The 2009 Rules

The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 – referred to here as the “Blocking Rules 2009” – were notified to give procedural flesh to Section 69A of the Information Technology Act, 2000. This provision empowers the Central Government to direct any agency or intermediary to block access to certain information or content that is available online, provided such blocking is necessary or expedient in the interest of:

These rules are intended to provide a clear procedural pathway for exercising this power – and to ensure that orders of blocking are not passed arbitrarily, but follow a regulated mechanism.

The Blocking Rules lay out a tiered process involving designated officials and committees at every stage. A Nodal Officer (appointed by the government – presently from the MeitY) is responsible for receiving complaints from the public or government agencies about potentially unlawful online content. Once a complaint is found to fall within the permissible grounds under Section 69A, it is forwarded to a Designated Officer – an officer of Joint Secretary rank – for further examination.

At this stage, a Committee for Examination is constituted. This Committee is chaired by the Designated Officer and includes representatives from key Ministries: Law and Justice, Home Affairs, Information & Broadcasting, and the Indian Computer Emergency Response Team (CERT-In). The Committee’s role is to scrutinize the complaint and any accompanying materials to determine whether blocking is warranted.

The Committee is required to issue a notice to the originator of the content or the intermediary hosting it, giving them an opportunity to respond. However, the Rules are clear on one point – the originator (i.e., the actual content creator) need not always be heard. The obligation is limited to providing the opportunity to the hosting platform, not the original author. This exclusion has been the subject of significant criticism, especially when understood in the context of the safe harbour provision. That is, whereas the intermediaries are recognized not to be liable for content that they transmit (save as specified under the Intermediary Rules), they are required to justify the presence of such content – which they have no stake in.

If, after this hearing, the Committee believes the content must be blocked, it forwards its recommendation to the Secretary, MeitY. Only after the Secretary’s formal approval can a blocking order be issued. In urgent or emergency cases, however, an interim order can be passed without a prior hearing – but such an order must be reviewed by the Committee within 48 hours.

The Rules provide for a Review Committee at the apex level, chaired by the Cabinet Secretary, and comprising the Secretaries of Legal Affairs and Telecommunications. This Review Committee is mandated to meet at least once every two months and examine whether the blocking directions issued under Section 69A were made in accordance with the law. If the Committee finds any blocking direction to be legally unjustified, it can revoke the order.

All decisions – whether they involve blocking, refusal to block, or revocation – must be recorded in writing. This requirement is meant to preserve traceability and ensure that blocking decisions can be revisited, at least internally.

The most controversial element of the Blocking Rules is Rule 16, which requires strict confidentiality of all complaints, requests, and actions taken under these rules. In practical terms, this means the public is often unaware of what content has been blocked, who requested it, and why. Unlike court orders that are published or accessible, blocking directions issued under Rule 16 are withheld from public disclosure. This raises serious concerns regarding transparency and public accountability, especially in the context of the three-pronged test outlined under K.S. Puttuswamy (supra).

The Supreme Court, in Shreya Singhal v. Union of India (supra), upheld the constitutionality of Section 69A and the Blocking Rules, while striking down Section 66A of the IT Act for being vague and overbroad. The Court held that the safeguards under the Blocking Rules – particularly the requirement for notice and post-decision review – were sufficient to prevent abuse. However, critics argue that Rule 16’s confidentiality clause and the lack of mandatory disclosure obligations effectively shield the entire blocking process from public scrutiny.

The issue came to the fore again in Twitter (now X Corp.) v. Union of India (2023), where Twitter challenged several blocking orders issued by MeitY. Twitter argued that many of these orders were procedurally flawed, lacked proportionality, and failed to comply with the due process requirements under Section 69A and the Blocking Rules. The Karnataka High Court, however, upheld the government’s position and imposed a ₹50 lakh fine on Twitter for failing to comply with the directions. The Court also held that entire accounts, and not just specific posts, could be blocked under Section 69A. This judgment has further cemented the expansive power available to the government, and demonstrated the limited remedial options available to platforms and users affected by blocking orders.

The Blocking Rules 2009 thus form one of the most potent instruments available to the Indian Government for regulating digital information flows – but they also represent one of the opaquest, and arguably least accountable, aspects of Indian tech law enforcement today.

The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, referred to here as the Monitoring Rules 2009 were notified to operationalise Section 69 of the IT Act, and lay down the procedure for government agencies to conduct surveillance of digital communications, including emails, messages, and calls, for national security and law enforcement purposes. The grounds of enforcement are the same as with the Blocking Rules, with the addition of “investigation for offence.”

The Monitoring Rules prescribe a hierarchical mechanism involving specified authorities and procedural checks. A direction for interception or monitoring can only be issued under Rule 3 of the Monitoring Rules 2009 by the Secretary in the Ministry of Home Affairs (at the Central level) or the Home Secretary of the relevant State or Union Territory (referred to as the “Competent Authority”). In emergent or unavoidable cases, a direction may be issued by an officer not below the rank of Joint Secretary – but such direction must be confirmed by the Competent Authority within seven working days, failing which it lapses.

Only government agencies specifically authorised under Rule 4 – such as the Intelligence Bureau, Central Bureau of Investigation (CBI), National Investigation Agency (NIA), Enforcement Directorate (ED), and the Commissioner of Delhi Police – may be directed to carry out such interception.

Applications seeking such orders must clearly specify the person or class of persons and the computer resource to be targeted, along with the reasons justifying the surveillance. If approved, the initial order is valid for a maximum of 60 days and may be extended, provided the cumulative period does not exceed 180 days (Rule 11). Following the expiry of the interception/decryption period, the electronic records received shall be destroyed within 2 months (Rule 23(2)), and all records shall be destroyed every 6 months except if new information is received or existing information is required for procedural reasons (Rule 23(1)).

Intermediaries – such as internet service providers, telecom companies, or messaging platforms – are obligated under Rule 13 to provide all technical assistance required to execute the interception. They are also bound to maintain strict confidentiality and cannot disclose the existence of such an order to any party. Rule 20 also mandates that these intermediaries will be liable for the actions of their employees in case of violation of this confidentiality.

As is the case with the Blocking Rules, confidentiality can prove to be a major issue – especially since the objective of these rules is surveillance.

Rule 22 provides that the Review Committee (as described under the Indian Telegraph Rules, 1951) shall sit at least once every 2 months to review the directions issued under Rule 3 are valid and true to the spirit of Section 69(2) – i.e., in accordance to any other relevant rules as prescribed by the government as well as the IT Act 2000. If they are of the opinion that the orders are not in consonance, they have the power to set aside the orders, and direct the destruction of all electronic records collected.

Further, Rule 24 provides for protection from unauthorised interception, and established punishments “as per laws in force,” such as under Section 43, 43A or 66 of the IT Act (among other provisions). In continuance of this, Rule 25 states that the information shall ONLY be revealed to the authorised officer as communicated to the intermediary under Rule 10.

The issue of confidentiality applies to these rules as well. Not only are citizens generally unaware if they are under surveillance, the government does not disclose data on the number of interception orders issued. This opacity also means that there is a lack of clarity with regards to the extent of government surveillance. However, naturally, the government may find it inappropriate to disclose information regarding surveillance being done for national security, but concerns regarding potential misuse of powers are inevitable.

The Review Committee’s powers under Rule 22 are to ensure that such misuse does not occur. However, the Committee, at the Central Level, consists of: (a) Cabinet Secretary: Chairman; (b) Secretary to the Government of India In-charge, Legal Affairs: Member; (c) Secretary to the Government of India, Department of Telecommunications: Member. The State level Review Committee consists of: (a) Chief Secretary: Chairman; (b) Secretary Law/Legal Remembrancer In-charge, Legal Affairs: Member; (c) Secretary to the State Government (other than the Home Secretary): Member.

The members of the Review Committee, however, are not independent members, and are all members of the executive. In fact, the entire process – from authorisation to review – is handled by the executive branch. There is no judicial review over the process. This is a huge concern, and threatens to provide the government with overwhelming power with respect to surveillance. Scholars suggest the addition of more independent members to the Review Committee, including judicial members to ensure objectivity.

The Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 – hereinafter referred to as the Traffic Data Rules 2009 – were issued to give effect to Section 69B of the IT Act, 2000. These Rules enable the Central Government to authorise designated agencies to monitor and collect “traffic data” or “information” through any computer resource, where such monitoring is considered necessary to enhance cybersecurity and prevent intrusion. Unlike the Blocking or Monitoring Rules, which target content or communication, these Rules are primarily concerned with metadata – the who, when, and how of communication, not the actual substance.

Under Rule 3 of the Traffic Data Rules 2009, the Central Government may authorise any agency to collect or monitor traffic data. Such authorisation must be made by an officer not below the rank of Joint Secretary to the Government of India. The authorised agency must submit a proposal outlining the purpose, the specific computer resource to be monitored, and the time period for which monitoring is sought. The scope of permitted grounds is limited to cybersecurity concerns. Specifically, monitoring may be carried out for the identification, analysis, and prevention of intrusion or spread of computer contaminants, such as malware or spyware.

The Rules do not apply to the content of communications – only to information such as origin, destination, route, time, and duration of communication, IP addresses, and domain names. These categories align with what is commonly referred to as metadata.

Rule 4 requires all intermediaries to provide the necessary facilities and technical assistance to enable the collection of such traffic data. However, they are also bound by strict confidentiality obligations.

The safeguards under these Rules are significantly weaker than those in the Blocking or Monitoring Rules. There is no formal Review Committee or periodic oversight body mentioned under the Traffic Data Rules. Rule 6 mandates that the information collected, as well as the process of collection, must be kept confidential.

The data collected is also subject to purpose limitation – it can only be used for cybersecurity objectives as specified in the direction. However, the enforcement of this limitation remains entirely within the executive framework, as is the case with the monitoring and blocking rules.

While the collection of metadata is often viewed as less intrusive than content surveillance, modern studies and jurisprudence increasingly recognise that traffic data can reveal deeply personal insights – including behavioural patterns, associations, and political or religious affiliations. Rule 5 prohibits any retention of data beyond what is authorised in the direction. However, critics argue that the absence of any formal review mechanism or independent oversight leaves open the possibility of abuse – particularly since the definition of “cybersecurity” in Section 69B is broad and ill-defined.

Further, as with the Blocking and Monitoring Rules, the Traffic Data Rules suffer from executive concentration of power, with no requirement for judicial authorisation, public disclosure, or external audit. The opacity of the regime, combined with the increasing sensitivity of metadata, raises red flags from a privacy and surveillance standpoint – especially in a post-Puttuswamy constitutional environment.

While the Traffic Data Rules are ostensibly more limited in scope, the absence of procedural and institutional safeguards means they can still function as potent tools of mass surveillance under the guise of cybersecurity.