The Information Technology (Guidelines for Intermediary & Digital Media Ethics Code) Rules, 2021 (“IT Rules or Rules”) were formally notified on the 25th of February, 2021.
These new, comprehensive set of Rules supersede the IT Rules, 2011 in several aspects. They allow the Government to regulate Social Media Platforms and also bring Digital News Media Platforms, and Over The Top (OTT) Streaming Services under the regulatory ambit. The Rules have been notified and prescribed in exercise of the powers conferred on the Central Government under Section 87 of the Information Technology Act, 2000.
There have been rapid developments in technology and we have witnessed the world transform digitally around us. However, it is a fact to be admitted that the primary piece of legislation governing technology in India – the IT Act, 2000 – is now over two decades old and in serious need of reconsideration and upgradation. Therefore, the legislature has put in suitable efforts to amend the Act in a way that will bring the Indian IT regime in line with the global standards.
The Government with the help of the revamped IT Rules has attempted to strike a balance between upholding creative and journalistic freedom and the Fundamental Right to Freedom of Speech and Expression overall, as well as ensuring that the conduct of ‘intermediaries’ is ethical and in adherence to the principles laid down by the Indian Constitution.
In this article we attempt to discuss what is a Social Media Intermediary, Salient Features of the Rules, Due Diligence required to be undertaken by Social Media Intermediary and its Impact.
SOCIAL MEDIA INTERMEDIARY
‘Social Media Intermediary’ is defined under Rule 2(w) of Part I of the IT Rules, 2021, which states ‘intermediary’ is a body which primarily functions to facilitate online interaction and allows the creation, sharing, dissemination, etc. of information by users.
The word “intermediary” has not been defined under the Rules. However, it can be safely said that it shall have the meaning ascribed to it under Section 2(1)(w) of the Information Technology Act, 2000 –
“(w) “intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes;”
Further, a separate classification of ‘Significant Social Media Intermediary’ has also been introduced, which has been defined in Rule 2(v) of Part I of the Rules as such social media that has users above a certain threshold, which shall be prescribed by the Government eventually.
DUE DILIGENCE TO BE UNDERTAKEN
Part II of the IT Rules provides a list of obligations that any “Intermediary including social media intermediary and significant social media Intermediary” will be obligated to undertake.
(i) belongs to another person and to which the user does not have any right;
(ii) is defamatory, obscene, pornographic, paedophilic, invasive of another’s privacy, including bodily privacy, insulting or harassing on the basis of gender, libelous, racially or ethnically objectionable, relating or encouraging money laundering or gambling, or otherwise inconsistent with or contrary to the laws in force;
(iii) is harmful to children;
(iv) infringes any patent, trademark, copyright or other proprietary rights;
(v) violates any law for the time being in force;
(vi) deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any information which is patently false or misleading in nature but may reasonably be perceived as a fact;
(vii) impersonates another person;
(viii) threatens the unity, integrity, defense, security or sovereignty of India, friendly relations with
Foreign States, or public order, or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting other nation;
(ix) contains software virus or any other computer code, file or program designed to interrupt, destroy or limit the functionality of any computer resource;
(x) is patently false and untrue, and is written or published in any form, with the intent to mislead or harass a person, entity or agency for financial gain or to cause any injury to any person;
The Rule further puts an obligation that all intermediaries must periodically, at least once a year, inform their users that in the event of noncompliance to the Rules and Regulations, they will be entitled to terminate the access or usage rights of the users.
Rule 3(1) (d) strictly restricts the intermediary from hosting and publishing – or continuing the hosting and publication of – any information which is “prohibited by any law in relation to the interests of the sovereignty and integrity of India: the security of the State; friendly relations with Foreign States; public order; decency or morality;”, once it has received actual knowledge of the same by means of notification from the Government or an order of a competent Court.
The Second Proviso to Rule 3(1)(d) also states that on receipt of such notification or Court order, the intermediary must remove or take down the access to such information within a maximum of 36 hours.
Rule 3(1) (j) further demands that the intermediary provide any information or assistance, as may be required, to a Government Agency, with regards to investigation of any cyber security incidents or offences under Indian law, as the case may be, within a maximum of 72 hours from the receipt of an Order which shall state clearly, inter alia, the purpose and reason for seeking such assistance or information.
Rule 3(2)(b) restricts the timeline to remove or disable access to content further to a maximum of 24 hours, in cases where a complaint is made with respect to the non-consensual transmission of sexual content as defined therein. The Proviso to this Sub-Rule further directs the intermediary to formulate a mechanism which enables users to make such aforementioned complaints and provide further details as may be required.
The intermediary has two further obligations –
Firstly – under Rule 3(1) (i) – it must take reasonable measures for security of the electronic device and information in it as per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011.
Secondly – under Rule 3(1) (l) – it is bound to report incidents pertaining to cyber security and furnish information related to them before the Indian Computer Emergency Response Team as notified in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
Rule 4, on the other hand, stipulates that along with the due diligence requirements to be complied with under Rule 4, such an Intermediary must also appoint a Chief Compliance Officer, a 24×7 Nodal Person of Contact as well as a Grievance Officer, all of whom must be employed by the Intermediary and be a resident and citizen of India.
Another crucial obligation sought to be imposed by the Rules on significant social media Intermediaries in particular those that function in the realm of messaging services is that the intermediary, under Rule 4(2), is bound to identify the First Originator of any messages (or Tweets), when duly mandated to do so by a Court Order or an Order by the designated Authority under Section 69 of the IT Act, 2000, read with IT Rules 2009.
The First Proviso to Rule 4(2), however, clarifies that such information can only be sought from the intermediary for the limited purposes of preventing, detecting, investigating offences as listed therein and, in particular, when such offences materially impact the sovereignty, integrity and security of India.
The Second Proviso further clarifies that while identifying the ‘first originator’, the intermediary shall not be required to disclose the actual contents of messages and/or any other information pertaining to such ‘first originator’ or any other users.
Rule 4(4) further directs and encourages a ‘significant’ social media intermediary to deploy all technological tools available at their disposal and be proactive in the identification and prevention of dissemination of information that pertains to conduct, both implicit and explicit, that amounts to rape or child sexual abuse. Such use of technological tools, however, should result in action that is proportionate, with adequate human as well as automated oversight, with the tools used for such automated oversight subjected to criteria of accuracy, fairness, etc.
Rule 4(5), under this Rule intermediaries are decreed, to also have a physical contact address located in India and to publish the same on their application or website or both
Rule 4(6), under this Rule intermediaries are asked to establish a grievance redressal mechanism that provides each complainant the ability to track the status of their complaint by means of a unique ticket number.
Rule 4(7) under this Rule for the first time, provision for voluntary verification of users, have been provided, post which a clearly visible mark of verification shall be displayed for other users on the platform to see. The intermediary shall ensure that any information collected for the purpose of such verification shall not be used for any other purposes without the prior consent of the user in this regard.
Rule 4(8) attempts to reconcile the measures taken to limit access to information on the grounds as discussed above vis-à-vis the rights of the originator of such content. The intermediary, in this regard, shall ensure that a prior notification is issued to such originator, detailing the action taken as well as the reasons for such action being taken, and also afford an adequate opportunity for such originator to be heard and demand a reinstatement of access to such information or content.
The intermediary has also been directed to ensure that its Resident Grievance Officer maintains sufficient oversight over the redressal mechanism and to ensure that any action against the originator takes into due consideration the context in which such information was published or posted. Further, a notice shall also be displayed to any user trying to access such restricted or disabled content, stating clearly the action that has been taken and the grounds and reasons thereof.
Rule 6 further empowers the Central Government to assess whether the services of an Intermediary so far not covered under the ambit of Rule 4 create a ‘material risk’ in terms of transmission or publication of any content that may potentially harm the sovereignty and integrity of the Country, and to notify that such an intermediary would henceforth be obligated to comply with the requirements under Rule 5.
Such an assessment of ‘material risk’ would depend on the nature of services provided by the intermediary, users’ interaction and whether the primary purpose of the intermediary’s services is to enable such interaction, and finally, whether such transmission and publication of information is likely to result in such information being disseminated in a widespread manner.
Rule 7 clearly states that an intermediary, upon failure to comply with these Rules, shall no longer be entitled to the Safe Harbour Provision under Section 79(1) of the IT Act, 2000. Further, such concerned defaulting intermediary shall also be liable to punishment under the applicable laws, including the IT Act, 2000 and the Indian Penal Code, 1860.
The main purpose for the enactment of these Rules, in essence, is to make Social Media Intermediaries more accountable for their conduct and functioning, not only with respect to the content published and transmitted on their platforms, but also with regards to a timely response from their end, as and when required by the Government.
In particular, the introduction of the category of Significant Social Media Intermediary has been done keeping in mind the enormous number of people such intermediaries cater to, and the resultant increased dissemination of information that happens on their platforms. They are, thus, burdened with stricter and increased compliances.
The Rules are also noteworthy with regards to shorter and stricter timelines for grievance redressal, since it will provide Indian netizens a more organized recourse for their grievances. The Rules further direct the intermediaries to have a physical contact address in India, as well as a Chief Compliance Officer, a Resident Grievance Officer and a Nodal Contact Person all of whom must be resident in India in order to achieve this goal of timely grievance redressal more efficiently. This will also aid law enforcement agencies, in both, investigative as well as preventive, communications and proceedings.
The Rules also provide for voluntary verification now, which has long since been a need felt on social media, since it helps not just the authorities but also other users to beware of dissemination of fake content by inauthentic user profiles. Moreover, the Rules strictly prohibit the Intermediary from using the information collected in the process of verification for any other purposes, which will provide an excellent barrier to the misuse of such information.
Moreover, the structure for addressing grievances has also been formulated in a manner that provides for user complaints to be easily traceable. The Rules also promote the use of automated tools and all forms of technology available to the intermediary in taking the appropriate action, taking into consideration relevant context. Such tools being subject to human oversight will also ensure that the action taken is fair and proportionate. The timeline given for the removal or disablement of content relating to non-consensual dissemination of sexual content is a further step in the right direction.
The major contention that would arise out of these Rules is the compulsory identification of the originator of any information that is a necessity especially for significant social media intermediaries which operate in the field of messaging. The existence of end-to-end encryption on many of these services is going to make it difficult for these Intermediaries to provide such identification since their current codes are not capable of extraction of such information. This is also likely to violate the privacy of the users if it is used in an unreasonable or frequent manner against any disaffection pertaining to the dispensation in power at any level of Government.
This provision existed in previous drafts of the Rules as well, and the Government has remained firm on this stance. This is also the provision that has attracted the most attention from opponents of these Rules, on account of concerns of privacy and security when it comes to social media platforms.
For instance, as mentioned above, this provision is in clear contradiction to the end-to-end encryption mechanisms in place by messengers like WhatsApp, Signal, etc., which would have to clearly be breached if such platforms wish to gain compliance with the Rules. Upon due demand, they would have to break their end-to- end encryption in order to identify the ‘first originator’ of a message.
However, what needs to be appreciated here that the Government, while formulating these Rules, has taken into due consideration these concerns, and have therefore assured that, under the Rules, such a demand for the first originator can only be made when, either less alternative means are not available or have already been exhausted. Moreover, it has also been clarified that in case such a demand is made, the intermediary would have to only identify the first originator the actual contents of the messages, any other information about such individual or information about any other users shall not have to be furnished.
This move represents a sincere effort on part of the Government to strike a balance between increasing the exercise of their regulation on social media companies, on the one hand, and safeguarding the value that social media holds, vis-à-vis their freedom of speech and expression as well as the fundamental right to privacy, for the people at large.
The Government of India as an attempt to regulate the functioning of Social Media Platforms, has imposed greater accountability and responsibility over the intermediaries. The growing concerns with respect to user anonymity, objectionable posts which could hurt the sentiments of the public and any such content that threatens the sovereignty of the country among other such issues in the digital age are being tackled by these Rules.
The introduction of these Rules would allow for greater accountability on the part of such social media platforms and pierce the veil of anonymity enjoyed by miscreants. The introduction of the Code of Ethics provides a standard against which such objectionable content can be analyzed and duly punished if necessary. Furthermore, classification of content and the regulation of the same would allow protection of children from mature content as well as allow the viewers to make informed decisions with respect to the content/programme that they wish to view.
The introduction of the three-tier grievance redressal mechanism would allow for greater efficiency in dealing with objectionable content and for establishing the best practices for the governance of various platforms.
The Rules are definitely a step in the right direction as it enhances the accountability on such social media platforms. The improvement in regulation would allow greater efficiency and compliance on the part of such intermediaries and improve the welfare of the public in general.
– Team AMLEGALS
For any queries or feedback, please feel free to get in touch with firstname.lastname@example.org or email@example.com