‘Progressive on paper, tough in practice’: Stakeholders point gaps in MeitY’s NCII norms
Experts highlight that roughly 800 OSCs must now serve a population of 1.4 billion. Many of these centres already face resource shortages and are now expected to handle cyber-sensitive complaints requiring technical skills.
ADVERTISEMENT
Legal and digital policy experts have raised serious concerns over the operational feasibility, institutional readiness, and compliance burdens introduced by the Ministry of Electronics and Information Technology’s (MeitY) new Standard Operating Procedure (SoP) to Curtail Dissemination of Non-Consensual Intimate Imagery (NCII). While most welcomed the intent behind the framework, they cautioned that without stronger implementation mechanisms, the guidelines risk being more effective on paper than in protecting victims.
The SoP, made public following a direction from the Madras High Court, outlines how victims can seek removal of private or intimate content shared online without consent. The Court had earlier asked the Centre to develop a “prototype” describing the steps available to affected individuals.
Issued under Clause (b) of sub-rule (2) of Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the SoP aims to create a coordinated response mechanism between intermediaries, government agencies, and law-enforcement authorities.
However, experts warn that the framework’s success will depend less on its legal soundness and more on its execution. They point to potential over-removal of content, limited institutional capacity at ground level, and the absence of clear funding and oversight mechanisms as major barriers.
Dhruv Garg, Founding Partner at the Indian Governance and Policy Project (IGAP), said the SoP is not introducing a new legal regime but formalising existing ones. “The immediate trigger for the publication was the Madras High Court proceedings, but its fundamentals were already set in Prajwala v. Union of India and the Intermediary Guidelines Rules under the IT Act,” Garg noted. “This SoP consolidates those obligations, mechanisms, and touchpoints.”
He emphasised that the framework’s utility depends on public awareness. “The main thrust should be publicising remedies that help victims swiftly manage the dissemination of NCII. Unless citizens know how to access these remedies, the SoP will have limited practical effect. The government and digital platforms must invest in widespread awareness campaigns,” he said.
Once a complaint is received, intermediaries must remove or disable access to the reported content within 24 hours, acknowledge the action to the complainant, and use crawler or hash-matching technologies to detect “identical or derivative” content across other URLs. They must also share hashed identifiers of the content with the Indian Cyber Crime Coordination Centre (I4C) via the Sahyog Portal to prevent reappearance.
Kazim Rizvi, Founding Director of The Dialogue, said these requirements could significantly raise compliance complexity. “While the SoP is a welcome step in affirming the seriousness of online abuse, it may also introduce considerable operational and compliance challenges,” Rizvi said. “Platforms already use hash-based tools for exact duplicates, but determining what constitutes ‘similar’ or derivative content could lead to over-removal of legitimate material or under-enforcement, leaving gaps in protection.”
He added that smaller intermediaries might struggle to deploy crawler technology and real-time detection tools, given cost constraints and the need for dedicated moderation staff. Privacy advocates have also flagged risks around cross-platform hash-sharing, particularly where servers are hosted outside India.
Institutional capacity remains a weak link
The SoP identifies One Stop Centres (OSCs) established under the Ministry of Women and Child Development as a key reporting channel for NCII complaints. An affected person—or anyone acting on their behalf—can approach the nearest OSC, which must then coordinate with intermediaries and law enforcement for swift content removal.
Yet, experts highlight that roughly 800 OSCs must now serve a population of 1.4 billion. Many of these centres already face resource shortages and are now expected to handle cyber-sensitive complaints requiring technical skills. Local police stations, which victims are encouraged to approach, often lack cybercrime training and sensitivity in handling intimate imagery cases.
“The institutional gap is glaring,” said a cyber policy researcher. “Victims of NCII often fear stigma or secondary trauma when reporting. Without training and digital forensics support, OSCs and local police may not be equipped to ensure confidentiality or timely action.”
The SoP also advises victims to use the National Cybercrime Reporting Portal (NCRP) for redress. But accessibility and usability remain concerns, especially for victims in Tier-3 and rural areas. The portal’s interface requires URL identification and cyber-related details that many users cannot easily provide.
Advocate Siddharth Chandrashekhar of the Bombay High Court said that despite its progressive spirit, the SoP’s real-world impact depends on implementation quality. “Multiple reporting channels sound great, but unless One Stop Centres are genuinely accessible and sensitive, we’re building a highway nobody feels safe driving on,” he said.
He warned that hash-matching and automated detection technologies require significant investment. “The framework assumes all platforms have the same technological capacity, which isn’t true. Many small platforms lack resources to deploy such systems. Without state-supported infrastructure or training, compliance will be uneven,” Chandrashekhar added.
Legal experts have called for MeitY to supplement the SoP with detailed operational guidelines, budgetary support, and periodic audits to ensure effective enforcement. Aurelia Menezes, Partner at King Stubb & Kasiva, said the challenge lies in “ensuring quick yet accurate verification within such short timelines.”
“Smaller intermediaries will face capacity issues, while cross-border hosting and privacy safeguards in hash-sharing mechanisms need robust oversight,” Menezes explained. “The framework’s intent is progressive, but its success depends on how efficiently platforms, law enforcement, and cyber units coordinate to translate these norms into real, victim-centric action.”
Stakeholders also emphasised the importance of victim-sensitive training for personnel across OSCs, police stations, and digital grievance cells. Without capacity-building and community outreach, experts warn, victims—especially women and minors—may remain hesitant to report NCII incidents.
SoP marks an important step in India’s evolving approach to online safety and privacy. Experts agree that MeitY’s publication signals the government’s recognition of digital dignity as a key rights issue. But the consensus among stakeholders is clear: without robust institutional support, clear coordination protocols, and public awareness, the SoP risks being a well-intentioned but weakly implemented measure in India’s digital governance framework.
