This article is written by Nidhi Singh, student at Fairfield Institute of Management and Technology affiliated with Guru Gobind Singh Indraprastha University.

The rapid digitalisation of communication, commerce and public life has brought Indian information technology law to a crossroads. Two issues predominate in the current debate: (1) how to share legal responsibility between users and intermediaries (platforms, hosting services and social media) for third-party content, and (2) how to regulate the collection, processing and protection of personal data in a way that balances innovation, national security and individual privacy. Recent rule-making by the Ministry of Electronics & Information Technology (MeitY), landmark court decisions and the passage of the Digital Personal Data Protection (DPDP) Act, 2023 have combined to alter both the intermediary safe-harbours and data protection obligations, with important implications for platforms, users and regulators.
This article discusses the legal architecture that governs the role of intermediaries and data protection in India, reviews some of the important judicial developments, and reflects on the real-world tensions between the preservation of free expression, the accountability of platforms and privacy.
Intermediary liability: Commentary & statute
Section 79 of the Information Technology Act, 2000 provides a conditional safe-harbour to intermediaries: an intermediary is not, in general, liable for content posted by a third party on its platform if it observes certain statutorily prescribed due diligence and lacks “actual knowledge” of unlawful content. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “2021 Rules”) expanded and concretised these due diligence obligations: grievance redressal officers, traceability directions (in certain cases), periodic compliance reports and a host of other obligations became mandatory for Significant Social Media Intermediaries (SSMIs). These rules brought new and heavy compliance burdens to the operation of large platforms.
The tension at the centre of intermediary regulation is clear: if safe-harbours are too broad, unlawful content (including defamation, copyright infringement or incitement) will spread unchecked; if they are too narrow, intermediaries must either become private censors or face legal exposure. The 2021 Rules tried to tip the balance in favour of greater platform accountability by requiring proactive systems and human grievance processes for SSMIs. Critics argue that certain obligations, e.g. traceability, go against privacy and encryption, while proponents argue that they are necessary for effective law enforcement and consumer protection.
Data protection for private and public data processing: a new framework under the DPDP Act, 2023
The DPDP Act, 2023 is India’s first comprehensive law dedicated to personal data. It prescribes obligations for entities that process digital personal data (data fiduciaries), emphasises purpose limitation and data minimisation, requires (in many cases) informed consent for processing, incorporates special safeguards for the data of minors, and includes penalties and compliance mechanisms. The DPDP Act applies to processing within India and, subject to certain tests, to processing outside India that is targeted at Indian individuals. The Act thus provides a statutory baseline of data protection requirements which interacts with (and, sometimes, displaces) sectoral rules (IT Act, and subordinate rules) and.
The implementation of the DPDP Act has been followed by rule-making and regulatory action. Recent policy moves (November 2025) reflect continuing regulatory evolution (such as a greater focus on data collection minimisation and breach notification) and illustrate that India’s data protection regime is now in active operational mode. These developments have made the compliance terms obligatory for Indian companies and for international platforms operating in India.
Case Laws
Below are relevant and influential court decisions that shape the interplay between intermediary liability and cybercrime law in India.
1. Shreya Singhal v. Union of India (2015)
The Supreme Court struck down the ‘sexting’ provision (Section 66A) of the IT Act (which penalised ‘offensive’ online content) as unconstitutional on grounds of vagueness and its chilling effect on free speech. The Court also elucidated the contours of intermediary liability under Section 79, and read down some of the procedural rules in order to protect free expression in the online domain.
2. MySpace Inc. v. Super Cassettes Industries Ltd. (Delhi High Court, 2016)
In this copyright litigation, the Delhi High Court decided whether MySpace could claim safe-harbour under Section 79 when it had been alerted time and again to infringing content. The case emphasised the loss of safe-harbour where intermediaries have actual knowledge of infringement and fail to act on notice, and this is the basis for the notice-and-take-down dynamics of platform liability.
3. State of Tamil Nadu v. Suhas Katti (2004)
Suhas Katti is one of the first cases in India on cyber harassment, and it laid down some of the ground rules on treating online defamation and harassment as cognisable offences under criminal law. The case showed that the classical offences (defamation, criminal intimidation) can apply to conduct in cyberspace, and consolidated police investigatory powers in relation to cyber conduct.
These decisions, with the addition to the 2021 Rules and DPDP Act, a multilevel legal system that, through interpretation of particular cases, defines the limits implicit in the validity of the Rules, and the procedural operational duties defined in the Rules and elsewhere require some of the provisions of the DPDP Act to be operational and the substantive standard making legal standards to define the substantive duty of active, woman sensitive choices.
Tensions and Trends in Practice
There are a number of tensions and trends worth mentioning:
- Privacy vs. traceability: The traceability provisions in the 2021 Rules (as well as requests from law enforcement authorities for metadata) raise privacy concerns, especially where encryption is involved. Data-protection law responds with principles such as purpose limitation and minimisation, but operational tensions remain.
- Platform governance vs. constitutional freedoms: Post-Shreya Singhal, overbroad restrictions on speech can be brought before the courts. At the same time, platforms are being asked to do more to take down unlawful content, with the possibility of under-enforcement or over-censorship.
- Global platforms, local rules: The territorial scope of the DPDP Act and the expectation of compliance with the 2021 Rules mean that global companies need to calibrate their processes, data flows and grievance mechanisms for the Indian market. The regulators' operational rules on data collection are one indicator of ongoing supervisory attention.
Conclusion
Indian cyber law is shifting from an evolving patchwork towards a more structured body of law. The DPDP Act, the 2021 Intermediary Rules and important Supreme Court verdicts aim to find a balance between fundamental rights (speech and privacy) and accountability (for harmful content and misuse of personal data). Yet some practical tensions remain: for example, how to balance traceability and encryption, platform obligations and free expression, and cross-border data flows and local enforcement. For lawyers, politicos and platform operators, the way forward will be layered, iterative rule-making together with technology-sensitive jurisprudence and international co-ordination.
FAQs
Q1: Can an intermediary be held liable for user content?
A1: Yes. If an intermediary neglects the requirements of due diligence or does not act after it gains actual knowledge of unlawful content, it can forfeit its safe-harbour protection and be held liable.
Q2: Does the DPDP Act include a provision requiring all data to be stored in India?
A2: No. The Act does not require blanket data localisation, but certain sector-specific requirements or future rules may do so.
Q3: What rights are available to individuals under the DPDP Act?
A3: Individuals have the right to access and correct their data, to ask for data deletion or withdraw consent, and must be informed of breaches.
Q4: Do platforms need to remove content as soon as they receive a complaint?
A4: Platforms should meet the grievance timelines set by the 2021 Rules and abide by lawful government or court orders, but takedowns must abide by free-speech principles.
References (Links)
- Shreya Singhal v. Union of India (2015) 5 SCC 1
Link: https://indiankanoon.org/doc/110813550/
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (MeitY PDF).
Link: https://www.meity.gov.in/static/uploads/2024/02/Information-Technology-Intermediary-Guidelines-and-Digital-Media-Ethics-Code-Rules-2021-updated-06.04.2023-.pdf
- Digital Personal Data Protection Act, 2023 — PRS/analyses and summaries.
Links: https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 and https://www.azbpartners.com/bank/digital-personal-data-protection-act-2023-key-highlights/
- MySpace Inc. v. Super Cassettes Industries Ltd. (2017) 236 DLT 478 (DB) (Delhi High Court — case discussion).
Link: https://indiankanoon.org/doc/12972852/
- State of Tamil Nadu v. Suhas Katti CC No. 4680 of 2004 — case brief and analysis (cyber-harassment precedent).
Link: https://www.legalserviceindia.com/legal/article-13351-case-analysis-on-state-of-tamil-nadu-v-s-suhas-katti-2004-.html
- Recent operational rules and reporting on India’s evolving data rules (Nov 2025).
Link: https://www.reuters.com/sustainability/boards-policy-regulation/india-strengthens-privacy-law-with-new-data-collection-rules-2025-11-14/


