetrators are elsewhere, but it does not resolve the practical problem of enforcement against persons outside India’s territory.
The High Courts have grappled with the within-India jurisdiction question, addressing which court within India has competence to try a cybercrime where the victim, the accused, and the infrastructure are in different states. The Bombay High Court in Sharat Babu Digumarti v. Govt. of NCT of Delhi (2017, Supreme Court appeal) addressed related jurisdictional questions in the context of obscene online content. The general trend in High Court decisions has been to adopt a liberal approach to territorial jurisdiction, finding that courts in the victim’s location have competence to try cybercrimes even when the technical acts occurred elsewhere.
The challenge of obtaining foreign evidence has been the subject of several High Court decisions in the context of criminal trials where electronic evidence stored by foreign service providers was sought. Courts have generally held that the MLAT mechanism is the appropriate pathway for such evidence and that domestic process (summons to a foreign company’s Indian entity) cannot compel production of data stored outside India. This creates a significant investigative gap: Indian investigators cannot compel production of data from US cloud providers through domestic process, and must use the MLAT pathway, which is slow.
Contemporary Issues and Analysis
The MLAT process is, for practical investigative purposes, often too slow to be useful in cybercrime cases. The average processing time for an MLAT request to the United States has been reported at between 12 and 24 months. Cybercrime investigations move on timescales measured in weeks; by the time MLAT-obtained evidence arrives, the accused may have fled, evidence may have been destroyed, and statute of limitations concerns may have arisen. This mismatch between the pace of the legal assistance mechanism and the pace of digital evidence has been identified as a central obstacle to effective cybercrime prosecution by law enforcement across multiple jurisdictions.
The US CLOUD Act of 2018 creates a bilateral agreement mechanism that could potentially accelerate this process. Under the CLOUD Act, the US can enter bilateral executive agreements with foreign governments that allow law enforcement in each country to obtain data directly from providers in the other country through domestic legal process, without going through the MLAT channel. Several countries have negotiated CLOUD Act agreements with the US: the UK concluded the first such agreement in 2019, Australia followed, and the EU is in negotiations. India has not yet entered a CLOUD Act agreement with the US, meaning that Indian investigators must still use the MLAT route for data from US providers. Negotiating a CLOUD Act agreement, with appropriate human rights and procedural safeguards on both sides, would significantly accelerate evidence exchange in cybercrime investigations.
The I4C’s centralised complaint portal has succeeded in providing a single national entry point for cybercrime reporting, processing millions of complaints since its inception. However, complaints on the portal are routed to state police forces for investigation, and the investigation quality and capacity vary dramatically across states. Many complaints, particularly smaller-value online frauds, are not investigated at all due to resource constraints. The portal has produced valuable national data on cybercrime patterns and volumes, which CERT-In and the Home Ministry have used for policy analysis, but the translation of complaints into successful prosecutions remains limited.
The jurisdictional confusion within India about which police station and which court has competence over a cybercrime has significant practical consequences. Victims in states where a cybercrime occurred may be directed to file complaints in the state where the fraudster’s bank account is located, and vice versa. Investigating officers from different states may investigate the same case without coordination, leading to duplicated effort and potential evidentiary conflicts. The BNSS provides the general framework but does not specifically address cybercrime jurisdiction in a manner that resolves these coordination failures.
The phenomenon of “cyber slavery” in Southeast Asia, where Indian nationals are trafficked into scam call centres in Cambodia, Myanmar, and Laos and forced to conduct cyber fraud against Indian victims, presents a particularly complex jurisdictional and diplomatic challenge. These operations involve victims who are also, in a sense, forced perpetrators. The Indian government has conducted rescue operations and repatriated some victims, but the criminal networks operating these centres are beyond the reach of Indian law enforcement, and the host country governments have limited capacity or willingness to prosecute operators.
Comparative and International Perspective
The Budapest Convention on Cybercrime, adopted by the Council of Europe in 2001 and subsequently opened for accession by non-member states, provides the most comprehensive multilateral framework for cybercrime jurisdiction and mutual assistance. Its 65+ signatories have committed to harmonising their substantive cybercrime laws, implementing procedural tools for digital evidence preservation and disclosure, and providing expedited mutual assistance on an “as expeditious as possible” basis. The Convention includes a provision (Article 29) for expedited preservation requests, allowing a party to request that a foreign state preserve specific digital evidence for 60 to 90 days while a formal MLAT request is processed.
India’s non-accession to the Budapest Convention is a deliberate policy choice, but it has a practical cost: India cannot benefit from the expedited assistance mechanisms available to Convention parties, and the absence of harmonised cybercrime offence definitions complicates prosecutions involving Convention-party jurisdictions.
The EU’s approach to cross-border digital evidence is being modernised through the e-Evidence Regulation, adopted in 2023, which allows law enforcement in any EU member state to obtain production and preservation orders directly from service providers established in other member states, without going through an MLAT. This dramatically accelerates digital evidence collection within the EU’s 27 member states and provides a model for how bilateral or multilateral agreements could streamline the process.
INTERPOL’s Global Complex for Innovation in Singapore serves as the coordination hub for international cybercrime investigations involving multiple Asian jurisdictions, and India has benefited from this coordination in several high-profile cases. However, INTERPOL’s role is coordination and intelligence sharing, not enforcement, and actual evidence collection still requires bilateral processes.
Practical and Policy Implications
For Indian prosecutors and investigating officers, the jurisdictional and evidence-gathering challenges in cybercrime cases require early engagement with international liaison mechanisms. The I4C coordinates with INTERPOL and bilateral liaison officers; investigators should use these channels rather than attempting to obtain foreign evidence through informal requests or domestic process.
For victims of international cybercrime, the realistic prospect of prosecution and recovery through criminal channels is limited. Civil remedies (asset recovery, third-party freezing orders) may in some cases be more effective than criminal prosecution, particularly where fraudulent proceeds have been passed through Indian financial institutions before exiting the country. The use of urgent injunctions to freeze suspected fraud proceeds in Indian accounts is an underutilised tool.
The Central Bureau of Investigation (CBI) handles cases with significant international dimensions under its treaty functions, but its resources for cybercrime are limited. State cybercrime police units vary enormously in capacity. Capacity building, both technical and legal, across state cybercrime units is a precondition for effective cybercrime enforcement.
Suggestions and Reforms
India should prioritise negotiating a CLOUD Act bilateral agreement with the United States, which would enable Indian law enforcement to obtain data from US service providers through domestic Indian court orders without the MLAT delay. The agreement should include robust human rights safeguards and reciprocal rights for US law enforcement accessing data in India.
A Cyber Court Act should be enacted to create specialised cybercrime courts with clearly defined territorial jurisdiction rules and trained judicial officers. The Act should establish that cybercrime cases may be filed in the court of the jurisdiction where the victim is located, the court of the jurisdiction where the accused is found, or the court of the jurisdiction where the financial transaction occurred, at the complainant’s election, with a mechanism for consolidation where multiple jurisdictions are involved.
India should reconsider its position on the Budapest Convention, or alternatively develop a template for bilateral cybercrime assistance agreements that incorporates the Convention’s best elements (expedited preservation, harmonised offence definitions) while addressing India’s concerns about the Convention’s governance process. Bilateral agreements with major source jurisdictions for cybercrime targeting India (Cambodia, Myanmar, Nigeria) should be pursued urgently.
Conclusion
The jurisdictional framework for cybercrime in India is characterised by broad statutory claims and limited enforcement capacity. The gap between the IT Act’s expansive extraterritorial reach and the practical ability to investigate and prosecute cybercriminals operating from non-cooperative jurisdictions is not a failure of law as such but of the international cooperative infrastructure that effective cybercrime enforcement requires.
India has made real progress through the I4C, bilateral law enforcement cooperation, and INTERPOL coordination. However, the structural reforms of a CLOUD Act agreement, a dedicated Cyber Court Act, and strategic engagement with international legal assistance frameworks would significantly improve outcomes. The scale of cybercrime harm to Indian victims justifies treating these reforms as national priorities.