Intermediary Liability — Section 79 and IT Rules, 2021

Every tweet, marketplace listing, WhatsApp forward and YouTube upload passes through an intermediary — a platform that neither authors the content nor, in most cases, reads it. The central question of modern cyber law is deceptively simple: when that third-party content turns out to be defamatory, obscene, infringing or seditious, should the platform be punished alongside the author? India's answer is the safe harbour of Section 79 of the Information Technology Act, 2000 — a conditional immunity that protects an intermediary so long as it stays passive, observes due diligence, and removes unlawful material once it acquires actual knowledge. This chapter traces the architecture of Section 79, the landmark reading-down in Shreya Singhal, the messy case law on what counts as an "intermediary" and "actual knowledge", and the sprawling compliance regime built on top of it by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

Who is an "intermediary"? Section 2(1)(w)

Before safe harbour can attach, an entity must first qualify as an intermediary. Section 2(1)(w) of the IT Act defines an intermediary, with respect to any particular electronic record, as "any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record". The 2008 Amendment recast the clause into an inclusive, illustrative definition, expressly naming "telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes".

The breadth is deliberate. A telecom carrier moving packets, a cloud host storing files, a search engine indexing pages, and an e-commerce marketplace connecting buyers and sellers are all intermediaries, even though their functions differ enormously. The unifying thread is the phrase "on behalf of another person": the entity must be dealing with someone else's electronic record. The moment a platform becomes the author or originator of the content, it sheds its intermediary character for that content and steps outside Section 79 entirely. This conceptual boundary — passive conduit versus active author — recurs in every dispute discussed below. For the statutory scaffolding underpinning these definitions, see our chapter on definitions under the IT Act.

The anatomy of Section 79

Section 79 is titled "Exemption from liability of intermediary in certain cases". It is a non obstante provision, operating "notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3)". Three sub-sections do the work.

Sub-section (1) states the immunity: an intermediary "shall not be liable for any third party information, data, or communication link made available or hosted by him". The Explanation clarifies that "third party information" means "any information dealt with by an intermediary in his capacity as an intermediary".

Sub-section (2) states the conditions precedent. The immunity applies only if: (a) the intermediary's function is "limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted"; OR (b) the intermediary does not (i) initiate the transmission, (ii) select the receiver of the transmission, and (iii) select or modify the information contained in the transmission; AND (c) the intermediary "observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf".

Sub-section (3) states the disqualifications. Safe harbour evaporates if (a) the intermediary "has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act"; or (b) the intermediary, "upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act", fails to "expeditiously remove or disable access to that material".

The structure is thus a layered defence: clear the conduit/passivity test in sub-section (2), keep your hands clean under sub-section (3)(a), and respond expeditiously to valid notice under sub-section (3)(b). Fail any limb and the immunity collapses.

Why safe harbour exists: the Bazee.com shock

The pre-2008 Section 79 was thin, and its limits were exposed dramatically in Avnish Bajaj v. State (NCT of Delhi), the Bazee.com prosecution. A user of the online auction site Bazee.com listed an obscene MMS video clip (the notorious "DPS" clip) for sale in November 2004. The CEO of Bazee.com, Avnish Bajaj, was prosecuted under Section 292 of the Indian Penal Code and Section 67 of the IT Act for the obscene listing, even though the platform had not authored or knowingly hosted the clip and had removed it once alerted. The Delhi High Court declined to quash the proceedings against Bajaj at that stage, illustrating how exposed a marketplace operator could be for purely third-party wrongdoing.

The legislative response was the 2008 Amendment, which rebuilt Section 79 into the modern conditional safe harbour and broadened the definition of intermediary. The Supreme Court ultimately set aside the prosecution of Bajaj himself on a narrower ground — the company had not been arraigned, so its director could not be made vicariously liable. But the episode is remembered as the catalyst that gave India a proper safe harbour, aligning Indian law with the global notice-and-takedown model. The introduction to the IT Act situates the 2008 Amendment within the statute's broader evolution.

Shreya Singhal: reading down "actual knowledge"

The constitutional cornerstone of intermediary liability is Shreya Singhal v. Union of India, AIR 2015 SC 1523, decided on 24 March 2015 by Justices J. Chelameswar and R.F. Nariman. The case is best known for striking down Section 66A as a disproportionate restriction on Article 19(1)(a), but its treatment of Section 79 is equally consequential.

The petitioners argued that Section 79(3)(b) was vague: an intermediary acquiring "actual knowledge" of unlawful content faced an impossible duty to adjudicate the lawfulness of millions of posts, with crippling liability for guessing wrong. This pressure, they said, would cause platforms to over-censor — the classic "chilling effect". The Court agreed that read literally the provision was unworkable and would offend Article 19(1)(a).

Rather than strike it down, the Court read down Section 79(3)(b) (and the corresponding Rule 3(4) of the 2011 Intermediary Guidelines). It held that "actual knowledge" means knowledge received through a court order or a notification by the appropriate Government or its agency that the content relates to one of the subjects in Article 19(2). A private complaint from an aggrieved person does not, by itself, trigger the takedown obligation. The intermediary is obliged to remove content only when an authorised public authority has determined its unlawfulness. This judicial gloss freed platforms from acting as private censors adjudicating competing claims — a principle that still anchors every intermediary dispute decided since.

"Actual knowledge" in the IP context: MySpace

Shreya Singhal arose in the constitutional/criminal context. How does "actual knowledge" operate when the underlying wrong is copyright infringement rather than unlawful speech? The Delhi High Court answered in MySpace Inc. v. Super Cassettes Industries Ltd., decided on 23 December 2016 by a Division Bench of Justices S. Ravindra Bhat and Deepa Sharma.

Super Cassettes (T-Series) sued the social-media platform MySpace for hosting infringing copies of its sound recordings and films and sought a sweeping injunction requiring MySpace to pre-screen all uploads. The single judge had granted broad relief. On appeal, the Division Bench reversed the most onerous parts. It held that an intermediary is not liable for infringement unless specific actual knowledge of the infringing material is shown; "general awareness" that some infringement probably occurs on the platform is not enough. The Court distinguished actual knowledge from constructive or general awareness, and harmonised Section 79 and Section 81 of the IT Act with Section 51 of the Copyright Act, holding that safe harbour is not ousted by the Copyright Act's non-obstante clause.

Crucially, the Court refused to impose a general obligation of proactive monitoring. Instead it required the rights-holder to identify the specific infringing URLs, whereupon MySpace had to remove them expeditiously. The judgment thus translated the Shreya Singhal logic — knowledge must be specific, not diffuse — into the intellectual-property arena.

No duty to pre-screen: Kent RO Systems

The refusal to impose ex-ante monitoring was confirmed in Kent RO Systems Ltd. v. Amit Kotak, decided by a single judge of the Delhi High Court on 18 January 2017. Kent, the proprietor of registered designs in water purifiers, sued a seller for design infringement and sought to compel the marketplace eBay India to independently verify every future listing against Kent's registered designs before hosting it.

The Court squarely rejected this. It held that the IT Act and the 2011 Rules require an intermediary to remove infringing content on being notified, but do not cast a duty on the intermediary to screen all content in advance to ensure no intellectual-property right is violated. Requiring a marketplace to act as a roving examiner of registered designs would impose an impossible and disproportionate burden and would, in effect, make the intermediary the author and adjudicator of third-party listings. The intermediary's obligation is reactive — take down on valid complaint — not proactive. Read together, MySpace and Kent RO establish that Indian safe harbour is a notice-and-takedown regime, not a notice-and-stay-down or filter-everything regime.

Active versus passive: Christian Louboutin

Safe harbour rests on passivity. But many modern platforms are anything but passive — they curate, promote, authenticate sellers, and take a commission. When does a platform become so "active" that it forfeits intermediary status? The Delhi High Court grappled with this in Christian Louboutin SAS v. Nakul Bajaj, 2018 SCC OnLine Del 12215, decided on 2 November 2018 by Justice Prathiba M. Singh.

The luxury footwear house alleged that the website Darveys.com sold counterfeit Louboutin products while claiming Section 79 immunity. Justice Singh enumerated roughly twenty-six services or activities — from identifying the seller, authenticating products, transporting goods, advertising, and using the plaintiff's trademark in meta-tags — that could push a platform from a passive conduit into an "active participant". The greater the value the platform adds beyond mere hosting, the closer it moves to losing safe harbour, because Section 79(2) demands that the intermediary not "select or modify" the information and that its role be "limited to providing access".

The Court held that an e-commerce platform that crosses the line into active conduct cannot claim the benefit of Section 79, and may be liable for trademark infringement in respect of counterfeit goods sold through it. Louboutin thus operationalised the active/passive distinction that the statute presupposes, giving litigants a concrete checklist for testing whether a marketplace is a genuine intermediary or a disguised retailer.

The auto-block experiment: Sabu Mathew George

Not every obligation on intermediaries flows from Section 79 alone; some arise from other statutes read alongside it. In Sabu Mathew George v. Union of India, the Supreme Court confronted the duty of search engines under the Pre-Conception and Pre-Natal Diagnostic Techniques Act, 1994 (PC-PNDT Act), which by Section 22 prohibits advertisements relating to pre-natal sex determination.

The petitioner sought to bar Google, Yahoo and Microsoft from displaying sex-selection advertisements. By an order dated 16 November 2016, the Court directed the search engines to "auto-block" a list of prohibited keywords so that results for sex-determination services would not surface, and directed the constitution of a nodal agency to receive complaints and convey offending URLs. The case is significant because it pushed intermediaries beyond reactive takedown toward a form of proactive, keyword-based filtering — sitting in tension with the no-pre-screening logic of Kent RO. The Court tried to reconcile the two by confining auto-block to a defined statutory prohibition and a curated keyword list, rather than a general duty to police all content. The litigation illustrates how special statutes can layer additional, content-specific obligations on top of the general Section 79 framework.

The reach of safe harbour over time: Google v. Visaka

Safe harbour is not retrospective, and the timing of a cause of action can decide whether a platform is protected at all. Google India Pvt. Ltd. v. Visaka Industries Ltd., (2020) 4 SCC 162, makes the point. Visaka Industries sued over allegedly defamatory blog posts hosted on Google's platform, with the cause of action arising in 2008 — before the amended Section 79 came into force.

The Supreme Court held that the post-amendment safe harbour, which for the first time extended protection against offences under all laws (including criminal defamation under Sections 499 and 500 IPC) subject to the conditions of Section 79, applies only prospectively. For a cause of action arising before the 2008 Amendment took effect, the older and narrower Section 79 governed, and that provision did not shield the intermediary from a criminal defamation prosecution. Google could therefore be put to trial on the pre-amendment defamation complaint. The decision is a reminder that Section 79's generous immunity is a creature of the 2008 Amendment, and that conduct predating it is judged by a far less forgiving standard. It also underscores that even today, safe harbour is conditional, not absolute — a theme the e-commerce and content-moderation cases repeatedly confirm.

The IT Rules, 2021: due diligence as a condition of immunity

Section 79(2)(c) makes "such other guidelines as the Central Government may prescribe" a condition of safe harbour. That hook gave birth first to the Information Technology (Intermediary Guidelines) Rules, 2011, and then to the far more elaborate Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, notified on 25 February 2021.

Rule 3 sets out due-diligence obligations for all intermediaries: publishing rules, privacy policy and user agreements; informing users of prohibited categories of content; removing or disabling access to unlawful content within 36 hours of a court order or appropriate-government notification (tracking the Shreya Singhal reading of "actual knowledge"); preserving information for 180 days; and operating a grievance-redressal mechanism with a Grievance Officer who must acknowledge complaints within 24 hours and resolve them within 15 days. Rule 3(1)(d) — central to recent litigation — obliges an intermediary, on actual knowledge through a court order or government notification, to take down information prohibited under the law.

The compliance burden is the price of admission to safe harbour: an intermediary that flouts these guidelines forfeits the protection of Section 79(1), because it can no longer say it has "observed due diligence" under Section 79(2)(c). The Rules thus convert a once-static immunity into a continuing, condition-laden bargain between the State and the platform. For the digital-records plumbing these obligations rely on, see our note on attribution, acknowledgment and dispatch of electronic records.

Significant social media intermediaries and traceability

The 2021 Rules created a new, heavier tier. Rule 4 imposes additional due diligence on a Significant Social Media Intermediary (SSMI) — a social-media intermediary with registered users above a threshold notified at fifty lakh (5 million). An SSMI must appoint three India-resident officers: a Chief Compliance Officer responsible for ensuring compliance, a Nodal Contact Person for round-the-clock coordination with law enforcement, and a Resident Grievance Officer. It must publish monthly compliance reports listing complaints received and action taken, including content removed through proactive monitoring.

The most contested obligation is traceability: Rule 4(2) requires an SSMI providing messaging services to enable the identification of the "first originator" of information when ordered by a court or competent authority, in connection with specified serious offences. Messaging platforms argue that traceability is technically incompatible with end-to-end encryption and would compromise the privacy of all users to identify one — a tension yet to be conclusively resolved by the courts, with challenges pending. The SSMI regime shows how Section 79's due-diligence condition has been used to graft onto large platforms a quasi-regulatory compliance architecture far removed from the simple passive-conduit model of 2000.

Free speech limits on the Rules: Kunal Kamra

The due-diligence power is not unlimited; it must survive Article 19. That principle was vindicated in Kunal Kamra v. Union of India, where the Bombay High Court struck down the 2023 amendment to Rule 3(1)(b)(v) of the 2021 Rules. The amendment empowered the Central Government to set up a Fact Check Unit (FCU) to flag information about "the business of the Central Government" as "fake, false or misleading", with intermediaries effectively required to act on the FCU's say-so or risk their safe harbour.

A Division Bench delivered a split verdict on 31 January 2024 — Justice Gautam Patel holding the rule unconstitutional and Justice Neela Gokhale upholding it. The tie-breaker, Justice A.S. Chandurkar, on 20 September 2024 held the amended Rule 3(1)(b)(v) unconstitutional, and the matter was formally disposed of on 26 September 2024 striking down the rule. The Court reasoned that the rule had a chilling effect on free speech, that vague terms like "fake, false or misleading" lacked guidance, that the State could not be the sole arbiter of truth about itself, and that the restriction failed the proportionality standard. The decision is a direct descendant of Shreya Singhal: rules made under Section 79 cannot be used to coerce intermediaries into suppressing protected speech.

The takedown-power debate: X Corp and the Sahyog portal

The newest frontier is whether Section 79(3)(b) is merely a condition of immunity or an independent content-blocking power parallel to Section 69A. The distinction matters enormously, because Section 69A carries elaborate procedural safeguards (a designated officer, a committee, reasons, confidentiality) that Section 79(3)(b) lacks.

In X Corp v. Union of India (WP 7405/2025), decided by a single judge of the Karnataka High Court on 24 September 2025, X (formerly Twitter) challenged the Government's Sahyog portal — built on an Office Memorandum that authorised numerous ministries, State governments and police officers to issue takedown notices to intermediaries under Section 79(3)(b) read with Rule 3(1)(d). X argued, leaning on Shreya Singhal, that content blocking can only be done under Section 69A and its safeguards, and that Section 79(3)(b) merely describes when safe harbour is lost, not a freestanding power to compel removal.

The High Court rejected the challenge. It upheld the Sahyog portal as a facilitative tool, read Section 79(3)(b) and Rule 3(1)(d) as permitting authorities to require takedown of unlawful content on pain of losing immunity, and held that X Corp, as a foreign company, could not invoke the Article 19 protections available to citizens. The judgment, currently the subject of an appeal, has been criticised for diluting the Shreya Singhal distinction between safe-harbour conditions and blocking powers. It marks the live edge of intermediary-liability law in India: the same Section 79 that began as a shield for passive platforms is now being deployed as a lever for State content control.

Synthesis: the four questions to ask

For an exam answer, marshal the doctrine into four sequential questions. First, is the entity an intermediary at all? Apply Section 2(1)(w) and the active/passive test of Christian Louboutin — a platform that authors, curates or sells in its own right is no intermediary for that content. Second, are the Section 79(2) conditions met? The function must be limited to access/hosting, the platform must not initiate, select the recipient, or modify the content, and it must observe due diligence including the IT Rules, 2021. Third, do the Section 79(3) disqualifications apply? Has the platform conspired, aided or abetted; and on receiving valid "actual knowledge" — meaning, after Shreya Singhal, a court order or government notification — did it fail to remove the content expeditiously? MySpace and Kent RO confirm there is no duty to pre-screen, and knowledge must be specific. Fourth, what is the temporal and constitutional frame? Google v. Visaka shows the amended safe harbour is prospective; Kunal Kamra shows rules under Section 79 must respect Article 19; and X Corp shows the contested boundary between Section 79(3)(b) conditions and Section 69A powers. Used together, this framework lets you place any new platform dispute — from deepfakes to AI-generated content — within a coherent doctrinal map. For the hub of all chapters, return to the IT Act notes hub.