← Back to all briefings
Compliance 5 min read Published Updated Credibility 91/100

India Issues Intermediary and Digital Media Rules

India’s 2021 Intermediary Guidelines and Digital Media Ethics Code impose traceability, rapid takedown SLAs, resident compliance officers, grievance escalation, and content-classification controls on social platforms, messaging services, and digital publishers as conditions for retaining safe-harbor protections.

Kodi C.

Editor & Research Lead

Accuracy-reviewed by the editorial team

Compliance pillar illustration for Zeph Tech briefings
Compliance controls, audit, and evidence briefings

India’s 2021 Intermediary Guidelines and Digital Media Ethics Code overhaul safe-harbor conditions for social platforms, messaging services, and digital publishers by imposing traceability, takedown speed, compliance staffing, grievance escalation, and content classification duties that must be operational within tight timelines.

Core obligations for significant social media intermediaries

  • Compliance officers and 24×7 contact point. Significant social media intermediaries (SSMIs) must appoint an Indian resident Chief Compliance Officer (CCO), a nodal contact for law enforcement, and a resident Grievance Officer, publishing their contact details and reporting structures.
  • Timely takedown and continuous monitoring. Platforms must remove or disable access to unlawful content within 36 hours of a government or court order, and within 24 hours for content depicting nudity or sexual acts involving children. They must deploy automated tools to early identify child sexual abuse material (CSAM) and certain repeat content.
  • Traceability and first-originator identification. Messaging services with end-to-end encryption must be able to identify the first originator of flagged messages when ordered by a competent court for specified offenses—driving architectural assessments, metadata retention, and minimization controls.
  • Complaint resolution and appeal. Acknowledgement is required within 24 hours and resolution within 15 days for user grievances, with additional escalation for content takedowns. Regular transparency reports must disclose complaints received, actions taken, and automated detection efforts.
  • User safety and repeat-offender controls. Provide a mechanism for users to voluntarily verify identities, label verified accounts, and disable persistent access for repeat violators while preserving due process and auditability.

Non-compliance risks loss of safe-harbor protections under Section 79 of the Information Technology Act, exposing platforms to direct liability for user content alongside potential criminal exposure for the CCO.

Digital media publishers and OTT streaming services

  • Content classification and age gating. Publishers of online curated content must classify titles by age rating (U, U/A 7+, 13+, 16+, A), provide content descriptors, and implement reliable parental locks for 13+ and above as well as age verification for “A” content.
  • Three-tier grievance system. Level I self-regulation (publisher), Level II self-regulatory body (independent with a retired judge or eminent person), and Level III oversight by the Ministry of Information and Broadcasting (MIB) with powers to issue advisories, warnings, or blocking directions for non-compliance.
  • Publisher duties. Appoint a Grievance Officer in India, acknowledge complaints within 24 hours, resolve within 15 days, and maintain records of action. Establish content takedown and age-restriction workflows aligned to the Code’s program and Advertisement Code principles.
  • Governance setup. Form an India compliance task force spanning legal, policy, security, engineering, and customer support. Define single-threaded owners for CCO obligations, traceability response, and transparency reporting.
  • Traceability architecture. Conduct a design review of messaging protocols to determine how to identify first originators while preserving encryption. Document minimal metadata retention, hashing strategies for viral content detection, and safeguards to prevent content scraping or privacy overreach. Maintain court-order intake and validation checklists.
  • Content moderation SLAs. Implement workflows to meet 24/36-hour removal clocks: queue prioritization, automation for child safety content, and staffed escalation for legal orders. Maintain audit trails for each takedown and appeals to show due process.
  • Grievance redressal system. Localize grievance portals with 24-hour acknowledgement, 15-day resolution timers, and user-notification templates. Capture evidence, decision rationale, and reviewer IDs for defensibility in court challenges.
  • Transparency reporting. Automate quarterly reporting on volume and type of complaints, preventive removals, law-enforcement requests, traceability orders received/processed, and average response times. Validate metrics with internal audit before publication.
  • OTT and publisher controls. For streaming services, embed age labels, descriptors, parental controls, and geo-aware enforcement. Maintain catalog metadata and logs linking each asset to rating decisions and edits.

Enforcement outlook and cross-border considerations

The Ministry of Electronics and Information Technology and MIB have signaled closer scrutiny of late or incomplete compliance, issuing notices to several major platforms since 2021. Teams should anticipate stepped-up audits of traceability readiness, residency of officers, and transparency reports. Preserve privilege around legal assessments while preparing external-facing evidence to show sustained compliance.

Multinational services must reconcile India-specific obligations with global architectures. Where end-to-end encryption is retained, document the technical impossibility or severe privacy impacts of certain traceability requests and be ready to propose narrowly tailored alternatives. Align data-retention schedules with the strictest applicable requirement while minimising over-collection.

Coordinate with APAC public policy and litigation teams to monitor court challenges and interim orders that may narrow or clarify obligations, particularly around encryption and safe-harbor implications.

Law-enforcement interfaces. Create a secure intake and authentication process for government orders, verifying jurisdiction, applicable offenses, and scope before actioning. Maintain an escalation path to counsel for ambiguous or overbroad demands, and record decisions for audit and litigation defense.

Business continuity and incident response. Integrate Code obligations into incident runbooks. During outages or cyber incidents, ensure grievance and takedown SLAs remain met; pre-stage alternate workflows and staffing to avoid breaching statutory timelines.

Vendor management. Flow down relevant obligations to moderators, contractors, and cloud vendors handling Indian user data or grievance processing. Include confidentiality, data localization (if applicable), and audit rights to substantiate compliance in regulator reviews.

Training and audits. Run quarterly training for moderators, support agents, and engineers handling Indian user data, emphasizing statutory timelines and recordkeeping. Schedule internal audits to sample takedown, grievance, and traceability cases, documenting remediation for any SLA drift.

Continuous improvement. Track false positives from automated filters, user appeal outcomes, and law-enforcement satisfaction rates to refine processes and show proportionality.

Similar analysis

Additional analysis covering similar themes.

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Third-Party Risk Oversight Playbook

    Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

  • Compliance Operations Control Room

    Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

  • ESG Assurance Operating Guide

    Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published
Coverage pillar
Compliance
Source credibility
91/100 — high confidence
Topics
Content Regulation · India · Intermediary Liability
Sources cited
3 sources (meity.gov.in, pib.gov.in, iso.org)
Reading time
5 min

Further reading

  1. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — meity.gov.in
  2. Government notifies Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 — pib.gov.in
  3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization
  • Content Regulation
  • India
  • Intermediary Liability
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.