What Data Does Instagram Share With the Indian Government?

Every time you open Instagram in India, you’re using a platform that operates under some of the world’s strictest digital regulations. The IT Intermediary Rules 2021 (amended most recently in February 2026) and the Digital Personal Data Protection Act 2023 together create a legal framework that requires Meta to share your data with Indian authorities — under specific conditions.

In this Indiagram guide, we’ll break down exactly what gets shared, when, and what legal protections you have.

The Legal Framework: Two Laws Working Together

Think of India’s data-sharing framework as two locks on the same door:

Lock 1 — IT Intermediary Rules (Rule 3(1)(j)): These rules require Instagram to provide information or assistance to any lawfully authorised government agency within 72 hours of receiving a written order. The order must clearly state the purpose — whether it’s for identity verification, crime prevention, investigation, prosecution, or cyber security incidents.

Lock 2 — DPDP Act 2023: This law governs how personal data is processed, but includes broad exemptions allowing government agencies to access your data for national security, sovereignty, public order, and law enforcement purposes — without the usual consent requirements.

For a deeper understanding of both laws and how they interact, check out our complete interactive e-book: India’s Digital Laws For Dummies.

Exactly What Data Can Be Shared

When Instagram receives a valid legal order from Indian authorities, here’s what they can hand over:

Account Information

Your name, email address, phone number, profile information, registration date, and any verification details you’ve provided. Essentially, everything you gave Instagram when you signed up — and everything you’ve added to your profile since.

Device & Login Data

IP addresses you’ve logged in from, device IDs, browser fingerprints, login timestamps, and session information. This data can be used to identify your physical location and the devices you use to access Instagram.

Content

Your posts, Stories, Reels, comments, and — if specified in the legal order — your Direct Messages. This includes content you’ve posted publicly and content shared privately with other users.

Activity Logs

Your login history, location data (if you’ve enabled location services), search history within the app, and interaction patterns — who you follow, who follows you, what content you engage with.

Financial Data

If relevant to an investigation (such as fraud or tax evasion cases), payment information associated with your account, including any transactions through Instagram Shopping.

Message Tracing

Under Rule 4(2), messaging platforms like WhatsApp (also owned by Meta) can be compelled to identify the first originator of a message — though not the message content itself. This applies only to serious offences like terrorism, child sexual abuse, or threats to national security, and requires either a court order or a Section 69 order under the IT Act.

The Numbers: How Much Data India Actually Requests

Meta publishes transparency reports showing government data requests globally. For India:

• Instagram restricted over 28,000 pieces of content in India in 2025 based on legal orders
• Platforms must respond to law enforcement within 72 hours (24 hours for online gaming platforms)
• Removed content must be preserved for 180 days for investigation purposes
• A 24/7 nodal contact person must be available for law enforcement coordination at all times

The 2026 Changes: What’s New

The February 2026 amendment to the IT Rules (G.S.R. 120(E)) introduced several changes that affect data sharing:

3-hour takedowns: When the government issues a notice about unlawful content, platforms now have just 3 hours to remove it — down from 36 hours. While this is about content removal rather than data sharing, it shows the accelerating pace of government-platform interaction. Learn more about this in our guide to Instagram’s deepfake rules.

AI content tracking: Platforms must now embed permanent metadata in AI-generated content with unique identifiers. This creates a new category of trackable data — the government can potentially trace any piece of synthetic content back to the specific platform and user that created it.

Faster complaint resolution: General complaints must now be resolved in 7 days (previously 15), and intimate image complaints in 2 hours (previously 24). Each complaint generates data that may be accessible to authorities.

What Legal Protections Do You Have?

It’s not a free-for-all. There are safeguards built into the system:

Written orders required: Rule 3(1)(j) requires that any data request must be in writing and clearly state the purpose. Random or verbal requests aren’t valid.

Authorised officers only: Under the 2025/2026 amendments, government notices must come from officers not below the rank of Joint Secretary (or DIG for police matters). This prevents low-level officials from making arbitrary data requests.

Monthly review: All government intimations must be reviewed by a Secretary-level officer every month to ensure they’re necessary and proportionate.

DPDP Act rights: You still have the right to know what data is being collected about you, request corrections, and (in non-law-enforcement contexts) demand deletion of your data.

Grievance mechanisms: If you believe your data was improperly accessed, you can file complaints through the platform’s grievance officer and escalate to the Grievance Appellate Committee.

How to Protect Your Privacy on Instagram in India

While you can’t prevent lawful data sharing, you can minimise your exposure:

• Audit your profile: Remove unnecessary personal information from your Instagram bio and profile
• Review app permissions: Disable location access, limit photo library access, and review connected apps
• Use two-factor authentication: Protect your account from unauthorised access that might trigger false investigations
• Be mindful of DMs: Remember that DM content can be included in legal orders
• Download your data: Instagram lets you download a copy of all your data — do this periodically to know what they have

For a comprehensive deep-dive into all these laws — including an interactive comparison table, industry-specific breakdowns, and FAQ section — read our India’s Digital Laws For Dummies e-book.

The Bottom Line

Instagram and Meta are legally obligated to share your data with Indian authorities when presented with valid legal orders. The framework is structured — not arbitrary — with safeguards including written orders, authorised officers, and periodic reviews. But the trend is unmistakable: India’s digital laws are getting stricter, timelines are getting shorter, and the scope of shareable data is expanding with each amendment.

Understanding these laws isn’t just for lawyers — it’s essential knowledge for every one of India’s 455 million Instagram users. And that’s exactly why Indiagram exists.