
Navigating the Nexus: DPDPA and IT Rules for Indian Intermediaries

The Digital Personal Data Protection Act, 2023 (DPDPA), now in force with its accompanying Rules being phased in, marks a significant shift in India’s data privacy landscape. For intermediaries, from social media platforms to e-commerce sites and cloud service providers, this regime does not replace existing obligations but layers on top of them, most notably those under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021). Understanding how the two frameworks interact is crucial for compliance and risk management in May 2026.

DPDPA’s Broad Embrace of Intermediaries

The DPDPA casts a wide net, defining “Data Fiduciary” as any person who determines the purpose and means of processing personal data. Most intermediaries, in their direct interactions with users, will fall squarely within this definition. Even those acting purely as “Data Processors” (processing data on behalf of another Data Fiduciary) will indirectly be subject to DPDPA’s principles through contractual obligations and the Data Fiduciary’s duty to ensure compliance.

Key DPDPA obligations for intermediaries acting as Data Fiduciaries include:

  • Lawful Processing: Ensuring personal data is processed only for a specified, lawful purpose for which the Data Principal has given consent (Section 6) or for certain legitimate uses (Section 7).
  • Notice and Transparency: Providing clear and itemised notice about the personal data being collected and the purpose of processing (Section 5).
  • Data Principal Rights: Facilitating the exercise of rights such as access, correction, erasure, grievance redressal and nomination (Sections 11-14).
  • Security Safeguards: Implementing reasonable security safeguards to prevent personal data breaches, including in respect of processing undertaken by a Data Processor on the fiduciary’s behalf (Section 8(5)).
  • Data Retention: Erasing personal data, and causing Data Processors to erase it, once the specified purpose is no longer being served, unless retention is necessary for compliance with any law in force (Section 8(7)).
  • Breach Notification: Notifying the Data Protection Board of India and each affected Data Principal in the event of a personal data breach, in the form and manner prescribed by the Rules (Section 8(6)).

Furthermore, “Significant Data Fiduciaries” (SDFs), a category many large intermediaries are likely to be notified into, face enhanced obligations, including appointing a Data Protection Officer based in India (Section 10(2)(a)), appointing an independent data auditor (Section 10(2)(b)), and conducting periodic Data Protection Impact Assessments and audits (Section 10(2)(c)).

IT Rules 2021: Content and Due Diligence Focus

The IT Rules 2021, enacted under the Information Technology Act, 2000, primarily focus on due diligence for intermediaries, content moderation, and user safety. They mandate specific actions for intermediaries to avoid liability for third-party content.

Relevant provisions include:

  • Due Diligence: Rule 3(1) outlines general due diligence requirements, such as publishing rules and regulations, privacy policy, and user agreement, and informing users not to host prohibited content.
  • Privacy Policy: Rule 3(1)(a) requires intermediaries to prominently publish a privacy policy and user agreement, and Rule 3(1)(b) requires them to inform users of those terms. The underlying notice-and-consent requirements for collecting personal information come from the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), which Rule 3(1)(i) incorporates by reference for security practices.
  • Grievance Redressal: Rule 3(2) mandates the appointment of a Grievance Officer to address user complaints.
  • Significant Social Media Intermediaries (SSMIs): Rule 4 imposes additional obligations on SSMIs, such as appointing a Chief Compliance Officer, a Nodal Contact Person, and a Resident Grievance Officer, and enabling identification of the first originator of information for specific purposes.

Synergy and Strategic Overlaps

While DPDPA focuses on personal data protection and IT Rules 2021 on content and intermediary liability, there are significant points of synergy. Both frameworks demand robust grievance redressal mechanisms. The DPDPA’s requirement for an SDF to appoint a Data Protection Officer (Section 10(2)(a)), who is also the point of contact for grievance redressal, can complement the IT Rules’ mandate for a Grievance Officer (Rule 3(2)(a)), potentially streamlining user complaint handling. Both also necessitate clear, accessible privacy policies, though DPDPA’s notice requirements (Section 5) are more granular and prescriptive about the specifics of data processing.

The IT Rules’ requirement to follow reasonable security practices (Rule 3(1)(i), which points to the SPDI Rules) aligns with DPDPA’s broader obligation for security safeguards (Section 8(5)). Similarly, the consent requirement for collecting sensitive personal data under the SPDI Rules (made under Section 43A of the IT Act, which DPDPA Section 44(3) omits) is superseded and significantly strengthened by DPDPA’s comprehensive consent framework (Sections 6 and 7).

The DPDPA, as the specific law for personal data protection, takes precedence where there is a direct conflict: Section 38(2) provides that its provisions prevail over any other law to the extent of the conflict. For instance, while the SPDI Rules mention consent, DPDPA provides a much more detailed and stringent definition of valid consent (free, specific, informed, unconditional and unambiguous, with a clear affirmative action). Intermediaries must adhere to DPDPA’s higher standard for processing personal data.

A nuanced area involves data retention. The IT Rules require retention for specific purposes (e.g., Rule 3(1)(h) requires registration information to be kept for 180 days after a user withdraws, and Rule 3(1)(j) requires information to be furnished to authorised government agencies within 72 hours). DPDPA (Section 8(7)) mandates erasure once the purpose is no longer served, unless retention is “necessary for compliance with any law for the time being in force.” This carve-out is the reconciliation point: it allows intermediaries to retain data for as long as the IT Rules or sectoral laws (such as those from RBI, SEBI and IRDAI, which DPDPA Section 38(1) states the Act is in addition to and not in derogation of) require, while otherwise adhering to DPDPA’s purpose limitation and retention limits. The practical consequence is that retention schedules must cite the specific legal basis for each retained category, since “business purposes” alone is not a ground the Act recognises.

Unlike the GDPR’s unified approach to data protection, India’s framework for intermediaries remains multi-layered. DPDPA provides the overarching data protection principles, while IT Rules 2021 offer specific operational guidelines for content and platform governance. Sectoral regulators further add specific data handling and cybersecurity norms, particularly for financial or insurance intermediaries.

Practical Takeaway

Indian businesses operating as intermediaries must adopt a harmonised compliance strategy. Prioritise DPDPA’s stringent standards for personal data protection, which will generally encompass and elevate the privacy-related aspects of the IT Rules and SPDI Rules. Review and update privacy policies to meet DPDPA’s itemised notice requirements (Section 5). Consolidate and strengthen grievance redressal mechanisms, ensuring a clear pathway for Data Principals to exercise their rights under DPDPA (Sections 11-14) and for users to raise content-related complaints under the IT Rules. Invest in security safeguards (DPDPA Section 8(5)) that meet both frameworks’ expectations, and map breach-reporting duties so that a single incident triggers both the CERT-In notification under the IT Rules and the Board and Data Principal notifications under DPDPA Section 8(6). Finally, for SDFs, proactive appointment of a DPO and an independent data auditor, and conducting DPIAs (Section 10), will be critical to navigating this complex, yet increasingly mature, regulatory environment.

This post is licensed under CC BY 4.0 by the author.