Blog

Introduction The proposed amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 mark a significant shift in India’s digital regulatory framework. While aimed at strengthening accountability, enhancing compliance, and aligning with evolving data protection norms, these changes raise critical questions regarding their impact on privacy, free speech, and platform autonomy. By expanding state oversight and imposing additional obligations on intermediaries, the amendments blur the line between regulation and control. This rule-wise analysis examines the key provisions, highlighting both their potential benefits and the constitutional and practical concerns they may engender in the digital ecosystem. Proposed Rules 3(1)(g) and 3(1)(h): The following phrase is proposed to be added in both clauses: “without prejudice to any requirement relating to the preservation or retention of information applicable to intermediaries under the Act or any other law for the time being in force.” The proposed amendments enable application of other laws dealing with data retention and deletion requirements. The 180 days period prescribed under clauses (g) and (h) will not adversely affect the application of other laws. This is a welcome step as data retention requirements under other laws might vary. For instance, as per Rule 8(3) of the Digital Personal Data Protection Rules, 2025 (hereinafter referred to as ‘DPDP Rules’), data fiduciaries are obliged to retain personal data, associated traffic data and other logs of the processing for a minimum period of one year from the date of such processing. Therefore, the abovementioned amendment paves way for the application of other statutes like the DPDP Act and Rules. But in order to ensure safety and security of such personal data, all data fiduciaries including government entities must implement reasonable security safeguards as per Rule 6 of the DPDP Rules and standard data security practices in accordance with ISO 27001 standards. This will ensure that such data retention mandates do not pose risk to the right to privacy, recognised as a fundamental right under Article 21 in K.S. Puttaswamy v. Union of India (2017 10 SCC 1). Section 17(2)(a) of the DPDP Act, allows the Central Government to notify State instrumentalities to whom the provisions of the DPDP Act shall not apply. Such notification may be issued in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence. This exemption raises concerns regarding the efficacy of the Rule 6 mandate. Though the obligation of intermediaries is absolute but once such data is transferred to State authorities, such exemptions might allow them to process data without implementing security measures. In order to ensure proper and secure data handling, and compliance with privacy principles like data minimization, storage limitation and integrity of data, such exemptions must not give sweeping powers to the government. We suggest that the appropriate amendments must be made to the DPDP Act in order to impose an absolute obligation on every data fiduciary, including State instrumentalities to implement reasonable security safeguards and be liable for data breaches. This will ensure that such data retention mandates afford assurance of data security to the citizens. Proposed Rule 3(4): The following rule is proposed to be added: “Compliance with Clarifications, Advisories and Directions issued by the Ministry: (a) An intermediary shall comply with and give effect to any clarification, advisory, order, direction, standard operating procedure, code of practice or guideline issued by the Ministry, by order in writing, in relation to the implementation, interpretation or operationalisation of the requirements prescribed under this Part; (b) every such clarification, advisory, order, direction, standard operating procedure, code of practice or guideline referred to in clause (a) shall—         (i) be issued in writing;         (ii) clearly specify the statutory provision or legal basis under which it is issued;         (iii) specify the scope, applicability and compliance requirements in respect of the intermediary or class of intermediaries to whom it applies; and         (iv) be consistent with the provisions of the Act and these rules; (c) compliance with any clarification, advisory, order, direction, standard operating procedure, code of practice or guideline issued under clause (a) shall form part of the due diligence obligations of the intermediary under section 79 of the Act.” The abovementioned amendment obliges intermediaries to comply with every clarification, advisory, order, direction, standard operating procedure, code of practice or guideline issued by the Ministry. Further, clause (c) of the proposed Rule 3(4), makes compliance with the above a part of an intermediary’s due diligence obligations under Section 79(2)(c). Failure to comply with the same will lead to the loss of safe harbour protection of intermediaries. Firstly, the abovementioned amendment does not provide a publication mandate. As per clause (b) of the proposed Rule 3(4), the following conditions must be fulfilled while issuing a clarification, advisory, order, direction, standard operating procedure, code of practice or guideline: Issued in writing Specify the statutory provision or legal basis Specify the scope, applicability and compliance requirements Consistency with provisions of the Act and rules The abovementioned conditions do not impose any publication obligation upon the Ministry or its officers. In the absence of such publication or any other method of public accessibility of such documents, the legal basis of such actions will be non-transparent, which might allow the government to issue orders arbitrarily. This will curb freedom of speech and transparency of government decisions. Secondly, such a move would reduce platform accountability towards users as intermediaries will be able to justify takedowns by citing undisclosed government directions. In Shreya Singhal v. Union of India (AIR 2015 SC 1523), the Supreme Court noted, “The Rules further provide for a hearing before the Committee set up – which Committee then looks into whether or not it is necessary to block such information. It is only when the Committee finds that there is such a necessity that a blocking order is made. It is also clear from an examination of Rule 8 that it is not merely the intermediary