Posted on March 2, 2021
Authored by Eishan Mehta*
On February 25th, 2021, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (“IT Rules, 2021”) were notified by the Ministry of Electronics and Information Technology (“MeitY”). The IT Rules, 2021 have been framed by the Government in exercise of the powers conferred under Sections 87(1) & (2) of the Information Technology Act, 2000 (“IT Act”) and in supersession of the Information Technology (Intermediary Guidelines) Rules, 2011 (“IT Rules, 2011”). It seeks to regulate three sectors, namely online intermediaries with specific emphasis on social media conglomerates, online streaming services (over-the-top services) and digital news media. While the Government touts the IT Rules, 2021 as empowering citizens of their digital rights and providing them redressal in case of infringements, various organisations term the rules as an impediment on the citizens’ right to free speech and their right to privacy. It has been deliberated that the Government through these rules would curb free speech and expression in the garb of ‘regulating’ social media and broadcasting platforms. In light of the aforesaid, the present article seeks to present a purely socio-legal analysis of the IT Rules, 2021 and is divided into two parts. This article forms the first part of a two-part series and deliberates upon the regulation of intermediaries including social media intermediaries which is to be administered by MeitY.
Intermediaries – Due Diligence and Grievance Redressal Mechanism
The IT Rules, 2021 categorize social media and significant social media intermediaries as two new classes of online platforms in contrast to its predecessor the IT Rules, 2011. As per Rule 2(w) of the IT Rules, 2021, a social media intermediary enables online interaction between users and helps them disseminate information. A significant social media intermediary, as prescribed by the Central Government, is a social media intermediary having more than 50 lakh users. With the creation of specific classes of intermediary, it is expected that the Government would have the upper hand in their regulation.
The IT Rules, 2021 require due diligence to be observed by intermediaries, including social media and significant social media intermediaries.
1. Publication of Rules of Policies
Rule 3(1)(a) mandates all intermediaries to prominently publish on their website and mobile applications, relevant rules and regulation, privacy policies and the user agreements. Furthermore, the intermediaries are required to specifically mention that their users should not hold, display, modify or publish any information which, (i) belongs to any other person, (ii) is defamatory, obscene, pornographic or invades into another’s privacy, (iii) is harmful to child, (iv) infringes others intellectual property rights, (v) is in violation of any law in force, (vi) is deceiving or false and mislead its reader, (vii) impersonates any other person, (viii) is detrimental to the unity and integrity of the country, (ix) contains software virus, (x) is patently false and intended to harass a person or entity.
- Termination of Access
- Removal of Information
An intermediary, who has information stored in their computer resource, on receiving “actual knowledge”, which refers to an order of the court or an appropriate government authority under Section 79(3)(b) of the IT Act, shall not host or publish any unlawful information which is detriment to the security of the country, public order or is defamatory. Additionally, the intermediaries are required to remove or disable access to any such information within thirty-six hours of the receipt of the order of the court or the competent government agency.
Under sub-clause (g) of rule 3(1) intermediaries are required to preserve the disabled information for one hundred eighty days for investigative purposes.
- Automatic Storage of Information
Sub-clause (e) of rule 3(1) clarifies that the automatic storage of information by an intermediary shall not amount to processing. Also, intermediaries are required to inform its user about the change in privacy policies or user agreements at least once a year.
- Retention Period
The retention period under the IT Rules, 2021 has been doubled. Now, intermediaries are required to preserve user’s deleted account details for one hundred eighty days.
- Assistance to Government
To comply with ‘written government order’ seeking assistance, intermediaries would be required to provide assistance to government agencies with the information in their possession within seventy-two hours of the receipt of such an order.
- Security Measures
Intermediaries are required to take reasonable measures to secure their computer resource following the procedures of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011.
Grievance Redressal Mechanisms
The IT Rules, 2021 empower the users by mandating intermediaries to establish grievance redressal mechanisms for resolving user complaints. In this regard, similar to the IT Rules 2011, intermediaries are required to publish the name and contact details of grievance officer on their website and mobile applications. Additionally, proper mechanisms for making complaints in cases of violation of the IT Rules are to be provided on the intermediary’s website. Further, the Grievance Officers are required to acknowledge such complaints within twenty-four hours and dispose of them within fifteen days. This is in contrast with the IT Rules, 2011, which required grievance officers to resolve complaints within a month’s time.
Additionally, significant intermediaries are required to take down contents which expose users to full or partial nudity, depicts sexual conduct or impersonation, within twenty-four hours of the complaint made by an aggrieved party. It is a separate requirement to be observed by intermediaries in cases of non-consensual transmissions. The provision emphasises on taking down contentious content and addresses the problem of the publication of sexual content without the subject’s consent.
Presently, in major regimes, twenty-four hours or forty-eight hours takedowns operate. However, 24 hours appears to be enough time for any information to be circulated throughout the internet. In this regard, inspiration can be drawn from the European Union, where one hour limit for the takedown of extremist content is being deliberated upon. Some stake-holders had concerns with the one-hour takedown limit as it might be difficult for smaller platforms with minimal resources to comply with the obligation.
Significant Social Media Intermediary
Rule 2(v) of the IT Rules, 2021 define a significant social media intermediary as a social media intermediary having a minimum number of users as notified by the Central Government. As per the latest notification, any social media intermediary having more than 50 lakh (or 5 million) users would be classified as a significant social media intermediary. The IT Rules, 2021 impose additional due diligence requirements on significant social media intermediaries.
- Human Workforce for Ensuring Compliance
A Chief Compliance Officer needs to be appointed by significant social media intermediaries to ensure compliance of the IT Act. This officer would possibly be managerial personnel of the intermediary company and would have to suffer liabilities in case of non-compliance of the due diligence requirements. Additionally, intermediaries need to appoint a nodal person for 24*7 coordination with the law enforcement agencies. The nodal person shall be required to ensure compliance of legal and other orders sent to the intermediary. Moreover, for ensuring compliance of the due diligence requirements, the appointment of a resident grievance officer has been mandated by the IT Rules.
The implementation of these rules may create problems with intermediaries operating internationally. Moreover, this would be an additional financial burden on intermediaries.
- Compliance Reports
Rule 4(d) requires significant intermediaries to publish monthly compliance reports, detailing the number of complaints received and the measures taken for their disposal, providing specific information with respect to the disabled content. This rule facilitates transparency and accountability in the content moderation practices deployed by intermediaries.
- Identification of First Originator
One of the most controversial developments by the IT Rules is the requirement of a significant social media intermediary engaged in messaging to identify the “first originator” of information. An order to this effect can be made by a competent court or an authority competent under Section 69 of the IT Act. This category of an order can only be passed “for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years.”
Additionally, it has been categorically mentioned while complying with the originator requirement that no significant intermediaries would be required to disclose information about other users.
- Intelligent Methods to Identify certain Information
As per Rule 4(4) of the IT Rules, 2021, significant social media intermediaries shall endeavour to deploy technology-based measures to identify information that depicts rape, child sexual abuse or any content identical to some previously removed information. Moreover, measures taken by intermediaries should be proportionate to the users’ right to free speech and expression, right to privacy and other such interests.
- Grievance Redressal
Significant social media intermediaries are required by Rule 4(6) to implement appropriate mechanisms for receipt of complaints and grievances. Additionally, the complainants can track the status of their complaints with a unique ticket number. Rule 4(8) of the IT Rules, 2021 requires the intermediaries to inform users about the taking down of their content along with reasons. Moreover, the content created has been provided with a reasonable opportunity to dispute such an action undertaken by an intermediary and request its reinstatement.
The opportunity accorded to the users to dispute the intermediary’s claim is a forward move. This may add transparency and accountability in the take-down procedure. Moreover, inadvertent take-downs by social media intermediaries for political or other motives are not unknown.
General Implications on Privacy Rights
The IT Rules, 2021 also have two controversial aspects, namely ‘identification of the first originator’ and ‘the usage of intelligent systems to filter information’ on a user’s right to free speech and right to privacy.
Sub-clause (2) of Rule 4 of the IT Rules, 2021 requires significant social media intermediaries engaged in “messaging” to identify the “first originator” of information. An order by a court or competent authority has to be passed to this effect.
At the very outset the applicability of the provision has been limited to “messaging” social media intermediaries such as WhatsApp or Signal, therefore it is uncertain whether this rule would apply to social media platforms where the primary feature is posting, uploading and sharing content along with messaging services such as – Twitter or Facebook.
Nevertheless, even if prima facie, it appears that sufficient safeguards have been provided, the Rules pose problems at several levels. The “public order” ground can be used by Government to curb “anti-government” information. Some have argued that with the advent of these rules, every WhatsApp or Signal user would have to think twice before sending a message. The public order ground appears to be a suspect and it remains to be seen how it could be used by Governments to arbitrarily restrict free speech.
Irrespective of the impact on free speech, this provision is in direct violation of users’ right to privacy. In order to adhere to the requirements of the rule, intermediaries would be obligated to store data of their users as anytime a court or an appropriate government authority could pass an order requiring them to demonstrate the originator of some information. This would in turn nullify the end-to-end encryption observed by WhatsApp and Signal.
Section 24(1) of the proposed Personal Data Protection Bill 2019 requires data fiduciaries and data processors to implement necessary safeguards to use de-identification and encryption methods to protect the integrity of personal data. Moreover, the Srikrishna Report on Data Protection also mentioned that low encryption standards pose threats on the safety and security of the personal data of data principals.
This provision requiring the identification of the originator of information may pose a challenge to one’s free speech and privacy. It remains to be seen how its operation could be legally restricted in the absence of adequate data protection laws.
- Application of Intelligent Systems
As per Rule 4(4) of the IT Rules, 2021 the Government requires significant social media intermediaries to use intelligent systems and automated tools to identify information that depicts rape, child sexual abuse or any content identical to some previously removed information. Moreover, the provision mentions that measures taken by intermediaries should be proportionate to the users’ right to free speech and expression, right to privacy and other such interests.
This provision appears to be concerning as AI technologies used for automated filtration of objectionable content is presently in its nascent stage and such AI tools are limited. In order to develop AI censorship, machine learning would be deployed to learn about objectionable data and intermediaries would be required to store vast amounts of users’ data. In turn compromising the users’ data privacy.
Additionally, AI lacks transparency and accountability and the cases of AI discrimination are not unknown [See our earlier analysis of racial bias with facial recognition technologies here]. Therefore, AI usage to monitor a user’s free speech and expression appears to be problematic. Nevertheless, the fact that the Government was prudent enough to mention, “measures taken by the intermediary under this sub-rule shall be proportionate having regard to the interests of free speech and expression, privacy of users….”. Moreover, the rule requires a significant social media intermediary to “endeavour” and deploy technology-based measures. The absence of the word ‘shall’ indicates that the provision may not be mandatory in its scope. Further, as Facebook and others have been properly using AI to censor information promoting hate speech in the EU and the US, it is expected that similar automated systems would be deployed in India too.
The IT Rules, 2021 are expected to have far-reaching consequences in the digital space. Intermediaries, including social media, would be bound by the new regulations which may have an impact on users’ free speech and privacy. Therefore, it marks a novel debate in the public discourse concerning the regulation of online intermediary. Nonetheless, in this information era it becomes as necessary to regulate free speech and expression (for instance the expeditious removal of non-consensual explicit images) as it is to promote free speech through the usage of social media. It remains to be seen how the rules are implemented and whether judicial challenge(s) are likely to bring about any change.
*Eishan Mehta is an Editor at IntellecTech Law and is currently pursuing BA. LL.B. from WBNUJS, Kolkata.