Overview of Due Diligence Framework for Intermediaries
In the rapidly evolving digital landscape, intermediaries such as social media platforms, e-commerce sites, and internet service providers play a pivotal role in enabling communication, commerce, and content sharing. However, with this role comes the challenge of regulating and managing vast amounts of user-generated content while ensuring compliance with legal frameworks. India's Information Technology ("IT") laws, particularly Section 79 of the IT Act, 2000, form the cornerstone of the regulatory framework that governs intermediaries.
Section 79 provides safe harbour protection, shielding intermediaries from liability for third-party content, provided they fulfil specific due diligence requirements. These provisions are essential to fostering innovation and growth in the digital ecosystem while ensuring accountability and responsibility in addressing unlawful content. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, have expanded the compliance obligations for intermediaries, adding layers of responsibility in areas such as content moderation, grievance redressal, and data protection. Section 79 mandates that intermediaries must observe due diligence while discharging their duties and follow guidelines prescribed by the Central Government.[1] The safe harbour provisions aim to protect intermediaries from being held liable for unlawful content posted by users as long as they do not have actual knowledge of the infringing content and act promptly to remove it once notified.[2]
This article delves into the due diligence framework under India's IT laws, exploring the obligations of intermediaries, the implications of the IT Rules, 2021, and the intersections with other legal frameworks. It aims to provide an overview of the regulatory landscape that intermediaries must navigate to maintain their safe harbour protection and build a resilient compliance system in an increasingly complex environment.
Definition of Intermediaries:
According to Section 2(1)(w) of the IT Act, 2000, an intermediary is defined as any entity that receives, stores, or transmits records on behalf of another. This includes various service providers such as telecom companies and online marketplaces.
Due Diligence Framework under the IT Rules, 2021 [3]
The IT Rules, 2021 [4], prescribe extensive compliance obligations for intermediaries, including:
- Publishing user agreements and privacy policies prohibiting certain categories of content.
- Setting up grievance redressal mechanisms.
- Appointing officers responsible for compliance (such as Chief Compliance Officers, Nodal Contact Officers, and Resident Grievance Officers).
- Acting upon takedown requests for illegal content, including specific time-bound responses.
- Significant Social Media Intermediaries (SSMIs) are subject to additional requirements, such as enabling traceability of originators of messages and submitting periodic compliance reports.
Compliance with these requirements is critical for intermediaries to maintain their safe harbour status. However, these obligations often intersect with requirements under other laws and sector-specific regulations.[5]
Judicial Interpretation [6]
Judicial decisions have shaped the understanding of due diligence. In cases like Myspace Inc. v Super Cassettes Industries Ltd [(2017) 236 DLT 478 (DB)], Super Cassettes Industries alleged that Myspace, a social networking platform, enabled copyright infringement by allowing users to upload infringing content. Myspace provided a Terms of Use Agreement and a Privacy Policy, restricting users from uploading such content, and it did not alter the user-uploaded content beyond adding advertisements on the pages.
The Delhi High Court analyzed the concept of "knowledge" under Section 79(3)(b) of the IT Act, 2000 to determine liability. While Myspace claimed it lacked actual knowledge of infringing content, the court found that the platform failed to implement effective preventive measures and maintain a robust mechanism to act on takedown requests. This lack of proactive compliance diluted its safe harbour defense, making it liable for copyright infringement.
In Christian Louboutin SAS v. Nakul Bajaj [253 (2018) DLT 728], the luxury brand Christian Louboutin accused Darveys.com, an online marketplace, of selling counterfeit products and misleading customers about their authenticity. The platform claimed safe harbour protection under Section 79 of the IT Act, 2000, asserting that it was a passive intermediary. However, the court found otherwise, noting that Darveys.com actively curated listings, guaranteed product authenticity, and maintained contractual relationships with sellers.
The court held that such actions went beyond the role of a neutral intermediary and demonstrated active participation in promoting and facilitating the sale of counterfeit goods. Compliance with intermediary guidelines alone, the court emphasized, does not suffice if the entity is complicit in unlawful activities. By breaching its due diligence obligations through direct involvement in these activities, Darveys.com lost its safe harbour protection and was held liable for trademark infringement.
Overlap with Other Legal Frameworks
The due diligence obligations under the IT Rules, 2021, intersect with multiple other regulatory frameworks, including:
- Regulated Entities (SEBI, RBI, IRDA)
Entities regulated by bodies like the SEBI, RBI and IRDA must also adhere to sector-specific guidelines that emphasize due diligence practices. These guidelines often intersect with the IT Act's provisions on data security, privacy, and intermediary liability.
SEBI Circular on Specified Digital Platform ("SDP") [7]
Entities regulated by SEBI, such as online trading platforms and digital investment advisory services, must adhere to stringent disclosure norms outlined in SEBI's circulars, including the Specified Digital Platform ("SDP") Circular. These requirements intersect with the IT Rules, 2021, which mandate intermediaries to prevent the hosting of unlawful or misleading content. For instance, platforms like Zerodha or Upstox are required to ensure that investment-related content aligns with SEBI's disclosure standards while simultaneously complying with IT Rules on transparency and takedown mechanisms. Non-compliance could jeopardize their safe harbour protection under Section 79 of the IT Act, 2000, exposing them to regulatory penalties from both SEBI and the IT Act, 2000.
RBI Master Direction on Outsourcing of IT Services [8]
RBI-regulated entities, including banks and non-banking financial companies (NBFCs), face overlapping compliance obligations under the IT Act and RBI's Outsourcing of IT Services Guidelines. While the IT Act emphasizes data protection and cybersecurity under Section 43A, RBI's framework requires regulated entities to conduct due diligence on third-party vendors and ensure robust data security measures in outsourced IT operations. For instance, client-facing applications, such as mobile banking apps and online payment platforms, are expected to maintain high standards of security and usability. Banks utilizing third-party vendors for these applications must ensure compliance with IT Rules on privacy and security while adhering to RBI's requirements for end-user data protection, service continuity, and vendor risk management on an ongoing basis.
IRDA Standards for Data Protection [9], [10]
Insurance providers regulated by IRDA must comply with sector-specific guidelines on safeguarding policyholder data, which closely align with the IT Act's data security mandates. For example, IRDA's regulations require insurers to implement stringent measures to protect sensitive personal data, mirroring the IT Act's focus on reasonable security practices. Platforms offering insurance products online must also ensure compliance with IT Rules concerning grievance redressal and privacy policies. The dual compliance obligations necessitate a cohesive framework for insurers to meet both IRDA and IT Act requirements effectively.
- Digital Personal Data Protection Act, 2023
The proposed Digital Personal Data Protection Act emphasizes data minimization, lawful processing of personal data, and ensuring security safeguards. These align with the IT Rules' mandates for publishing privacy policies and securing user data, creating potential overlaps in compliance. Social media platforms like Meta (Facebook) and WhatsApp face significant challenges in managing user data across jurisdictions while adhering to these overlapping requirements. For instance, WhatsApp implemented end-to-end encryption but continues to face scrutiny over compliance with traceability requirements.[11]
- Consumer Protection (E-Commerce) Rules, 2020
E-commerce platforms must provide grievance redressal mechanisms and ensure transparency regarding product listings and service terms. These requirements overlap with IT Rules' stipulations for intermediary liability concerning user grievances and information disclosure. These rules directly impact e-commerce giants like Flipkart and Amazon India, requiring transparency in product listings and seller details while adhering to IT Rules for intermediary obligations. Disputes over fake reviews, counterfeit products, or misleading advertisements frequently test compliance frameworks.
- Copyright (Amendment) Rules, 2021
The Copyright Rules impose obligations on intermediaries to respond to copyright infringement claims. This overlaps with the IT Rules' general requirement to act on takedown requests for illegal content, including intellectual property violations. Content creators regularly raise concerns over unauthorized use of their works, leading to significant compliance challenges. YouTube developed the Content ID system to allow rights holders to automatically detect and manage copyright violations.
- Cybersecurity Guidelines
The Indian Computer Emergency Response Team (CERT-In) Guidelines, issued under Section 70B of the IT Act, 2000, require intermediaries to report cybersecurity incidents and maintain records of activities, overlapping with traceability and accountability mandates under the IT Rules. Companies like Paytm and Razorpay, which handle vast amounts of sensitive financial data, face increased compliance burdens to meet both cybersecurity and IT Rules obligations.
In Sum
The overlapping regulatory frameworks create a dense compliance landscape for intermediaries, increasing their operational and legal risks. While these regulations aim to enhance transparency, accountability, and consumer protection, the lack of harmonization amplifies the burden on intermediaries. Entities must adopt integrated compliance strategies, such as advanced content moderation tools, data management systems, and robust grievance redressal mechanisms, to mitigate liability and ensure seamless adherence to these overlapping mandates.
Footnotes
[2] https://blog.ipleaders.in/safe-harbour-provisions-for-intermediaries-in-india-and-us/
[5] https://www.meity.gov.in/writereaddata/files/FAQ_Intermediary_Rules_2021.pdf
[8] https://www.rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=12486
[9] https://irdai.gov.in/document-detail?documentId=385593
[10] https://irdai.gov.in/document-detail?documentId=604638