Candour Legal – Best Lawyers in Ahmedabad | Law firm in Ahmedabad
The Ministry of Electronics and Information Technology released the Draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Second Amendment Rules, 2026 on 30 March 2026, with the consultation period originally closing on 14 April 2026 and subsequently extended after industry and civil-society pushback. The IT Rules Second Amendment 2026, despite MeitY’s description of it as “clarificatory and procedural in nature”, makes ministerial advisories, standard operating procedures and guidelines an enforceable component of intermediary due diligence under Section 79 of the Information Technology Act, 2000. The immediate question for platforms is whether they retain safe harbour. The deeper question, which most coverage has bypassed, is what happens when this expanded compliance stack runs into the obligations under the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025.
Key Takeaways
- The Draft IT Rules Second Amendment 2026 was released by MeitY on 30 March 2026, with the consultation period extended from the original 14 April deadline following industry and civil-society representations.
- A new Rule 3(4) makes intermediary compliance with MeitY-issued clarifications, advisories, orders, directions, SOPs, codes of practice, and guidelines part of the due-diligence obligation under Section 79 of the IT Act, with non-compliance threatening loss of safe harbour.
- The amendment to the proviso of Rule 8(1) extends the Inter-Departmental Committee mechanism under Rule 14 to intermediaries hosting user-generated news and current affairs content, substantially expanding the Ministry of Information and Broadcasting’s content-oversight reach.
- Three petitions filed in February 2026, by Venkatesh Nayak, Nitin Sethi, and The Reporters Collective, are pending in the Supreme Court under Article 32 challenging Sections 17(1)(c), 17(2), 33(1), 36 and 44(3) of the DPDP Act and Rules 17 and 23(2) of the DPDP Rules.
- The retention obligations in the Draft Amendment sit awkwardly with the right to erasure under Section 8(7) of the DPDP Act, creating cumulative compliance duties that intermediaries must reconcile rather than choose between.
What the IT Rules Second Amendment 2026 Actually Changes
Three structural changes do most of the work. First, a newly inserted Rule 3(4) requires intermediaries to comply with, and give effect to, any clarification, advisory, order, direction, standard operating procedure, code of practice, or guideline issued by MeitY in writing for the implementation of the IT Rules. Compliance with these instruments forms part of the intermediary’s due-diligence obligation under Section 79 of the IT Act. The procedural guardrails MeitY has built in are real but limited: every such direction must be issued in writing, specify its legal basis, and remain consistent with the IT Act.
Second, the substituted proviso to Rule 8(1) brings intermediaries and users posting “news and current affairs” content under the oversight of Part III of the IT Rules. Until the amendment, Part III applied to intermediaries only for the purposes of content blocking under Rules 15 and 16. The amended proviso extends Part III’s reach to Rule 14, bringing intermediaries and user-generated news and current-affairs content within the jurisdiction of the Inter-Departmental Committee and the Ministry of Information and Broadcasting’s Code of Ethics framework.
Third, amendments to Rules 14(2) and 14(5) widen the Inter-Departmental Committee’s powers, allowing it to consider matters beyond complaints, including those referred by the Ministry. This is the procedural shift that civil-society commentators and the Editors Guild of India have flagged as the most significant, because it operationalises a content-review mechanism that does not depend on a complainant.
Amendments to Rules 3(1)(g) and 3(1)(h) further state that data retention obligations under the IT Rules are additional to retention requirements under any other law. The existing 180-day retention floor for user data, including removed content and associated records, becomes a minimum rather than a ceiling, with no maximum specified.
This is the second IT Rules amendment of 2026. The first amendment, notified on 10 February 2026 and effective from 20 February 2026, addressed AI deepfakes and synthetic media, introducing a three-hour takedown window for court or government orders, mandatory labelling for AI-generated content, and provenance metadata requirements for Significant Social Media Intermediaries.
The Safe Harbour Mechanics Under Section 79
Section 79 of the IT Act shields intermediaries from liability for user-generated content provided they observe due diligence and act on actual knowledge of unlawful content. The Supreme Court’s reading of Section 79(3)(b) in Shreya Singhal v. Union of India, (2015) 5 SCC 1, narrowed the source of “actual knowledge” to a court order or a government notification, a constitutional gloss intended to prevent extra-judicial pressure on platforms.
MeitY’s stated rationale for Rule 3(4) is legal certainty. Advisories and SOPs have been a routine regulatory tool for years, and the Ministry’s position is that an executive instrument issued under the IT Rules should be enforceable rather than ornamental. Industry commentators, including Kumar Deep of the Information Technology Industry Council, have suggested that the amendment also seeks to give retrospective sanctity to advisories that have already been issued.
A plain reading of new Rule 3(4) lowers the constitutional threshold that Shreya Singhal set. If failure to comply with a written advisory, SOP, code of practice, or guideline is itself a due-diligence default, then any executive instrument, issued without judicial scrutiny and often without public publication, can operate as the trigger for safe-harbour loss. The Supreme Court has held in Indian Express Newspapers v. Union of India, (1985) 1 SCC 641, that subordinate instruments cannot create new substantive obligations unanchored to the parent statute. Whether Rule 3(4) crosses that line is the operative question, and one that the Delhi High Court is already addressing in pending challenges to Part III of the existing IT Rules.
The practical consequence for intermediaries is asymmetric. The cost of contesting an advisory, in time and litigation exposure, is high; the cost of compliance is low. The rational platform response is over-removal, including of lawful satire, political commentary, and journalism. The widely reported restriction of stand-up comedian Pulkit Mani’s satirical Instagram reel on 18 March 2026, where users encountered a notice citing Section 79(3)(b) without published reasons, and the parallel withholdings of political parody accounts on X the same night, illustrate how the incentive structure is already shifting before the Draft Amendment is notified.
The DPDP Collision: Retention Versus Erasure
The Draft Amendment expands data retention obligations under the IT Rules and clarifies that these obligations operate “without prejudice to any other requirement under the Act or any other law.” This phrase carries the heaviest analytical weight in the entire draft. It establishes that IT Rules retention is cumulative with, not substitutive of, DPDP Act retention obligations. Intermediaries cannot treat IT Rules compliance as discharging their data-protection duties.
Section 8(7) of the DPDP Act mandates erasure of personal data when the data principal withdraws consent or when the specified purpose for processing is no longer being served. The carve-out is for retention required by any other law. The Draft Amendment, through its expanded retention provisions, generates exactly such a carve-out for at least 180 days after purpose limitation has been served, with extension permissible. The right to erasure that the DPDP Act enacts is therefore narrowed in operation by an executive instrument that platforms are simultaneously expected to comply with.
The reverse problem also obtains. Section 36 of the DPDP Act and Rules 22 and 23 of the DPDP Rules, 2025 empower the Central Government to require any data fiduciary or intermediary to furnish information for purposes specified in the Seventh Schedule, including the sovereignty and integrity of India and the security of the State. Rule 23(2) requires non-disclosure of the request to the data principal where disclosure is likely to prejudicially affect those interests. Read with new Rule 3(4) of the IT Rules, the architecture allows Ministry-issued advisories to direct platforms to surrender user data, and the same advisories, being executive instruments rather than judicial orders, operate outside the Shreya Singhal threshold while still binding the platform under safe-harbour pressure.
Compliance teams managing platforms now face contradictory primary duties: minimise and erase under DPDP, retain and surrender under the IT Rules. The Data Protection Board of India can fine up to ₹250 crore for failure to implement reasonable security safeguards under Section 8(5) of the DPDP Act, and up to ₹200 crore for failure to notify a breach. The IT Act exposes the platform to all third-party liability if Section 79 is lost. There is no clean way to satisfy both regimes simultaneously without a documented exception framework, and the Draft Amendment offers no statutory reconciliation.
The Constitutional Question Already Pending in the Supreme Court
Three writ petitions filed in early 2026 are pending before the Supreme Court of India under Article 32. The lead petition by Venkatesh Nayak, filed on 2 February 2026, challenges Sections 17(1)(c), 17(2), 33(1), 36 and 44(3) of the DPDP Act and Rules 17 and 23(2) of the DPDP Rules on the ground that they violate Articles 14, 19(1)(a) and 21 of the Constitution. Companion petitions by journalist Nitin Sethi and The Reporters Collective followed.
Two strands of the petitioners’ argument carry through to the IT Rules Second Amendment 2026 directly. The first is that Section 36 of the DPDP Act, by allowing the Central Government to call for information without statutory guidance, creates an unguided executive power over data fiduciaries and intermediaries. The second is that Rule 23(2) compels intermediaries not to disclose to the data principal the fact that information has been furnished to the government, where disclosure is likely to affect sovereignty and integrity of India or security of the State, without an independent appellate authority to test the executive’s claim.
If the Supreme Court were to read down or strike any of these provisions, the cascading effect on the new Rule 3(4) of the IT Rules, which lets MeitY-issued advisories trigger comparable demands without statutory framing, would be substantial. The amendment is being drafted into a regime whose constitutional foundations are themselves under judicial review.
Sectoral Pressure Points: Gaming, Education, Fintech, News Aggregators
The compliance stack now compresses several sectors simultaneously. Online gaming intermediaries, which become subject to the Promotion and Regulation of Online Gaming Rules, 2026 from 1 May 2026, face overlapping obligations under the Online Gaming Authority of India’s framework, the IT Rules’ Section 79 due-diligence regime, and DPDP retention and consent requirements. Edtech and digital education platforms, where data principal subjects often include minors, must reconcile the parental-consent verification under Rule 10 of the DPDP Rules with intermediary obligations under the new Rule 3(4) and the takedown timelines under the February amendment.
Fintech platforms operating as intermediaries, including payment gateways, neobanks, and lending applications, sit at the intersection of MeitY advisories, Reserve Bank of India directions, and DPDP obligations. Each regime carries its own retention, disclosure and security duties; under Rule 3(4) read with the Draft Amendment’s retention expansions, the burden of building cross-regime documentation has shifted to the platform.
For news aggregators and social media intermediaries hosting user-generated news and current-affairs content, the proviso to Rule 8(1) is the operative provision. Until 30 March 2026, the Ministry of Information and Broadcasting’s Code of Ethics framework reached publishers but not intermediaries. The amendment closes that gap, bringing every social media platform with a current-affairs feed within the same oversight architecture that governs digital news portals.
Looking Ahead
MeitY’s stated openness to industry consolidation, signalled by IT Secretary S. Krishnan’s 7 April remark that consolidating advisories into a single instrument is “a reasonable request”, suggests that the final notification may streamline the surface architecture even if the substantive expansion of executive power is preserved. The deadline extension buys time for stakeholder submissions but does not change the direction of travel.
What compliance teams should monitor over the next quarter: the final notification text, particularly whether the advisory categories listed in Rule 3(4) are tightened or anchored to Section 87 of the IT Act; the Supreme Court’s progress on the pending Article 32 petitions; and the first MeitY advisory issued after notification, which will set the practical precedent for what the new compliance stack looks like in operation. For intermediaries, the immediate work is to map cross-regime retention obligations, build documented exception frameworks for the DPDP–IT Rules conflict, and review consent and notice architecture against the layered requirements that will be live by mid-2026.
The Draft Amendment is not a marginal procedural tightening. It re-architects the relationship between executive action and platform liability in India, and it does so at the same moment that the DPDP Rules are entering their first phase of binding effect. The two regimes will co-exist whether or not the Ministry has reconciled them, and intermediaries will need to manage the contradictions on their own.
Frequently Asked Questions
What is the IT Rules Second Amendment 2026?
The IT Rules Second Amendment 2026 is a draft amendment to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 released by the Ministry of Electronics and Information Technology on 30 March 2026. The Draft Amendment introduces a new Rule 3(4) requiring intermediaries to comply with MeitY-issued clarifications, advisories, orders, directions, standard operating procedures, codes of practice, and guidelines as part of their due diligence under Section 79 of the IT Act. As of 28 April 2026, the consultation period has been extended beyond the original 14 April deadline and the Draft Amendment has not yet been notified in the Gazette of India.
How does the Draft Amendment affect safe harbour under Section 79 of the IT Act?
Under the Draft Amendment, failure to comply with any MeitY-issued advisory, SOP, or guideline forms part of a due-diligence default, exposing the intermediary to loss of safe harbour. Section 79 of the Information Technology Act, 2000 protects intermediaries from liability for user-generated content provided they observe due diligence. The Supreme Court’s decision in Shreya Singhal v. Union of India read down the “actual knowledge” requirement for safe-harbour purposes to a court order or government notification, and the Draft Amendment effectively introduces executive instruments below that constitutional threshold.
Does the Draft Amendment conflict with the DPDP Act, 2023?
The expanded data retention obligations under the Draft Amendment sit cumulatively with the right to erasure under Section 8(7) of the Digital Personal Data Protection Act, 2023. Intermediaries who are also data fiduciaries face contradictory primary duties: erasure on consent withdrawal under DPDP and retention under the IT Rules. The DPDP Act carves out retention required by other law, which the IT Rules amendment supplies, but the practical compliance cost falls on the intermediary to document and operationalise the conflict.
What is the role of the Inter-Departmental Committee under the amended Rule 14?
The Inter-Departmental Committee under Rule 14 of the IT Rules is a central body originally constituted to hear grievances against publishers of news and current-affairs content under Part III of the Rules. The Draft Amendment expands its scope by allowing it to consider matters referred by the Ministry of Information and Broadcasting beyond complaints, and substitutes the proviso to Rule 8(1) so that intermediaries and users posting news content also fall within its decisions.
Are there pending challenges to the DPDP Act in the Supreme Court?
Yes. Three writ petitions filed in early 2026, by Venkatesh Nayak, Nitin Sethi, and The Reporters Collective, are pending under Article 32 before the Supreme Court of India. They challenge Sections 17(1)(c), 17(2), 33(1), 36 and 44(3) of the DPDP Act and Rules 17 and 23(2) of the DPDP Rules on grounds that they violate Articles 14, 19(1)(a) and 21 of the Constitution. The outcome has direct relevance for the IT Rules Second Amendment 2026 because both instruments rely on overlapping executive demand-for-information powers.
This analysis was prepared by the Candour Legal team. Candour Legal is a full-service Indian law firm with offices in Ahmedabad, Mumbai and New Delhi, advising on cyber law, technology regulation, data protection, and platform compliance. The firm publishes analytical commentary on developments in Indian law at candourlegal.com.
Further reading on Candour Legal
- Online Gaming Rules 2026: A Comprehensive Guide to MeitY’s Light-Touch Framework for India — a closely related article on the gaming intermediary regime that now sits within the IT Rules compliance stack.
- Delhi Court’s Judgment Reiterates Right to be Forgotten in the Digital Era — judicial development on data privacy and personal information that informs the DPDP-IT Rules retention question.
- Meta v CCI: NCLAT Upholds Penalty but Relaxes Data Sharing Restrictions — competition law angle on platform data-sharing restrictions, complementing the safe harbour analysis.
