A database of millions of customers including their contact details are found freely accessible online and are available for sale at a very nominal price at various online social media platforms has brought a serious and basic question in focus- who all can be held responsible and accountable for such unauthorize and illegal acts?

Prima facie, the person who is selling the database is responsible under the eyes of law, but do the technology services providers or the platform where such database is been listed, owes any obligation to the customers and can be held responsible for unauthorize acts by a third party on their platform?

The technology service providers or the online platform operators are commonly known as "Intermediaries".

In India, these technology service providers or Intermediaries are governed by the provisions of Information Technology Act, 2000 ("IT Act") along with Information Technology (Intermediaries Guidelines) Rules, 2011 ("Intermediary Rules")

Section 2 (1) (w) of the IT Act define intermediary as follows:

Intermediary with respect to any electronic messages means any person who on behalf of another person receives, stores or transmits that messages or provides any service with respect to that messages and includes:

  • Telecom service providers;
  • Network service providers;
  • Internet service providers;
  • Web hosting service providers;
  • Search engines;
  • Online payment sites;
  • Online auction sites;
  • Online market places; and
  • Cyber cafes

The intermediaries play a very important role in the enforcement of various provisions under the IT Act. In any technology services, there are multiple players involved in provision of services such as setting up web page or website, ISP providing internet connectivity, service provider for registration of domain name and hosting the domain, different service provider for uploading the web pages etc. The present definition of intermediaries is broad enough to encompass every technology service provider involved in any manner in transmission, retention or hosting of electronic records. The IT Act places substantial burden on the intermediaries as briefed below:

1. Section 67C: Intermediaries to preserve and retain the information as prescribed under the IT Act and any intentional or knowingly contraventions are punishable with 3 years' imprisonment and fine;

2. Section 69: Intermediaries are required to comply with an order passed by the Central or State Government directly or through designated agency for granting access or securing access to the computer resource containing the information or intercepting, monitoring or decrypting encrypted data or provide information stored in a computer resource. Failure to assistance to the said Government or its designated agency is punishable with 7 years' imprisonment and fine;

3. Section 69A: An intermediary may be directed by the order of the Central Government to block access by the public or cause to be blocked for access by public, any information generated, transmitted, received, stored or hosted in any computer resource, which such intermediary has to comply with. Failure to do so would entail maximum imprisonment of 7 years' and fine;

4. Section 69B: The Central Government may direct an intermediary to provide technical assistance and extend all facilities to its designated agency or authority, to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information, as required by such agency and non-compliance with such order may be prosecuted and the intermediary may be punished with 3 years' imprisonment and fine;

5. Section 70B: CERT-IN may call for information or give directions to intermediaries and any intermediary fails to comply with such directions may be punished with 1 year imprisonment and fine;

6. Section 72A: An intermediary who discloses personal information obtained while providing services under the terms of lawful contract, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, without the consent of the person concerned, or in breach of a lawful contract, may be punished with 3 years' imprisonment or fine of maximum Rs. 5 lakhs or with both. With respect to compliance with Section 72A, the intermediary is required to comply with the guidelines set out in the IT (Reasonable Security Practices And Procedures And Sensitive Personal Information) Rules 2011, which sets out the procedure for collection, retention, use and dissemination of sensitive personal information pertaining to users.

Section 79 of the IT Act exempts the intermediary from any liability under the IT Act from prosecution for third party actions, on fulfillment of the following requisite:

a. That the intermediary's role is limited to providing access to a communication system, which is used by third parties to transmit, store or host information;

b. That the intermediary did not initiate the transmission, and did not select the receiver of transmission and also did not select or modify the information forming part of such transmission;

c. That the intermediary observed due diligence and complied with the guidelines set out by the Central Government, while discharging its duties under the IT Act

However, the intermediary cannot claim exemption under Section 79 of the IT Act on the following conditions:

a. An intermediary is involved in the commission of an unlawful act, either through conspiring, abetting or aiding such act or had induced, whether through threats or promises or otherwise the commission of the unlawful act;

b. An intermediary, after having received actual knowledge, by itself or through notification from the appropriate Government or its agency, that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary, is being used to commit an unlawful act, fails to expeditiously remove or disable access to that material on that resource, without vitiating the evidence in any manner.

An intermediary is required to act on information received about violation of any laws within 36 hours of such receipt and the intermediary is required to ensure that removal of content from a website or computer resource would not affect the evidentiary value of such content.

Moreover, the intermediary is requisite to demonstrate due diligence and publish rules & regulations, data privacy & protection, usage policy and user agreement for access or usage of the intermediary's online platform or computer access along with details of grievance officer who has to dispose of the matter within one month from date of receipt of complaint.

With ongoing evolution in the business world, the technology service providers are part and parcel of each and every business & their role as intermediary has increased manifold.

Originally published 1 June 2019 - this republication shall be limited for information purposes only

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.