Information Technology Rules, 2021 – Going overboard with the regulations?
Authored By: Krishan Kant Sharma
With the coronavirus pandemic sweeping the globe, pushing people inside their homes, social media and OTT (Over-the-Top) platforms witnessed an exponential increase in their market. With 40+ digital platforms, both domestic and international, the sector is the fastest-growing in the world. This explosion isn't a fluke. High consumer demand for online content and a progressive regulatory environment that has aided in the growth of innovations and investments has led to this rise.
Social media has been increasingly used not just to voice opinions on social, but also political matters. While this is an essential pillar of any vibrant democracy, the increasing use of hate speech, defamatory contents, abusive language, fake news coupled with the spread of child abuse, rape, sexual violence videos, etc has led to increasing concerns over privacy, cybersecurity, safety and the need for regulation of such platforms.
With this background, on February 25, 2021, the notification of new Information Technology (Guidelines for intermediaries and Digital Media Ethics Code) Rules, 2021[i], henceforth referred to as the IT Rules 2021 added new significant mandates and the need for a regulatory framework on such platforms. According to the government, “the new rules empower ordinary users of social media, embodying a mechanism for redressal and timely resolution of their grievance. The proposed framework seeks to address peoples’ varied concerns while removing any misapprehension about curbing creativity and freedom of speech and expression.”[ii]
The new Rules were enacted under the Information Technology Act of 2000's Sections 69A (2), 79(2)(c), and 87[iii]. They supersede the Information Technology (Intermediary Guidelines) Rules 2011[iv]. The article will further analyse the various provisions of the IT rules, 2021.
In the Tehseen S. Poonawalla vs Union of India[v] case, the Supreme Court of India urged the government to control and stop the transmission of explosive messages and videos on various social media platforms that have the potential to instigate mob violence and lynching of any kind. In 2017, the Supreme Court observed that to curb the dissemination of child pornography, rape, gang-rape images and videos, the government may issue required guidelines for content hosting platforms and other apps.[vi]
An Ad-hoc committee of the Rajya Sabha submitted its report in 2020 on the issue of social media pornography and its effect on children and society.[vii] The research suggested that the creator of such content be tracked down. Following that, in 2020, the government added OTT platforms under the Information and Broadcasting Ministry's remit.
All these developments led to the new IT rules being introduced at a time when the country is continually working to safeguard the safety and sovereignty of individuals, their data and security in cyberspace.
Features of 2021 rules
Part I of the Intermediary Rules is concerned with the definitions of various terms, while Parts II and III deal with the actual compliances and requirements. Part II focuses on the regulation of social media intermediates, such as messaging-related intermediaries like WhatsApp, Signal, and Telegram, as well as media-related intermediaries like Facebook, Instagram, and Twitter. This section comes under the Ministry of Electronics and Information Technology or MeitY. Part III focuses on the regulation of digital news outlets and over-the-top (OTT) platforms like Netflix, Amazon Prime, and Disney+ Hotstar. This section comes under the Ministry of Information and Broadcasting.
Rules for intermediaries
The new rules view social media platforms as ‘intermediaries’ – entities that facilitate access to internet services but are not the authors of the content on the said services. They simply transmit, host, or publish user-generated content. Since they do not have editorial control, several countries including India have formulated safe harbour protections to offer them immunity from criminal liability. In India, these provisions are defined under Section 79 of the IT Act. The new IT rules, however, contains a proviso stating that if any intermediary fails to comply with the rules given in Part II of the act (which will be discussed further in the article), that intermediary won’t be able to enjoy the immunity under Section 79[viii].
According to the new rules, social media intermediaries have been classified into two categories namely; social media intermediaries and significant social media intermediaries. The difference is based on the user size as a result of which, owing to a large number of users and content volume, there are additional compliance measures for the significant social media intermediaries.
The rule mandates all intermediaries to follow ‘due diligence.’ However, this term was not defined under the IT Act of, 2000 and neither did it prescribe the standards of due diligence to be followed. But this is where guidelines come into play. Before the 2021 rules, standards of due diligence were laid down in the 2011 rules which required the intermediaries to disable access or remove illegal information upon receiving actual knowledge about it, among others. But the Supreme Court, in Shreya Singhal vs. Union of India,[ix] read down this requirement of actual knowledge to mean knowledge by an order by a court and this was then embodied in the 2021 rules. One of the major criticisms of this provision is that it requires the intermediary to take down the information within 36 hours based on orders of a court or government. This strict timeline would however deny the intermediary any recourse if it does not agree with the government’s order. Oftentimes, the government may misuse its power and direct the intermediary to take down some matter based on its political agenda and the intermediary would have to do that within the stipulated time as, if not taken down, the intermediary would lose its immunity under Section 79.
Another requirement is a mandatory grievance redressal mechanism whereby all intermediaries shall appoint a Grievance Officer to deal with complaints and share officers’ detail and contact information. The officer should acknowledge the complaint within 24 hours and resolve the issue within 15 days.[x] Significant social media intermediaries must designate a Chief Compliance Officer, a Nodal Contact Person, and a Resident Grievance Officer as part of additional due diligence, and all of these officers must be Indian residents. They should issue a monthly compliance report that lists all of the complaints they've received. However, all these requirements could create additional operation costs which may not be in the best interests of many small digital businesses who have the potential to open the door to a slew of new initiatives.
Another contentious and debatable provision of establishing the identity of the first originator of the message/content by intermediaries who mainly provide messaging services like WhatsApp. It must be disclosed if required by the court or the government. The objective is to detect, prevent, investigate, and punish offences that endanger India's sovereignty and integrity, the state's security, friendly relations with foreign countries, or public order, or are related to rape, sexually explicit material, or child sexual abuse material, and are punishable by a minimum of five years in prison. This provision of establishing traceability, when necessary, by authorities has raised concerns among social media platforms such as WhatsApp. This provision could lead to the decryption of end-to-end encryption, which could jeopardise users' privacy. While the government has assured that it should only be used as a last resort measure, imposing this required traceability requirement will shatter users' immunity, compromising the security and privacy of the conversations. The threat is not limited to privacy, but deprivation and invasion of a safe space for the users. The government even though contends that this could also be implemented without breaking the end-to-end encryption, the onus however will be on the intermediaries to find a technology for this.
Finally, the data retention time has been increased to 180 days (six months) [Rule 3(1)(h)[xi]], and intermediaries must now keep information for 180 days (six months) for investigative purposes. Even after a user's account has been deleted, the data must be retained. However, in the absence of a data privacy law and any form of control on how surveillance is carried out in India, it is critical to evaluate this necessity.
Rules for OTT platforms, news publishers and digital media
These platforms need to follow the Code of Ethics. OTT platforms have been referred to as ‘publishers of online curated content’ in the new rules. They are required to self-classify the content into five categories based on age; U (Universal), U/A 7+, U/A 13+, U/A 16+ and A (Adult). Provision for parental locks U/A 13+ or higher, and age verification ‘Adult’ content.
To establish a level playing field between the offline (print, TV) and digital media, publishers of news on digital media will have to follow the Press Council of India's Norms of Journalistic Conduct[xii] and the Programme Code under the Cable Television Networks Regulation Act 1995[xiii].
In addition, there is a compulsion for setting up a three-level grievance redressal mechanism with distinct levels of self-regulation. Level-I requires Self-regulation by the publishers. Level-II requires Self-regulation by the self-regulating bodies of the publishers. And Level-III mandates an Oversight mechanism framed by the Information and Broadcasting Ministry.
With the coming of the new rules, the social media platforms and OTT platforms were given three months to comply with them. While several companies like Google, Telegram, Koo, LinkedIn, etc shared the details with the Ministry of Electronics and Information Technology as per the rules, some like Twitter and WhatsApp raised apprehensions. It spurred a standoff between the Centre and a few companies leading to a fear of them leaving the Indian markets. While WhatsApp launched a lawsuit against the government in the Delhi High Court alleging that the new rules breached customer privacy, Twitter, to safeguard freedom of speech and expression, requested a constructive dialogue and a collaborative approach from the government. Entities like The Wire, The Quint and LiveLaw also took issue with the new rules.
Several petitions were filed in various High Courts seeking relief and challenging the constitutionality of several provisions.
In the Karnataka High Court, Advocate Charita V challenged the IT Rules, 2021 requesting to declare Rule 3 (1) (d) (which mandates the intermediaries to take down illegal information on orders of a court of government) and Rule 7 (which takes away the immunity provided to the intermediaries under Section 79 if they fail to observe the IT rules) as "ultra vires and unconstitutional." The Centre has been served with a notice by the court. The main contention in respect to these sections is that they grant executive powers without safeguards that could be misused to their benefit. The same thing happened in the Madras High Court where the challenge came from the Digital News Publishers Association. After challenging the IT Rules, 2021, the Kerala High Court awarded interim relief to the News Broadcasters Association (NBA). Under the Centre's new Cable TV rules, the court has ordered the Centre not to take any "coercive action" against them. LiveLaw has also filed a lawsuit against the rules in the Kerala High Court. It claims that the IT Rules of 2021 violate Articles 14 (right to equality), 19(a) (freedom of speech and expression), and 19(1)(g) of the Constitution (freedom to practice any profession or to carry on any occupation, trade or business).
In a recent judgement, the Bombay High Court stayed two clauses, 9(1) and 9(3) stating that they infringe upon the fundamental right to freedom of speech and expression and go against the substantive provisions of the IT Act, 2002. “The portion which is stayed brings Code of Ethics under the IT Rules and self-regulation by the publishers, self-regulation by the self-regulating bodies of the publishers and oversight mechanism by the central government.”[xiv]
All the petitions and cases question us to think what are the main debates regarding the IT rules. The biggest one is regarding the clash between the IT Rules and the right to freedom of speech and expression guaranteed under section 19(1)(a) of the Indian Constitution. The main concern is for the power in the hands of the executive to decide what will constitute free speech or reasonable restrictions, which should ideally be the task of judicial authority. The argument is that while media regulation is needed, but it should not be by the executive, rather by an autonomous authority as government intervention would have a chilling effect thereby weakening the dynamic relationship of checks and balances between the three pillars of democracy and the media, commonly referred to as the fourth pillar.
What could the IT rules mean for India as an investment opportunity?
Due to the massive compliance burden, and a heavy and peculiar grievance redressal system, some investors may become sceptical and weigh their returns against the troubles they may have to face. Some may shift to some kind of proxy investment whereby they might explore alternative content for their potential investments. Moreover, it might scare away or make young and new entrepreneurs, who may not have enough resources, hesitant to develop something new in this tight space. The news might become less impactful as items would be reported in a vague and unclear manner to avoid violating the loosely defined parameters under the Code of Ethics. No company would want to deal with a surge of complaints and grievances. What would be the future of international media agencies, both working with and without an Indian office? Would be also come under the IT Rules and how would the rules play out for them? It remains unclear.
The way forward
In a liberal democracy, regulation plays a vital role. However, in an environment where people are sensitive to content, a regulatory framework that allows for substantial government intervention could become a bureaucratic nightmare, stifling creativity and freedom of speech. In the case of Life Insurance Corporation of India vs. Prof. Manubhai D. Shah[xv] (1992), the Judge Ruled that "the freedom to circulate one's views is the lifeline of any democratic institution." But again, every freedom comes with certain reasonable restrictions and is not absolute. This is essential to maintain a positive relationship between the state and various other players. Since the promulgation of the Constitution, striking the correct balance between fundamental rights and determining the rationality of a restriction has been an ongoing endeavour. The new guidelines do have several flaws, but the most serious one relates to the way the rules were implemented, i.e., without much public oversight. One of the ways to address the continuous criticism of these guidelines could be to start over with the release of a white paper. If regulation is still thought necessary by the public, it must be enacted through a process of debate and discussion in the Parliament by the legislation rather than relying on executive rule-making authority. In a country where citizens are still without a data privacy law to protect them from any party's excesses, making platforms that provide more information could be detrimental. Hence, the passing of the Personal Data Protection Bill of 2019[xvi] should be considered as an important step. The IT Rules 2021 aim to answer individuals' concerns without intruding on their privacy or personal liberties, while also preserving digital sovereignty. But it needs support from the public and the companies to be impactful.
[i] Notification dated, the 25th February, 2021 G.S.R. 139(E): the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[ii] Government notifies Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, Ministry of Electronics & IT, Press Information Bureau, Government of India, https://pib.gov.in/PressReleseDetailm.aspx?PRID=1700749.
[iii] Information Technology Act (21 of 2000), https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf.
[iv] Information Technology (Intermediary Guidelines) Rule 2011, https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf.
[v] Writ Petition (Civil) No. 754 of 2016’ Supreme Court of India, July 17, 2018, https://districts.ecourts.gov.in/sites/default/files/Jugement.pdf.
[vi] ‘In Re: Prajwala Letter Dated 18.2.2015 Videos of Sexual Violence and Recommendations’, Supreme Court of India, October 23, 2017, https://main.sci.gov.in/supremecourt/2015/6818/6818_2015_Order_23-Oct-2017.pdf.
[vii] Report of the Adhoc Committee of the Rajya Sabha to Study the Alarming Issue of Pornography on Social Media and its Effect an Children and Society as a Whole, Rajya Sabha, Parliament of India, 25th January, 2020, https://rajyasabha.nic.in/rsnew/Committee_site/Committee_File/ReportFile/71/140/0_2020_2_16.pdf.
[viii] Section 79 of The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[ix]Shreya Singhal vs. Union of India AIR 2015 SC 1523; Writ Petition (Criminal) No. 167 OF 2012.
[x] Rule 3(2)(a)(i) of The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[xi] Rule 3(1)(h) of The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[xii] Norms of Journalistic Conduct, The Press Council of India, Ed. 2019, http://presscouncil.nic.in/WriteReadData/Pdf/NORMSTWOZEROONEININE.pdf.
[xiii]Section 5 (Programme Code) of the Cable Television Networks Regulation Act, 1995, https://www.indiacode.nic.in/bitstream/123456789/1928/1/A1995-07.pdf.
[xiv] Bombay High Court stays provisions of new IT Rules, The Hindu, August 14, 2021, https://www.thehindu.com/news/national/bombay-high-court-stays-provisions-of-new-it-rules/article35917008.ece.
[xv] Life Insurance Corporation of India v. Prof. Manubhai D. Shah (1992) 3 SCC 637.
[xvi] Draft of the Personal Data Protection Bill, 2019, as introduced in Lok Sabha, Parliament of India by Ministry of Electronics and Information Technology, Bill No. 373 of 2019, http://18.104.22.168/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.