Skip to content
🚨 DPDP Rules 2025: Compliance Deadline 44 weeks awayRead handbook →

India's IT Rules and DPDP Act Are Forcing Businesses to Delete and Retain User Data at the Same Time

India's Draft IT Second Amendment Rules 2026 mandate 180-day data retention while the DPDP Act requires erasure when consent lapses — with no statutory fix in sight.

D
DPDPBot Research Team
🕐 10 min read

#India's IT Rules and DPDP Act Are Forcing Businesses to Delete and Retain User Data at the Same Time

India has given digital platforms an impossible assignment: erase user data when consent lapses, and retain the same user data for at least 180 days. Both obligations come from the central government. Neither law acknowledges the other. And the penalty for getting it wrong under each regime is severe enough to end a business.

This is not a hypothetical future risk. It is the current state of Indian digital regulation as of July 2026, created by the simultaneous operation of the Digital Personal Data Protection Act, 2023 and the Draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Second Amendment Rules, 2026 — a conflict that legal teams are only beginning to fully map, and that most compliance programs have not yet built a response to.


#Two Laws, Two Irreconcilable Mandates

The DPDP Act is India's foundational privacy law. Section 8(7) is unambiguous: a Data Fiduciary must erase personal data as soon as the purpose for which it was collected has been fulfilled or the Data Principal withdraws consent — whichever comes first. There is no minimum retention window. There is no government override clause. The mandate is to delete, promptly.

Now consider the Draft IT Second Amendment Rules, circulated by MeitY on March 30, 2026, with public comments requested by April 14. This draft amends Rule 3(1) of the existing IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, adding a new sub-clause that requires intermediaries to retain certain user-related and grievance-linked information for a minimum period of 180 days — even after content is deleted or a grievance is resolved.

The draft's own language acknowledges the tension: it states that the retention obligation operates "without prejudice to any other requirement under the Act or any other law." In plain English, that means both obligations apply simultaneously. Intermediaries cannot satisfy one by invoking the other. They must comply with both — even when both cannot be complied with at once.


#What the Draft IT Second Amendment Rules Would Change

The February 10, 2026 IT First Amendment — already in force since February 20 — focused on artificial intelligence and synthetic content: mandatory labeling of AI-generated media, user self-declarations about deepfakes, compressed 3-hour government takedown windows, and new obligations around synthetically generated information (SGI). That amendment is live. Major platforms are already operating under it.

The Draft Second Amendment, published by Lakshmikumaran & Sridharan in a detailed analysis on June 18, 2026, goes further in four significant directions:

1. MeitY advisories become part of safe-harbor due diligence. Under Section 79 of the IT Act, intermediaries are shielded from liability for third-party content if they exercise due diligence. The draft amendment ties that safe-harbor directly to compliance with MeitY-issued clarifications, advisories, standard operating procedures, codes of practice, and guidelines. If a platform fails to follow an informal MeitY advisory — not a court order, not a statutory rule, but an advisory — it risks losing its Section 79 immunity. This is a structural shift that effectively makes executive guidance legally enforceable without the parliamentary safeguards that formal rulemaking requires.

2. The 180-day data retention floor. Even after user data is deleted per DPDP obligations, intermediaries must retain user-linked grievance data and user information for a minimum of 180 days. The purpose is law enforcement access and accountability — but the mechanism collides directly with DPDP's consent-withdrawal erasure requirement.

3. The Inter-Departmental Committee's scope expands dramatically. The IDC, previously limited to overseeing content from news publishers, would gain authority over all intermediaries and all user-generated content. The IDC would also be empowered to take up matters referred by any government department, not just formal complainants.

4. Social media platforms come under Information and Broadcasting oversight. Rule 8(1), as amended, would bring platforms hosting user-generated news and current-affairs content under the Ministry of Information and Broadcasting's regulatory reach for the first time.

As of July 2, 2026, the draft has not yet been formally notified in the Gazette of India. But the consultation period has closed, and legal analysts following MeitY's pace of notification expect a formal gazette notification before September.


#The Core Contradiction: Erase vs. Retain

Here is the specific compliance trap the two instruments create together.

A user posts a complaint through an intermediary's grievance mechanism. The intermediary processes it, logs the details, and resolves the matter. If the user then withdraws consent to data processing — which the DPDP Act expressly permits — Section 8(7) requires erasure of their personal data. But under the Draft Second Amendment, the intermediary must retain the grievance-linked user data for 180 days from the date of the complaint, regardless of consent withdrawal.

There is no statutory reconciliation framework. The draft does not amend the DPDP Act. The DPDP Act does not acknowledge IT Rules retention obligations. Intermediaries operating across both frameworks face a genuine legal impossibility: they must simultaneously comply with an erasure mandate and a retention mandate for the same dataset.

A detailed legal analysis from Candour Legal describes this as "fundamental simultaneous imposition of contradictory duties at a critical moment when DPDP Rules enter binding effect." The analysis recommends that compliance teams immediately map cross-regime retention obligations, build documented exception frameworks, and review consent architecture — but notes that the amendment "provides no statutory reconciliation framework, leaving platforms to document exceptions themselves."

The same conflict appears in a separate context: government data demand powers. DPDP Act Sections 36 and Rules 22–23 allow government data requests for sovereignty and security purposes without disclosing those requests to data subjects. The Draft Second Amendment's Rule 3(4) gives MeitY a parallel channel to direct data surrender through advisories, operating below the constitutional thresholds that the Supreme Court set in Shreya Singhal v. Union of India. Critics, including the Internet Freedom Foundation, have described this as a mechanism for executive data access without judicial oversight.


#Who Gets Hit Hardest

The collision is not equally distributed across sectors.

Major social media platforms — Meta/WhatsApp, YouTube, X, Snapchat, Instagram — face the broadest exposure. They handle enormous volumes of user grievances daily, maintain large datasets of user behavioral information, and are already navigating WhatsApp's ongoing Supreme Court data-sharing case, in which Meta undertook to comply with data privacy safeguards by March 16, 2026. Adding a 180-day retention floor across grievance-linked data creates a compliance stack that legal teams at these companies describe as "layered without a resolution."

EdTech platforms face a specific version of the problem. The DPDP Act requires verified parental consent for processing data of children (defined as individuals under 18). But the 180-day retention rule would require platforms to retain user-grievance data even after consent is withdrawn — a direct conflict for platforms handling student complaint data, which often contains sensitive educational and behavioral information.

Fintech and payment gateways simultaneously navigate RBI data localization requirements, DPDP Act obligations, and IT Rules. The Online Gaming Authority Rules, effective May 1, 2026, added another layer of compliance obligations for gaming companies that also process financial data.

News aggregators and content platforms face a new and untested exposure: the draft's Rule 8(1) expansion would subject them to the Content Ethics Code previously limited to broadcasters and publishers — without clarity on how journalistic content processed as personal data interacts with DPDP's exemptions, which currently offer no carve-out for journalism. The Editors Guild of India flagged this gap explicitly after the DPDP Rules were notified, and three Supreme Court petitions filed in February 2026 are now before a larger constitutional bench on precisely this question.


#Penalty Exposure Is Not Hypothetical

Both regimes carry real penalties, and they do not cancel each other out.

Under the DPDP Act, failure to erase personal data when required — either when consent is withdrawn or when the purpose lapses — is a failure to maintain "reasonable security safeguards" for personal data. That attracts penalties of up to ₹250 crore per violation, and the Data Protection Board of India, which received its first chairperson and Members in June 2026, is now operationally capable of imposing them.

Under the IT Rules, failure to comply with the due-diligence framework strips intermediaries of their Section 79 safe harbor. Without that protection, platforms become directly liable for all third-party content hosted on their services — an exposure that has no statutory ceiling and that courts can interpret expansively. For a platform with millions of users generating content continuously, losing Section 79 protection is an existential threat.

There is no "pick your compliance" option here. Choosing to comply with DPDP erasure requirements while ignoring the IT Rules retention floor creates IT Act liability. Choosing to retain data to satisfy the IT Rules draft while ignoring a DPDP consent withdrawal creates DPDP Act liability. The only defensible path is to document the conflict explicitly and seek legal clarity — which, as of today, requires companies to act before the formal gazette notification arrives.


#What Businesses Should Do Before the Second Amendment Lands

The draft is not yet in force. That window matters. Companies that move now can structure their compliance architecture before the conflict becomes legally binding, rather than retrofitting it afterward.

Map your cross-regime data flows. Identify every category of user data that triggers both DPDP consent obligations and IT Rules grievance-logging requirements. These datasets need separate treatment: data that is both consent-held and grievance-linked cannot be managed by a single deletion workflow.

Build a documented exception framework. Until Parliament or MeitY provides a statutory reconciliation mechanism, the only defensible approach is explicit documentation of why a specific dataset is being retained beyond a DPDP consent withdrawal — citing the applicable IT Rules provision and the absence of a conflict-resolution clause.

Review your consent architecture against layered obligations. DPDP-compliant consent notices need to disclose all purposes for which data will be processed, including purposes triggered by legal obligations like IT Rules retention. If your current consent notice does not disclose grievance-data retention as a processing purpose, it needs to be updated before full DPDP enforcement kicks in.

Watch for the gazette notification. When the Draft Second Amendment is formally notified, its effective date will be the trigger for all 180-day retention obligations. Legal teams should have their compliance playbook ready to deploy immediately, not after the notification date.

For organizations already implementing DPDP compliance programs, the consent manager and data mapping capabilities available within your DPDP framework are the right starting point — they give you visibility into which datasets carry concurrent obligations and which consent withdrawals will trigger conflict. Resources on how to structure cross-regime documentation are available at /resources.


#The Bigger Picture: India Is Building Two Regulatory Architectures Simultaneously

The deeper issue the Draft Second Amendment reveals is structural. India is simultaneously building a European-style privacy framework (the DPDP Act, with consent-centric, rights-based architecture) and an enforcement-and-oversight framework (the IT Rules and their amendments, with government-centric, content-control architecture). Both are legitimate policy goals. But neither was designed with the other in mind, and the result is a compliance environment where the two frameworks produce contradictory primary duties for the same entities over the same data.

The Supreme Court's March 2026 hearings on constitutional challenges to the DPDP Act raised exactly this structural question — pressing the government on where the boundary between public data and private data lies, and whether the Act's exemptions for government bodies are constitutionally sustainable. A larger constitutional bench is now tasked with that question. Until it answers, and until Parliament or MeitY provides explicit guidance on how IT Rules retention obligations interact with DPDP erasure requirements, Indian businesses are navigating a compliance environment with two legally binding compasses pointing in different directions.

That is not a reason to wait. It is a reason to start building now.

Automate your DPDP compliance

Capture consent, honour data principal rights, and stay audit-ready — all in one platform.

Start free trial