legalanswers.in logolegalanswers.in
Technology & Future Law

What do the IT Rules 2021 say about my privacy and content takedown rights?

Updated · 6 July 2026

The IT (Intermediary Guidelines) Rules, 2021 require platforms to remove unlawful content within 36 hours of court/govt order, non-consensual intimate imagery within 24 hours of user complaint, and provide a Grievance Officer who must respond in 24 hours.

What content can I get taken down under IT Rules 2021?

The IT Rules 2021 don't define unlawful content directly — they cross-reference existing law. In practice, the categories most commonly used for takedown are:

Content violating Indian laws — defamation (Section 356 BNS), hate speech (Sections 196, 297-298 BNS), obscenity (Sections 67/67A IT Act), threats (Section 351 BNS) and copyright infringement. Non-consensual intimate imagery attracts the tightest 24-hour takedown obligation and covers photos or videos of nudity or sexual acts shared without consent, morphed or deepfake nude images, voyeurism content (Section 77 BNS), revenge porn, and upskirt or downblouse photos. Content harmful to children includes CSAM, material harming minors and cyberbullying.

Misinformation harming public order, defence or national security can be directed for takedown by government, with the PIB Fact Check Unit's role expanding (and being challenged in court). Impersonation covers fake accounts of real persons and deepfakes (24-hour takedown under MeitY advisories — see our deepfake guide). IP infringement — copyright, trademark and patent — uses notice-takedown mechanisms.

Personal data breaches get a separate erasure right under DPDPA Section 12. Content threatening or instigating violence includes communal or religious hate, incitement to violence, and threats to public order. Other prohibited categories cover promoting prohibited substances, gambling where illegal, and child marriage. And every platform enforces its own community guidelines in parallel.

The Rules do not override fundamental rights — legitimate criticism, satire, journalism and art remain protected, and platforms cannot use the Rules as cover for arbitrary censorship of lawful speech.

How do I file a content takedown request?

Move systematically. Capture evidence first: screenshots with URL, timestamp and content visible; save the URL of the post and the user's profile; download videos legally where possible or use an archive.org snapshot; and note the specific harm caused. Identify the platform's reporting mechanism — most have in-app reporting under a three-dot menu with categories like impersonation, harassment, NCII, hate speech, CSAM and IP violation; choose the most accurate category. Submit the report through the platform, note the reference number, wait for the automated acknowledgement, then a human or automated review.

If unsatisfactory, escalate to the platform's Grievance Officer. Every platform must publish the Grievance Officer's email and address under Rule 3(2). Email with the URL and screenshots, describe the harm, cite the legal basis (specific BNS or IT Act sections), and demand takedown under IT Rules 2021. Acknowledgement within 24 hours is mandatory. Resolution timelines: 24 hours for non-consensual intimate imagery, 15 days for other complaints, 72 hours for emergency content.

Escalate further to the Grievance Appellate Committee (GAC) at gac.gov.in within 30 days of the platform's decision or non-decision — free and online, the GAC reviews and can direct takedown. For criminal content (CSAM, threats, defamation, deepfakes), file at cybercrime.gov.in or call 1930; the cyber cell can issue takedown directions.

For serious or repeated violations, seek a court order — file a suit or petition in the civil or High Court and ask for an interim injunction, often granted ex parte in 24-48 hours for egregious cases. Court orders bind all platforms to comply within 36 hours; John Doe orders handle re-uploads by anonymous users. Engage a reputable, specialised cyber-law lawyer for repeated violations or large-scale harm.

What is the Grievance Appellate Committee (GAC)?

The Grievance Appellate Committee (GAC) was constituted in early 2023 under amended IT Rules to hear appeals from users dissatisfied with platforms' grievance handling. Each GAC has a Chairperson (typically a serving or retired government official) and two independent members; three GACs were operational as of 2024.

Its jurisdiction covers appeals against decisions of social media intermediaries' Grievance Officers — Meta (Facebook, Instagram), X (Twitter), Google (YouTube, Maps), LinkedIn, Snapchat, Telegram, WhatsApp, Sharechat, Koo and others. News publishers and OTT platforms sit under a separate Code under Part III. Appeals must be filed within 30 days of the platform's decision or expiry of the resolution timeline — the limit is strict and delays are rarely condoned.

Procedure runs through the online portal at gac.gov.in, is free, and can be self-represented. You upload the original complaint to the platform, the platform's response, and your appeal grounds. The GAC issues notice to the platform, holds an online hearing, and decides within 30 days.

GAC powers include directing content takedown, restoration of wrongly removed content or suspended accounts, and specific compliance orders — binding on platforms. Effectiveness is mixed: some takedown orders are complied with quickly, others contested, but it remains a useful intermediate forum between platform grievance and court, cheaper and faster than litigation. Limitations: GAC cannot award compensation or quash criminal proceedings, and its remedy for criminal offences remains limited (an FIR is still needed). Constitutional challenges to the GAC are pending on concerns about executive overreach into speech.

Beyond the GAC, options include a writ petition in the High Court for systemic violations, a civil suit for damages, and a criminal complaint. For substantial cases, engage a reputable, specialised cyber-law lawyer. See our picture takedown guide for related procedure.

What additional rules apply to messaging platforms like WhatsApp?

Messaging platforms — WhatsApp, Telegram, Signal — face several additional obligations under IT Rules 2021.

The most contested is the traceability requirement in Rule 4(2): Significant Social Media Intermediaries providing messaging services must enable identification of the 'first originator' of information when required by court or government, but only for serious offences — sovereignty, security, public order, decency, morality, defamation, incitement to offences — and only on court order or competent authority direction. WhatsApp has challenged this in the Delhi High Court (pending), arguing it undermines end-to-end encryption and is fundamentally incompatible with the platform's architecture; government's counter is that use is limited to grave offences.

Structurally, messaging platforms must appoint a Chief Compliance Officer, Nodal Contact and Grievance Officer, all Indian residents. A Monthly Compliance Report — grievances received, actions taken, content removed and reasons, active users, account actions — must be published on the platform's website. Voluntary user verification creates layered accounts with a 'verified' badge, though it isn't mandatory. IT Rules don't expressly prohibit end-to-end encryption, but traceability creates tension with it, and the litigation over Rule 4(2) is ongoing.

Cooperation with law enforcement requires a 24×7 Nodal Contact, time-bound response to lawful requests, and information furnishing under lawful process (e.g. Section 91 BNSS). Platform-specific practices include forwarding limits that WhatsApp introduced itself to curb misinformation, scrutiny of mass forwarding, and limited liability for group admins — the Madras High Court in R. Rajendran v. State indicated group admins may face criminal liability if they knowingly permit criminal content.

DPDPA, 2023 applies alongside — right to access, correct and delete personal data, and consent for processing (see our data breach rights guide). Messaging platform compliance is the most contested area of the IT Rules; engage a reputable, specialised tech / constitutional lawyer for issues here.

How do news media, OTT and online gaming get regulated?

Part III of IT Rules 2021, together with the 2023 amendments, creates separate regimes for news, OTT and online gaming.

Digital news media must observe the 'Norms of Journalistic Conduct' of the Press Council and the Programme Code under Cable TV Network Rules, through a three-tier grievance system: self-regulation by publisher, self-regulation by industry body, and government oversight through an Inter-Departmental Committee. Government can direct content removal under emergency provisions. The Bombay High Court in The Leaflet v. Union of India (2021) stayed Rules 9(1) and 9(3) for online news media on free-speech grounds, and the expanded role of the PIB Fact Check Unit under the 2023 amendments has itself been challenged.

OTT platforms follow a Code of Ethics: content classification into U, U/A 7+, U/A 13+, U/A 16+ and A categories, parental locks, the same three-tier grievance mechanism, and self-classification with industry guidelines, with government oversight via the Inter-Departmental Committee. Scrutiny remains lower than broadcast TV, which is bound by a Programme Code.

Online gaming, added by the 2023 amendment, subjects Real Money Games (RMG) to Self-Regulatory Body (SRB) certification, with mandatory KYC, grievance redressal, time and spend limits, and restrictions on advertising games of chance — see our online gaming guide.

Other categories run under separate frameworks: e-commerce under the Consumer Protection (E-Commerce) Rules, 2020 (see our e-commerce guide); FinTech under RBI guidelines; EdTech under proposed regulations; HealthTech under proposed Digital Health Data Rules. Cross-cutting layers apply throughout — DPDPA 2023 for data protection, sectoral regulators (RBI, SEBI, IRDAI, TRAI, MIB), constitutional law (Articles 14, 19, 21), and criminal law (BNS, IT Act). The proposed Digital India Act is expected to consolidate and clarify much of this; draft awaited as of early 2026. Engage a reputable, specialised tech / media / data privacy lawyer.

Reference Citation: IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended 2022 and 2023); IT Act, 2000 (Section 79); DPDP Act, 2023

Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.