India: Social Media: New Rules Of The Game

The Ministry of Electronics and Information Technology and the Ministry of Information and Broadcasting ("MIB") notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("Intermediary Rules 2021") under Section 87 of the Information Technology Act, 2000 ("IT Act") to replace the Information Technology (Intermediaries Guidelines) Rules, 2011, on February 25, 2021. The Intermediary Rules 2021 are aimed to empower the users of social media platforms to seek redressal for their grievances and command accountability in case of infringement of their rights. The objective is to establish a harmonious, soft-touch oversight mechanism in relation to social media platform as well as digital media and OTT platforms etc.

In the Press Release of February 25, 2021 ("Press Release"), the Ministry of Electronics and Information Technology ("MEITY") had provided the rationale and justification for introducing Intermediary Rules 2021. According to the Press Release, in July 26, 2018, there was a Calling Attention Motion on the misuse of social media and spread of fake news in the Rajya Sabha and the government conveyed that the resolve of the Government is to strengthen the legal framework and make the social media platforms accountable under the law. The Supreme Court of India ("SC") in a suo-moto writ petition in Prajwala, vs Union Of India, vide order dated December 11, 2018 had observed that the Government of India may frame necessary guidelines to eliminate child pornography, rape and gang rape imageries, videos and sites in content hosting platforms and other applications. Later, the SC vide order dated September 24, 2019 had directed MEITY to apprise the timeline in respect of completing the process of notifying the new rules. Also, the Ad-hoc committee of the Rajya Sabha laid its report on February 3, 2020 after studying the alarming issue of pornography on social media and its effect on children and society as a whole and recommended for enabling identification of the first originator of such contents. MEITY then prepared draft rules and invited public comments, which were analysed and an inter-ministerial meeting was held to discuss and finalize the rules.

The Intermediary Rules 2021 have been drafted keeping the significance of "intermediary" in consideration and, therefore, compliances and due diligence requirements for a significant social media intermediary ("SSMI") is more than a social media intermediary ("SMI"). Section 2(w) of the IT Act defines "intermediary", with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes. The Intermediary Rules 2021 introduce the concept of a "SMI" and define it to mean "an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services. Based on the number of users on the social media platform, intermediaries have been divided into "SMI" and a "SSMI" (number of registered users in India should be above 50 lakhs as notified by the Central Government). In this article we will discuss these requirements.

An intermediary, both SMI and SSMI, are required to publish a Privacy Policy, User Agreement, and Rules and Regulation for usage of its website or app or both informing the user (i) to not host, display, upload, modify, publish, transmit, store, update or share any information that belongs to other person, infringes on any Intellectual Property Law, is obscene, harmful to a child, is pornographic, encourages gambling, threatens the sovereignty and unity of India etc.; (ii) the access to the website/app can be terminated if they are not in compliance with these policies; (iii) any changes in these policies.

Intermediary shall remove any objectionable content, within 36 hours that it has stored, hosted or published on its servers, once it gains actual knowledge, in form of a court order or such notification by the appropriate government. The information of any user who has withdrawn or cancelled his registration or the objectionable content could be stored in servers for 180 days or more (if court or government permits). Intermediary shall protect the data following reasonable security procedures and practices as laid down in Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011. It shall provide access to information under its control or possession to the government agency within 72 hours, after being in receipt of order and not  install any kind of technical configuration to its computer resource, altering the normal course of its operation, in order to by-pass the law.

Intermediary shall report any cyber security incident and share the same with Indian Computer Emergency Response Team, in accordance with (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. It shall prominently publish on its website/app the contact details of the Grievance Redressal Officer ("GRO") and mechanism to lodge the complaint against any content on the website/app. The GRO shall acknowledge the receipt of such compliant within 24 hours, and dispose of the same within 15 days from receipt. However, if the complaint is regarding content which shows any kind of nudity prima facie, then the GRO must take down such content within 24 hours, of being in receipt of such complaint. Further, the GRO must acknowledge and receive any order, notice or direction by the Appropriate Government, any competent authority, or a court of competent jurisdiction.

In addition to the above, an SSMI has to undertake certain additional due diligence while discharging their duties. It shall appoint a Chief Compliance Officer for compliance with IT Act and corresponding rules, a 24/7 Nodal Contact Person for assisting the law enforcement agencies & complying with their orders and requisitions, and a Resident Grievance Officer ("RGO") for dealing with complaints lodged by any person with respect to any content on the website/app. It shall implement an appropriate mechanism for the receipt and processing of complaints which shall enable the complainant to track the status of such complaint by providing a unique ticket number. It should endeavour to provide the complainant with reasons for any action taken or not taken pursuant to the complaint.

An SSMI shall enable identification of first originator of the information, in case of messaging platforms, which would require chats to be backed up to encrypted cloud server, rather than providing end-to-end encryption to its users. An SSMI shall clearly mark any information as being advertised, marketed, sponsored, owned or exclusively controlled, if such intermediary is deriving direct financial benefit by advertising information on someone else's behalf, to which it owns a copyright, or has an exclusive license, or in relation with which it has entered into any contract that directly or indirectly restricts the publication or transmission of that information through any means other than those provided through the computer resource of such SMI.

In addition, an SSMI shall have a physical contact address in India published on its website, mobile application, or both for the purposes of receiving the communication addressed to it. In case, wherein, users' access to website or app has been revoked, or any other content that has been uploaded by the user has been removed. It shall inform the user prior to such removal about why the action is being taken, and on what grounds, is the action being taken. However, it shall also provide the user an opportunity to contest this claim of removal and the users' request to re-upload the content. However, this should be done within reasonable time. The RGO shall oversee this process. It can be asked to furnish any additional information as deemed fit by the MIB.

SSMI shall employ technology-based measures to identify and remove information that depicts any sexually explicit content or any identical information which has already been removed by it. It shall display a notice to the user who is attempting to access such information that it has identified such information as objectionable. The measures taken by the SSMI must be proportional and have regard to the interests of free speech and privacy of the individual. The SSMI must further review periodically the technology-based measures to ensure there is no propensity of bias and discrimination in such measures.

It shall enable users to voluntarily verify their accounts by using any appropriate mechanism and provide such users with a demonstrable and visible mark of verification, which shall be visible to all users of the service. SSMI must publish compliance reports every month, containing the details in respect of the complaints which were received and the action taken on those complaints, and the number of links or information removed while using proactive monitoring through automated tools. 

The SSMIs were to comply with the above-mentioned requirements within 3 months from the date of notification of the threshold of an SSMI, i.e., May 26, 2021. This compliance is necessary for the SSMIs since the non-observance of the Intermediary Rules 2021 would strip away these SSMIs of the protection accorded to them by the safe harbour provisions, i.e., Section 79(1) of IT Act. In other words, if there is any objectionable content on the SSMI's platform, the intermediary can no longer claim legal immunity from the same and can be dragged to the court along with the person who posted the objectionable content. While certain SSMIs have already started adhering to the compliances, others have either sought an extension of time to implement these compliances or gone to court to challenge the constitutionality of the Intermediary Rules 2021 on the ground that the first originator clause violates the right to privacy and should be struck down as being unconstitutional as complying with the first originator clause will entail breaking its end-to-end encryption policy, which will weaken user privacy on the app and severely affect free speech.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.