Earlier in 2021, the Government of India issued the much-contested Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Rules), under the Information Technology Act, 2000 (IT Act) to regulate online platforms and digital media. These rules were laden with ambiguities and many stakeholders challenged the validity of the same across various courts in India. The Intermediary Rules set forth several due diligence requirements and grievance redressal obligations for such platforms, thereby increasing the regulatory burden in this sector. To ease some concerns and provide clarity to the stakeholders, the Ministry of Electronics and Information Technology (MEITY) issued frequently asked questions (FAQs) on 1 November 2021 to clarify certain aspects in relation to the Intermediary Rules. This article aims to provide a snapshot of the key clarifications and their implications for the digital space.
Classification of intermediaries
A key change introduced by the Intermediary Rules was the categorization of 'intermediaries' as 'social media intermediaries' (SMIs) and 'significant social media intermediaries' (SSMIs). The Intermediary Rules subjected SSMIs to additional obligations including, inter alia, appointing personnel in India, user tracing, deployment of automated tools with periodic human oversight, etc. While there is some prior jurisprudence in India regarding interpretation of 'intermediaries', the FAQs appear to broaden the definition by acknowledging that many kinds of platforms may qualify as 'intermediaries' with respect to the third-party content made available, shared, hosted, stored or transmitted on their platforms.
Additionally, there is also lack of clarity and limited context regarding interpretation of SMIs and SSMIs. In terms of the Intermediary Rules, SMIs (which includes SSMIs) are intermediaries which primarily or solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using their services. Importantly, the recent FAQs note that an 'intermediary' incidentally enabling online interactions may not be considered as a SMI. Further, the FAQs set out certain indicative features which may be taken into account while assessing whether an entity is an SMI or not (e.g., whether it allows social networking, including through specific features such as 'follow' or 'subscribe', whether it provides opportunity to interact with unknown individuals, whether it enables content to become 'viral', etc.).
Key clarifications to the Intermediary Rules
- Appointment of personnel: As a part of their due diligence obligations, SSMIs are required to appoint certain personnel such as a Chief Compliance Officer (for ensuring compliance with the IT Act and its rules), a nodal contact person (for 24x7 coordination with law enforcement agencies) and a Resident Grievance Officer (to facilitate the redressal of grievances). The FAQs clarify that the Chief Compliance Officer and the nodal contact person cannot be the same, however the roles of the nodal contact person and the Resident Grievance Officer may be performed by the same person. That said, MEITY 'advises' that the SSMI should appoint separate individuals for this purpose and provide separate contact details for grievances submitted by users and the requests/orders made by the Government or authorized Government agencies.
- Content takedown by intermediary: SSMIs are required to notify the users when their content has been removed / disabled by an SSMI 'on its own accord' (e.g., through the use of automated tools / filters or identification by an agency/organisation of content containing child sexual abuse material, removal of content on the advise of the Resident Grievance Officer, etc.). However, in situations where it is not practical to notify users prior to taking down content, such as during instances of attack by bots or malware, SSMIs may undertake steps while handling a non-human user, to effectively counter bot activity.
- Action taken by intermediary pursuant to complaints: According to the FAQs, intermediaries are expected to provide 'reasonable explanation' to the complainant for any action taken or not taken with respect to such complaint to facilitate two-way communication between the aggrieved users and the intermediary. For instance, in case of frivolous complaints, SSMIs may cite the nature of the complaint as a reason for not taking action. The FAQs also provide that adequate flexibility has been afforded to the intermediaries to set the process and the method to provide explanation to the aggrieved user.
- Tracing of first originator: MEITY has maintained that the regulatory intent behind the rule that mandates detection of the first originator of a message, is to merely obtain the registration details of the first originator of a message and not to break or weaken encryption. The clarifications elucidate that the principle of detection is based on the 'hash' value of the unencrypted messages, which will be common for identical messages. The FAQs give SSMIs flexibility to come up with alternative technological solutions, including the method of generating and storing the hash.
- Consequences and penalties: The FAQs reiterate that in case of any non-compliance, an intermediary shall lose its exemption from liability against third party content under Section 79 of the IT Act and may also be liable for punishment under any existing law. The FAQs further clarify that while users may not be liable for any direct penalty under the Intermediary Rules, users may however be liable to be prosecuted / penalised with respect to the content that they share on the platform, for any violation of other laws such as IT Act, Indian Penal Code, Copyright Act, etc.
Since their enactment, the Intermediary Rules have received a fair share of criticism for inter alia lack of stakeholder consultation, imposition of onerous obligations on online platforms, additional content moderation and take-down burdens, and user privacy concerns. While the fate of these rules remains undecided (pending outcome of the ongoing proceedings before various courts), these rules are in force and appear to be actively enforced by MEITY and other concerned authorities (in particular, the obligations relating to appointment of personnel in India).
While MEITY has asserted in the FAQs that the Intermediary Rules are consistent with protecting the fundamental right of privacy of individuals with adequate safeguards, many continue to question the practicality, adverse implications, and potential misuse of some of its provisions. For instance, it has been argued that enabling identification of the first originator has the effect of breaking the end-to-end encryption since SSMIs will have to deploy such traceability features across all its platforms, irrespective of whether it receives an appropriate court order or not. In fact, Intermediary Rules were challenged by WhatsApp on grounds of its incompatibility with end-to-end encryption and the implications of the tracing obligations on user privacy. Though the FAQs appear to be aimed at providing some ease of mind to users regarding the privacy concerns, it is unclear if the clarifications ease the concerns cited by platforms like WhatsApp in terms of technical operations and the consequential privacy implications for users.
The much-awaited clarifications are an attempt to fill the gap with respect to some of the obligations for intermediaries. However, thus far it appears that the FAQs have only received lukewarm response. While some stakeholders are appreciating the clarifications, some continue to be wary of its impact. In any case, with the release of these FAQs, it seems that the Government is pushing for the Intermediary Rules, and it is paramount for online platforms to ensure compliance with the same.
The content of this document do not necessarily reflect the views/position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up please contact Khaitan & Co at firstname.lastname@example.org