Scroll Top


IT Rules 2021 are said to be a revolutionary set of rules in the world of cyber laws, in this blog article I will delve into the nuances brought forth by IT rules 2021, what was the need for the rules, emerging challenges due to the introduction of the new rules and the amendments made it. India


IT Rules 2021[1] are said to be a revolutionary set of rules in the world of cyber laws, in this blog article I will delve into the nuances brought forth by IT rules 2021, what was the need for the rules, emerging challenges due to the introduction of the new rules and the amendments made it. India being the world’s largest emerging economy with investors from across the world planning to expand their business in the country, stands at 2nd position for its internet usage, thanks to the affordable data which is accessible to the people. That being said, the abovementioned facts bought it to the attention of the government that the internet is being misused with various types of explicit content being shared which contains child pornography, content related to the commission of heinous crimes, offensive videos, messages which may incite communal violence and various other types of triggering content. It was the need of the hour that after the 2011 IT amendment[2], we required stronger legislation which served the needs of the changing times.


Before the detailed explanation of the IT Rules 2021, it is necessary to understand the historical background of the IT act. The IT act 2000 came into force as a primary information technology governing legislation in the year 2000 after the United Nations Commission on International Trade Law (UNCITRAL)[3] adopted a model law on e-commerce and digital intricacies, which also made it compulsory for every nation to have its laws on e-commerce and cyber-crimes. The introduction of the IT Act 2000[4] made India the 12th country to adopt a cyber act. In the years to come this act served as a benchmark for governing information technology and cybercrimes in the country.

In the year 2008, the IT Act 2000 was amended by the Information Technology (Amendment) Act, 2008 which bought sections 66A, 67, 67A, and 43A[5]. section 43A and Section 72A[6], which criminalizes intentional personal data breach, which requires the maintenance of reasonable security practises and procedures by bodies corporate that possess, deal with, or handle any sensitive personal data or information and provides compensation for failure to protect such data. Even though Section 43A stated that “sensitive personal data or information” would pertain to personal information that would be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit, the above-mentioned amendment did not define either personal data or sensitive personal data. With effect from March 28, 2012, India acquired its first legislative framework for data privacy thanks to the 2011 Rules, which were drafted in accordance with the instructions provided to the Central Government under Section 87(2)[7] by the virtue of its rule-making power. The objective of section 43A is that (a) a body corporate that processes sensitive personal data or information in a computer resource under its ownership or control must maintain reasonable security practices and procedures and (b) if it is negligent in doing so it causes wrongful loss to any person on account of such negligence, the body corporate shall be liable to compensate the person so affected by the damage. It is often understood that section 43A only refers to ‘sensitive personal data or information’ and will not apply to non-sensitive personal data. However, upon diligently reading the text of the IT Rules 2011, one can conclude that the phrase ‘personal information or sensitive personal data or information’ is a lot more mainstream. Rule 3 of IT Rules 2011 categorises personal data into sensitive personal data in 8 categories which are as follows-

  1. Passwords,
  2. Sexual orientation
  3. Medical records and history
  4. Financial information for eg. Bank account, debit/credit other payment details
  5. Biometric information
  6. Any abovementioned detail provided to a body corporate
  7. Any abovementioned information received by corporate for processing, stored under lawful contract or otherwise.[8]

Over the years various types of social media and video content-sharing platforms emerged which became very popular amongst the youth culture and the people of the country at large which has drastically changed the definition of sensitive data and personal data all these changes required a new set of rules and changing the dynamics of how information technology and cyber laws are perceived at large.

IT ACT 2021

The IT act 2021[9] was enacted as a replacement for the 2011 IT rules. The IT Rules 2021 put forth greater accountability on the intermediaries to operate in alignment with the social, moral, and political fabrication of the country, soon after amendments were introduced to these rules which will be discussed further. As per the trends released by the Press Information Bureau, approx. 530 million people use WhatsApp actively in India, 410 million active youtube users, 210 million active Facebook, and Instagram users and various other uncountable social media users. Social media in today’s era has become a medium of communication as well as a source of expression of views and opinions of people. For framing the new IT Rules 2021 the government has referred to the Prajjwala Case 2018 wherein the Supreme Court had observed the government must frame necessary guidelines to eliminate child pornography, gang rape and rape videos, and sites from content sharing platforms. The government released the rules upon amending them in 2022.

The following table explains various definitions and nuances that the IT Rules 2021 have provided-

Sr. No.




News Aggregator

“an entity who, performing a significant role in determining the news and current affairs content being made available, makes available to users a computer resource that  enables  such  users  to  access  the  news  and  current  affairs  content  which  is  aggregated, curated and presented by such entity.” [Rule 2(o)]


Publisher of news and current affairs content

an online paper, news portal, news aggregator, news agency and such other entity called by whatever name, which is functionally similar  to  publishers  of  news  and  current  affairs  content  but  shall  not  include  newspapers, replica e-papers of the newspaper and any individual or user who is not transmitting content in the course of systematic business, professional or commercial activity;” [Rule 2(t)]


Publisher of online curated content

“Means a publisher who, performing a significant role in determining  the  online  curated  content  being  made  available,  makes  available  to  users  a computer resource that enables such users to access online curated content over the internet or computer  networks,  and  such  other  entity  called  by  whatever  name,  which  is  functionally similar to publishers of online curated content but does not include any individual or user who is not transmitting online curated content in the course of systematic business, professional or commercial activity;” [Rule 2(u)]


Significant social media intermediary

“a social media intermediary having the number of registered users in India above such threshold as notified by the Central Government.” [Rule 2(v)]


Social media intermediary

“an intermediary which primarily or solely enables online interaction between two or more users and allows them to create,  upload, share, disseminate, modify or access information using its services. [Rule 2(w)]



The following points discuss the criticism –

  • The rules were passed haphazardly, without proper hearing in the parliament.
  • The rules seem to be unconstitutional and violative of the K S Puttaswamy judgment[10] and violative of the right to privacy which was established in the Aadhar Judgement.
  • The introduction of the new rules has increased the censorship of internet content and also mandates data sharing with the government as and when required.
  • Subordinate legislation being a limited rule-making power cannot be used by the legislation to make primary legislation by enacting the IT Rules 2021 the parliament has increased the scope of subordinate legislation.
  • The new rules also propose to regulate digital news media which is again violative of the right to free speech and expression under article 19 (1) (a)[11].
  • The new rules also provide for the filing of cases if a person has grievances related to the content on social media.
  • Big social media intermediaries such as Facebook, WhatsApp, etc., have to appoint chief compliance officers who are residents of India along with a nodal officer for coordinating with law enforcement agencies.
  • The rules provide for storing the user data by the intermediaries for some time to be used by the government agencies in case some crime or offending activity has been committed.
  • The Rules upon the judicial order obtained by the government require the intermediaries to trace the originator and identify the source of the message or the graphic content. It also raises a few fundamental questions that the right to privacy is infringed and is contrary to the end-to-end encryption as guaranteed by the intermediaries.
  • The new rules categorise the intermediaries into two categories i) small-social media intermediaries and ii) large intermediaries. This bifurcation imposes a compulsion on the digital news sites to be registered with the Ministry of Information and Broadcasting but not the digital news services, further OTT platforms are also required to agree to a government-supervised, “self-regulatory system”.


IT Rules 2021 are said to be a revolutionary set of rules in the world of internet content regulation and governance and they are a much-needed set of legislation, especially in this globalization era where everything is connected to the internet.

Author(s) Name: Ishita (Maharashtra National Law University, Aurangabad)


[1] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

[2] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or information Rules, 2011

[3] UNCITRAL (1996), <>, accessed on January 07, 2023

[4] Information Technology Act, 2000

[5] Information Technology (Amendment) Act, 2008, s. 66A, 67, 67A, 43A

[6] Information Technology (Amendment) Act, 2008, s. 72A

[7] Information Technology Act, 2000, s. 87(2)

[8] IT Rules, 2011, Rule 3

[9] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

[10] (2019) 1 SCC 1

[11] The Constitution of India, art. 19 (1) (a)