
Navigating the Dual Mandate: DPDPA and IT Rules for Indian Intermediaries

The Indian digital landscape, as of July 2026, is shaped by a powerful confluence of regulations. With the Digital Personal Data Protection Act, 2023 (DPDPA), and the Digital Personal Data Protection Rules, 2025 (DPDP Rules), now fully operational, intermediaries find themselves operating under a dual mandate, significantly impacting their operations and compliance strategies. The established Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021), designed to regulate online content and grievance redressal, now interact intricately with the DPDPA’s comprehensive framework for personal data processing.

The Evolving Landscape for Intermediaries

The DPDPA fundamentally redefines how personal data is handled in India. It casts a wide net, designating any entity that determines the purpose and means of processing personal data as a “Data Fiduciary” (Section 2(j)). Most online intermediaries, from social media platforms to e-commerce sites and cloud service providers, will invariably fall under this definition, as they collect and process user data. Furthermore, many larger intermediaries, particularly those handling significant volumes of sensitive personal data or operating critical digital infrastructure, will likely be designated as “Significant Data Fiduciaries” (SDFs) under Section 10 of the DPDPA, attracting enhanced obligations. This is a critical shift from the IT Act, 2000, which largely focused on the intermediary’s role in content moderation and safe harbour provisions. While the IT Rules 2021 introduced specific due diligence requirements, the DPDPA adds a layer of accountability focused squarely on data protection.

Harmonising Obligations: Data Fiduciary Meets Intermediary Due Diligence

Many provisions of the DPDPA and IT Rules 2021 are complementary, creating a more robust framework for user protection. The IT Rules 2021, particularly Rule 3(1)(a), mandate that intermediaries publish privacy policies and user agreements that inform users about the types of information collected, the purpose of collection, and security practices. The DPDPA strengthens this significantly by requiring Data Fiduciaries to provide clear and itemised notice to Data Principals (users) about the purpose of processing their personal data (Section 5(1)) and their rights. This moves beyond mere disclosure to active transparency and empowerment.

Similarly, on security, Rule 3(1)(g) of the IT Rules 2021 requires intermediaries to observe “reasonable security practices.” The DPDPA elevates this by obligating Data Fiduciaries to implement “reasonable security safeguards to prevent personal data breach” (Section 8(5)). For SDFs, this extends to conducting Data Protection Impact Assessments (DPIAs) and periodic audits (Section 8(3), (4)), which will likely necessitate a higher standard of security infrastructure and protocols than previously envisioned. This aligns with global best practices, reminiscent of the GDPR’s emphasis on appropriate technical and organisational measures.

Grievance redressal is another area of strong synergy. Rules 3(1)(d) and 4(1)(c) of the IT Rules 2021 (the latter for Significant Social Media Intermediaries, or SSMIs) outline specific requirements for a Grievance Officer and a time-bound resolution mechanism. The DPDPA reinforces this by requiring Data Fiduciaries to establish an effective grievance redressal mechanism (Section 8(1)) and, for SDFs, to appoint a Data Protection Officer (DPO) who will serve as the point of contact for Data Principals for grievance redressal (Section 8(2)). This ensures a unified, accessible channel for users to exercise their rights under both frameworks.

While largely complementary, certain aspects require careful navigation. The DPDPA’s core principles are data minimisation and purpose limitation (Section 7(1)), requiring personal data to be erased once its purpose is fulfilled or consent is withdrawn (Section 7(3)). However, Rule 3(1)(j) of the IT Rules 2021 mandates that intermediaries retain information for 180 days for investigation purposes. Intermediaries must reconcile these requirements, ensuring that data retained for legal obligations under the IT Rules is clearly segregated, protected, and erased promptly once the statutory retention period expires and no other lawful basis for processing exists under the DPDPA.

Another critical intersection lies in requests for information from government agencies. Rule 6 of the IT Rules 2021 obliges intermediaries to assist law enforcement. The DPDPA includes exemptions for processing personal data for law enforcement and national security (Section 17(1)(a)), but crucially, it underpins these with principles of necessity and proportionality. While not explicitly stated in the IT Rules, the DPDPA introduces a framework that could lead to greater scrutiny of such requests, potentially requiring agencies to justify the necessity and proportionality of data access, aligning India more closely with global privacy standards.

Practical Takeaway

For Indian businesses operating as intermediaries, particularly those designated as SDFs or SSMIs, a fragmented compliance approach is no longer viable. The DPDPA and IT Rules 2021 demand an integrated strategy. General Counsels and Data Protection Officers must collaborate to ensure that privacy policies and user agreements comprehensively address DPDPA’s notice and consent requirements (Sections 5, 6) alongside IT Rules’ disclosures. Security frameworks must be robust enough to meet DPDPA’s “reasonable security safeguards” (Section 8(5)) and, for SDFs, support DPIAs and audits. Grievance mechanisms should be streamlined to handle data principal rights requests under DPDPA (Sections 13-15) and content-related complaints under IT Rules. Finally, a clear data retention policy is paramount, balancing DPDPA’s erasure obligations with IT Rules’ statutory retention periods, ensuring data is kept only as long as legally necessary and securely processed throughout its lifecycle. Proactive integration of these compliance pillars is key to mitigating regulatory risk and building user trust in India’s evolving digital economy.

This post is licensed under CC BY 4.0 by the author.