TL;DR for founders
Section 79 of the Information Technology Act, 2000 gives your platform immunity from user liability — but only if you run a compliant due-diligence process. Publish a Rule 3(1)(a) Terms of Service, appoint a Grievance Officer (resident in India if you have 50 lakh+ registered users), remove content within 36 hours of a court order or a Joint Secretary-rank / DIG-rank reasoned intimation, resolve grievances within 15 days, and report cyber incidents to CERT-In within 6 hours. Ignore a private complaint without a court order or government notification — Shreya Singhal protects you. First step: classify your platform as Intermediary, SMI or SSMI today — every downstream obligation turns on that.
Who this playbook is for
In scope:
- Internet service providers (ISPs), search engines, webhosts that transmit or store electronic records on behalf of users.
- Social Media Intermediaries (SMIs) — platforms that enable online interaction between two or more users (Rule 2(1)(w) IT Rules 2021).
- Significant Social Media Intermediaries (SSMIs) — SMIs with more than 50 lakh registered users in India (Rule 2(1)(v) IT Rules 2021; threshold notified vide MeitY notification dated 25 February 2021).
- E-commerce marketplaces, app stores, cloud / SaaS / PaaS platforms to the extent they host user-generated content, user messages or user files.
- Online real-money gaming intermediaries under Rule 4A IT Rules 2021 (post-April 2023 consolidation).
- Cyber cafes (Rule 3 IT Rules 2021 has separate obligations).
Not in scope:
- Publishers of news and current affairs content and OTT curated-content publishers — regulated by Part III of the IT Rules 2021 (Code of Ethics, three-tier grievance mechanism). They do not get Section 79 immunity for their own editorial output.
- Private messaging between two identified contracting parties where the platform is not a third-party conduit (peer-to-peer email between own domains).
- Internal enterprise knowledge bases with no external user-generated content.
Prerequisites
Documents needed:
- Terms of Service (ToS) and Privacy Policy conforming to Rule 3(1)(a) IT Rules 2021 — last updated within the last 12 months.
- User-facing list of prohibited content under Rule 3(1)(b) IT Rules 2021.
- Grievance redressal mechanism document (Rule 3(2) IT Rules 2021) with timelines.
- Monthly / periodic compliance report template for SSMIs (Rule 4(1)(d) IT Rules 2021).
- CERT-In incident-reporting runbook (Direction No. (ii) of the CERT-In Directions dated 28 April 2022 ('CERT-In Directions 2022')).
- DPDP Section 8(6) personal-data-breach notification SOP and Form B template (Rule 7 DPDP Rules, 2025).
- Internal adjudication register for Section 79(3)(b) takedown decisions.
Roles required:
- Grievance Officer — every intermediary, mandatory (Rule 3(2) IT Rules 2021).
- Resident Grievance Officer ('RGO') — SSMIs only; must be resident in India (Rule 4(1)(c) IT Rules 2021).
- Chief Compliance Officer ('CCO') — SSMIs only; key managerial personnel or senior employee resident in India; personally liable for Rule 3 / Rule 4 violations (Rule 4(1)(a) IT Rules 2021).
- Nodal Contact Person ('NCP') — SSMIs only; 24x7 coordination with law-enforcement agencies (Rule 4(1)(b) IT Rules 2021).
- Data Protection Officer ('DPO') — if the platform is a Significant Data Fiduciary under Section 10 DPDP Act (expected SDF notification during the 18-month window expiring 13 May 2027).
- CERT-In point of contact — for 6-hour incident reporting.
Approvals needed:
- Board resolution under the Companies Act, 2013 authorising ToS / Privacy Policy; appointment resolutions for GO / RGO / CCO / NCP.
- Internal information-security committee sign-off on the takedown SOP.
- Legal opinion on initial Section 79 posture at go-live.
Step-by-Step Compliance Process
Step 1: Classify your intermediary status
What: Decide whether you are a plain Intermediary, a Social Media Intermediary, or a Significant Social Media Intermediary. Where: Internal policy document; update user-count metric monthly. How: Count registered users resident in India (not monthly active users). If > 50 lakh, you are a SSMI and Rule 4 obligations trigger within three months of crossing the threshold. For messaging intermediaries with end-to-end encryption, Rule 4(2) traceability obligations additionally apply only if you are a SSMI. Maintain a dated "classification note" in the Board-papers binder. Templates: Annex A — Intermediary Classification Note. Common mistakes: Treating MAU as the metric (Rule 2(1)(v) uses "registered users"); failing to re-run the count after viral growth; assuming B2B SaaS is out of scope because of the enterprise customer base (it is not — your enterprise's end-users still count).
Step 2: Publish a Rule 3(1)(a)-compliant Terms of Service and Privacy Policy
What: Publish ToS, Privacy Policy, and user agreement on the platform and prominently link from the home page. Where: Website / app footer; user-onboarding consent flow; email on each material change. How: The Rule 3(1)(a) ToS must specifically prohibit the eleven categories of unlawful content in Rule 3(1)(b), including (i) defamatory / obscene / paedophilic content; (ii) content that violates another's privacy, infringes intellectual property, or is intended to cheat or defraud; (iii) content threatening the unity, integrity, defence, security or sovereignty of India; (iv) software viruses and malicious code; (v) patently false or misleading information intended to cause injury; (vi) (post Feb 2026 amendment) unlabelled synthetically generated content. Include a Rule 3(1)(f) reservation of termination rights. Templates: Annex B — Rule 3(1)(a) ToS skeleton (see Section 6 of this playbook). Common mistakes: Copying a US Section 230 template (it does not track Rule 3(1)(b) categories); missing the eleventh "misleading information" prong inserted by the April 2023 consolidation; failing to push the ToS update through the consent flow — a change without affirmative consent is not binding for litigation purposes.
Step 3: Push Rule 3(2) periodic user notification
What: Inform registered users at least once every year, and each time the rules / agreement changes, that the agreement prohibits the Rule 3(1)(b) categories and that the intermediary may, for non-compliance, terminate access or remove content. Where: In-product notification, email, and (where technically supported) SMS. How: Use a structured "annual due-diligence reminder" template. Log the send date, recipient count, delivery success rate, and retain logs for six months. Templates: Annex C — Annual Rule 3(2) user notification. Common mistakes: Treating the original ToS acceptance as a substitute for the annual reminder — Rule 3(2) requires periodic reminder in addition to initial acceptance.
Step 4: Stand up the grievance mechanism
What: Publish GO name, email and complaint portal; acknowledge every complaint within 24 hours; resolve within 15 days (Rule 3(2)(a)(i) IT Rules 2021). Where: Platform help-centre page; named email; inbound ticket system. How: Build a ticket system with (i) acknowledgement timer (24 hours), (ii) resolution timer (15 days), (iii) priority lanes — NCII / deepfake-of-private-person complaints to a 24-hour SLA under Rule 3(2)(b), standard complaints to the 15-day SLA. Appeal queue to the Grievance Appellate Committee ('GAC') set up under Rule 3A IT Rules 2021 (notified by MeitY in February 2023; appeals filed on gac.gov.in within 30 days of GO decision). Templates: Annex D — Grievance acknowledgement letter. Common mistakes: Confusing the 24-hour acknowledgement clock with the 36-hour takedown clock; failing to preserve the original complaint and the GO's reasoned response together (both are needed at GAC and in writ review).
Step 5: Build the Takedown Standard Operating Procedure
What: Operationalise the Section 79(3)(b) IT Act actual-knowledge gate in a hard-coded workflow. Where: Trust-and-safety operations centre. How: The trigger gates are only two:
- A court order from a court of competent jurisdiction, specifying content and URL.
- A reasoned intimation from the Appropriate Government or its agency under Rule 3(1)(d) IT Rules 2021 (as amended 15 November 2025) — issued by a Joint Secretary-rank or equivalent Director officer (for civil authorities) or a Deputy Inspector General of Police (DIG), specially authorised (for police authorities), citing the statutory provision, the nature of the unlawful act, and the specific URL.
Non-trigger events (private user complaint, NGO demand, competitor DMCA-style notice, foreign-court order not enforced in India) go through the grievance queue under Rule 3(2) — not the Section 79 takedown queue.
Once a valid trigger is received, remove within the applicable clock:
- 36 hours for standard removal (Rule 3(2)(b) IT Rules 2021).
- 24 hours for non-consensual intimate imagery ('NCII') and deepfakes of a private person, following a Rule 4(2) compliant user complaint (Rule 3(2)(b) IT Rules 2021).
- Expeditious / near-real-time for synthetic-media labelling compliance under the 20 February 2026 amendment to Rule 3(1)(b).
Templates: Annex E — Takedown SOP skeleton (see Section 6). Common mistakes: Acting on vague police emails from a sub-inspector — these do not meet the Rule 3(1)(d) rank threshold post-15 November 2025; removing content on a private NCII complaint without verifying the complainant's Rule 4(2) compliant identity; missing the 24-hour NCII clock because the complaint was routed to the 15-day grievance queue.
Step 6: Appoint and disclose the Grievance Officer (and SSMI-specific officers)
What: Appoint GO (every intermediary) plus CCO / NCP / RGO (SSMIs). Publish name, designation, physical address, contact number and email on the platform. Where: Website "Grievance Officer" page; app "About" screen. How: Board resolution appointing each officer; publication on platform; written acceptance-of-appointment letter; update on every change within seven days (Rule 4(5) IT Rules 2021). CCO, NCP and RGO must all be resident in India for SSMIs. Templates: Annex F — Board resolution for SSMI officer appointments. Common mistakes: Appointing an overseas counsel as GO; assigning GO role to a US-based privacy lead for an SSMI (fails Rule 4 residency); listing a PO box rather than a physical address.
Step 7: Handle Grievance Appellate Committee escalations
What: Respond to appeals filed against the intermediary's GO decisions before the GAC set up on gac.gov.in. Where: gac.gov.in filings. How: GAC panels consist of a Chairperson and two members appointed by the Central Government (Rule 3A IT Rules 2021). Appeal to be disposed of within 30 days. The intermediary's reply must be filed within 14 days. Appoint a senior counsel point-of-contact. Maintain a docket of GAC orders and compliance status. Templates: Annex G — GAC response skeleton. Common mistakes: Missing the 14-day reply window because the notice was routed to the wrong internal team; treating GAC orders as optional — GAC orders are binding subject only to writ review.
Step 8: Build Rule 4(2) traceability readiness (SSMI messaging platforms only)
What: For SSMIs providing messaging services, enable identification of the "first originator" of an information on the platform upon receipt of a court order passed by a court of competent jurisdiction or an order under Section 69 IT Act. Where: Platform-side key-management / metadata infrastructure. How: Rule 4(2) IT Rules 2021 confines traceability requests to specified serious-offence categories — offences relating to sovereignty and integrity of India, security of State, friendly relations with foreign States, public order, rape, sexually explicit material, child sexual abuse material, offences punishable with imprisonment for five years or more. The court-order / 69 order must specify the message. End-to-end encryption is not required to be broken; metadata-based traceability is the intended mechanism. The WhatsApp LLC v. Union of India, W.P.(C) 7284/2021, Delhi HC challenge on proportionality and Puttaswamy grounds remains pending. Templates: Annex H — Rule 4(2) compliance note. Common mistakes: Treating every law-enforcement request as a Rule 4(2) request (it is not — a court order under Section 69 IT Act or a judicial order is required); re-encrypting metadata before retention periods elapse.
Step 9: Publish the SSMI monthly compliance report
What: Publish a periodic compliance report (monthly under Rule 4(1)(d) IT Rules 2021) listing complaints received, action taken, and content proactively removed using automated tools. Where: SSMI transparency page on the platform. How: Report must cover: (i) number of grievances received; (ii) action taken; (iii) number of specific communication links / information removed or disabled; (iv) URLs removed using automated monitoring. Publish by the tenth day of the following month. Templates: Annex I — SSMI monthly report template. Common mistakes: Delaying publication past the 10th; aggregating across multiple products without segmentation.
Step 10: Offer voluntary user verification
What: Provide users a voluntary mechanism to verify their accounts and display a visible verification mark (Rule 4(7) IT Rules 2021). Where: Account settings; display on posts. How: Verification must be voluntary (not paywall-gated in a way that coerces). Accept a verifiable identifier such as a mobile number tied to an OTP flow. Maintain an audit log of verification events. Templates: Not required. Common mistakes: Tying verification to a monetisation tier — regulators read this as indirect coercion.
Step 11: Maintain content-moderation records for 180 days
What: Retain information removed or disabled and associated metadata for a minimum of 180 days for investigation purposes (Rule 3(1)(g) IT Rules 2021) — or longer if a law-enforcement request is pending. Where: Cold-storage systems; access-controlled. How: Implement automated archival on every takedown; log access events; coordinate with DPDP retention rules — Section 8(7) DPDP Act requires erasure on purpose-end, but the IT Rules 2021 law-enforcement retention exception under Section 17 DPDP Act governs. Templates: Annex J — retention policy matrix. Common mistakes: Deleting the original content on takedown without archival — breaks the law-enforcement cooperation obligation and the platform's own litigation evidence position.
Step 12: Run the CERT-In + DPDP incident-reporting rails
What: For every cyber-security incident (including data breaches) — notify CERT-In within 6 hours; for every reportable personal-data breach — notify the Data Protection Board of India within 72 hours (or sooner where Rule 7(3) DPDP Rules 2025 applies). Where: cert-in.org.in (CERT-In) and dpdpb.gov.in (DPDP Board). How: CERT-In incident reporting follows Annexure I of the CERT-In Directions 2022 (20 incident categories). The form includes time of detection, systems affected, actions taken. DPDP breach reporting uses Form B under Rule 7 DPDP Rules, 2025 — intimation to affected data principals "without delay" and to the Board within 72 hours. Templates: Annex K — CERT-In incident report; Annex L — DPDP Form B. Common mistakes: Starting the 6-hour clock from internal reporting completion rather than "noticing"; treating a personal-data breach as only a DPDP event (it is both a CERT-In cyber incident and a DPDP breach).
Timeline
| Milestone | Statutory deadline | Realistic timeline |
|---|---|---|
| ToS + Privacy Policy publication | Before operations (IT Rules 2021 go-live: 25 Feb 2021) | 2-3 weeks from counsel engagement |
| GO / RGO / CCO / NCP appointment (SSMI) | Within 3 months of crossing 50 lakh users (Rule 4 onboarding) | Budget 6-8 weeks to identify India-resident candidates |
| First Rule 4(1)(d) monthly report | By the 10th day of the month following SSMI onboarding | 4 weeks from go-live to calibrate reporting schema |
| Standard takedown post-trigger | 36 hours from court order / Rule 3(1)(d) intimation | Target 12-24 hours internally; reserve the rest of the 36-hour window for edge cases |
| NCII / private-person deepfake takedown | 24 hours from Rule 4(2)-compliant grievance | Target 6-12 hours internally |
| Grievance acknowledgement | 24 hours | Automate (target < 1 hour) |
| Grievance resolution | 15 days | Target 5-10 days |
| CERT-In cyber incident report | 6 hours | Runbook dispatch within 3-4 hours |
| DPDP breach notification — Board | 72 hours (Rule 7 DPDP Rules 2025) | Within 24 hours internally before polish |
| GAC appeal reply | 14 days from appeal service | Draft in 5-7 days |
Template Clauses
Template — Rule 3(1)(a) ToS User Obligation Clause (Annex B)
By using [Platform], you agree that you will not host, display, upload, modify, publish,
transmit, store, update or share any information that:
(a) belongs to another person and to which you do not have any right;
(b) is obscene, paedophilic, invasive of another's privacy including bodily privacy,
insulting or harassing on the basis of gender, libellous, racially or ethnically
objectionable, relating or encouraging money laundering or gambling, promoting enmity
between classes, or otherwise inconsistent with or contrary to the laws in force;
(c) is harmful to a child;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force;
(f) deceives or misleads the addressee about the origin of such messages or knowingly and
intentionally communicates any misinformation or information which is patently false
and untrue or misleading in nature;
(g) impersonates another person;
(h) threatens the unity, integrity, defence, security or sovereignty of India, friendly
relations with foreign States, or public order, or causes incitement to the commission
of any cognisable offence or prevents investigation of any offence or is insulting
other nation;
(i) contains software virus or any other computer code, file or program designed to
interrupt, destroy or limit the functionality of any computer resource;
(j) is in the nature of an online game not verified as a permissible online game;
(k) is in the nature of advertisement or surrogate advertisement or promotion of an online
game that is not a permissible online game;
(l) [post 20 Feb 2026] is a synthetically generated information that is not labelled or
identified as such in accordance with Rule 3(1)(b) of the IT Rules 2021.
[Platform] reserves the right, at its sole discretion and without notice, to remove any
content that violates this clause or to terminate your access to the Platform. This
clause is incorporated in accordance with Rule 3(1)(b) of the Information Technology
(Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
Template — Takedown SOP Skeleton (Annex E)
1. Receipt: All inbound removal requests enter the Trust & Safety Intake Queue.
2. Classification:
(a) Court order → Tier 1 (36-hour clock).
(b) Rule 3(1)(d) reasoned intimation from Joint Secretary-rank / DIG officer → Tier 1
(36-hour clock). Validate: (i) sender rank and authorised-agency designation;
(ii) statutory provision cited; (iii) nature of unlawful act; (iv) specific URL.
Reject and return for cure if any of (i)-(iv) missing.
(c) User grievance (non-NCII) → Tier 2 (15-day clock under Rule 3(2)(a)(i)).
(d) User grievance (NCII / private-person deepfake; Rule 4(2)-compliant) → Tier 1+
(24-hour clock under Rule 3(2)(b)).
(e) Private party / foreign order / NGO demand → Tier 3 (ToS-based review; no Section 79
impact). Log and respond.
3. Decision: Tier 1 — remove and document actual-knowledge trigger. Tier 2 — resolve under
grievance SOP. Tier 3 — ToS-compliance review only.
4. Archival: Removed content and associated metadata retained for a minimum of 180 days
under Rule 3(1)(g). Access logged.
5. Recordation: Takedown register entry (complaint ID, trigger class, URL, statute,
decision, removal timestamp). Retained for 7 years.
6. User notice (Rule 3(1)(c)): Where practicable, notify the uploader of removal and
provide a mechanism to challenge (internal appeal; GAC; writ).
Internal Audit Checklist
- Classification note (Intermediary / SMI / SSMI) current within last 90 days.
- ToS and Privacy Policy last updated within 12 months; annual Rule 3(2) reminder sent on schedule.
- GO name, address, email published and matches Board resolution.
- RGO / CCO / NCP appointed, resident in India, disclosed (SSMIs only).
- Takedown register shows 100% of Tier 1 actions completed within the applicable 36 / 24-hour clock.
- No Tier 3 actions erroneously logged as Section 79 events.
- Sender-rank validation log populated for every Rule 3(1)(d) intimation received after 15 November 2025.
- Monthly SSMI compliance report published by the 10th of the following month.
- 180-day retention confirmed on a sampled 1% of takedowns.
- Voluntary verification mechanism operating (SSMIs).
- CERT-In 6-hour incident report log shows average dispatch time ≤ 4 hours.
- DPDP Form B breach notification template tested in a tabletop exercise within last 6 months.
- GAC appeal docket current; no missed 14-day replies in the last 12 months.
- Rule 4(2) traceability readiness review done in the last 12 months (messaging SSMIs).
- Litigation register shows every writ / injunction relating to takedowns is tracked for SOP impact.
What If Things Go Wrong
Failure 1 — Ex-parte injunction from a district court ordering global takedown
- Symptom: District-court order directing removal of content globally, overbroad language.
- Likely cause: Litigant obtaining urgent civil relief without the platform being heard.
- Action: Comply partially — geo-block the URL in India within 36 hours to preserve Section 79; file an intervention / vacating application within 7 days citing Shreya Singhal overbreadth and the need for Article 19(2) tethering; move the High Court under Article 226 if district court refuses to narrow the order.
Failure 2 — Rule 3(1)(d) intimation from a sub-inspector post-15 November 2025
- Symptom: Police email from a sub-inspector demanding URL takedown.
- Likely cause: Law-enforcement team not yet aligned with the amended Rule 3(1)(d) rank threshold.
- Action: Do not remove under Section 79 rails. Return the intimation in writing citing the amended Rule 3(1)(d) requirement of DIG-rank authorisation; offer to process under the Rule 3(2) grievance track if the intimation can be reissued by a DIG-rank officer; preserve correspondence for litigation.
Failure 3 — Loss of safe harbour in a criminal matter
- Symptom: FIR against the intermediary for alleged offences under Sections 67 / 67A IT Act.
- Likely cause: Failure to act on a properly issued Rule 3(1)(d) intimation within 36 hours; or CCO named under Section 85 IT Act.
- Action: Move a Section 528 BNSS (formerly Section 482 CrPC) quashing petition in the High Court; plead that the intermediary acted in good faith on the takedown SOP; annex the takedown register and sender-rank validation log. Obtain interim protection for CCO under Section 85(2) IT Act (no offence if the CCO did not have knowledge).
Failure 4 — Personal-data breach mid-takedown cycle
- Symptom: Reportable personal-data breach during pending takedown SOP build.
- Likely cause: Operational incident.
- Action: Trigger parallel CERT-In (6 hours) and DPDP (72 hours) tracks. File Form B to the DPDP Board; notify affected data principals. Breach reporting is independent of the Section 79 takedown SOP and must not be delayed by ongoing platform remediation.
Failure 5 — CCO receives personal summons under Section 85 IT Act
- Symptom: Summons to the CCO in a criminal matter for the intermediary.
- Likely cause: Non-compliance with a Rule 4 obligation.
- Action: Section 85(2) IT Act requires proof that the CCO had knowledge and did not exercise due diligence. Assemble the classification note, Rule 4 monthly report, and takedown register; obtain senior counsel's written opinion; engage the High Court for interim protection.
Founder checklist
- Classify your platform this week — Intermediary, SMI or SSMI — and document the metric in a Board-minuted classification note.
- Publish compliant ToS, Privacy Policy, and GO details by 30 June 2026; push the Rule 3(2) annual reminder in the same sprint.
- Stand up the two-tier takedown queue — Section 79 rails (court order / Rule 3(1)(d) intimation only) versus grievance rails — and include sender-rank validation post-15 November 2025.
- Calendar the 6-hour / 24-hour / 36-hour / 72-hour / 15-day clocks in your trust-and-safety operations console; every clock maps to a specific statute.
- Budget ₹10-25 lakh for year-one build (legal, engineering, compliance audit) and ₹5-12 lakh/year ongoing; if you are a SSMI, add India-resident CCO / NCP / RGO headcount plus monthly reporting engineering.
FAQ
Am I an intermediary or a publisher under the IT Act, 2000?
Section 2(1)(w) of the Information Technology Act, 2000 ('IT Act') defines an "intermediary" as any entity that, on behalf of another person, receives, stores or transmits an electronic record or provides any service with respect to that record. If your platform hosts user-generated content or transmits user communications, you are an intermediary. If you originate, commission or edit the content (including an OTT platform that curates its own programming), you are a "publisher" under Part III of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ('IT Rules 2021') and do not get Section 79 immunity for your own content.
Does Section 79 IT Act protect me against criminal prosecution?
Yes — in principle. Section 79(1) IT Act exempts intermediaries from liability for third-party information, subject to the conditions in Section 79(2) (passive conduit role, no modification) and Section 79(3) (due diligence + no conspiracy or abetment + expeditious removal on actual knowledge). The Supreme Court in Shreya Singhal v. Union of India, (2015) 5 SCC 1, read down Section 79(3)(b) IT Act to require "actual knowledge" via a court order or government notification. Officer-in-default liability under Section 85 IT Act may still attach where the intermediary itself conspires with or abets an offence.
Can I rely on a Terms of Service breach to take down user content?
Yes for contractual purposes — a ToS violation is a valid private-law basis for removal under the intermediary's own Rule 3(1)(a) IT Rules 2021 community standards. It is not, however, a Section 79(3)(b) IT Act trigger. Safe-harbour loss under Section 79(1) is only triggered by "actual knowledge" via a court order or a reasoned intimation from the Appropriate Government or its agency under Rule 3(1)(d) IT Rules 2021 (as amended 15 November 2025). Document ToS-based takedowns in the grievance register, but do not treat them as safe-harbour events.
How does *Shreya Singhal* change the actual-knowledge test I must operate to?
Paragraphs 117-118 of Shreya Singhal v. Union of India, (2015) 5 SCC 1, read Section 79(3)(b) IT Act to mean that an intermediary acquires "actual knowledge" only when (i) a court of competent jurisdiction directs removal of specified content, or (ii) the Appropriate Government or its agency issues a notification on Article 19(2) grounds. Private user complaints, NGO demands or competitor DMCA-style notices do not constitute actual knowledge. This reading has not been disturbed by any subsequent Supreme Court decision, the IT Rules 2021, the October 2025 Rule 3(1)(d) amendment, or the February 2026 synthetic-media amendment.
How does an intermediary's Section 79 SOP interact with DPDP data-principal rights such as erasure?
Section 12 of the Digital Personal Data Protection Act, 2023 ('DPDP Act') confers a right on a data principal to seek correction and erasure of personal data held by a data fiduciary. Where an intermediary is also a data fiduciary (which it typically is for signed-in users), an erasure request is not a Section 79 "takedown" event — it is a DPDP request that must be actioned under the DPDP Rules, 2025 regardless of Section 79. The intermediary must therefore run two queues: (a) a Rule 3(1)(d) IT Rules 2021 takedown queue, and (b) a Section 12 DPDP Act data-principal request queue, with clearly distinct evidence trails. Over-use of the erasure right as a Section 79 takedown lever is challengeable under Section 33 DPDP Act.
Sources
- Information Technology Act, 2000 — Section 79 (consolidated text): https://www.indiacode.nic.in/handle/123456789/1999
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (consolidated to April 2023) — MeitY: https://www.meity.gov.in/static/uploads/2024/02/Information-Technology-Intermediary-Guidelines-and-Digital-Media-Ethics-Code-Rules-2021-updated-06.04.2023-1-2.pdf
- IT Rules Amendment Rules, 2025 (Rule 3(1)(d)) — PIB Release ID 2181719 (23 October 2025): https://www.pib.gov.in/PressReleasePage.aspx?PRID=2181719
- IT Rules Synthetic Media Amendment (10/20 February 2026) — MeitY FAQ: https://www.meity.gov.in/static/uploads/2025/10/065b6deb585441b5ccdf8be42502a49c.pdf
- CERT-In Directions dated 28 April 2022 under Section 70B(6) IT Act: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
- Digital Personal Data Protection Act, 2023 (MeitY PDF): https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
- DPDP Rules, 2025 (G.S.R. 846(E), 13 November 2025) — MeitY: https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf
- Shreya Singhal v. Union of India, (2015) 5 SCC 1 — Supreme Court of India: https://main.sci.gov.in/
- MeitY Acts and Policies landing page: https://www.meity.gov.in/documents/act-and-policies
- Grievance Appellate Committee portal (Central Government): https://gac.gov.in/