Section 27

Section 27 confers on the Controller the power to delegate his IT Act functions to the Deputy Controller, in writing and subject to conditions and limitations the Controller specifies. Delegation is standard administrative law practice: a single officer cannot personally exercise all regulatory functions at the scale India's PKI ecosystem requires, and the Deputy Controller and Assistant Controllers appointed under Section 17 need statutory authority to act on the Controller's behalf. The written delegation requirement prevents verbal or informal assertions of delegated authority — delegated powers under the IT Act must be exercised under documented authority. The important carve-out: the power under Section 30 (power to investigate contraventions) cannot be delegated. Section 30 is the most powerful investigatory tool in the Controller's arsenal — it allows the Controller to investigate any contravention of the IT Act by a CA or its officers. Parliament's decision to keep this power personal to the Controller (non-delegable) reflects the sensitivity of investigations into licensed CAs, which are significant institutions with commercial interests that could be adversely affected by an investigation.