INDIA

Since June 2000, entry into force in October 2000, last amended in August 2023

Pillar Intermediary liability  |  Sub-pillar Safe harbour for intermediaries for copyright infringement
Information Technology Act, 2000
The Information Technology Act establishes a safe harbour regime for intermediaries for copyright infringements. Section 79 of the Act provides intermediaries with qualified immunity for unlawful content as long as they follow the prescribed due diligence requirements and do not conspire, abet or aid an unlawful act. However, the protection lapses if an intermediary with "actual knowledge" of any content used to commit an unlawful act or, on being notified of such content, fails to remove or restrict access to it.
Coverage Internet intermediaries

INDIA

Since February 2021

Pillar Intermediary liability  |  Sub-pillar Safe harbour for intermediaries for any activity other than copyright infringement
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021 establish a safe harbour regime for intermediaries that extends beyond copyright infringement. According to Rule 3.1(d), an intermediary, after receiving 'actual knowledge' through a court order or by being notified by a government agency, must remove information that is prohibited by law in relation to the interest and sovereignty of India, the security of the state, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, incitement to an offence or information which violates any law which is in force. Such information has to be removed within thirty-six hours from receipt of actual knowledge by the intermediary.
In addition, "significant social media intermediaries", defined as having more than five million registered Indian users, need to observe additional due diligence requirements to claim the immunity/safe harbour available. Rule 6 of the Information Technology Rules provides that even if a social media intermediary does not meet this user threshold, the Central Government may still require an intermediary to meet these additional obligations if it believes that their operations create a material risk of harm to the sovereignty and integrity of India or to the security of the State. This discretion to the Central government may lead to the arbitrary imposition of additional obligations on certain intermediaries. The additional due diligence requirements include appointing certain personnel for compliance, enabling identification of the first originator of the information on its platform under certain conditions, and deploying technology-based measures on a best-effort basis to identify certain types of content.
Coverage Internet Intermediaries

INDIA

Since October 2017

Pillar Intermediary liability  |  Sub-pillar User identity requirement
Regulation on the Use of Aadhaar e-KYC Service of the Unique Identity Authority of India (UIDAI) for Issuing New Mobile Connections and Re-Verification of Existing Subscribers via OTP-Based Authentication
According to the Regulation on the Use of Aadhaar e-KYC Service of the Unique Identity Authority of India (UIDAI) for Issuing New Mobile Connections and Re-Verification of Existing Subscribers via OTP-Based Authentication, Indian citizens are required to register their SIM card with their Aadhaar Card (a type of national identity card). Foreigners have to provide their passport, a photocopy of their Indian visa/travel permit, a passport-sized photo and contact details.
Coverage Telecommunications sector

INDIA

Since December 2018

Pillar Intermediary liability  |  Sub-pillar Monitoring requirement
Information Technology Intermediaries Guidelines (Amendment) Rules, 2018
According to Art. 3.3 of the Information Technology Intermediaries Guidelines Rules, intermediaries are required to deploy technology-based automated tools or appropriate mechanisms with appropriate controls for proactively identifying and removing or disabling public access to unlawful information or content.
Coverage Internet intermediaries

INDIA

Since April 2018

Pillar Cross-border data policies  |  Sub-pillar Local storage requirement
Reserve Bank of India Directive
In April 2018, the Reserve Bank of India (RBI) issued a one-page directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.
Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed (in "Frequently Asked Questions" of its website) to ease this restriction so as to allow payment firms to store data offshore as long as a copy was kept in India. The RBI has further clarified that for cross-border transaction data consisting of a foreign component and a domestic component, a copy of the domestic component may be stored abroad if required.
With respect to the processing of payment transactions outside India, the RBI requires that the data must be stored only in India after processing and should be deleted from systems abroad and brought back to India no later than 24 hours after processing. Any subsequent activity, such as settlement processing after payment processing done outside India, must be undertaken on a real-time basis, pursuant to which the data must be stored only in India.
The RBI has clarified that banks, especially foreign banks, can continue to store banking data abroad. Still, with respect to domestic payment transactions, the data must be stored only in India.
Coverage Financial sector

INDIA

Since August 2015
Since April 2017

Pillar Cross-border data policies  |  Sub-pillar Local storage requirement
Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations, 2015

Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017
According to the Insurance Regulatory and Development Authority of India (IRDAI) Maintenance of Insurance Records Regulations, 2015 (Regulation 3.9), "Insurers are required that [...] (ii) the records pertaining to policies issued and claims made in India (including the records held in electronic form) are held in data centres located and maintained in India." In addition, the 2017 Regulations on Outsourcing of Activities by Indian Insurers provide that Indian insurers, even in cases where they outsource their services outside India, must retain all original records in India.
Coverage Insurance Services

INDIA

Since September 2018, entry into force in December 2018

Pillar Intellectual Property Rights (IPRs)  |  Sub-pillar Adoption of the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty
WIPO Performances and Phonograms Treaty
India has ratified the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.
Coverage Horizontal

INDIA

Since April 2011

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Rule 7 of Information Technology Rules 2011 states that the export of sensitive personal data or information within or outside India is permissible, provided that the same standards of data protection required in India are adhered to and that transfer is necessary for the performance of a lawful contract or has been consented to by the provider of the information. Sensitive personal information includes passwords, financial information such as bank account or credit/debit card details, sexual orientation, physical and mental health condition, and biometric information, among others.
Coverage Horizontal

INDIA

N/A

Pillar Intellectual Property Rights (IPRs)  |  Sub-pillar Effective protection covering trade secrets
Lack of comprehensive regulatory framework covering trade secrets
India lacks a comprehensive framework that provides effective protection of trade secrets, but there are limited measures addressing some issues related to them. As per the decision of the Delhi High Court in 1995, a trade secret is defined as any information with commercial value that is not available in the public domain and the disclosure of which would cause significant harm to the owner. Moreover, Indian courts and tribunals have upheld the protection of trade secrets under other laws such as contract law, copyright law, principles of equity, and the common law action of breach of confidence (which is basically a breach of an obligation to keep a piece of information secret). In addition to the above, the Information Technology Law of 2000 also sets legal means of protection for confidential information in the form of electronic records.
Coverage Horizontal

INDIA

N/A

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
India has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal

INDIA

N/A

Pillar Telecom infrastructure & competition  |  Sub-pillar Passive infrastructure sharing obligation
Requirement of passive infrastructure sharing
It is reported that there is an obligation for passive infrastructure sharing in India to deliver telecom services to end users, and it is practised in both the mobile and fixed sectors based on commercial agreements.
Coverage Telecommunications sector

INDIA

N/A

Pillar Domestic data policies  |  Sub-pillar Framework for data protection
Lack of comprehensive legal framework for data protection
India has not yet enacted specific legislation concerning data protection. Currently, the regulation of personal data processing is primarily governed by the Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011, which were promulgated under the Act. Additionally, sector-specific laws, such as those applicable to the financial services and telecommunications sectors, contribute to the regulatory framework.
The Digital Personal Data Protection Act was enacted on 11 August 2023 and will come into force on a date to be notified by the Government of India. As of February 2024, the Act has not yet become effective. Once in effect, the Act is expected to establish a comprehensive data protection regime in India.
Coverage Horizontal

INDIA

Since April 2013, last amended in October 2020

Pillar Telecom infrastructure & competition  |  Sub-pillar Maximum foreign equity share for investment in the telecommunication sector
Consolidated Foreign Direct Investment (FDI) Policy Circular of 2020
According to Section 6.2.14 of the 2020 Consolidated Foreign Direct Investment (FDI) Policy Circular, full foreign direct ownership is permitted in the telecommunications sector (including Category-I Telecommunications Infrastructure Providers). However, government approval is required for FDI above 49%. This regulatory requirement has been in effect since the enactment of the Consolidated FDI Policy Circular 2013 (Section 6.2.15).
Coverage Telecommunications sector and news

INDIA

Since April 2022

Pillar Domestic data policies  |  Sub-pillar Minimum period for data retention
Indian Computer Emergency Response Team Direction No. 20(3)/2022-CERT-In
Section 5 of Direction No. 20(3)/2022-CERT-In mandates data centres, virtual private server providers, cloud service providers, and virtual private network service providers to collect and retain certain subscriber-related information accurately for a minimum period of five years after the subscriber is no longer availing the underlying services. These data sets include subscriber names, period of hire including dates, IPs allocated and used, e-mail address along with IP and time stamp used at time of registration, purpose of availing the services, verified address and contact numbers, and ownership pattern of subscribers. Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must also maintain KYC information and records of financial transactions for a period of 5 years. Specific to transaction records, Direction No. 20(3)/2022-CERT-In states that information must be maintained accurately in such a way that individual transactions can be reconstructed along with the relevant constituents such as IP addresses, time zones, transaction ID, public keys or equivalent identifiers, addresses or accounts involved, nature and date of transaction, amount transferred, etc.
Coverage Data centres and virtual private server, cloud service, virtual private network service, virtual asset service, virtual asset exchange and custodian wallet providers

INDIA

Since 2000

Pillar Telecom infrastructure & competition  |  Sub-pillar Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
Bharat Sanchar Nigam Limited (BSNL), the incumbent, is fully owned by the Government of India. BSNL provides all types of telecom services, namely telephone services on landlines, Wireless Local Loop and GSM mobile, Broadband, Internet, leased circuits and long-distance telecom services.
Coverage Telecommunications sector
