BACK TO IT ACT
IT Act 2000AMENDED 2008

Section 67C

Preservation and Retention of Information by Intermediaries

THE STATUTE

Original Text

An intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe. (2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Simplified

Section 67C imposes a mandatory data retention obligation on intermediaries — it is the enforcement backbone of the government's ability to investigate cybercrime. Without retained logs, IP addresses, and communication records, law enforcement agencies cannot trace criminals who have committed offences weeks or months earlier. The provision works by delegation: the Central Government prescribes by rules what information must be kept, for how long, and in what format. The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 currently require intermediaries to: (a) preserve records of users for 180 days for investigation purposes upon government or court order; and (b) enable traceability of the first originator of messages for Significant Social Media Intermediaries (SSMIs) with 50 lakh+ users. The traceability requirement — which mandates that WhatsApp and similar platforms be able to identify who first sent a message — has been the subject of ongoing legal challenge. WhatsApp filed a writ petition before the Delhi High Court arguing that traceability is incompatible with end-to-end encryption and violates users' right to privacy. Section 67C's fine is not capped in the bare text ('liable to fine') — the quantum is left to judicial discretion, which is unusual in the IT Act's otherwise fine-capped structure. The provision operates as both a sword (law enforcement tool) and a shield (a basis for platforms to assert compliance in safe-harbour claims under Section 79).

Common Queries

The IT (Intermediary Guidelines) Rules 2021 require intermediaries to retain user records for 180 days for law enforcement purposes. VPN providers and cloud service providers must retain logs for 5 years under the CERT-In Directions 2022.
The traceability requirement under Rule 4(2) of the 2021 IT Rules (made under Section 67C's authority) requires identification of the first originator of messages — WhatsApp argues this is incompatible with end-to-end encryption. The matter is pending before the Delhi High Court.
Section 67C(2) punishes intentional or knowing non-compliance with up to 3 years imprisonment and fine. The offence is bailable and non-cognizable.

Legal Evolution

Section 67C was inserted by the IT (Amendment) Act 2008. The 2008 Amendment recognised that as cyber investigations increasingly depended on digital evidence held by intermediaries, a statutory retention obligation was necessary. The 2011 Intermediary Guidelines Rules and the substantially revised 2021 IT Rules have progressively elaborated the retention framework under Section 67C's authority.

Key Amendments

Inserted by IT (Amendment) Act 2008 — no equivalent in original IT Act 2000.

IT Rules 2021 expanded retention and traceability obligations for Significant Social Media Intermediaries.

WhatsApp v. Union of India (Delhi HC) — ongoing challenge to traceability mandate under this section.

Landmark Precedents

WhatsApp LLC v. Union of India (2021)

W.P.(C) 3918/2021 (Delhi HC — pending)
RELEVANCE

WhatsApp challenged the Rule 4(2) traceability mandate under the 2021 IT Rules (made under Section 67C's rule-making power) as violating privacy and the right to encryption — the case remains pending before the Delhi High Court.