I. What is the current legal landscape for the Information Technology sector in your jurisdiction?

Legal Regime 

1. The Information Technology (“IT”) sector is currently governed through the Information Technology Act, 2000 (“IT Act”) and the rules issued under it.  The IT Act and several underlying rules together govern electronic contracts and signatures, cyber-crimes, cyber-security and online third party content liability.

In its key parts, the IT Act:

• Makes electronic contracts presumptively enforceable (Section 10A).
• Requires anyone who causes damage to any computer, computer system or computer network to compensate the affected person (Section 43).
• Requires body corporates handling “sensitive personal data or information” to compensate affected persons if they are negligent in maintaining reasonable security practices and procedures and cause wrongful loss/gain. (Section 43A). From May 14, 2027, this section will be omitted and data protection issues will be governed by the framework of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) (see Section Point 3 below for additional details),
• Penalises persons – including intermediaries – who disclose a person’s personal data without their consent or in breach of a lawful contract, knowing that such disclosure is likely to cause wrongful loss or gain. (Section 72A).
• Provides safe harbour to intermediaries for online third party content if they fulfil the prescribed due diligence requirements. (Sec. 79)

2. Specific rules issued under the IT Act govern different aspects. For example:

a. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”): The SPDI Rules impose obligations on body corporates with regard to “personal information” and “sensitive personal data or information”. These include obligations such as publishing a privacy policy, informing users of the purpose of collecting information, and obtaining consent for purposes of using information.

b. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 IT Rules”): The 2021 IT Rules impose various “due diligence” obligations on intermediaries for them to avail safe harbour immunity for third party content liability. Such obligations include publishing terms and privacy policies for their services, complying with content takedown orders and data requests and resolving user grievances within specified timelines, appointment of a Grievance Officer and other resident officers, and having a physical address in India (depending on the type of intermediary). The Government has also recently proposed amendments to the 2021 IT Rules that intend to specifically address issues arising from Generative AI and deepfakes.

c. CERT-In Directions: Additionally, the Indian Computer Emergency Response Team (CERT-In) is the Indian cybersecurity regulator which was established through Section 70B of the IT Act and can call for information and give directions to intermediaries/service providers/body corporates. Failure to comply is punishable with imprisonment of up to 1 year and/or a fine extending up to INR 1 Crore.
Under the CERT-In Rules, 2013 and CERT-In’s 2022 directions, certain cybersecurity incidents (e.g. data breaches/leaks, intrusions) need to be notified to CERT-In within 6 hours (FAQ 30). Other cybersecurity incidents must be reported to CERT-In within a reasonable time of becoming aware.

3. Digital Personal Data Protection Act, 2023: In 2023, the Indian Parliament passed the DPDP Act which is India’s first comprehensive data protection framework. On November 14, 2025, the Indian Government released the timelines in which the DPDP Act and Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) will come into force.

1. Certain provisions of the DPDP Act and DPDP Rules, primarily relating to establishing the Data Protection Board (“DPB”), have been brought into force from November 14, 2025.
2. Remaining provisions of the DPDP Act and DPDP Rules will come into force within 12 to 18 months.

Once DPDP Act and Rules are fully operational they will provide the framework for, amongst other things:

1. providing notice to users about their data processing in a specified manner [Section 5, DPDP Act; Rule 3, DPDP Rules];
2. obtaining consent that is “free, specific, informed, unconditional and unambiguous” [Section 6(1), DPDP Act];
3. providing Data Principals’ the right to withdraw consent, with the ease of withdrawing being comparable to the ease with which consent was given [Section 6(4), DPDP Act; Rule 3(c), DPDP Rules];
4. exercising Data Principal rights such as the right to access information, the right to erasure and correction, and the right to nominate individuals in case of death and incapacity [Sections 11, 12, 14, DPDP Act; Rule 14, DPDP Rules];
5. processing data for certain legitimate uses, without consent as a legal basis [Section 7(a), DPDP Act]; and
6. prescribing additional obligations for Significant Data Fiduciary (which are classes of Data Fiduciaries the Government will notify) such as appointing a Data Protection Officer and carrying out Data Protection Impact Assessment [Section 10, DPDP Act; Rule 13, DPDP Rules]
7. establishing a DPB which can inquire into violations of the DPDP Act and impose penalties of up to INR 250 crore (~ USD 28,188,225) [Section 18, 27, 31, Schedule, DPDP Act; Rule 19, DPDP Rules].

The DPDP Act and DPDP Rules will be effective in their entirety from May 14, 2027. After such data, the SPDI Rules will no longer be in force.

4. Additionally, the Consumer Protection Act, 2019 and the guidelines/rules issued under it also regulate certain aspects of online platforms. For example,

Consumer Protection (E-Commerce) Rules, 2020: These prescribe additional obligations for e-commerce platforms and sellers. For example, marketplace e-commerce entities are required to amongst other things prominently display information regarding seller disclosures on their platforms, refunds/return policies and available payment methods and contact details of their grievance officer.

Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022:  These guidelines define misleading advertisements, prohibit surrogate advertising, and regulate advertisements that target children.

Guidelines for Prevention and Regulation of Dark Patterns, 2023: These guidelines are applicable to platforms offering goods and services, advertisers and sellers and service providers and prohibit them from engaging in certain types of “dark patterns”. These dark patterns include engaging in “false urgency”, “subscription traps”, “basket sneaking”, “confirm shaming” and “drip pricing”.

5. Apart from the above, there are also provisions in the Bharatiya Nyaya Sanhita, 2023 (‘BNS’) (earlier known as the Indian Penal Code) which govern certain cybercrimes. Sections 303, 314, 318 and 319 of the BNS cover cybercrimes such as theft, dishonest misappropriation of property and cheating.

6. Regulators, such as the Reserve Bank of India, Telecom Regulatory Authority of India and Insurance Regulatory and Development Authority of India also impose certain technology-related compliances on the sector-specific entities they regulate.

Regulatory Headwinds

India has looked at regulations for the Information Technology sector with multiple objectives:

• Enabling adoption of new technologies for achieving greater efficiencies: from electronic signatures under IT Act to providing safe harbour to intermediaries for online content;
• Tackling harms and ill effects of new technologies: from cyber-crimes and content offences involving computer resources under IT Act to influencing product designs for data protection, consumer protection and overall online safety and prohibiting online gambling;
• Developing indigenous technology frameworks: for various policy objectives, India has been scaling up its Digital Public Infrastructure successfully and even looking to expand beyond its borders. Data sovereignty and data localisation in particular, has remained an important objective in addition to India’s ambitious push to have indigenous technology leadership in AI and deep tech.

Overall, the Government continues to bring in new regulation / amend existing regulation rapidly to achieve the above main objective. For e.g., it is considering replacing the IT Act with a new Digital India Act which may re-evaluate safe harbour immunity granted to intermediaries and add substantial compliance obligations and depth for those in the digital operations.

II. What three essential pieces of advice would you give to clients involved in Information Technology sector matters?

For clients in the IT sector, it is essential to:

• When entering the India market, keep legal and regulatory regime as a key metric for your business decisions. India is a complex and large market with multiple legal and regulatory touch points serving what is still a welfare state. They should be engaged with in the right manner respecting the various objectives they serve.
• When going about India operations and launch of products, conduct timely assessments of regulatory and policy risks impacting them. India has a dynamic environment with a strong push to be world leaders in a few decades, and yet carries uniquely Indian issues. It is important to understand the regulatory objectives, headwinds and market and enforcement trends to see beyond the written letter of the law and policy;
• When things become contentious, it is important to act quickly and strategically. Having a holistic perspective on the sector acts as an important asset when moving into disputes.

III. What are the greatest threats and opportunities in Information Technology sector law in the next 12 months?

As data consumption continues to increase in India, related threats and opportunities increase too. The following areas have the greatest potential in the next 12 months:

1. Data Protection: India has finally enacted a dedicated data protection framework. It mandates extensive compliances for corporations, and grants specific rights to people whose personal data they process. There is a well laid down enforcement mechanism with hefty penalties. This area of law, which actually encompasses all other sectors given the ubiquity of data processing today, will see a lot of opportunities for practitioners from a regulatory, policy, disputes and transactional perspective..
2. Cybersecurity: India’s IT laws as well as several sector specific regulations together govern cybersecurity in India. Ever increasing incidents of malicious attacks, data breaches and disruptions due to malicious activities, coupled with frauds and scams on end users are causing severe losses. Therefore, cybersecurity remains one of the key practice areas under the information technology sector.
3. Platform Economy and Intermediary Liability: India’s burgeoning platform economy—encompassing e-commerce, gig work, and digital intermediaries—faces an evolving regulatory landscape. The Government continues to expand pre-conditions for availing safe harbour for digital platforms and further impose consumer protection norms on e-commerce platforms. There has been growing litigation on issues such as content takedown and moderation, with increased talk of diluting safe harbour protections. As business models and regulations both evolve, the role of legal counsels in balancing both would remain critical.

At the same time, key concerns for the sector include:

• Evolving business realities due to AI: A number of large technology contracts would require relook as AI continues to disrupt business operations and models. A number of standard IT operations and processes will cease to exist, thereby impacting commercial transactions, and potentially opening up disputes.
• Premature and over-regulation: To fully realise India’s tech potential and create an innovation-based environment, our institutions – all three state organs – would need to exercise caution in regulation. Many-a-times, a bad incident which warrants state action has resulted in bad interventions, through an overbroad amendment to laws, or an unworkable court order. Such instances hamper confidence in our ability to regulate tech issues in a responsible fashion.

Caution, along with taking along all relevant stakeholders, is key to an optimal solution.

IV. How do you ensure high client satisfaction levels are maintained by your practice?

For legal practice in the Information Technology sector, we adopt the following approach:

• Stay up-to-date on regulations as well as technology and engage with clients proactively;
• Keep advice focused on enabling business while identifying and flagging all legal risks adequately;
• Recognise market practice, business realities and enforcement trends to provide a well rounded risk assessment;
• Articulate what is achievable and what is not in terms of results, and do not give false or unreal assurances;
• Maintain strong cybersecurity hygiene and confidentiality in communications;
• Be responsive and consistent for gaining long term trust; and
• Communicate clearly.

V. What technological advancements are reshaping Information Technology sector law and how can clients benefit from them?

Some key technological advancements that are reshaping the Information Technology sector are:

1. Artificial Intelligence: Artificial Intelligence is the single biggest technological advancement of our times which will transform most aspects of our lives. Laws in IT will evolve to regulate AI in some manner, while hopefully encouraging the development and deployment of AI for most part.
   With the right supervision and support, clients can benefit from AI immensely. It will make business processes efficient many-fold, and would let legal teams focus on strategic legal work with tremendous support at their disposal. For example, Generative AI tools can process large volumes of information and churn out complex reports in seconds; Agentic AI can take it a step further and turn around specific action items.
2. Blockchain: Blockchain technology has become a practical tool in the legal space. Smart contracts which have recently become popular (although not recognised by the courts), assist many clients in managing digital assets, licensing agreements and transactions.
   Blockchain technology helps clients in maintaining privacy, reducing the costs of transactions by eliminating intermediaries in licensing agreements. Blockchain based technology also assists intermediaries with identity verification by preserving the users privacy.

While business efficiencies are one aspect of technology use, technology has also been increasingly used to maintain corporate accountability. Firms are increasingly relying on technology for internal investigations (e.g. flagging mails and documents). At Shardul Amarchand Mangladas, we too have a forensic wing which is focused on leveraging technology to ensure high standards of corporate compliance