Last verified: 2026-05-08
In November 2023, a 14-second face-swap deepfake of a leading pan-Indian film actress went viral on Indian social media. Within hours it was reposted thousands of times across WhatsApp groups, X timelines, and regional Telegram channels. The woman in the clip had never recorded that footage. That single 14-second video became one of the public triggers for the IT Rules 2026. An FIR was filed under Section 66C of the Information Technology Act, 2000 (identity theft) and Section 66E of the Information Technology Act, 2000 (privacy violation), alongside Section 465 of the IPC (now BNS, 2023) and Section 469 of the IPC (now BNS, 2023) of the then-applicable IPC. The IT Minister told reporters the existing IT Rules 2021 already required platforms to act. They did not act fast enough, and within a fortnight the Centre had issued advisories to every major social media platform demanding a structural response.
Through 2024, the Delhi High Court issued a sustained string of personality-rights injunctions: for a senior actor’s likeness, a megastar’s voice, a singer’s voice, a senior journalist’s image, and (in October 2025) a yoga guru’s face. Each plaintiff hired counsel, drafted a plaint, sat through hearings, and waited for an injunction order to be served on the platforms. Courts tried to plug the gap. Each order was narrower than legislation could be, and each only protected the named figure. The structural problem stayed structural.
Then came April 2024. Industry reporting placed the volume of AI-generated voice-clone calls before the general election at over 50 million. Cheapfakes and deepfakes circulated at scale across regional languages. The Election Commission urged parties to abstain. Public debate hardened, and so did the Centre’s appetite. By 22 October 2025, the Ministry of Electronics and Information Technology (MeitY) published draft amendments. By 10 February 2026, India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, better known simply as the IT Rules 2026.
What changed on 20 February 2026 is structural, not cosmetic. Platforms that miss a three-hour takedown window now risk losing their Section 79 of the Information Technology Act, 2000 safe harbour. Synthetically generated information must carry a label covering at least 10% of the visual surface or the first 10% of audio duration. Significant social media intermediaries must obtain a pre-publication declaration from every uploader. The country’s largest legaltech challenge of 2026 has become this: how do you actually comply, and how does this rule survive the constitutional challenge that’s almost certainly coming?
The IT Rules 2026 amend India’s Intermediary Guidelines to regulate synthetically generated information, including deepfakes. Notified on 10 February 2026 and effective 20 February 2026, they require intermediaries to remove flagged deepfakes within three hours, label AI content covering at least 10% of visual or audio space, and verify user declarations on synthetic uploads, or lose Section 79 safe-harbour protection.
The rest of this post unpacks the verbatim rule text, the four-tier takedown timeline, the case-law backdrop that made these rules inevitable, the constitutional pressure points, and a practical 45-day playbook every intermediary, SSMI, AI tool provider, and content creator should be running right now.
What are the IT Rules 2026 and why were they introduced?
India had been trying to regulate online content for over two decades before deepfakes forced the question of synthetic media. The IT Rules 2026 are not a new statute. They are amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, made under the parent Section 79 of the Information Technology Act, 2000 of the IT Act, 2000. The amendments respond to a five-year build-up of deepfake harms, a wave of personality-rights litigation, and a regulatory bet that fast takedowns plus mandatory labels can suppress synthetic harms before they spread.
The short answer to “why now” is harm volume. According to a 2023 McAfee survey cited widely in regulatory submissions, 47% of Indians said they had been a victim of an AI voice scam or knew someone who had. Industry reports pegged a 550% increase in detected deepfake content in India between 2019 and 2024. None of this was hypothetical by the time MeitY released the draft.
So why a rule rather than a statute? Because Section 87 of the Information Technology Act, 2000 of the IT Act, 2000, empowers the Centre to prescribe due-diligence obligations on intermediaries by rule. The Centre used that power, and the result is a rule that does substantive regulatory work without going through Parliament.
A 12-year arc from the IT Act 2000 to synthetic content
The IT Act, 2000, gave intermediaries a safe harbour under Section 79, conditional on due diligence. The first IT (Intermediary Guidelines) Rules came in 2011. In 2015, the Supreme Court in Shreya Singhal v. Union of India, (2015) 5 SCC 1 read down Section 79: an intermediary loses safe harbour only on “actual knowledge” through a court order or government notification, not on a private complaint. That doctrine has shaped every intermediary obligation since.
The IT Rules 2021 added a three-tier structure for digital media, grievance officers, and traceability obligations on messaging intermediaries. A 2023 amendment introduced government-notified Fact-Checking Units. In September 2024, the Bombay High Court in Kunal Kamra v. Union of India, 2024 SCC OnLine Bom 3052 struck down the FCU amendment as ultra vires and inconsistent with Section 79 of the Information Technology Act, 2000. That was the immediate doctrinal context the deepfake amendment had to fit into.
What the new rules formally do
The IT Rules 2026 introduce a new definition of synthetically generated information under Rule 2(1)(wa), embed labelling obligations under Rule 3(3), tighten takedown windows under Rule 3(1)(d) and related provisions, and add Rule 4(1A) which places pre-publication user-declaration duties on Significant Social Media Intermediaries. The rules also clarify that the safe harbour under Section 79(2) is conditional on full compliance with these obligations.
In plain English, every platform offering Indian users a way to create, share, or host synthetic content now has a structured set of duties, and the cost of getting them wrong is exposure to civil and criminal liability under the IT Act and the Bharatiya Nyaya Sanhita.
The notification dates and the effective date
The draft was published on 22 October 2025 with a consultation deadline of 6 November 2025. The Centre notified the final rules on 10 February 2026. The effective date is 20 February 2026. There is no phased compliance window in the gazette text. Platforms that were not ready on 20 February were already in breach.
Worth flagging: the 10-day gap between notification and effect was the shortest compliance runway India has given on a major intermediary rule since 2011. Most law firms with technology practices were running emergency advisory calls between 11 and 19 February.
In practice, what experienced practitioners know is that the speed of notification reflects political pressure, not regulatory readiness. The C-DAC detection tools the rule presumes platforms will use were still in field-test stages at notification, and MeitY had not yet published a list of “approved” technical measures.
A common question on Reddit and practitioner forums is whether content posted before 20 February 2026 is grandfathered. The rule does not say so. The takedown obligation attaches when the intermediary receives a lawful order or notice, regardless of when the content was originally uploaded.
The pitfall most platforms missed in February: the rule applies to all intermediaries, not just SSMIs. A small Indian forum without 24/7 ops capacity is, in principle, subject to the same three-hour takedown window as Meta or YouTube, even if the rule’s enforcement reality will differ.
What is “synthetically generated information” (SGI) under Rule 2(1)(wa)?
The whole rule depends on this definition. If the content isn’t SGI, the labelling and takedown obligations do not attach. If it is, they do. So the boundary matters more than any other piece of the new framework.
The drafters chose a deliberately broad outline and then narrowed it through exclusions. In doing so, they imported a tension: the broad outline captures innocuous uses, while the narrow exclusions create interpretive hooks every platform’s legal team will lean on.
The verbatim Rule 2(1)(wa) definition
Per Rule 2(1)(wa) of the IT Rules 2021 (as amended), synthetically generated information means information that is “artificially or algorithmically created, generated, modified or altered using a computer resource, in a manner that appears reasonably authentic or true” and is “capable of being mistaken for an actual person or real-world event.”
Three words do all the heavy lifting. “Modified or altered” is what sweeps in everything from face swaps to filters. “Reasonably authentic or true” is the realism gate. “Capable of being mistaken” is the deception test that, in practice, will become the litigated frontier.
What counts as SGI in practice
A face-swap video, a voice clone, a fully AI-generated image of a real person, an AI-generated political ad with a synthetic voiceover, a morphed image used in non-consensual intimate imagery (NCII): these are uncontroversial examples of SGI. So is a video where the person’s lips are AI-modified to say something different from the original audio.
The harder edge cases are the ones platforms ask about most: a beautified selfie using a cosmetic filter; a colour-graded landscape; a podcast where AI was used to remove background noise; an AI-summarised news headline. The Centre’s clarifying language in the explanatory note signals these should not count, but the rule text itself doesn’t draw that line cleanly.
What does not count
The rule’s explanatory framework excludes basic editing operations: noise reduction, format conversion, image-quality enhancement, accessibility adjustments, and routine AI assistance for grammar or translation. The principle is that SGI requires an output that’s both AI-generated and capable of being mistaken for reality, not merely “touched by AI.”
That said, the line is not bright. Consider a Snapchat filter that swaps a face onto a celebrity body for satire. The intent is clearly satirical, but the output is, technically, “capable of being mistaken.” The rule offers no satire defence on its face. In practice, intermediaries will rely on context-and-intent assessments, which is exactly what creates the over-removal risk that civil-liberties critics flag.
Does the rule cover AI-generated text?
The conservative reading is yes; the practical answer in early 2026 is mostly no. The Rule 2(1)(wa) language refers broadly to “information.” However, the labelling obligation under Rule 3(3) refers to visual surface area or audio duration, and the explanatory note says PDFs and textual material with illustrations remain outside the immediate scope.
Bottom line: AI-generated text on its own is unlikely to trigger labelling. AI-generated text that is deceptively presented as the original work of an identifiable person (a fake quote, a fake column) probably does, especially when paired with the criminal provisions discussed in Section 11 below. And a common question creators on Quora ask is whether an AI-summarised news article counts as SGI. Under the current text, no, unless the summary fabricates content that appears to be authentic original reporting.
The pitfall here is narrowly reading “doesn’t count” as “doesn’t trigger any rule.” A meme template that combines AI-generated text with a real person’s image still triggers the rule on the image side. The text exclusion does not rescue the composite.
The 3-hour deepfake takedown rule, explained
The three-hour window is the rule’s most-cited provision and the most operationally consequential. Before 20 February 2026, the standard intermediary takedown SLA was 36 hours. The new floor is three hours, with a stricter two-hour floor for non-consensual intimate imagery. That’s a 92% compression on the headline SLA.
Why does this matter so much? Because deepfake virality is measured in minutes, not hours. A clip that gains 100,000 views in the first three hours often gains 10 million in the next 12. The rule is targeting the early-spread window, and that’s also the window where takedown errors do the most reputational damage.
What triggers the 3-hour clock
The three-hour clock starts when the intermediary receives a “lawful order or notice from the government or its authorised agencies” or a “court direction.” This phrasing tracks the Shreya Singhal v. Union of India, (2015) 5 SCC 1 formulation: the intermediary is not expected to determine illegality on its own, but to act swiftly when ordered.
The Sahyog portal, validated by the Karnataka High Court in X Corp v. Union of India, 2025 SCC OnLine Kar (Karnataka HC, 24 September 2025) in 2025, is the principal channel through which government takedown orders reach intermediaries. Receipt is acknowledged on portal, the clock starts at acknowledgement, and the takedown evidence is uploaded back through the same portal. Practitioners expect this workflow to become the de facto compliance template.
The four-tier takedown timeline
The full takedown framework now operates on four tiers, each tied to a different content category. The table below sets out the framework as practitioners now read it.
| Trigger | Content category | Removal window | Rule citation |
|---|---|---|---|
| Court or government order | Court-flagged or government-flagged unlawful synthetic content | 3 hours | Rule 3(1)(d), as amended |
| User complaint via specified channel | Non-consensual intimate imagery, morphed sexual content | 2 hours | Rule 3(2)(b), as amended |
| User complaint via specified channel | Impersonation, deception, fake credentials | 36 hours | Rule 3(2)(b), as amended |
| General user complaint | All other synthetic-content grievances | 7 days | Rule 3(2)(a), as amended |
Two observations. First, the two-hour NCII rule is the strictest synthetic-content takedown window in any jurisdiction in the world as of 20 February 2026. Second, the 7-day general-complaint window is unchanged in effect from the older 15-day SLA only because most intermediaries had already cut it to 7 in 2024 voluntary commitments.
What “act” actually means
The duty is to “remove or disable access to” the content. The rule does not require permanent erasure from the intermediary’s servers, only that the content stop being accessible to the public. Geo-blocking specific to India is acceptable for foreign platforms, provided the block is verifiable.
For an SSMI, “act” extends beyond the named URL. The intermediary is expected to use perceptual-hash or visual-fingerprint matching to identify and disable identical or near-identical re-uploads on its own platform within the window. This is the single biggest engineering ask in the rule.
What happens if a platform misses the window
The headline consequence is loss of the Section 79 of the Information Technology Act, 2000 safe harbour for that specific content item. The platform then becomes liable as a publisher for any harm the content has caused. Civil liability typically flows through tortious privacy, defamation, or personality-rights claims. Criminal exposure flows through Section 66C of the Information Technology Act, 2000, Section 66E of the Information Technology Act, 2000, and the relevant BNS provisions covering forgery, impersonation, and obscenity.
So is the three-hour window technically possible for a global platform? Honestly, only with serious automation. Tier-1 platforms have moved to 24/7 trust-and-safety operations, with takedown queues prioritised by content-category tags from the Sahyog portal. Smaller intermediaries that received their first government notice on 21 February were, by most accounts, scrambling.
The 10% AI labelling rule and provenance metadata
If the takedown rule is the rule’s stick, the labelling rule is its prevention strategy. The labelling obligation under Rule 3(3)(a)(ii) attempts something no other major jurisdiction has done at this scale: a quantitative threshold for label visibility, paired with a permanent metadata requirement.
But will it work? The honest answer is “partly, and only if MeitY publishes detection benchmarks the rule currently lacks.”
The visual 10% spec
For visual content, the synthetic-content label must “cover at least 10% of the visual surface area” of the displayed content. That’s a specific number, and it has design implications.
A small corner watermark won’t satisfy the rule. Practitioners advising platforms read this to require either a persistent overlay band along one edge of the frame, or a centred semi-transparent label that occupies a meaningful fraction of the screen. For short-form vertical video, where every pixel of attention matters, the 10% specification effectively forecloses the kind of subtle watermark creators have been used to.
The audio 10% spec
For audio content, the label must be “audible during at least 10% of the total duration.” The rule does not specify whether this can be back-loaded, distributed, or front-loaded.
The conservative reading, which most law firm advisories took in February, is that the audible disclosure should be at the start of the audio (the first 10% of duration) so listeners encounter the label before they form a perception of authenticity. A 60-second voice clone would carry an audible “This audio is synthetically generated” announcement for the first six seconds.
Permanent unique metadata identifier
Rule 3(3)(a)(ii) also requires SGI tools to “embed a permanent unique metadata identifier” at the point of generation. The label “must not be removable, suppressible, or alterable” by the user. The rule doesn’t prescribe a technical standard, but the practical reference point is the C2PA (Coalition for Content Provenance and Authenticity) framework, which most major AI vendors have already adopted.
The C-DAC (Centre for Development of Advanced Computing) under MeitY has been working on a verification toolchain that reads provenance metadata at intermediary level. Field-test data shared with industry bodies pegged tool accuracy at around 89% in lab conditions, with significant degradation on real-world transformations like screen capture, format conversion, and re-encoding.
What if the label is removed by re-upload
Here’s the operational edge case. A user takes a labelled AI-generated video, screen-records it (which strips the embedded metadata), and re-uploads. Is the platform liable?
Under the strict reading of Rule 3(3), an SSMI must “deploy reasonable and proportionate technical measures” to detect such re-uploads. That’s the platform’s obligation. The original SGI tool is not on the hook for the screen-capture circumvention. But the SSMI is, which is why the perceptual-hash and content-fingerprint infrastructure (mentioned in Section 3.3 above) is becoming the single most important compliance investment for tier-1 platforms.
A common question from compliance officers on practitioner forums: is 89% lab accuracy enough, when the rule’s safe-harbour consequence attaches to the platform’s failure to act? The honest answer is no, not yet. Most large platforms are running C-DAC detection alongside their own internal tools and treating the C-DAC output as one signal among several.
Compliance obligations by stakeholder type
The rule does different things to different actors. A regular intermediary’s obligations are not the same as an SSMI’s, and an SGI tool provider’s obligations are different again. The most common compliance error in February-March 2026 was a regular intermediary applying the SSMI checklist, or an SSMI applying the regular intermediary checklist. Both miss the right answer.
The table below sets out the four-stakeholder framework practitioners are now using.
| Stakeholder | Key obligation | Rule citation | Risk if non-compliant |
|---|---|---|---|
| Regular intermediary | Quarterly user warnings; takedown within prescribed window of lawful notice | Rule 3(1)(b), 3(1)(c), 3(1)(d) | Loss of Section 79 safe harbour for the specific item |
| Significant Social Media Intermediary (SSMI) | Pre-publication user declaration; verification; perceptual-hash detection | Rule 4(1A) | Loss of Section 79 safe harbour; reputational and regulatory escalation |
| SGI tool provider | Embed metadata at generation; 10% visible/audible label; cannot suppress | Rule 3(3)(a) | Loss of safe harbour for output content; downstream platform liability |
| Content creator / advertiser | Truthful upload declaration; flow-down to AI vendors | Rule 4(1A) (via SSMI) | Account-level enforcement; criminal liability under §66C/§66E and BNS |
Regular intermediaries
A regular intermediary is any service that hosts, transmits, or stores content provided by others. That covers web hosts, search engines, smaller forums, podcast hosting platforms, hosted email, niche marketplaces, and a long tail of SaaS-hosted user-generated-content services.
Their obligations under the IT Rules 2026 are essentially three. First, periodically (at least every three months under amended Rule 3(1)(c)) inform users of the rules and the consequences of non-compliance. Second, take down flagged synthetic content within the prescribed window after lawful notice. Third, cooperate with the Sahyog portal workflow.
What’s the catch? The catch is that small intermediaries don’t have the engineering or legal resources to staff a 24/7 takedown desk. In principle, they’re subject to the same three-hour window. In practice, MeitY enforcement is likely to be risk-based, but the legal exposure is unchanged. A small Indian forum that misses a takedown by an hour is, in principle, exposed to civil suits brought by aggrieved persons.
Significant Social Media Intermediaries (SSMIs)
The SSMI threshold under the IT Rules 2021 is 5 million registered Indian users. The major platforms (Meta, X, YouTube, Instagram, WhatsApp, Telegram, Snapchat, ShareChat, Moj) all qualify.
Rule 4(1A) is the heart of the SSMI obligation. It requires SSMIs to obtain a declaration from each user, at the time of uploading, stating whether the content is synthetically generated. The SSMI must then “deploy reasonable and proportionate technical measures” to verify the declaration. If the declaration is missing, false, or unverifiable, the SSMI must apply a synthetic-content label by default.
The verification piece is doing enormous work. In practice, SSMIs are running automated detection (their own model plus C-DAC) on every upload, comparing against the user declaration, and flagging mismatches for human review. This is a significant cost increase and an even more significant data-protection question.
SGI tool providers
An SGI tool provider is any service that “enables, permits, or facilitates” the creation of synthetic content. That covers generative-image platforms, voice-cloning APIs, video-generation tools, and the underlying foundation-model APIs that other applications build on.
Their core duty is at-source labelling under Rule 3(3)(a). Every output the tool produces must carry the 10% visible or audible label, plus the embedded permanent metadata identifier. The tool must also warn users that misuse for unlawful synthetic content (NCII, CSAM, forgery, impersonation) is prohibited, and the tool must take “reasonable” technical steps to prevent generation of those categories.
The hardest engineering question for SGI providers is not the labelling itself. It’s the prevention obligation under Rule 3(3)(a)(i): how do you train your model to refuse to generate unlawful synthetic content without breaking legitimate creative use? Most tier-1 vendors have moved to layered safety: input-prompt filtering plus output classifier plus user reporting plus identity-verification gating for high-risk feature use.
Content creators and advertisers
A creator’s obligation under the rule flows through the SSMI. When the creator uploads to an SSMI, the creator must answer the synthetic-content declaration truthfully. A false declaration triggers account-level enforcement (warning, content removal, account suspension) and exposes the creator to criminal liability under Section 66C of the Information Technology Act, 2000 (impersonation by AI) and the relevant BNS provisions.
For advertisers and agencies running AI-generated campaigns, the new compliance step is a flow-down clause in the contract with the AI vendor. The vendor must warrant compliant labelling, the agency must require the creator to upload truthfully, and the advertiser must verify before publication. Industry templates emerging in March 2026 typically add three to five new clauses: SGI declaration, label retention, takedown cooperation, ASCI/IRDAI cross-compliance, and indemnity for false-declaration claims.
A worked example
Consider a mid-size Indian video platform with 8 million users that hosts user-generated music videos, some of which use AI voice-cloning tools to remix vocals.
On 21 February 2026, this platform faced four immediate compliance changes. First, it had to deploy an upload-time SGI declaration UX with truthful-statement language and an audio recording of consent. Second, it had to integrate at least one automated detection tool to verify declarations on a sample basis. Third, it had to scope its quarterly user-notice cycle to include synthetic-content rules. Fourth, it had to redesign its grievance-officer SLA from a 15-day to a 7-day window, and add a separate 2-hour SLA for NCII complaints.
The cost? Industry estimates from NASSCOM submissions suggested an additional INR 4-12 crore annually in detection-tool licensing and trust-and-safety headcount for an SSMI of this size. Smaller intermediaries scaling those numbers down still face material spend.
Stakeholder Key obligation Rule citation
Regular intermediary
Quarterly user warnings; takedown within prescribed window of lawful notice; Sahyog portal cooperation.
Rule 3(1)(b), 3(1)(c), 3(1)(d)
Significant Social Media Intermediary (SSMI)
Pre-publication user declaration; automated verification; perceptual-hash detection on every upload.
Rule 4(1A)
SGI tool provider
Embed metadata at generation; 10% visible / 10% audible label; prevent generation of NCII, CSAM, deceptive impersonation.
Rule 3(3)(a)(i)-(ii)
Content creator / advertiser
Truthful upload declaration; flow-down clauses with AI vendors; pre-publication label verification.
via Rule 4(1A)
How the IT Rules 2026 interact with Section 79 safe harbour and Shreya Singhal
This is the section that will decide whether the rule survives constitutional challenge. The rule asks intermediaries to do things Section 79 of the Information Technology Act, 2000, as read down by Shreya Singhal v. Union of India, (2015) 5 SCC 1, arguably bars. Or arguably permits. That ambiguity is now the most-debated question in India’s tech-law academic and litigation community.
The Shreya Singhal “actual knowledge” doctrine
In 2015, the Supreme Court ruled that an intermediary may be required to act only on “actual knowledge through a court order or government notification.” Private complaints, social-media outrage, and direct user demands do not trigger the duty to act. Without that doctrine, intermediaries would face an untenable burden to adjudicate every claim of unlawful content.
The IT Rules 2026 are nominally compatible with this doctrine. The three-hour clock starts on a “lawful order or notice from the government or its authorised agencies.” That’s the Shreya Singhal trigger.
The Kunal Kamra v UoI FCU strikedown
The harder question is whether Rule 3(3)(a)’s prevention-obligation language imposes a constructive-knowledge duty that goes beyond Shreya Singhal. In September 2024, the Bombay High Court in Kunal Kamra v. Union of India, 2024 SCC OnLine Bom 3052 struck down the 2023 Fact-Checking Unit amendment for exactly this reason. The court held that requiring intermediaries to treat FCU-flagged content as actionable, without independent court or government notice, was inconsistent with Section 79 of the Information Technology Act, 2000.
That ruling is the most relevant precedent for the new rule’s prevention-obligation challenge. If a constitutional petition is filed (and most law firms expect one within 12-18 months), the petitioner’s strongest argument is: Rule 3(3)(a)’s “deploy reasonable and proportionate technical measures to prevent the circulation of unlawful synthetic content” imposes the same constructive-knowledge duty the FCU amendment did, just expressed in technical-language clothing.
The X Corp v UoI ruling on the Sahyog portal
In 2025, the Karnataka High Court in X Corp v. Union of India, 2025 SCC OnLine Kar (Karnataka HC, 24 September 2025) validated the Sahyog portal as a “facilitation mechanism” rather than a censorship instrument. The ruling preserved the Section 69A blocking framework and treated the portal as administrative plumbing, not new substantive authority.
That ruling matters here because the IT Rules 2026 use the Sahyog portal as the principal channel for the three-hour clock. If a future challenge attacks the Sahyog mechanism, it attacks the takedown enforcement architecture. The Karnataka HC ruling raises that bar.
The constructive-knowledge tension under Rule 3(3)
Bottom line: the takedown obligation (Rule 3(1)(d)) is on safer constitutional ground than the prevention obligation (Rule 3(3)(a)). The prevention obligation is where the litigation will concentrate. The Centre’s defence will be that “reasonable and proportionate technical measures” is a due-diligence standard within Section 79’s text, not a constructive-knowledge expansion. The petitioner’s reply will lean on Kunal Kamra v. Union of India, 2024 SCC OnLine Bom 3052 and the X Corp framing.
A second-order effect worth flagging: if the prevention obligation is struck down, the labelling and takedown obligations probably survive on their own. The rule isn’t a single-package framework. It’s a tiered set of duties, each separately defensible. That suggests partial-strikedown is a more likely outcome than wholesale invalidation.
Personality rights case law as the legislative trigger
To understand why these rules exist, look at the Delhi High Court docket between 2022 and 2025. In that window, the court issued a string of personality-rights orders against deepfake misuse that, taken together, mapped out exactly what a legislative framework would need to do. The IT Rules 2026 are, in significant part, the legislative response to a judicial body that had run out of doctrinal patience.
The 2022-23 baseline
The starting point is the Delhi High Court’s 2022 ruling in Amitabh Bachchan v. Rajat Nagi, 2022 SCC OnLine Del 4110. The court extended common-law personality rights to AI-driven misuse of likeness and voice, well before “deepfake” was a household word in India. The court treated the actor’s persona as a protectable right under Article 21 dignity jurisprudence and granted an ex-parte injunction against unauthorised AI-driven exploitation.
The doctrine matured in 2023 with Anil Kapoor v. Simply Life India & Ors., 2023 SCC OnLine Del 6914. Here the court issued an omnibus injunction against unnamed defendants using AI tools, face morphing, and GIFs to commercially exploit a senior actor’s likeness. The order’s breadth (covering technologies and parties not specifically identified) was the doctrinal innovation.
The 2024 expansion
In 2024, the court extended the doctrine to voice and catchphrase. Jackie Shroff v. The Peppy Store, 2024 SCC OnLine Del 3664 confirmed that a recognisable catchphrase, voice, and image are personality-rights territory. Soon after, the Bombay High Court in Arijit Singh v. Codible Ventures LLP, 2024 SCC OnLine Bom 2706 restrained AI tools from cloning a specific singer’s voice for commercial exploitation. Together, these two rulings closed the loop on voice-cloning misuse.
What’s striking about the 2024 cases is the speed of the orders. Multiple injunctions were issued ex parte within hours of filing. The courts were treating deepfake and voice-clone misuse as the kind of irreparable-harm scenario that demanded immediate relief. That’s exactly the kind of judicial signal that legislation tries to operationalise at scale.
The 2024-25 wave
The wave broadened beyond film celebrities. In late 2024 and through 2025, the Delhi High Court delivered Rajat Sharma v. Tamara Doc, CS(COMM) 1147/2024, extending personality rights to a senior journalist whose likeness was being misused in scam pharmaceutical ads. The order required Google to remove deepfake YouTube channels within 36 hours. Then in October 2025, the court ordered automatic takedown of deepfake ads misusing a yoga guru’s identity to promote cryptocurrency scams.
By October 2025, the doctrine covered actors, singers, journalists, and spiritual leaders. The variety of victims established that this was a structural problem, not a celebrity issue. That structural framing was what made legislative action politically urgent.
Why courts could not solve the problem alone
A common practitioner question is: if the courts already issued these orders, why was the IT Rules 2026 needed? The honest answer is that judicial orders are reactive, party-specific, and slow. By the time an aggrieved person hires counsel, drafts a plaint, files for ex-parte injunction, gets a hearing, and serves the order, the deepfake has already done its damage. And the order only protects the named party.
A legislative framework, even if it has constitutional vulnerabilities, gives every potential victim a structural remedy. It also shifts the cost of compliance to platforms (who have engineering capacity) instead of victims (who don’t). That’s why the personality-rights case wave produced legislation, not just more case law.
Constitutional risks: Article 19, prior restraint, and the chilling effect
Almost no Indian commentator believes the IT Rules 2026 will pass constitutional review without modification. The question is which provisions survive intact, which get read down, and which get struck. Let’s walk the four pressure points.
Article 19(1)(a) and the proportionality test
Article 19(1)(a) protects the freedom of speech and expression. Article 19(2) permits “reasonable restrictions” on grounds including public order, decency, and defamation. The Supreme Court’s modern proportionality test, articulated in K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 and refined in subsequent cases, requires that any restriction be (1) authorised by law, (2) pursue a legitimate aim, (3) be a suitable means, (4) be necessary, and (5) be proportional in the strict sense.
The IT Rules 2026 satisfy the first two prongs without serious dispute. The third and fourth are the contested terrain. Are three-hour takedowns a “necessary” tool, or would 24-hour windows with stricter post-hoc review be equally effective? Is the 10% labelling spec proportionate, or does it impose collateral harms (legitimate creators forced to disfigure their work) that exceed the rule’s benefits?
The prior-restraint critique
Prior restraint is the constitutional doctrine that disfavours pre-publication suppression of speech. The labelling obligation under Rule 3(3)(a)(ii), and especially the SSMI verification under Rule 4(1A), arguably involve a form of prior restraint: content cannot be published without an SGI declaration, and the SSMI may withhold publication pending verification.
The Centre’s reply will be that labelling is a disclosure requirement, not a suppression. That distinction has worked for advertising-disclosure rules and for tobacco-warning rules. Whether it works here depends on how aggressively SSMIs verify. If verification routinely delays uploads by hours or days, the prior-restraint critique sharpens. If verification is automated and near-instant, it weakens.
Vagueness in “modified or altered”
The Rule 2(1)(wa) phrase “modified or altered” is, frankly, the single most over-reaching word combination in the rule. It captures an enormous range of content that no one seriously thinks Parliament wanted to regulate.
The Centre’s likely response is that the qualifier “in a manner that appears reasonably authentic or true” narrows the reach. That’s textually correct, but in practice the qualifier requires platform-level judgment, which means platforms will over-apply rather than under-apply (because over-applying carries less safe-harbour risk). The over-application is the constitutional injury.
Self-censorship and over-removal incentives
The rule’s incentive structure rewards removal over caution. An intermediary that wrongly takes down legitimate content faces minimal direct legal risk (Rule 3(1)(b) protects voluntary removal). An intermediary that wrongly leaves up flagged content faces full safe-harbour loss. That asymmetry creates a structural over-removal incentive.
Civil-liberties groups have argued that this incentive is the rule’s largest cost. Whistleblower content, journalistic exposes using AI tools to anonymise sources, and political satire are the categories most at risk. The chilling effect is real, and second-order. Platforms will tune their detection thresholds conservatively, and creators will self-censor to avoid the risk.
A common question users on Reddit and free-speech forums raise: what’s the remedy if my legitimate content is wrongly taken down? The answer is the grievance officer process under Rule 3(2)(d), then appeal to the Grievance Appellate Committee. Both remedies exist, and both are slow. By the time relief comes, the original content’s news value is usually gone. That’s the chilling effect operationalised.
Global comparison: India vs EU vs China vs Singapore
India’s deepfake rule is now the strictest synthetic-media regime in any major jurisdiction. The table below sets out the comparison.
| Jurisdiction | Takedown window (deepfake) | Labelling spec | Safe-harbour treatment | Statute |
|---|---|---|---|---|
| India | 3 hours (court/govt order); 2 hours (NCII) | 10% visual / 10% audio + provenance metadata | Conditional Section 79 safe harbour | IT Rules 2026 |
| EU | 24 hours (court order under DSA) | Machine-readable metadata; no visible-area threshold | Conditional safe harbour under DSA Article 6 | EU AI Act (2024) + Digital Services Act |
| China | Real-time pre-publication blocking required | Persistent visible label + real-name verification of uploader | No formal safe harbour for deep synthesis | Deep Synthesis Provisions, 2023 |
| Singapore | 6 hours (POFMA + Online Safety Act) | Content classification + label for harmful content | Conditional safe harbour | Online Safety Act, 2022 |
EU AI Act and the Digital Services Act
The EU’s AI Act (effective in stages from 2024 to 2026) requires machine-readable provenance metadata on AI-generated content, but does not specify a visible-area or audible-duration threshold. The Digital Services Act handles the takedown side, with a 24-hour window for court-ordered removal and stronger structural obligations on Very Large Online Platforms (VLOPs).
The EU framework is, on most measures, less strict than India’s. But it has stronger procedural protections (Trusted Flagger system, transparency reports, statement-of-reasons requirements) that India’s rule largely lacks.
China’s Deep Synthesis Provisions (2023)
China’s 2023 Deep Synthesis Provisions, issued by the Cyberspace Administration of China, are stricter than India’s on some axes and looser on others. Stricter: real-name verification of uploaders is mandatory, and labelling is more aggressively enforced. Looser: there is no equivalent of the safe-harbour structure, because China does not operate on a safe-harbour model in the first place.
The labelling requirement in China is qualitative (“conspicuous”) rather than quantitative (10%). India’s quantitative spec is, on its face, more enforceable, though also more rigid.
Singapore’s Online Safety Act
Singapore operates a 6-hour takedown window for harmful content under the Online Safety Act. That’s twice India’s deepfake floor. Singapore also operates the Protection from Online Falsehoods and Manipulation Act (POFMA), which can compel takedowns and corrections.
The Singapore approach favours structural compliance partnerships with major platforms over bright-line numerical specs. India’s three-hour and 10% specs are an explicit move away from that flexibility.
What India does that no one else does
Three things make India’s framework unique. First, the two-hour NCII window is the strictest in any major jurisdiction. Second, the 10% labelling spec is the only quantitative-area threshold globally. Third, the SSMI pre-publication declaration under Rule 4(1A) imposes a verification duty that no other jurisdiction has formalised at the rule level.
Whether these distinctive features become global templates or constitutional liabilities will be answered, in part, by the Indian challenge that’s almost certainly coming.
A practical compliance playbook (45-day plan)
If you’re advising a platform, an SSMI, an SGI tool provider, or an in-house team, here’s the 45-day plan that’s emerged across law-firm advisories in March-April 2026. The plan assumes you’re starting from a baseline IT Rules 2021 compliance posture and need to upgrade to IT Rules 2026.
Days 1-7: gap assessment
Start with an honest inventory. Map every content category your platform hosts. For each, identify whether it’s potentially SGI under Rule 2(1)(wa), what your current takedown SLA is, and what your current labelling capability is. The output is a compliance heatmap with three columns: where you’re already compliant, where you’re partially compliant, and where you have nothing.
Most platforms in March 2026 found themselves between 30% and 60% compliant on day one. The biggest gaps were typically (a) absence of the upload-time SGI declaration UX, (b) takedown SLA still on 36-hour or 7-day cadence, and (c) no perceptual-hash detection infrastructure.
Days 8-21: engineering build
The two-week engineering sprint should prioritise the takedown queue. Rebuild the queue from priority-by-recency to priority-by-trigger-tag, with a dedicated three-hour SLA queue for government and court orders, and a separate two-hour queue for NCII. Integrate Sahyog portal acknowledgement and post-takedown evidence upload into the queue automatically.
In parallel, build the upload-time SGI declaration UX. The minimum viable spec is a binary toggle (“Is any part of this content synthetically generated?”), backed by a truthful-statement consent log. Mature implementations add a typology selector (image, audio, video, text) and a use-case tag (entertainment, advertising, education, news).
Days 22-35: policy and legal
Update the Terms of Service to reflect the SGI declaration obligation, the platform’s takedown SLA, and the consequences of false declarations. Update the privacy notice to disclose automated detection processing, in alignment with the Section 7 of the Digital Personal Data Protection Act, 2023 consent obligations.
Refresh the grievance officer SLA to reflect the new windows: 7 days for general complaints, 36 hours for impersonation, 2 hours for NCII. Document the audit trail requirements for each category. Run a tabletop exercise on a hypothetical takedown scenario to identify gaps in the workflow.
Days 36-45: vendor and contractual flow-down
Audit every AI vendor contract. Add the SGI flow-down clauses: warranty of compliant labelling at output, cooperation in takedown, indemnity for false declarations, audit rights. Update advertiser and agency contracts with parallel clauses on creator declarations.
Review insurance coverage. Most cyber-liability policies issued before February 2026 don’t explicitly cover safe-harbour-loss exposure. Renewal-time conversations with the insurer should add an explicit IT Rules 2026 endorsement.
Documentation an audit trail must capture
Every takedown decision should be logged with the following minimum data: the trigger (Sahyog portal order ID, court order, user complaint ID), the time of receipt, the time of action, the action taken (remove, disable, geo-block), the URL or content identifier, the perceptual-hash if applicable, the user notification log, and the post-takedown evidence reference.
This audit trail is what an aggrieved person’s lawyer will subpoena, what a regulator will request in any inquiry, and what an insurer will require for safe-harbour-loss claims. Treat it as the most important compliance artefact you produce.
Future-proofing for the Digital India Act
The Digital India Act is the long-pending replacement for the IT Act, 2000. Drafts have been circulating since 2023. Practitioners expect the Digital India Act to subsume major parts of the IT Rules 2026 into primary legislation, which would partially insulate the framework from constitutional challenge.
Building your compliance architecture with that future in mind matters. Two design choices pay off. First, store the audit trail in an exportable, vendor-neutral format. Second, treat the Sahyog portal integration as a Sahyog-or-equivalent integration: when the Digital India Act introduces its own portal, the migration cost should be an integration update, not a rebuild.
Interaction with the DPDP Act 2023 and other Indian laws
The IT Rules 2026 don’t operate in isolation. They sit alongside Section 4 of the Digital Personal Data Protection Act, 2023 consent rules, the Copyright Act personality-rights backdrop, and the BNS criminal-law layer. Understanding how these interact is the difference between a compliant framework and a paper one.
DPDP consent for SGI using personal data
If a synthetic-content tool generates content based on identifiable personal data (a person’s image, voice, name, biometric features), the DPDP Act consent regime applies. The data fiduciary (the SGI tool provider, in most cases) needs lawful basis under Section 4 of the Digital Personal Data Protection Act, 2023: consent, or a specified legitimate use.
The IT Rules 2026 labelling and takedown obligations don’t displace the DPDP Act. They stack on top. A tool that generates a deepfake without DPDP-compliant consent has at least two legal problems on day one: a DPDP consent failure and a Rule 3(3)(a) labelling failure. Both regulators (DPDP Board and MeitY) can act independently.
Copyright Act 1957 and the personality-rights interface
Personality rights in India are largely common-law constructs, not codified. But the Copyright Act, 1957, protects performances, voice recordings, and audio-visual works. A deepfake that uses an identifiable performance without licence triggers copyright infringement in addition to personality-rights misuse.
The practical lesson for advertisers and agencies is that the IT Rules 2026 compliance does not substitute for IP licensing. A correctly labelled AI-generated ad using an unlicensed voice clone is still a copyright violation, regardless of how prominent the SGI label is.
BNS 2023 criminal layer
The Bharatiya Nyaya Sanhita, 2023, replaced the IPC effective July 2024. The criminal provisions most relevant to synthetic-content misuse are forgery (Section 336 BNS), cheating by personation (Section 319 BNS), defamation (Section 356 BNS), and the various sexual-harassment provisions including 354A. Combined with Section 66C of the Information Technology Act, 2000 (impersonation by AI) and Section 66E of the Information Technology Act, 2000 (privacy violation), these are the primary criminal hooks.
A common question on practitioner forums is whether the IT Rules 2026 add new criminal liability. The honest answer is no. The criminal liability already exists under the BNS and IT Act. What the rule does is make the intermediary an enforcement actor, with safe-harbour loss as the consequence.
Section 69A blocking vs Rule 3(1)(d) takedown
The two takedown architectures coexist. Section 69A of the Information Technology Act, 2000 blocking is a structured executive process with notice, hearing, and review committee, used for content threatening sovereignty, integrity, public order, or relations with foreign states. Rule 3(1)(d) takedown is the day-to-day intermediary obligation triggered by lawful order or notice.
In practice, a single piece of harmful synthetic content can be addressed through both. A deepfake political ad threatening public order during an election could be subject to a §69A blocking order (executive route) and a Rule 3(1)(d) takedown (intermediary obligation route) simultaneously. Most enforcement actions in 2026 are expected to use the Rule 3(1)(d) route because it’s faster.
What this means for content creators, advertisers, and AI startups
The IT Rules 2026 create new obligations beyond the platform layer. Creators, ad agencies, and AI startups all need to update their practices on or before 20 February 2026, because the SSMIs they depend on are now passing through compliance flow-downs.
Creator-side declarations
For an individual content creator, the new world is a check-box at upload. Answer it truthfully. The temptation to default to “no” (because labels look bad on engagement metrics) is exactly what the rule is designed to detect, via the SSMI’s automated verification.
A practical recommendation: build the SGI label into the creative direction itself. Treat the label as a design constraint, not an afterthought. Creators who do this well in early 2026 are seeing minimal engagement drop. Creators who treat the label as ugly compliance overhead are seeing larger drop-offs because the label gets clipped on, looking pasted-in.
Advertiser and agency duty
Agencies running AI-generated campaigns now need three things in their internal workflow. First, a documented SGI declaration template that runs at every creator handoff. Second, a flow-down clause in every AI vendor contract requiring labelled outputs. Third, a pre-publication verification step that confirms labels are still present after the platform’s auto-encoding.
Worth flagging: a synthetic celebrity endorsement is a different beast. Even with a perfect SGI label, it’s almost certainly a personality-rights violation unless the celebrity has licensed the AI use. The IT Rules 2026 do not provide a synthetic-endorsement permission. They only require labelling.
AI startups and Rule 3(3) compliance
If you’re building an AI image, voice, or video generator and offering it to Indian users, Rule 3(3) compliance starts on day one. That means the labelling and metadata embedding must be in the v1 product, not retrofit. It means your trust-and-safety layer must include the Rule 3(3)(a)(i) prohibition categories (NCII, CSAM, false electronic records, deceptive impersonation) before launch. It means your vendor contracts with downstream platforms must reflect the labelling warranty.
For Indian-incorporated startups, the rule is straightforwardly applicable. For foreign-incorporated startups serving Indian users, the rule reaches you via the SSMI compliance chain: if the platforms you depend on (Apple App Store, Google Play, Meta integrations) are SSMIs, they will require Rule 3(3) compliance from you as a condition of distribution.
Career and market signals
The compliance burden is creating a new role category in Indian tech-legal employment: the synthetic-content compliance officer. Tier-1 platforms began hiring for this role in March-April 2026, and demand has been faster than supply. Compensation in NCR and Bengaluru is tracking 25-40% above general technology counsel salaries.
Practitioners expect a parallel legaltech vendor wave. The SaaS opportunity (takedown queue managers, SGI verification engines, audit-trail platforms) is similar in shape to the GDPR consent-management vendor wave that emerged in 2018-2019 in Europe. Indian legaltech firms with cyber-forensics depth are well-positioned for this market.
The second-order effect for cyber-law practitioners is straightforward: clients now need integrated advice across the IT Rules 2026, the DPDP Act, the Copyright Act, and the BNS. Single-statute expertise is increasingly insufficient. The skill premium accrues to practitioners who can map a client’s content workflow end-to-end across four-plus statutes simultaneously.
Frequently asked questions
What are the IT Rules 2026?
The IT Rules 2026 are amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, made under Section 87 of the Information Technology Act, 2000 of the IT Act, 2000. They introduce a new definition of synthetically generated information, a 10% labelling spec, a four-tier takedown timeline, and SSMI pre-publication verification duties under Rule 4(1A).
When did the IT Rules 2026 come into effect?
The Centre notified the rules on 10 February 2026. They became effective on 20 February 2026. There is no phased compliance window in the gazette text.
What is “synthetically generated information” or SGI?
Under Rule 2(1)(wa), SGI is information that is “artificially or algorithmically created, generated, modified or altered using a computer resource, in a manner that appears reasonably authentic or true” and is “capable of being mistaken for an actual person or real-world event.” The definition deliberately reaches beyond deepfakes to include voice clones, AI-generated images, and AI-modified video.
Does the IT Rules 2026 cover AI-generated text?
The labelling obligation under Rule 3(3) applies to visual surface area or audio duration, so pure AI-generated text typically falls outside its immediate scope. AI-generated text presented as the original work of an identifiable person, however, can trigger criminal liability under Section 66C of the Information Technology Act, 2000 and BNS provisions, even without an explicit labelling duty.
Who must comply with the IT Rules 2026?
All intermediaries serving Indian users must comply. The level of obligation differs: regular intermediaries (web hosts, search engines), Significant Social Media Intermediaries (SSMIs with 5 million+ Indian users), SGI tool providers (AI image, voice, video generators), and content creators each have different duty bundles, but no category is exempt.
Are foreign platforms like Meta, X, and YouTube covered?
Yes. The IT Rules 2021, as amended, apply to any intermediary providing services in India, regardless of where the entity is incorporated. All major foreign social media platforms qualify as SSMIs under the 5 million Indian-user threshold and are subject to the full Rule 4(1A) obligation set.
Are filters and basic edits covered as SGI?
The explanatory framework excludes basic editing operations: noise reduction, format conversion, image-quality enhancement, and routine AI assistance for grammar or translation. Cosmetic filters that beautify a real person’s image are generally outside scope. Filters that swap a face onto another person’s body, however, fall within the SGI definition.
Do the rules apply to satire, parody, and educational content?
The rule does not provide an explicit satire or parody defence. In practice, intermediaries will rely on context-and-intent assessments to distinguish protected satire from harmful misuse. Educational deepfakes (for instance, AI-generated voice clones used in tutoring) need to carry the SGI label, but are not otherwise prohibited.
What is the 3-hour takedown rule?
Under amended Rule 3(1)(d), an intermediary must remove or disable access to flagged synthetic content within three hours of receiving a court order or government notice through the Sahyog portal or other authorised channel. The shortest variant is a two-hour window for non-consensual intimate imagery (NCII).
What happens if a platform misses the 3-hour window?
The headline consequence is loss of Section 79 of the Information Technology Act, 2000 safe harbour for that specific content item. The platform then faces civil and criminal liability as a publisher. The exposure flows through tortious privacy and defamation claims, plus criminal liability under Section 66C of the Information Technology Act, 2000, Section 66E of the Information Technology Act, 2000, and applicable BNS provisions.
What is the 10% AI labelling rule?
Rule 3(3)(a)(ii) requires SGI tools to label synthetic content visibly or audibly. The label must cover at least 10% of the visual surface area or be audible for at least 10% of the audio duration. The label must be “prominent” and cannot be removed, suppressed, or altered by the user.
What labelling and provenance metadata must AI tools embed?
In addition to the visible or audible label, SGI tools must embed a permanent unique metadata identifier at the point of generation. The rule does not prescribe a specific technical standard, but practical compliance is converging on the C2PA (Coalition for Content Provenance and Authenticity) framework, with C-DAC verification at intermediary level.
IT Rules 2026 vs IT Rules 2021: what changed?
The IT Rules 2026 add Rule 2(1)(wa) defining SGI, expand Rule 3(3) to require labelling and prevention obligations on synthetic content, compress the takedown windows under Rule 3(1)(d) and 3(2)(b), and add Rule 4(1A) imposing pre-publication declaration and verification duties on SSMIs. The IT Rules 2021 baseline (grievance officer, traceability, three-tier digital-media oversight) remains in force.
India’s deepfake rule vs EU AI Act: which is stricter?
India’s rule is stricter on most measures. The takedown window is shorter (3 hours vs 24 hours under the DSA), the labelling spec is more rigid (a 10% area threshold vs the EU’s machine-readable metadata standard), and the SSMI pre-publication verification has no direct EU equivalent. The EU framework, however, has stronger procedural protections (Trusted Flagger, transparency reports) that India’s rule largely lacks.
Section 69A blocking vs Rule 3(1)(d) takedown: when does each apply?
Section 69A of the Information Technology Act, 2000 blocking is a structured executive process for content threatening sovereignty, integrity, public order, or foreign relations, with a formal notice-and-hearing committee. Rule 3(1)(d) takedown is the routine intermediary duty triggered by lawful order or notice, with no parallel committee. A single piece of harmful synthetic content can be addressed through both routes.
Can the IT Rules 2026 be challenged constitutionally?
Yes, and most law firms expect a challenge in the Bombay, Delhi, or Karnataka High Courts within 12-18 months. The strongest constitutional grounds are Article 19(1)(a) (chilling effect on legitimate speech), Article 14 (vagueness in the “modified or altered” definition), and the Shreya Singhal “actual knowledge” doctrine (whether Rule 3(3)(a) imposes constructive knowledge). The takedown obligation is on safer ground than the prevention obligation.
How does the rule interact with Section 79 safe harbour and Shreya Singhal?
The takedown obligation tracks the Shreya Singhal v. Union of India, (2015) 5 SCC 1 formulation: the clock starts on a court or government notice. The prevention obligation under Rule 3(3)(a), which arguably imposes constructive-knowledge duties, is harder to reconcile with Section 79 of the Information Technology Act, 2000 as read down by the Supreme Court. The Bombay High Court’s Kunal Kamra v. Union of India, 2024 SCC OnLine Bom 3052 strikedown is the most relevant precedent for that challenge.
What civil and criminal liability arises if an intermediary loses safe harbour?
Civil liability flows through tortious privacy, defamation, and personality-rights claims by aggrieved persons. Criminal exposure flows through Section 66C of the Information Technology Act, 2000 (identity theft), Section 66E of the Information Technology Act, 2000 (privacy violation), and BNS provisions covering forgery, cheating by personation, and defamation. The intermediary, having lost safe harbour, faces these as a publisher rather than a conduit.
References
Case Law
- Amitabh Bachchan v. Rajat Nagi, 2022 SCC OnLine Del 4110 (Delhi HC, 25 November 2022)
- Anil Kapoor v. Simply Life India & Ors., 2023 SCC OnLine Del 6914 (Delhi HC, CS(COMM) 652/2023, 20 September 2023)
- Arijit Singh v. Codible Ventures LLP, 2024 SCC OnLine Bom 2706 (Bombay HC, 2 September 2024)
- Jackie Shroff v. The Peppy Store, 2024 SCC OnLine Del 3664 (Delhi HC, 14 May 2024)
- K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (Supreme Court, 9-judge Constitution Bench, 24 August 2017)
- Kunal Kamra v. Union of India, 2024 SCC OnLine Bom 3052 (Bombay HC, 26 September 2024)
- Rajat Sharma v. Tamara Doc, CS(COMM) 1147/2024 (Delhi HC, 7 November 2024)
- Shreya Singhal v. Union of India, (2015) 5 SCC 1; AIR 2015 SC 1523 (Supreme Court, 24 March 2015)
- X Corp v. Union of India, 2025 SCC OnLine Kar (Karnataka HC, 24 September 2025)
Statutes
- Information Technology Act, 2000: sections cited 66C, 66E, 69A, 79, 87
- Bharatiya Nyaya Sanhita, 2023: sections cited 319, 336, 354A, 356 (and IPC 465, 469 historical)
- Digital Personal Data Protection Act, 2023: sections cited 4, 7
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as amended by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026 (notified 10 February 2026, effective 20 February 2026): Rule 2(1)(wa), Rule 3(1)(b), Rule 3(1)(c), Rule 3(1)(ca), Rule 3(1)(d), Rule 3(2)(a)-(b), Rule 3(2)(d), Rule 3(3)(a)(i)-(ii), Rule 4(1A).
Government and secondary sources
- MeitY explanatory note dated 22 October 2025: published draft amendments and consultation framework.
- MeitY notification dated 10 February 2026: final amendment in Gazette of India.
- Sahyog portal: operational since 2024, validated by the Karnataka High Court in X Corp v. Union of India, 2025 SCC OnLine Kar (Karnataka HC, 24 September 2025) (2025).
This article is for informational and educational purposes only and does not constitute legal advice. For specific legal guidance, consult a qualified legal professional.
