By Arya Tripathy on April 21, 2021
The government notified the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (2021 Rules) on February 25, 2021. These have been notified under Section 87 of the Information Technology Act (IT Act), and supersede the Information Technology (Intermediary Guidelines) Rules, 2011 (2011 Rules). The change is attributed to increased misuse of social media for cyber-crimes, including fake news, pornography, defamation, hate speech, obscenity, financial frauds, incitement of violence, threat to national security and public order[1]. 2021 Rules are an outcome of inter-ministerial consultation between Ministry of Electronics and Information Technology (MeitY) and Ministry of Information and Broadcasting. They are divided into 2 key parts dealing with (i) due diligence and grievance redressal mechanism for intermediaries, and (ii) code of ethics, procedure and safeguards for digital media.
In this post, we analyse the intermediary obligations and its impact in the backdrop of 2011 Rules as well as decided jurisprudence. For our analysis, we have divided the new requirements into compliance and operation related, take down and filtering, and grievance redressal obligations.
1. Who is an intermediary?
Section 2(w) of IT Act defines “intermediary” as any person who on behalf of another person receives, stores, or transmits electronic records[2], or provides any service with respect to that record. It includes telecom, network, internet, and web-hosting service providers; search engines; online payment and auction sites; online market places and cyber cafes.[3] 2021 Rules classify intermediaries into 3 kinds:
- Social media intermediaries (SMI(s)) – one that primarily or solely enables online interaction between users, allowing them to create, upload, share, disseminate, modify or access information using intermediary’s services.
- Significant social media intermediaries (SSMI(s)) – social media intermediaries who have 5 million registered users in India, and is likely to cover popular messaging and social media players. However, 2021 Rules do not clarify whether the user threshold is a one-time or annual criterion, and consequently, there is ambiguity on what happens when at a given point in time, the number of users is below 5 million.
- Other categories – every other intermediary is likely to be captured in this residual category such as ISPs, e-commerce platforms, search engines, and payment sites.
2. Compliance and operation:
2021 Rules retain requirements under 2011 Rules as well as introduce new ones. In the points below, we provide mapping of what already existed and what has changed with relevant analysis. The below apply to all kinds of intermediaries.
- Publication: Intermediaries must prominently publish privacy policy and terms of use on platform (website or application). They must periodically and at least once a year inform users (i) about its terms, privacy policy and other rules or any change to them, and (ii) that their right to access and use the intermediary’s computer resource[4] can be revoked where information uploaded, created, shared or transmitted is not as per the 2021 Rules or otherwise breaches intermediary’s terms and policies; these requirements were provided under 2011 Rules as well.
- Prohibited information: Intermediary’s terms of use or privacy policy must inform user that its computer resource cannot be used to host, display, upload, modify, publish, transmit, store, update or share certain kinds of information, such as information that infringes third-party IP, is unlawful, defamatory, obscene, harmful to children, etc.; the list of information includes those that were provided under 2011 Rules and further expands it to include fake information. Fake information is any information that is patently false and untrue and is published with the intent to harass or mislead for financial gain, or cause injury to any person, or which may be reasonably perceived as fact. Further, information that infringes bodily privacy, or is harassing/insulting on gender basis is also included in the prohibited list.
- Retention: Intermediaries must retain user registration information for 180 days after registration is cancelled/withdrawn; this is new and 2011 Rules did not have any statutory retention period.
- Security: They need to take all reasonable measures to secure its computer resource and information in accordance with reasonable security practices and procedures as prescribed under the Information Technology (Reasonable Security practices and Procedures and Sensitive Personal Information) Rules, 2011 and report cyber security incidents. These obligations existed under 2011 Rules and once the Personal Data Protection Bill[5] becomes law, intermediaries have to comply with the standards therein.
- Technology and normal course of operation: They shall not directly or indirectly with someone else, deploy/install/modify technical configuration to a computer resource in such manner that changes or has the potential to change the “normal course of operation of the computer resource”, thereby circumventing any law. The only exception to this will be where technical configuration is essential for securing the computer resource and information contained therein; this norm existed under 2011 Rules, but now stands amended with emphasis being on “normal course of operation”. There is no clarity on what is “normal course of operation” for a computer resource. For instance, computer resource will include messaging application software, and the normal course from a layman’s point of view is to enable messaging services. Now, whether a technical feature (like E2E encryption as used by messaging apps like WhatsApp, Telegram, Signal) changes the normal course of operation is subjective, and perhaps, can be best determined by the intermediary controlling the computer resource. Another potential concern is how will intermediary determine if the technical configuration is enabling circumvention of law? For instance, encrypted platforms are often questioned as conduit for transmission of child pornography, and other unlawful information. At the same time, they are a key element for privacy by design. So, can the regulator relying on this rule suggest that the intermediary has deployed technical configuration that enabled circumvention of law? In any event, it will be imperative for intermediaries to evaluate their technical and information security standards, to be in a position to defend their relevance and necessity for security and privacy should such a question emerge.
3. New compliances for SSMIs:
In addition to what is stated at #2 above, SSMIs must also comply with the below-mentioned new requirements by May 24, 2021[6]:
- Compliance officer: SSMI must appoint a Chief Compliance Officer who must be (i) a key managerial personnel such as MD, CEO, whole-time director, or other senior employee, and (ii) resident in India. Chief Compliance Officer shall be responsible for compliance with IT Act and rules, plus be liable in proceedings for non-compliance, provided that no liability can be imposed without a hearing opportunity.
- Ad information: If SSMI processes information on its own or for someone else (i) for direct financial benefit in a manner that increases its visibility or prominence, or targets the information recipient such as customised ads, or (ii) it owns a copyright/has an exclusive license/any other contractual right that limits any third party from publishing or transmitting such information through any other means, it must clearly mark the information as being advertised, marketed, sponsored, owned, or exclusively controlled in an appropriate manner.
- Messaging: If SSMI is primarily providing messaging services, it must on a court order or order passed by competent authority under Section 69 of IT Act[7] (i.e., Union Home Secretary) enable identification of “first originator” of the information on its computer resource. However, such order can only be passed (i) for prevention, detection, investigation, prosecution or punishment of certain offences involving 5 years sentence or its incitement for instance, offence relating to sovereignty and integrity, state security, friendly relations with other nations, public order, rape, etc.; (ii) if there are no other “less intrusive” measures for identifying originator; and (iii) limited to disclosure of originator identity, but not the content of electronic message. Where the originator is located outside India, then first originator located within India will be disclosed. This requirement will require messaging SSMIs to trace and maintain identity records (for at least 180 days after cancellation or withdrawal of registration) plus access user logs (in a way requiring them to undertake private body led surveillance to some extent), and facilitate law enforcement agencies to attribute culpability on the first originator located within Indian boundaries. Compliance with this requirement has several technological challenges, and it appears that messaging SSMIs who provide encryption will have to alter their tech infrastructure. For instance, messaging platforms like Signal do not retain user logs in identified format in order to ensure user privacy. Thus, on the larger scheme, the new requirement is likely to affect an individual’s right to privacy and hence, a careful balancing is absolutely critical to ensure that orders are subject to judicial scrutiny. The vires of this rule is currently being challenged, and on the macro issue of traceability obligations for social media platforms, the Supreme Court is yet to give a verdict in Anthony Rubin vs. Union of India.[8]
- Physical presence: SSMIs must have a physical contact address in India, published on its platform for purposes of receiving communication. One of the biggest roadblocks for enforcement agencies to surveil social media activities has been the lack of territorial jurisdiction on intermediaries who do not have a physical presence in India, and this requirement will help enforcement agencies to assert required jurisdiction. However, there is no requirement of incorporating a company, but having a physical address is likely to raise permanent establishment concerns under taxation laws.
- Voluntary verification: SSMIs need to enable means for voluntary verification of users who register or avail intermediaries’ services in India, such as through Indian mobile, and if a user opts for verification, they shall be provided with a demonstrable and visible mark of verification visible to all users.
- Nodal contact: SSMIs are obligated to appoint an Indian resident employee as nodal contact person, different from the Chief Compliance Officer, for 24×7 coordination with law enforcement agencies, so as to ensure compliance with their orders or requisitions made in accordance with law. The rational could be to ensure that there is seamless and prompt coordination between law enforcers and SSMIs when take down orders or other information is sought.
Apart from this, there are additional requirements for SSMIs regarding news and current affairs content, which we have not captured here.
4. Grievance redressal:
2011 Rules mandated intermediaries to publish name and contact details of the Grievance Officer as well as mechanism available to aggrieved users for raising complaints. It also required the Grievance Officer to redress the complaints within 1 month from date of receipt. 2021 Rules retain the requirement of publishing details, but tighten the rigour for redressal. Now, Grievance Officer shall acknowledge the complaint within 24 hours and dispose it off within 15 days from date of receipt. On receipt of a complaint which relates to any content that prima facie involves private area of an individual, nudity, sexual depiction, impersonation (like morphed images), the intermediary must take all reasonable and practicable steps to remove or disable access to such content within 24 hours of receipt of complaint. In these circumstances, there is no requirement for a take down order (as discussed at #5 below), and actual knowledge of the intermediary will be presumed. Specific to SSMIs, 2021 Rules mandate that (i) the Grievance Officer must be an Indian resident, (ii) compliant mechanism involves generation of a unique ticket number for tracking each complaint, (iii) reasons are provided for action taken pursuant to a complaint, and (iv) a monthly compliance report providing details of complaints received, action taken, and pro-active steps taken to remove or disable access of prohibited content or communication link[9] must be published. It is unclear on how this monthly report has to be published and it should suffice if publication is on the website and mobile application. Currently, many intermediaries follow the practice on tracking numbers, but, overall, 2021 Rules expand the grievance redressal obligations, which is likely to result in additional costs.
5. Take down and filtering
An intermediary’s take down obligation i.e., remove or disable access to unlawful information, data or communication link is interlinked with its ability to disclaim liability, and resort to protection under safe harbour principles under Section 79 of IT Act. An intermediary is not liable if it exercises due diligence as required under law, and (i) it has a limited role (receiving, temporarily storing or transmitting third-party information), or (ii) it does not initiate transmission, select the recipient, or modify the transmission. However, merely satisfying the above criteria does not suffice, and intermediary has to showcase that it has no knowledge about the unlawful information or link to be able to claim safe harbour.
To prove knowledge on intermediary’s part, one has to substantiate an active participation in the unlawful act (like conspiracy, abetment, etc.) or wilful omission to take down on receiving actual knowledge, or on being notified by appropriate government/its agency. Elaborating on these, 2011 Rules provided that an intermediary on obtaining knowledge, suo moto or in writing by an affected person, must take down within 36 hours and preserve the concerned information and associated records for 90 days for further investigation. Intermediaries have argued that 36 hours timeline is unreasonable where there are large number of requests, as it is not sufficient to evaluate the details. Consequently, intermediaries would exercise their own judgment, and if there was a miniscule chance that the information or link was unlawful, they would take down, thereby curtailing the third-party’s freedoms.
The aforementioned provisions have been analysed in several judicial pronouncements. In Shreya Singhal vs. Union of India[10], the Supreme Court held that the threshold of actual knowledge is fulfilled when there is a court order directing take down or where there is a government notification that unlawful acts relatable to Article 19(2) of the Constitution are going to be committed. Article 19(2) allows the state to curtail freedom of speech and expression if it is essential in the interest of sovereignty and integrity of India, state security, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court, defamation or incitement of an offense. The court observed that mere discussion or even advocacy of particular cause howsoever unpopular is integral to freedom of speech, and that can only be curtailed if there is incitement. The threshold of actual knowledge was diluted by the Delhi High Court in MySpace Inc. vs. Super Cassettes Industries[11] where the court ruled that actual knowledge exists where intermediary has been provided with detailed notice of infringing content (here the content was copyrighted) and in such case, intermediary was obligated to take down within 36 hours. In Swami Ramdev & Anr. vs. Facebook Inc. & Ors.[12], the Delhi High Court explaining the territorial extent of take down obligations ruled that intermediaries can be required to geo-block offensive or unlawful content anywhere in the world, provided such content was uploaded from/in India. Thus, courts have evaluated unique facts of each case and the crux is to identify if intermediaries were as a matter of fact aware of the unlawful information (at least establish a prima facie case), and in a way contributed to the transmission thereof or commission of an illegal activity
2021 Rules statutorily recognise the judicial principles, but expand take down mandate, making safe harbour thresholds stricter. In the below points, we analyse the 2021 Rule requirements:
- Take down requirements: 2021 Rules rely on the principle of actual knowledge and require take down pursuant to order or voluntarily. It provides that on receiving actual knowledge through a court order, or appropriate government/its agency’s[13] notification for take down of unlawful information being against sovereignty and integrity of India, state security, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, incitement to an offence, or any information which is prohibited under any law, intermediary must acknowledge receipt and take down within 36 hours. The timeline is retained from 2011 Rules. Temporary storage of such information due to computer resource’s intrinsic feature without any human, automated or algorithmic control shall not be a breach of take down obligation. Intermediary can also take down prohibited categories of information on a voluntary basis or pursuant to user grievance. Relevant information and associated records must be preserved for 180 days or such longer period as required by the court or government.
- Information disclosure: Government agency which is authorised for investigative, protective or cyber security activities can issue a written order requiring the intermediary to provide information under its control or possession. The order must specify the purpose for seeking information, which can be for identity verification, prevention, detection, investigation or prosecution of offences or for cyber security incidents. In such situation, intermediary will have to acknowledge and provide the information no later than 72 hours. The obligation to aid government agencies existed under 2011 Rules, but now come with a specific timeline. The short timeline for providing information could be problematic. Further, the manner in which the information has to be provided is left ambiguous. Several intermediaries use encryption tools and it is possible that this requirement is cited for decryption. This may cause potential problems for back-door entry and affect an individual’s reasonable expectation of privacy.
- Filtering: Apart from the above, SSMIs must “endeavour” to deploy technology measures, including automated tools or other mechanism to proactively identify information that explicitly or impliedly depicts any act or simulation of rape, child sexual abuse or conduct, or any information which is exactly identical to information that has already been taken down. Further, they must also display a notice to users attempting to access such taken down information that the information has been prohibited. These deployed measures must be proportionate to the interests of free speech and privacy of users. Furthermore, SSMIs shall deploy appropriate human oversight of measures deployed including periodic review of any automated tools for its accuracy and fairness, propensity of bias and discrimination, and impact on privacy. Thus, SSMIs are expected to substantiate pro-activeness in filtering certain content and at the same time eliminate algorithm bias and balance user’s freedom of speech and privacy. These are subjective standards and will be substantiated with facts. However, the onus placed is significant because SSMIs have to evaluate where and how filtering and algorithmic bias will impinge user rights. Will they follow the same canons that state is required to adhere to under the Constitution? Whether these rights hold the same ground against private parties and can be horizontally enforced? Perhaps, government should issue guidelines and working papers to clarify some of these aspects.
- Internal hearing: If a SSMI takes down under an order or voluntarily, it must provide the user who has created, uploaded, shared, disseminated or modified taken down content with a notification explaining the action taken and reasons thereof. It must also provide the user with an “adequate and reasonable opportunity” to dispute the action taken and request for reinstatement, which must be decided by the intermediary within a reasonable time. SSMI’s Grievance Officer must maintain adequate oversight for resolution any dispute raised by the user. This expands the take down regime. While the process makes sense where there is a suo moto action, it is unclear as to why the steps hold any relevance where take down is pursuant to a court order or government notification. As the case may be, these are likely to enhance operational costs for SSMIs.
Conclusion:
The vires of 2021 Rules have been challenged in Delhi and Kerala High Courts as being violative of the principles of delegated legislation and fundamental rights, and lack of jurisdiction. The decisions of these courts will determine the merits of the new requirements, but until such time intermediaries (except where the court has issued a stay order) will have to comply with 2021 Rules.
[1] Ministry of Electronics & IT press release of February 25, 2021 available at https://pib.gov.in/PressReleseDetailm.aspx?PRID=1700749 (last accessed on April 20, 2021)
[2] Electronic record means data, record or data generated, image or sound stored, received or sent in electronic form or micro file or computer-generated micro fiche
[3] This definition was introduced through am amendment in 2008 to recognize new forms and roles of intermediaries.
[4] Computer resource is defined under IT Act. It means computer, computer systems, computer network, data, computer data base or software.
[5] The Joint Parliamentary Committee is reviewing the draft bill. For perusing our recommendations to JPC, access https://www.psalegal.com/policy-recommendation/
[6] MeitY Notification S.O. 942(E) dated February 25, 2021 available at https://images.assettype.com/barandbench/2021-02/da bb41f-8289-4148-9b99-308cf1ed21b6/Significant_Social_Media_Intermediary.pdf (last accessed on April 20, 2021)
[7] Section 69 authorises Central and State Governments or its authorised officer to intercept, monitor, decrypt any information on a computer resources in the interest of sovereignty and integrity of India, state security, friendly relations with other nations, public order, prevention of crimes by passing written and reasoned orders.
[8] Writ Petition 20774 and 20214 of 2018; a copy of this petition can be accessed here – https://www.medianama.com/wp-content/uploads/WP-on-Aadhar-linking-by-Antony-1.pdf (last accessed on April 20, 2021)
[9] Communication link means a connection between hypertext or graphical element, and one or more items in the same or different electronic documents, wherein if the user clicks on the hyperlinked item, they will be automatically transferred to the other end of the hyperlink. This can be another record, or website, or application, or graphical element.
[10] (2013) 12 S.C.C. 73
[11] MANU/DE/3411/2016 (Delhi High Court)
[12] Decision of Delhi High Court in CS(OS) 27/2019 dated October 23, 2019
[13] Agencies authorised to issue take down notifications will be notified by the government.