INDIA
Reported in 2018, last reported in 2025
Pillar Quantitative trade restrictions for ICT goods and online services |
Indicator Other import restrictions, including non-transparent/discriminatory import procedures
Lack of transparency in customs procedures
Exporters have raised concerns regarding India’s application of customs valuation criteria to import transactions. Reports indicate that Indian customs officials occasionally reject the declared transaction value of imports, particularly for products with established benchmark prices in India. This practice can potentially increase export costs beyond the expected levels based on India's applied tariff rates. Companies have also reported extensive searches and seizures of imports, which do not seem to be risk-based. Additionally, India's customs authority typically demands extensive clearance documentation, resulting in prolonged processing delays.
Coverage Horizontal
INDIA
Since December 2015
Pillar Domestic data policies |
Indicator Minimum period for data retention
Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015
As per the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, a listed entity (i.e. an entity which is listed on the stock market) is required to have a policy for the preservation of documents. The SEBI Listing Regulations require that records, books, papers and documents of the company be preserved as per the following classifications:
- Schedule I - to be preserved permanently. Documents listed under this schedule include incorporation documents, share certificates, register of minutes of board meetings, register of members, etc.
- Schedule II – to be preserved for eight years. Documents listed under this schedule include books of accounts, attendance register of board meetings, register for debenture holders, etc.
- Schedule III – to be preserved for a minimum period of five years or such higher period as may be determined by the board of directors of the company. Documents listed under this schedule include a register of stock options, a register of directors and key managerial personnel, disclosures made under applicable company laws, etc.
As per the SEBI Listing Regulations, documents set out in Schedule I and II can be kept in electronic mode. The complete list of documents under each schedule is set out in the SEBI Listing Regulations.
- Schedule I - to be preserved permanently. Documents listed under this schedule include incorporation documents, share certificates, register of minutes of board meetings, register of members, etc.
- Schedule II – to be preserved for eight years. Documents listed under this schedule include books of accounts, attendance register of board meetings, register for debenture holders, etc.
- Schedule III – to be preserved for a minimum period of five years or such higher period as may be determined by the board of directors of the company. Documents listed under this schedule include a register of stock options, a register of directors and key managerial personnel, disclosures made under applicable company laws, etc.
As per the SEBI Listing Regulations, documents set out in Schedule I and II can be kept in electronic mode. The complete list of documents under each schedule is set out in the SEBI Listing Regulations.
Coverage Listed (Public) Companies
INDIA
Since August 2023, entry into force in May 2027
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Digital Personal Data Protection Act, 2023
Pursuant to Section 10 of the Digital Personal Data Protection Act, a significant data fiduciary must appoint a data protection officer based in India, who is responsible, inter alia, for conducting periodic data protection impact assessments comprising a description of the rights of data principals, the purposes for which their personal data are processed, an evaluation and management of risks to those rights, and any additional matters prescribed in relation to such assessments. Under Section 2, a data fiduciary is defined as any person who, alone or jointly with others, determines the purposes and means of processing personal data; a significant data fiduciary refers to any data fiduciary, or class thereof, designated as such by the Central Government under Section 10; and a data principal denotes the individual to whom the personal data relate.
Coverage Horizontal
INDIA
Since February 2021
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
Under Rule 4 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021, a "significant" social media intermediary (defined as a social media intermediary having number of registered users in India above 5,000,000) must appoint a Chief Compliance Officer who must ensure compliance with the Rules and will be liable in any proceedings relating to any relevant third-party information, data or communication link made available or hosted by that intermediary where he/she fails to ensure that such intermediary observes due diligence while discharging its duties under the Rules.
Coverage Significant social media intermediaries
INDIA
Since June 2000, as amended in October 2009, last amended in August 2023
Since October 2009
Since October 2009
Since October 2009
Since October 2009
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Information Technology Act, 2000
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009
Under Section 69 of the Information Technology Act, both central and state governments are empowered to instruct any government agency to intercept, monitor, or decrypt electronic information. This authority can be exercised on the following grounds: in the interest of India's sovereignty or integrity; for the security of the State; to maintain friendly relations with foreign states; for public order; or to prevent or investigate the commission of an offence. Additionally, under Section 69B, the government is authorised to permit any agency to monitor and collect traffic data or information exchanged through a computer resource.
The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules of 2009 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules of 2009, both promulgated under the Information Technology Act, provide procedural guidelines for carrying out such interception and monitoring. For example, Rule 3 of the latter Rules permits the collection and/or monitoring of traffic data or information via a computer resource for several purposes, including: forecasting imminent cyber incidents; monitoring network applications; identifying and determining viruses or computer contaminants; tracking cybersecurity breaches or incidents; identifying individuals who have breached or are suspected of breaching cybersecurity measures; conducting forensic analyses as part of investigations or internal audits of information security practices; accessing stored data for the enforcement of cybersecurity law; or addressing any other cybersecurity-related issues.
The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules of 2009 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules of 2009, both promulgated under the Information Technology Act, provide procedural guidelines for carrying out such interception and monitoring. For example, Rule 3 of the latter Rules permits the collection and/or monitoring of traffic data or information via a computer resource for several purposes, including: forecasting imminent cyber incidents; monitoring network applications; identifying and determining viruses or computer contaminants; tracking cybersecurity breaches or incidents; identifying individuals who have breached or are suspected of breaching cybersecurity measures; conducting forensic analyses as part of investigations or internal audits of information security practices; accessing stored data for the enforcement of cybersecurity law; or addressing any other cybersecurity-related issues.
Coverage Horizontal
Sources
- https://web.archive.org/web/20211115020524/https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf
- https://web.archive.org/web/20231005133242/https://www.meity.gov.in/writereaddata/files/Information%20Technology%20(Procedure%20and%20Safeguards%20for%20Interception,%20Monitoring%20and%20Decryption%2...
- https://web.archive.org/web/20221223012141/https://upload.indiacode.nic.in/showfile?actid=AC_CEN_45_76_00001_200021_1517807324077&type=rule&filename=ru_cen_45_0_00028_1519711141735.pdf
- https://www.dataguidance.com/notes/india-third-country-assessment
- https://web.archive.org/web/20231221030143/https://www.gp-digital.org/world-map-of-encryption/
- Show more...
INDIA
Since December 2023
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Telecommunications Act, 2023
Pursuant to Art. 20(2) of the Telecommunications Act, 2023, in the event of a public emergency or in the interest of public safety, the Central Government, a State Government, or any officer specifically authorised by either, may issue an order—if deemed necessary or appropriate—directing that any message or category of messages, whether sent or received by any person or group of persons, through any telecommunication equipment or network, and relating to any specific subject, be prohibited from transmission, intercepted, detained, or disclosed in an intelligible format to the designated officer identified in the order. It is not clear whether a court order is required to access the data.
Coverage Horizontal
INDIA
Since June 2000, entry into force in October 2000, last amended in August 2023
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for copyright infringement
Information Technology Act, 2000
The Information Technology Act establishes a safe harbour regime for intermediaries for copyright infringements. Section 79 of the Act provides intermediaries with qualified immunity for unlawful content as long as they follow the prescribed due diligence requirements and do not conspire, abet or aid an unlawful act. However, the protection lapses if an intermediary with "actual knowledge" of any content used to commit an unlawful act or, on being notified of such content, fails to remove or restrict access to it.
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20231204123614/https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY=
- https://web.archive.org/web/20241127192721/https://www.mondaq.com/india/social-media/1088968/intermediary-liability-in-india--moving-goalposts
- https://web.archive.org/web/20231210112408/https://www.forbesindia.com/article/iim-calcutta/indias-tryst-with-intermediary-liability-from-2000-to-2021-changing-paradigms-in-the-social-media-age/69121/...
- Show more...
INDIA
Since February 2021
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021 establish a safe harbour regime beyond intermediaries for copyright infringement. According to Rule 3.1(d), an intermediary, after receiving 'actual knowledge' through a court order or by being notified by a government agency, must remove information that is prohibited by law in relation to the interest and sovereignty of India, the security of the state, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, incitement to an offence or information which violates any law which is in force. Such information has to be removed within thirty-six hours from receipt of actual knowledge by the intermediary.
In addition, "significant social media intermediaries", defined as having more than five million registered Indian users, need to observe additional due diligence requirements to claim the immunity/safe harbour available. Rule 6 of the Information Technology Rules provides that even if a social media intermediary does not meet this user threshold, the Central Government may still require an intermediary to meet these additional obligations if it believes that their operations create a material risk of harm to the sovereignty and integrity of India or to the security of the State. This discretion to the Central government may lead to the arbitrary imposition of additional obligations on certain intermediaries. The additional due diligence requirements include appointing certain personnel for compliance, enabling identification of the first originator of the information on its platform under certain conditions, and deploying technology-based measures on a best-effort basis to identify certain types of content.
In addition, "significant social media intermediaries", defined as having more than five million registered Indian users, need to observe additional due diligence requirements to claim the immunity/safe harbour available. Rule 6 of the Information Technology Rules provides that even if a social media intermediary does not meet this user threshold, the Central Government may still require an intermediary to meet these additional obligations if it believes that their operations create a material risk of harm to the sovereignty and integrity of India or to the security of the State. This discretion to the Central government may lead to the arbitrary imposition of additional obligations on certain intermediaries. The additional due diligence requirements include appointing certain personnel for compliance, enabling identification of the first originator of the information on its platform under certain conditions, and deploying technology-based measures on a best-effort basis to identify certain types of content.
Coverage Internet Intermediaries
Sources
- https://web.archive.org/web/20230923205328/https://wilmap.stanford.edu/entries/information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021
- https://web.archive.org/web/20230929034953/https://sflc.in/analysis-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021/
- https://web.archive.org/web/20231208000516/https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021
- Show more...
INDIA
Since October 2017
Pillar Intermediary liability |
Indicator User identity requirement
Regulation on the Use of Aadhaar e-KYC Service of the Unique Identity Authority of India (UIDAI) for Issuing New Mobile Connections and Re-Verification of Existing Subscribers via OTP-Based Authentication
According to the Regulation on the Use of Aadhaar e-KYC Service of the Unique Identity Authority of India (UIDAI) for Issuing New Mobile Connections and Re-Verification of Existing Subscribers via OTP-Based Authentication, Indian citizens are required to register their SIM card with their Aadhaar Card (a type of national identity card). Foreigners have to provide their passport, a photocopy of their Indian visa/ travel permit, a passport-sized photo and contact details.
Coverage Telecommunications sector
Sources
- https://web.archive.org/web/20220125013040/https://dot.gov.in/sites/default/files/OTP%20Based%20Reverification.PDF?download=1
- https://web.archive.org/web/20231204204245/https://www.indiatoday.in/information/story/heres-how-an-indian-citizen-and-a-foreign-national-can-buy-a-sim-card-in-india-1841117-2021-08-15
INDIA
Since December 2018
Pillar Intermediary liability |
Indicator Monitoring requirement
Information Technology Intermediaries Guidelines (Amendment) Rules, 2018
According to Art. 3.3 of the Information Technology Intermediaries Guidelines Rules, intermediaries are required to deploy technology-based automated tools or appropriate mechanisms with appropriate controls for proactively identifying and removing or disabling public access to unlawful information or content.
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20220120082414/http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf
- https://web.archive.org/web/20220201093401/https://www.medianama.com/wp-content/uploads/Draft_Intermediary_Amendment_24122018.pdf
- https://web.archive.org/web/20201031191759/https://law.asia/intermediary-liability-rules-not-safe-harbour/
- Show more...
INDIA
Since June 2000, entry into force in October 2000, last amended in August 2023
Pillar Intermediary liability |
Indicator Monitoring requirement
Information Technology Act, 2000
Section 69 of the Indian Information Technology Act (IITA) requires intermediaries to extend all facilities and technical assistance to intercept, monitor or decrypt information as well as to provide information stored in a computer or provide access to a computer resource when called upon to do so by certain agencies. This extends to online intermediaries, which are required to designate an officer to facilitate the execution of such orders. Intermediaries that fail to meet these obligations may be punished with imprisonment of up to seven years.
Coverage Internet intermediaries
INDIA
Since February 2021
Pillar Intermediary liability |
Indicator Monitoring requirement
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
According to Art. 4.2 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021, a significant social media intermediary (defined as a social media intermediary having a number of registered users in India above five million) providing messaging services must enable identification of the first originator of the information on its computer resource as may be required by a judicial order or an order passed by a competent authority. In complying with an order for the identification of the first originator, a significant social media intermediary will not be required to disclose the contents of the electronic message related to the first originator or other users. No order must be passed in cases where there are less intrusive means of identifying the originator of the information.
Coverage Social media
Sources
- https://web.archive.org/web/20231005153411/https://www.meity.gov.in/writereaddata/files/Information%20Technology%20(Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code)%20Rules%2C%202021...
- https://web.archive.org/web/20230929034953/https://sflc.in/analysis-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021/
INDIA
N/A
Pillar Cross-border data policies |
Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
India has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal
INDIA
Since June 2000, entry into force in October 2000, last amended in August 2023
Since October 2009
Since October 2009
Pillar Content access |
Indicator Blocking or filtering of commercial web content
Information Technology Act, 2000
Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009
Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009
Section 69A of the Information Technology Act empowers the Central Government, or any officer expressly authorised by it for this purpose, to issue directions for the blocking of public access to information where it is satisfied that such action is necessary or expedient. Such directions may be issued in the interests of the sovereignty and integrity of India, the defence of India, the security of the State, friendly relations with foreign States, public order, or for the prevention of incitement to the commission of any cognisable offence relating to these grounds. Where these conditions are met, the Government may, for reasons recorded in writing, order any government agency or intermediary to block, or to cause the blocking of, public access to any information that is generated, transmitted, received, stored, or hosted in any computer resource.
Pursuant to Section 69A of the Information Technology Act, read together with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules:
- TikTok, WeChat, and 57 other applications of Chinese origin were banned in India with effect from 29 June 2020, with the blocking orders remaining in force as of 2025.
- 14 messaging applications were blocked in early May 2023, with the restrictions remaining in place as of 2025. Subsequent court proceedings clarified that these blocking orders were, in fact, geographically limited to Jammu and Kashmir. The Delhi High Court upheld the ban on Briar primarily on the basis that its application was confined to the Union Territory of Jammu and Kashmir.
Pursuant to Section 69A of the Information Technology Act, read together with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules:
- TikTok, WeChat, and 57 other applications of Chinese origin were banned in India with effect from 29 June 2020, with the blocking orders remaining in force as of 2025.
- 14 messaging applications were blocked in early May 2023, with the restrictions remaining in place as of 2025. Subsequent court proceedings clarified that these blocking orders were, in fact, geographically limited to Jammu and Kashmir. The Delhi High Court upheld the ban on Briar primarily on the basis that its application was confined to the Union Territory of Jammu and Kashmir.
Coverage Applications
Sources
- https://www.accessnow.org/keepiton-data-dashboard/
- https://web.archive.org/web/20260429213418/https://wipolex-res.wipo.int/edocs/lexdocs/laws/en/in/in212en_1.pdf?last-modified=1753881770&Expires=1777498716&Signature=fFiHiyJLKBqjGX1EIGJUnFZ8JY6TU3UfdJS...
- https://web.archive.org/web/20260429215338/https://www.meity.gov.in/static/uploads/2024/10/91f628cb778f94e76df356bc3fd3ac60.pdf
- https://web.archive.org/web/20260429214124/https://www.pib.gov.in/PressReleasePage.aspx?PRID=1635206®=3&lang=2
- https://web.archive.org/web/20260429215028/https://sflc.in/sflc-in-assists-in-challenge-to-blocking-of-foss-apps-element-and-briar-before-kerala-high-court/
- Show more...
INDIA
Since August 2023, entry into force in May 2027
Pillar Domestic data policies |
Indicator Framework for data protection
Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act establishes a comprehensive regime for safeguarding digital personal data in India, extending its reach extraterritorially where processing relates to the provision of goods or services to individuals in India. It imposes statutory duties on data fiduciaries, confers defined rights upon data principals, and generally permits the outward transfer of personal data. The Act introduces the novel institution of independent consent managers, entrusted with administering individuals’ consent and operating separately from data fiduciaries and data processors. It further provides for significant penalties for non‑compliance, including a maximum fine of INR 2.5 billion (approx. USD 31 million), and designates the Data Protection Board of India as the regulatory authority. The Act is implemented in phases, with certain provisions commencing on 13 November 2025, further provisions taking effect one year thereafter, with the remaining substantive provisions entering into force in May 2027.
Coverage Horizontal
Sources
- https://web.archive.org/web/20251216131748/https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
- https://web.archive.org/web/20251216133658/https://www.meity.gov.in/static/uploads/2025/11/c56ceae6c383460ca69577428d36828b.pdf
- https://www.dataguidance.com/jurisdictions/india
- Show more...
