The Information Technology (Intermediaries Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 ("New Rules") were notified by the Ministry of Electronics and Information Technology on 25 February 2021. The Part II of New Rules marks a paradigm shift in the treatment of safe harbour provided to intermediaries and significantly overhauls the obligations cast on them. This article analyses the Part II of New Rules and its impact on intermediaries, free speech and privacy.

Background

Safe harbour to intermediaries, i.e., exemption of liability against third-party content hosted by them, is laid down in Section 79 of the Information Technology Act, 2000 ("IT Act"). In 2008 learning from the infamous baazee.com case1 where the CEO of an e-auction website was charged under the Indian Penal Code, 1860 ("IPC") and IT Act, the nature and scope of safe harbour to intermediaries was expanded. The amended Section 79 of the IT Act accorded safe harbour to intermediaries under any law as long as certain pre-requisites were met.

An intermediary may show that its function is limited to providing access to third party content to avail safe harbour. If the intermediary's function is broader, then it has to ensure that it does not (i) initiate the transmission, (ii) select the receiver of the transmission and (iii) select or modify the information contained in the transmission. In both cases, the intermediary is required to comply with the due diligence requirements as stipulated.

However, the safe harbour will not be available to intermediaries if (i) it has been involved in the commission of an unlawful act and (ii) if it has failed to remove or disable access to any information after receiving actual knowledge or being notified by the appropriate government or its agency. In the seminal judgement of Shreya Singhal2, the Hon'ble Supreme Court read down the phrase "receiving actual knowledge" to mean through court order or notification by the appropriate government or its agency. The provision was watered down because "it would be very difficult for intermediaries like Google, Facebook, etc. to act when millions of requests are made and the intermediary if then to judge as to which of such requests are legitimate or not".

Before the promulgation of the New Rules, the due diligence requirement was stipulated by the Information Technology (Intermediaries Guidelines) Rules 2011 ("Old Rules"). The Government has been contemplating an amendment to the Old Rules since 2018. Draft of the proposed changes to the Old Rules was circulated, and a public consultation was carried out. However, the New Rules as promulgated are significantly different from the proposed draft that was circulated.

Overview of Part II of the New Rules

Part II of the New Rules pertains to due diligence by intermediaries and grievance redressal mechanisms. Like the Old Rules, the New Rules require publishing terms for access or usage of the intermediary's platform. The terms are required to inform users not to share any information that falls with certain categories like defamatory, obscene, pornographic, paedophilic or invasive of another's privacy or violative of any law in force etc. The categories largely remain the same with the addition of publication of "patently false and untrue" information for financial gain.

Some of the critical obligations cast on all intermediaries by the New Rules are listed as under -

  1. Intermediaries are required to periodically (at least once a year) inform their users of any change in the terms and that non-compliance would result in termination of access or usage rights or removal of non-compliant content.
  2. Any content voluntarily removed or disabled by an intermediary for non-compliance of terms will not bar an intermediary from availing safe harbour.
  3. Intermediaries must remove or disable access to the information within 36 hours of receipt of a court order or appropriate government or its agency under Section 79(3)(b) of the IT Act.
  4. Any information sought by law enforcement agencies should be provided within 72 hours.
  5. Intermediaries are required to appoint a Grievance Officer ("GO") whose contact details are available to users/victims. Upon receipt of a grievance, the GO must acknowledge the same within 24 hours and dispose of the grievance within 15 days. In cases where the grievance relates to sexually explicit content or morphed images, the content should be removed within 24 hours as far as practically possible.

The New Rules provide for a new category of intermediaries, i.e., significant social media intermediaries ("SSMI"), based on the number of registered users in India. The threshold has been set at 50 lakh users as of now. In addition to the base requirements for all intermediaries, SSMI's are required to comply with the following -

  1. Appoint a Chief Compliance Officer who will be responsible for compliance to the IT Act and rules and will be liable in case of failure to observe due diligence requirements. This should be a key managerial person or a senior employee who is a resident of India.
  2. Appoint a nodal contact person who is available 24x7 for coordination and compliance of law enforcement and their orders. The nodal contact person should also be an employee and resident of India.
  3. Appoint a Resident Grievance Officer, which as the name suggests, will be a GO who is a resident of India.
  4. Should have a physical contact address in India.
  5. To deploy technology-based measures to identify information that depicts rape proactively, child sexual abuse or content exactly identical to content previously removed or disabled after receipt of a court order or appropriate government or its agency. Such tools will be subject to periodic review and should factor in the free speech, expression and privacy of users.
  6. Where no other less intrusive means are effective, an order shall require a messaging service to identify the first originator in India by a court or competent authority under the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009. Such an order can only be passed in case of "an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years."

Given the additional obligations on SSMIs, the New Rules had contemplated a period of 3 months, i.e., till 26 May 2021 for ensuring compliance. Despite the lapse of this period, compliance and impact of these New Rules remain uncertain. On the one hand, two prominent SSMI's have challenged these New Rules before Delhi High Court3 over concerns relating to free speech and privacy. On the other hand, non-compliance of certain SSMIs has been challenged before the same Court.4 Non-observance of the New Rules will bar the intermediaries from availing of the safe harbour provision and make them liable under applicable law, including IPC.

Comments

In our view, the New Rules turn the concept of safe harbour for intermediaries in the IT Act on its head. The principle laid down in Shreya Singhal was to ensure that due diligence requirements do not elevate intermediaries to the status of super censors and arbiters of the legality of content. The Old Rules provided some leeway for intermediaries to remove or disable content or terminate accounts for violation of their terms while still ensuring that they are not precluded from availing safe harbour if the content is not actioned based on private complaints.

The New Rules tip the scales in favour of censorship. This is because of two factors (i) removal or disabling of content at intermediaries' instance, or pursuant to the grievance redressal mechanism is protected and not considered violative of pre-requisites to avail safe harbour and (ii) any non-observance of the New Rules will incur liability including criminal liability. The introduction of a shorter timeline for grievance redressal (i.e., 15 days compared to 30 days as envisaged in the Old Rules) puts an additional operational burden on all intermediaries, especially SSMIs, which likely receive thousands of complaints daily. Given the risk of criminal liability, it is more likely that intermediaries will lean in favour of removing or disabling accounts to limit their exposure instead of safeguarding free speech by letting content remain available.

Additionally, SSMIs are obligated to identify inappropriate content by deploying technology-based measures proactively. This leaves many questions unanswered, like how will constant monitoring impact the privacy of users? Is this a proportionate and legitimate exception to privacy, especially considering that a large volume of monitored content will be lawful? How accurate can determinations by technical measures be in reality? Although the New Rules call for free speech and privacy aspects to be considered, it is unclear how this will be achieved. Interestingly, both these requirements appear to be irreconcilable with one of the pre-requisites of availing safe harbour, i.e., an intermediary should not select the information contained in a transmission.

Another problematic aspect is that the New Rules require SSMIs to provide information about the first originator in India on messaging services. The term messaging service has not been defined but can be loosely interpreted to include popular applications like WhatsApp, Telegram, Slack etc. This requirement is at odds with the end-to-end encryption model in place in these popular applications. Notably, the New Rules are aware of the privacy ramifications of this requirement and have stated that this measure must only be relied upon where no other less intrusive method is available and only for limited offences. However, it is unclear if messaging services will have to overhaul the end-to-end encryption in all cases to ensure compliance with this requirement. The issue of traceability of originators of information on messaging platforms is also the subject of litigation before the Supreme Court5 It will be interesting to see the development of jurisprudence on this aspect as it will have to delve into questions like whether the right to privacy includes a user's right to anonymity.

* The authors would like to acknowledge the assistance provided by Harshvardhan Korada, a student of Amity Law School, Delhi.

Footnotes

1 Avinash Bajaj v. State (NCT of Delhi), 2005 79 DRJ 576.

2 Shreya Singhal v. Union of India, 2015 5 SCC 1.

3 Reuters, "WhatsApp sues Indian government over new privacy rules - sources". Read more, here

4 BarandBench, "Plea before Delhi High Court seeks compliance by Twitter with IT Rules 2021; cites tweets by Mahua Moitra, Swati Chaturvedi". Read more, here.

5 Antony Clement Rubin v. Union of India, (T.C. Civil No.189 of 2020).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.