On February 25, 2021, the Government of India notified the Information Technology (Intermediary Guidelines Digital Media Ethics Code) Rules, 2021 ("Rules"). These Rules were framed under Section 87(2) of the Information Technology Act, 2000 ("IT Act") and will supersede the Information Technology (Intermediary Guidelines) Rules, 2011.
The Rules will govern intermediaries1 such as social media platforms, digital news publishers and OTT content streaming platforms. Notably, the Rules have been divided into three parts:
- Part I is the preliminary section and provides for definitions;
- Part II provides guidelines on the due diligence and grievance redressal mechanisms expected of all intermediaries (including social media platforms); and
- Part III provides for a Code of Ethics ("COE"), procedures and safeguards that apply to the digital news and current affairs and OTT content streaming platforms.
Notably, the provisions of the Rules (except for Rule 42) come into force with effect from February 25, 2021, i.e., the date they were notified in the Gazette of India. We have highlighted below the most significant obligations mentioned under the Rules and have thereafter provided a more detailed note on these provisions.
Significant Obligations / Requirements
- Notice and Takedown: An Intermediary is required to take down unlawful content within 36 hours of receiving a court order or notification from a Government agency. An Intermediary is also required to retain records of such content for a period of 180 days for investigation;
- Grievance Redressal: An Intermediary must have a grievance redressal mechanism, must acknowledge complaints within 24 hours, and must dispose of user complaints within 15 days of its receipt;
Significant Social Media Intermediaries
- Regulation of Significant Social Media Intermediaries: Social media intermediaries that meet a membership/user threshold that may be published by the Government (referred to as "Significant Social Media Intermediaries" or "SSMI") would be subject to more onerous requirements. The term "social media intermediaries" has been defined in very broad terms3, and could include potentially include any online intermediary including a video sharing platform (such as DailyMotion), a video-conferencing platform (such as MS Teams) or a collaborative online encyclopedia (such as Wikipedia).
- Mandatory Appointments: SSMIs are required to make the following mandatory appointments - Chief Compliance Officer, a Nodal Contact Person, and a Grievance Officer. Each of these individuals need to be Indian residents;
- User Traceability: An SSMI that provides a messaging service must enable identification of the "first originator" of the information on its platform when called upon to do so by an Indian court or the Government. This requirement for user traceability challenges the end-to-end encryption facility offered by certain messaging platforms in India;
- Disclosure of Ads and Sponsored Content: An SSMI must specifically flag or otherwise disclose sponsored or promoted content;
- Proactively Take-down using Automated Tools: SSMIs "shall endeavor" to deploy technology-based measures such as automated tools to proactively identify information that depicts rape, child sexual abuse (CSA), or any information that that is "exactly identical" to information that was previously removed or access to which was disabled. Content taken down through such tools would have to be flagged for users trying to access it later;
- Additional Diligence for News Content: An SSMI must publish a statement on its platform and inform the publishers of news and current affairs that they are required to furnish details of their user accounts on the platform to the Ministry of Information and Broadcasting, Government of India ("MIB"). Thereafter, the SSMI may provide such entities a verifiable mark that indicates that these entities are news publishers;
Publishers of News and Online Curated Content
- Code of Ethics: All publishers of online news content
and "online curated content"4 are required to
adhere to a Code of Ethics formulated by the Government. This Code
has been annexed to the Rules and contains guidelines for content
classification, age restrictions and accessibility. They also
provide issue-based guidelines on matters such as discrimination,
violence, and nudity.
Notably, "online curated content" would not include content uploaded by individual users on a user-generated video sharing platform. Instead, this would be limited to 1st party content created or curated by the publisher (i.e., an OTT streaming service).
- Three Tier Oversight Mechanism: The Rules establish a
3-tiered mechanism to oversee the operations of the publishers of
Online Curated Content (i.e., streaming services):
- Level 1 - Publisher itself: The publisher (i.e., streaming service) must accept complaints through a designated grievance officer, who is required to process the complaint and have a decision within 15 days;
- Level 2 - Self-regulatory organization ("SRO"): Each publisher (streaming service) is required to be a part of an SRO. This SRO would need to register itself with the MIB, and thereafter is responsible for hearing complaints against a publisher (streaming service) that are not adequately resolved through the Level 1 process;
- Level 3 - Inter-Departmental Committee: This committee would hear grievances that are not adequately resolved through the Level 1 and/or Level 2 process. This committee would publish Codes of Practices that would apply to each SRO, and would also issue advisories and directions to publishers (streaming services) from time to time. Lastly, this committee would have the power to hear complaints against publishers (streaming service) that are directly referred to it by the MIB;
- Blocking or Censorship Orders: The MIB may, on the
recommendation of the Inter- Departmental Committee, direct a
publisher (streaming service) or any Intermediary to delete or
modify any content:
- For preventing the commission of an office relating to public order;
- In the interest of sovereignty and integrity of India, defense of India, security of the state, friendly relations with foreign States or public order or for preventing incitement to the commission of any offence relating to aforesaid.
Such an order may only pertain to a specific piece of content and may not require an entity to cease its operations in India.
- Mandatory Reporting: Every publisher of digital news
content and publisher of Online Curated Content is required to
submit information regarding its operations in India to the MIB.
This information is required to be filed within 30 days of the
Rules being published (i.e., on or before March 27, 2021.
Every publisher of news content and the publisher of Online Curated Content is required publish periodic compliance reports every month mentioning the details of grievances received and action taken thereon.
- True or False Disclosures: Publisher (streaming services) and their SROs are required to make "true and full disclosure" of all grievances they receive. They must also disclose how they disposed of grievances and the action taken.
- Record Retention: Every publisher (streaming service) must preserve records of the content transmitted by it for a minimum period of 60 days. This information should be made available to the SRO or the Government of India, as and when required.
I. Due Diligence by Intermediaries
1. Due Diligence
Part II of the Rules provide specific guidelines in relation to due diligence that intermediaries (including social media intermediaries and significant social media intermediaries) are required to observe while discharging their duties. Some of these include the following:
- Publish Rules and Policies: All intermediaries must publish information in relation to rules, regulations, privacy policies and user agreements for access to their computer resources, on their websites, mobile based applications or both.
- Termination of Access: Intermediaries must keep users informed on a periodical basis (at least once a year), that they reserve the right to terminate access due to any non- compliance of rules, regulations, privacy policies and user agreements. Further, intermediaries must inform users periodically (at least once a year) of its rules and regulations, privacy policies and user agreements; or whenever a change occurs.
- Removal of Information: Upon receiving actual knowledge in the form of a court order or upon being notified by the Government or its agency, intermediaries must not host, store or publish any information which is prohibited by law in relation to: (i) the interests of sovereignty and integrity of India; (ii) security of the state; (iii) friendly relations with foreign states; (iv) public order; (v) decency or morality; (vi) contempt of court; (vii) defamation; (viii) incitement to an offence; and (ix) information that violates any law. The Rules have clarified that if such information has been hosted, stored or published, the intermediary must remove/disable access to such information as soon as possible, but no later than 36 hours from receipt of the court order or being notified by the Government or lawful agencies.
- In addition, if intermediaries receive a complaint from an individual in relation to any content which is prima facie in the nature of non-consensual transmission, is in the nature of impersonation, depicts a person in any sexual act/conduct etc., such information must be removed within 24 hours from receipt of the complaint. The intermediary must implement a mechanism for receipt of complaints to enable an individual or person to provide details in relation to such content.
- Record Retention: When an intermediary receives an order/notification to remove/disable access of information, from the court, Government or its lawful agencies, such information and associated records must be preserved by the intermediaries for 180 days or for such period as may be required by the court, Government or lawful agencies. Separately, any information collected from users during the registration process must be retained for a period of 180 days after cancellation of registration.
- Security Practices and Incident Reporting: Intermediaries must follow reasonable security practices as prescribed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 ("Privacy Rules"). Further, an intermediary must report cyber security incidents and share related information with the Indian Emergency Response Team in the manner as prescribed under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ("CERT-In Rules").
- Government's Access Rights: When an intermediary receives a written order (clearly specifying the purpose for request and the assistance required) from any Government agency, the intermediary is required to provide information under its control and any assistance as required, within 72 hours from receiving such order. As per the Rules, the Government has the right to request such information for investigative, protective or cyber security activities, for purposes of verification or identity and for prevention, detection, investigation or prosecution of offences or for cyber security incidents.
- Grievance Officers: Intermediaries are required to publish information in relation to the name and contact details of the grievance officer and mechanisms by which a user/victim may file a complaint on its website and application. A grievance officer must acknowledge such complaint within 24 hours and resolve it no later than 15 days from the receipt of the complaint. In addition, a grievance officer must also acknowledge receipt of any order received from government, court and any other authorities. The intermediary must implement a mechanism for receipt of complaints to enable an individual or person to provide details in relation to such content.
2. Significant Social Media Intermediary
In addition to the general due diligence provided under Part I, the Rules also impose certain additional due diligence for Significant Social Media Intermediaries ("SSMI(s)"). As per the Rules, SSMI is a social media with users above a certain threshold as may be notified by the Government. SSMIs are required to adhere to certain additional due diligence requirements within 3 months from the date of notification of the thresholds (in order to be categorized as a SSMI) by the Central Government, which include:
- Appointment of CCO: Appoint a Chief Compliance Officer ("CCO"), to ensure compliance with the IT Act and its rules and will be liable for any proceedings in relation to any third-party information, communication link, or data made available or hosted by the intermediary where the CCO fails to ensure that the intermediary observing due diligence while discharging its duties under the Rules and IT Act. As per the Rules, the CCO must be a key employee or other senior employee of the SSMI, who is a resident in India.
- Appointment of Nodal Person: SSMIs must also appoint a nodal person of contact for 24/7 coordination and compliance with law enforcement agencies. As per the Rules, the nodal person must be an employee of the intermediary and resident in India. It has also been clarified that the CCO and nodal person are required to be two separate individuals.
- Resident Grievance Officer: The grievance officer appointed by SSMIs must be a resident in India.
- Periodic Reports: SSMIs must publish periodic compliance reports, every month, providing details of (i) complaints received and actions taken; and (ii) number of communication links/ information that has been removed pursuant to proactive monitoring by using automated tools.
- Physical Contact Address: SSMIs must have a physical contact address in India, and details of this address must be published on their websites and applications.
- Verification Feature: SSMIs must enable a verification feature for users who register for their services or use their services from India, to voluntarily verify their accounts and receive a verification mark. However, information received by SSMIs for the purpose of verification must not be used for any other purpose, unless such user has expressly provided consent for such use.
- Identification of First Originator: SSMIs which primarily provide messaging services must enable identification of the first originator of the information, pursuant to a judicial order or an order passed under Section 69 of the Act by a competent authority under the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009 ("Interception Rules"). However, the Rules clarify that SSMIs are not required to disclose the contents of the electronic message other than information in relation to the first originator and its other users. Further, the Rules clarify that orders must be passed if there are other less intrusive means are effective in identifying the originator. If the first originator is situated outside India, the first originator situated within the territory of India will be deemed to be the first originator of such information.
- Implementation of Tracking Status: The SSMIs must implement appropriate mechanism for receipt of complaints and enable a complainant to track the status of his/her complaint by providing a unique ticket number for every complaint received by the intermediary.
- Notification of Other Intermediaries as SSMIs: The Rules grant powers to the Central Government to direct any other intermediary, by way of notification along with written reasons, to comply with the obligations imposed on SSMIs, if the intermediary permits publication/transmission of information which may create a material risk to harm the sovereignty and integrity of India, security of the state, friendly relations with foreign states and public order. While assessing the material risk of harm, the Central Government must assess (i) the nature of services provided by the intermediary; (ii) whether the services permit interaction between users (notwithstanding the primary purpose of the intermediary); and (iii) whether such publication/transmission of information to a significant number of users may result in widespread dissemination of such information.
3. Additional Due Diligence to be observed by an intermediary in relation to news and current affairs content
In addition to the due diligence compliance requirements discussed under Paragraphs 1 and 2 (for 2, only if applicable), an intermediary in relation to news and current affairs content must publish on its website, mobile based application or both, a clear and concise statement informing publishers of news and current affairs that the publishers must furnish details of their user accounts on the services of such intermediary to the Ministry of Information and Broadcasting ("MIB").
II. Digital Media: Code of Ethics, Procedures and Safeguards
Part III of the Rules prescribes a COE, procedures, and safeguards in relation to digital media. Part III will only be applicable to the following entities (that operate in India or conduct systematic business activity of making its content available in India which is targeted to Indian users):
- Publishers of news and current affairs content; and
- Publishers of Online Curated Content.
1. COE for News and Current Affairs
The COE mandates publishers of news and current affairs content to comply with the (i) Norms of Journalistic Conduct of the Press Council of India under the Press Council Act, 1978; (ii) Programme Code under section 5 of the Cable Television Networks (Regulation) Act, 1955; and prohibits publishing or transmitting content which is prohibited under any law in force.
2. COE for Online Curated Content
As per the Rules, the COE prohibits publishers of online curated content from transmitting, publishing or exhibiting any content which is prohibited by law. Further, such platforms must exercise due caution towards content that would affect India's security, sovereignty, integrity or relations with foreign countries. Further, they must also exercise due caution when featuring activities, beliefs, practices or views of any religious or racial group, or content that is likely to incite violence or disturb the maintenance of public order.
Notably, the COE also requires content to be self-classified into rating categories, based on the (i) theme/message, (ii) violence, (iii) nudity, (iv) sex, (v) language, (vi) drug abuse and (vii) horror. Based on the nature and type of content, the COE also prescribes classification of content into "U" rating, "U/A 7+" rating, "U/A 7+" rating, U/A 13+" rating, U/A 16+" rating and "A" rating. This classification must be prominently displayed along with a content descriptor prior to watching the programme. The COE also recommends implementation of access control and restrictions, based on the rating of content.
3. Grievance Redressal Mechanism
Any person having a grievance regarding content in relation to the COE may furnish their grievance through the grievance mechanism, to be established by every publisher under the Rules:
- The publisher must generate and issue an acknowledgement of the grievance to the complainant within 24 hours.
- The publisher must address the grievances within 15 days of registration of the grievance.
- If unsatisfied, the complainant may appeal to a self-regulating body ("SRB") (discussed below), which must then make a decision in relation to the complaint. An appeal to its decision lies to the Oversight Mechanism ("OM") (discussed below).
4. Three Tier Regulatory Structure
For ensuring observance and adherence to the COE and for addressing grievances made under Part III, the Rules have prescribed for a three-tier structure:
- Level 1- Self Regulation by publishers ("Tier 1");
- Level 2- Self Regulation by SRB of the publishers ("Tier 2"); and
- Level 3- OM by the Central Government ("Tier 3").
Tier 1: Under Tier 1, publishers must establish a grievance redressal mechanism, appoint a Grievance Officer ("GO") and display related contact details on their websites. The GO must take a decision on every grievance received and inform the complainant of the same, within 15 days. The GO will also be a nodal point for interactions with complainants, the SRB and the MIB.
Tier 2: Under Tier 2, SRBs of publishers will be established. The SRB will be headed by a retired judge or independent eminent person, appointed from a panel of 6 experts from the field of media, broadcasting, entertainment, child rights and human rights. SRBs will provide guidance and oversee adherence with the COE by publishers, address grievances that have been unresolved for more than 15 days and hear appeals from decisions of GOs. SRBs may also take action towards publishers by issuing warnings, requiring apologies, directing the reclassification of ratings etc. SRBs can also refer certain content to the MIB, for consideration by the OM under Tier 3, to block public access to said content.
Tier 3: The MIB will develop an OM to coordinate and facilitate adherence to the COE. The OM will publish a charter for SRBs, establish an Inter-Departmental Committee ("IDC") for hearing grievances, and issue guidelines and advisories. The IDC will consist of representatives of the MIB and other relevant government ministries, along with domain experts. The IDC will hear complaints appealed from of Tier 1 and 2 complaints and complaints by the MIB. It may make recommendations to the MIB to take the same actions against a publisher as the SRB, in addition to making a recommendation to block public access to content under Section 69A of the IT Act. The MIB will appoint an Authorized Officer ("AO") for the purpose of issuing directions in respect of the IDC's recommendations. In case of an emergency, the AO may recommend action under Section 69A directly to the MIB, which may block access to content without a recommendation from the IDC. However, the issue must be brought before the IDC within 48 hours.
5. Furnishing of Information
All publishers, under the purview of the Rules, that are operating in India must inform the MIB of the same and furnish information of the details of its entity for purposes of enabling communication and coordination.
A publisher must notify the MIB within 30 days of the notification of the Rules, where the publisher is operating in India at the time of notification of the Rules, and where such publisher begins operation after publication of the Rules, within 30 days of commencing operation in India. All such publishers must publish periodic compliance reports every month mentioning the details of grievances received and actions taken thereon.
1. As per the IT Act, an "Intermediary" means, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record. An Intermediary includes a telecom service provider, a search engine, an e-commerce marketplace, etc.
2. Rule 4 pertains to additional due diligence requirements to be observed by "Significant Social Media Intermediaries" (SSMIs). As per the Rules, SSMIs are required to adhere to these additional due diligence requirements within 3 months from the date notified by the Central Government.
3. As per the Rules, "Social Media Intermediaries" means an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.
4. As per the Rules, "Online Curated Content" means any curated catalogue of audio-visual content, other than news and current affairs content, which is owned by, licensed to or contracted to be transmitted by a publisher of online curated content, and made available on demand, including but not limited through subscription, over the internet or computer networks, and includes films, audio visual programmes, documentaries, television programmes, serials, podcasts and other such content.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.