Please click here to download the Prism as a PDF.
Evolving safe harbour framework for intermediaries under the proposed amendments to the information technology rules
On March 30, 2026, and in quick succession to the February 10, 2026 amendments introduced to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”), Ministry of Electronics and Information Technology (“MeitY”) has proposed further revisions, albite with scope for consultation from the industry, to revise the approach it would adopt vis-à-vis content moderation by intermediaries.
Analysis of the operational implications of the proposed amendments for intermediaries
Data preservation mandate
Under Rule 3 (1) (g) and (h) of the IT Rules, when an intermediary removed or disabled access to any information, it was required to preserve the content and related records for 180 (one hundred and eighty) days, or longer if directed by a court or authorised agency, for investigation purposes. User information collected at registration was retained for 180 (one hundred and eighty) days after any cancellation or withdrawal of registration. The proposed amendment clarifies that “without prejudice to any other requirement….under the Act or any other law…” the 180 (one hundred and eighty) days is the minimum retention period. , Data may be stored longer, if other regulations, such as sector specific regulations permit.
Business impact: There is a direct and unresolved regulatory tension for intermediaries, between compliance under the Digital Personal Data Protection Act, 2023 (“DPDPA”) and the IT Rules. While the DPDPA simultaneously mandates data minimisation and purpose limitation, requiring deletion of personal data once the purpose for collection is fulfilled. In practical terms, intermediaries will now need to formulate a legally defensible refusal framework for erasure requests, grounded in the ‘legal obligation’ exception under the DPDPA, in order to balance obligations under the proposed amendments and DPDPA.
MeitY direction – mandatory not discretionary
A new sub-rule 3(4) of the IT Rules has been introduced that stipulates that intermediaries are required to comply with and give effect to any clarification, advisory, order, direction, standard operating procedure, code of practice or guideline issued by the MeitY, in relation to the implementation, interpretation or operationalising the due diligence requirements of an intermediary, by order in writing. These communications will include inter alia statutory provision or legal basis under which it is issued. Notably, failure to adhere to such written communications could jeopardise safe harbour afforded to intermediaries.
Business impact: Intermediaries will now need to track and implement MeitY advisories in real time. What was previously reputational pressure has now become an express due diligence obligation, failing which could result in the intermediary risking safe harbour. Compliance teams will need a formal intake process for MeitY communications, legal review of each direction, and documented implementation. Separately, since this amendment requires directions to be consistent with the Information Technology Act, 2000 and IT Rules, a direction that overreaches could be vulnerable to challenge under Article 226 of the Constitution of India, 1950. Accordingly, compliance teams should be advised, not only to implement such directions but also assess each direction against this consistency requirement. Such assessment should be properly documented to create a paper trail for any future challenge.
Part III – Blocking regulations extended to all intermediaries
Part III of the IT Rules governs digital news media and sets up the 3 (three) tier structure of self-regulation, self-regulatory bodies, and the Inter-Departmental Committee (“IDC”) oversight. This oversight has now been extended to apply to intermediaries, and any news and current affairs content hosted, displayed, uploaded, modified, published, transmitted, stored, updated or shared on the computer resources of intermediaries by users who are not publishers, in each case, for the purposes of implementation of blocking rules as prescribed under Rule 15 and 16 of the IT Rules. The IDC includes the Ministry of Home Affairs, the Ministry of Defence, the Ministry of External Affairs, apart from MeitY.
Business impact: This amendment targets platforms such as social media that may be utilised by users to publish news and current affairs, thereby now permitting the IDC to summon the intermediary potentially on its content moderation decision and subject it to emergency blocking orders, which was previously applicable to publishers.
Conclusion
While safe harbor architecture remains intact in name, the proposed amendments seek to limit its perimeter to ongoing compliance with executive communications rather than a fixed set of published rules. For legal and compliance teams, the immediate priorities are: (a) establishing a formal register for MeitY directions under new Rule 3(4) of the IT Rules; (b) reviewing data retention policies across all applicable laws given the carve-out clarification; (c) assessing exposure under the expanded proviso to Rule 8(1) of the IT Rules if the platform hosts user-generated news content; and (d) monitoring IDC proceedings given the broadened referral scope under Rule 14 of the IT Rules.
This Prism has been prepared by:
Probir Roy Chowdhury |
Rachana Rautray |
For more details, please contact [email protected].
