India: Information Technology (Intermediary Guidelines And Digital Media Ethics Code) Rules, 2021: Adequate Regulation Of Intermediaries?

Introduction: What is an Intermediary

The term 'Intermediary' has been defined in clause (w) of sub-section 1 of section 2 of the Information Technology Act, 2000 (" IT Act") as "any person who on behalf of another person receives, stores or transmits an electronic record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes".

This is a very broad definition. This not only covers social media companies (e.g., Facebook, Twitter) but also a wide range of players in the internet ecosystem including search engines (Google Inc., Yahoo Inc.), online payment sites (Paypal, Phonepe), online-market place (Amazon, Flipkart), telecom service providers (Jio, Vi), and cyber-cafes. The definition applies to any company where the user has an identity in the intermediary in form of a unique account/number (though some intermediaries may not require prior registration for access), who accesses, uses, and interacts with other users (who may or may not be of the same kind) and the intermediary enables these interactions. Cyber-cafes would be an exception to this notional definition.

Regulation of Intermediary in India

Intermediaries did not have protection of safe harbour until 2008. That is, there was nothing in the IT Act which protected intermediaries from content posted by its users. This became clear in Avinash v State¹, where the managing director of an e-commerce company was charged with criminal provisions of the Indian Penal Code, 1860 for the content posted by third parties on the e-commerce company. The Delhi High Court observed that there was a requirement for widening the scope of protection given to intermediaries. Consequently, the IT Act was amended in 2008 to include a safe harbour regime under Section 79 of the IT Act, along with an amendment in the definition of intermediaries.

Intermediary Guidelines, 2011 and the Shreya Singhal Judgement

In 2011, the Government of India notified the Information Technology (Intermediaries Guidelines) Rules, 2011 ("Intermediary Guidelines, 2011") which brought certain obligations for the intermediaries, which included, inter alia, publication of privacy policy and user agreement on its website/App, prohibition of posting of harmful content, developing systematic and organizational measures for data security, etc.

In the landmark judgment of Shreya Singhal v Union of India², the Supreme Court also discussed the intermediary liability, "Section 79 is valid subject to Section 79(3)(b) being read down to mean that an intermediary upon receiving actual knowledge from a court order or on being notified by the appropriate government or its agency that unlawful acts relatable to Article 19(2) are going to be committed then fails to expeditiously remove or disable access to such material.... Similarly, the Information Technology "Intermediary Guidelines" Rules, 2011 are valid subject to Rule 3 sub-rule (4) being read down in the same manner as indicated in the judgment."

Intermediaries Guidelines 2021

The Intermediaries Guidelines 2011 were superseded by Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("Intermediary Guidelines"). The new guidelines inter alia have brought a classification of intermediaries. They classified them into social media intermediary and significant social media intermediary, based on the number of users served by the intermediary. Significant social media intermediary, which has a higher threshold of registered users (50,00,000 (fifty lakh) as per a recent notification³), has certain additional obligations. Unlike the Intermediary Guidelines, 2011, these guidelines also regulate OTT channels and providers of news and current affairs on the internet under a different chapter.

According to the Rule 3, intermediaries are required to observe due diligence, such as prominently publishing on its website or application or both, the rules and regulations, privacy policy, etc. They have to inform the users beforehand about the prohibited content. Further, upon receiving actual knowledge in the form of an order by a court of competent jurisdiction or on being notified by the appropriate Government or its agency, the intermediary shall not host, store or publish any such prohibited information. In case, any such information is hosted, stored or published, the intermediary shall disable access to that information within 36 hours from the time of being notified. It shall also preserve such information and associated records for 180 days for investigation purposes, or for longer period as may be required by Government agencies or by the court. Intermediaries are also required to furnish information concerning verification of identity, or prevention, detection, investigation, or prosecution, of offences under any law or for cyber security incidents to the Indian Computer Emergency Response Team within 72 hours of the receipt of a lawful order. The intermediary shall also publish the name of the Grievance Officer and his/her contact details as well as mechanism for complaint. Grievance Officer shall acknowledge the complaint within 24 hours and resolve it within 15 days from the date of its receipt. Intermediaries are also required to remove or disable access to any content which exposes the private area of any person, or shows nudity or sexual act or conduct including artificially morphed images within twenty four hours from the receipt of a complaint.

A 'significant social media intermediary' has to observe certain additional due diligence⁴ such as appointing an Indian resident as Chief Compliance Officer, a nodal contact person for 24x7 coordination with law enforcement agencies and officers, and a Resident Grievance Officer and publisha monthly compliance report.

Conclusion

It is only logical that intermediaries cannot be made responsible for what third parties post on their platforms but to absolve them entirely from third-party liability would not be advisable in this hyperconnected world where companies like Facebook and Twitter are universes in themselves. Cambridge Analytica scandal showed the potential of these platforms. Facebook, which remains the first and often the only source of information for many people could influence the world in manners no one can, and could affect public order, markets, and entire democracies, on a very large scale. The point is to strike a balance between the two opposite ends of the spectrum. The bottom line is provide freedom to intermediaries to operate smoothly but have enough checks and compliances to prevent them from becoming uninhibited, archaic tech nations. Intermediary Guidelines so far as the social media intermediaries are concerned (which cannot be said about the regulation of digital media and OTT platforms), have arguably struck the balance between the security of the State and privacy of the citizens.

Footnotes

1. 2008 (105) DRJ 721

2. (2013) 12 S.C.C. 73

3. Ministry Of Electronics and Information Technology, [F. No. 16(4)/2020-CLES], (Notified on 25.02.21)

4. Rule 4, Information Technology (Intermediaries Guidelines) Rules, 2011

Originally published 4 January, 2022

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.