The Intermediary Guidelines 2021 [hereinafter, “guidelines”] was released by the Ministry of Electronics & Information technology as Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and it superseded the Information Technology (Intermediaries Guidelines) Rules, 2011.
The guidelines are divided into 3 parts and the first part deals with different definitions that are associated with the rules. Part 2 of the guidelines deal with the due diligence mechanism related to social media intermediaries and part 3 of the guidelines deals with creators of news and current affairs content and OTT platforms. And the annexure contains the code of ethics which the entities will have to follow. In this article, I will try to dissect the rule for the social media intermediaries only.
CONSTITUTIONAL AND PUBLIC POLICY PROBLEMS
Part 2 of the guidelines deals with due diligence and grievance redressal mechanism related to social media intermediaries but there is some glaring problem embedded in the guidelines. Under the Intermediary guidelines 2021, new classes of entities are being created first is social media intermediaries [Rule 2(w)] and the other is significant social media intermediaries [Rule 2(v)]. And on the 26th of February by a gazette notification, the Ministry of electronics and information technology notified that an Intermediary which has more than 50 lakh registered users will be considered as a significant social media intermediary and there are different sets of obligations for significant social media intermediaries. But there lies a problem in [Rule 6(1)] by which the ministry by order may force any social media intermediaries to follow all the rules that apply to significant social media intermediaries. This is very problematic as the ministry on its will can impose this rule and the intermediaries will have to fulfill huge compliances which may hamper their business.
The problem that lies in the Intermediary Guidelines 2021 starts with the creation itself these guidelines are created under section 87 of the Information technology Act 2000. But if you see in hindsight the information technology act was created to give legal validity to electronic data and it has no provision to control online content except for 2 places (In cyber terrorism [Section 66F] and child pornography [Section 67B] ). But the new intermediary guidelines went a step ahead and tries to control the content that is present on the Internet and this can be considered as an excessive delegation. It is to be noted that the Indian political system works on separation of power where the legislature makes the laws and executive execute it but some time an executive is given the power to makes rules and regulation but it is be noted that the supreme court in the case of Additional District Magistrate (Rev.) Delhi Administration v Shri Ram has already held that rules and regulations should not travel far from the parent act and if it travels far from the parent act it will be considered as ultra-virus.
But the biggest problem that lies in the Intermediary guidelines is [Rule 4(2)] which is related to significant social media intermediaries and their obligation to tell the name of the first originator of the message if there is any court order or any order by the competent authority under Section 69 of information technology act 2000.
In the landmark case of K.S Puttaswamy v. Union of India, the supreme court held that the right to privacy is a fundamental right under article 21. Not just that in a recent case of Central Public Information Officer, Supreme Court v. Subhas Chandra Agarwal the supreme court has affirmed that the right of privacy includes the right of anonymity too.
The requirement to identify the first originator of the information will devastate the idea of privacy in India because for following this rule the Significant social media intermediary needs to track the first originator of every message as they will never know which message will be subject to any court order. This provision will take away the right of privacy and anonymity from the citizen.
The puttaswamy judgment gives a test under which the government can do an intrusion the fundamental right of privacy.
- Legality and existence of law – The Intermediary guidelines are not a law made by the parliament. It is just a subordinated legislation and that is too ultra vires to parent legislation.
- Necessity requirement – while describing the necessity requirement the supreme court said that the law should guarantee against arbitrary state action. Here in this case even if there is an order from the competent authority under Information technology act 2000 the Intermediary needs to act upon this. So, there can be an arbitrary state action without any judicial oversight.
- Proportionality requirement – It is clear that to follow this requirement the intermediaries need to develop a system by which they can track the originator of every message as it is impossible for them to know which message can be subject to a court order. So here the right of privacy of millions of people is thrown away to catch a likely perpetrator. So, to what degree this is proportional. The Supreme court in the case of Ram Jethmalani v. Union of India has said that citizen fundamental rights should not be sacrificed to find the solution to a systemic problem. And here the government while trying to find a solution to catch a potential perpetrator is sacrificing the fundamental right of millions of citizens.
Also [Rule 4(2)] not only does an attack on the right of privacy it also does an attack on the right of speech and expression under Article 19. It in a way will have a chilling effect on every lawful speech as a citizen will not speak freely if their private conversation could be tracked down and can be later used against them when needed.
Not only that under section 79 of the information technology act 2000 the central government has the power to prescribe due diligence mechanism on the intermediaries but compelling the intermediaries to fundamentally alter their platform (Platform likes WhatsApp runs on end-to-end encryption) is way outside of due diligence. Also, the preamble of Information Technology Act 2000 talks about “Uniformity of the law” but I am not aware of any country which forces its intermediary to find the first originator of the message.
Also [Rule 4(2)] applies to significant social media Intermediaries which provide messaging services. The problem is that today most websites and apps provide messaging services in a different format. So, whether this rule will apply to those who primarily provide messaging services or it will apply even if the intermediaries provide ancillary messaging services.
The Intermediaries guidelines 2021 also in a way force the social media intermediaries to work on stiffer deadlines. In the Intermediary guidelines 2011 under [Rule3(4)], the intermediary should act upon a takedown process within 36 hours but under the Intermediary guidelines, 2021 under [Rule3(1)(d)] the whole process of taking down should get complete within 36 hours. Not only this in the Intermediary guidelines 2011 there was no timeline related to giving information to the law enforcement agencies but under the Intermediaries guidelines 2021 under [Rule3(1)(j)] the intermediary should give information to law enforcement agency within 72 hours. The problem is that while working in a stiffer timeline the intermediaries may take down some content just to follow the guideline without any proper due diligence which may create a chilling effect on the right of speech and expression.
Also, a new takedown criterion is added under the intermediary guidelines 2021 under [Rule 3(2)(b)] if any individual makes a complaint related to any obscene material related to him being circulated (Nude photos, morphed image) then the intermediary should take down that content within 24 hours. The measure that is taken by the government is virtuous but the deadline that is given is too short.
Not only that the Intermediary guidelines do not go hand in hand with the personal data protection bill 2019 as according to the intermediary guidelines 2021 [Rule 3(1)(h)] the data retention period is doubled to 180 days and it is done for investigation purpose and the data should be preserved even after the user has deleted the account but if you go by the [Section 9(1)] of the personal data protection bill the data fiduciary are not allowed to keep data beyond a reasonable point of time and it shall be deleted after the processing of data is over and not only that according to [Section 20] of the bill the data principal has the right to be forgotten in which the data fiduciary will be restricted to use the personal data if it has served the purpose or the consent has been withdrawn by the data principal. But according to the rule, your data will be kept for 180 days even if you delete your account, it is in total negation of the right to be forgotten. Both these sections are violated by the [Rule 3(1)(h)] of the intermediary guidelines 2021.
Another camouflaged problem that lies in Intermediary guidelines 2021 is [Rule 4(4)] which talks about the deployment of automated tools to identify content related to rape, child sexual abuse.
Firstly, it only talks about rape and child sexual abuse and not another kind of explicit material. Also, automated tools are not so advance to decide what is sexually explicit material and what is journalistic reporting. For example, the Facebook automated filter once took down the napalm girl picture from the Vietnam war as child sexual abuse. This type of automated tool is still not that advance and relying on them may create a chilling effect on the right of free speech and expression under Article 19 also there is a chance that this automated tool may bring some societal biases while deciding what is obscene and what is not.
There is another problem in the intermediary guidelines 2021 which is under [Rule 4(7)] the significant social media intermediary should allow voluntary verification of account. And in this process, any appropriate mechanism with an active mobile number can be used. The appropriate mechanism is still not decided so there is a chance the government may force Aadhar linkage with your social media account. This could be devastating as India still does not have a personal data protection law as the PDP bill is still stuck in the standing committee so consider giving your governmental ids to a private company without any proper data protection bill. And this is not just an assumption Tamil Nadu government in 2019 went to the supreme court with a request to link all social media account with Aadhar card to curb fake news however this request was rejected by the supreme court.
Also, according to the Intermediary guidelines, the significant social media intermediaries should now have a grievance redressal team in India [Rule 4(1)].
- Firstly, according to [Rule 4(1)(a)], you should have a chief compliance officer whose work includes checking whether the company is following all the compliance under the information technology Act 2000. This person should be a senior employee in the company and must be a resident in India.
- Secondly, according to [Rule 4(1)(b)], you should have a Nodal contact person whose work includes being in constant touch with the law enforcement agencies. This person should be an employee in the company and must be a resident of India
- Thirdly according to [Rule 4(1)(c)], you should have a resident grievance redressal officer whose work includes solving all the grievances that are received by the company. This person should be an employee in the company and must be a resident of India
The problem is that this huge compliance requirement may hamper the right of free trade and profession under Article 19(1)(g) of the constitution. And for example, companies like GitHub or bitbucket which provide code repository services and has millions of the user in India and their operation is neutral in a way and all the services are virtual. But under this rule, they now have to appoint 3 full-time officers in India which is not needed now these entities will either have to reduce the number of registered users in India to below 5 million — or set up operations here and setting up an operation in India would be a hefty task.
It is obvious that the Intermediary Guidelines, 2021 not only transcends the boundary of the Information Technology Act, 2000, but it also has some serious constitutional and public policy hurdles in it. So rather than making rules under the Information Technology Act, different legislation should be introduced to regulate social media intermediaries. A fresh bill, in this case, can be discussed and debated in the Lok Sabha and Rajya Sabha, and possibly all the constitutional and public policy hurdles could be tackled smoothly enabling a fine balance between privacy and public order.