"If liberty means anything at all it means the right to tell people what they do
not want to hear." -
George Orwell
Ever since the Information Technology (Guidelines for Intermediaries and Digital
Media Ethics Code) Rules, 2021, were passed by the government of India, they
have been a topic of discussion and have faced serious criticism for being
violative of fundamental rights. While, with the increase in the overall
internet accessibility and increase in cybercrimes, it is without a doubt true
that the digital space does need to be regulated, the regulations need to be
drafted in a manner that strikes a balance between the duty of the State to
protect the citizens by way of drafting laws for the purpose, and the
fundamental rights of the citizens.
This paper provides an overview of the
provisions of the IT Rules and analyses them on the touchstone of the
constitutional provisions to test their validity. The authors aim to provide an
alternate perspective, by comparing the Rules with international instruments and
legislations regarding the control of media and user privacy, like the Cyber
Security Law of People's Republic of China, and the General Data Protection
Regulation of the European Union, in order to highlight the shortcomings of the
Indian framework, and suggest how the authorities could oversee digital
communications and content and protect the morality and security of the nation
and its people, without overstepping the constitutional boundaries or violating
the rights of the citizens.
Introduction
In India, the Internet was launched by Videsh Sanchar Nigam Limited (VSNL) on
the 15 of August, 1995.[1] Within a quarter century, the internet landscape
transformed considerably from being a service that only a few could afford to an
easily accessible resource that is now everywhere. With 560 million users,
evolution of the internet has been very rapid in India.[2]
Earlier, internet was
only used to facilitate web-based searches on search engines like google, Bing,
yahoo, etc., but with the introduction of sites like Facebook, WhatsApp,
Instagram, internet has become an essential stimulus for the expression of
opinion for the masses. With a user base of millions, these sites dominate the
internet space making it pertinent for the government to regulate them.
Though,
they help amplify the voice of the masses, they also have a corrosive effect on
democracy and public discourse. From harboring hatred through fake news to
encroaching privacy of the innocent by stealing their data, internet is being
used for it all. This has made imperative it for the government to bring in laws
to keep up with the ever - evolving internet regime.
As a result, on the 25 of February, 2021 the Law and IT minister Ravi Shankar
Prasad introduced the Information Technology (Intermediary Guidelines and
Digital Media Ethics Code) Rules, 2021 which replaced the Information Technology
(Intermediary Guidelines) Rules, 2011. These rules are framed under Section 87
of the Information Technology Act, 2000 and intend to regulate the Intermediary
conduct and the digital media content.
They are structured in a very detailed
and comprehensible manner, divided into three parts, Part 1 consists of Short
title and Definitions, Part 2 enlists the guidelines for due diligence by the
Intermediaries, Part 3 provides for the code of ethics and rules concerning
digital media.
Who is an intermediary?
According to the Information Technology Act, 2000, an intermediary is a person
who on behalf of another person receives, stores or transmits a record or
provides any service concerning to that record. Internet and Network service
providers are some of the many people included as intermediaries in the
definition.[3]
Though the definition of Intermediary under Rule 2 (m) is the
same as under the Act [Section 2(w)], but it has included websites, apps and
portals of social media, media sharing websites, blogs, online discussion forums
also under the definition of an Intermediary. Therefore, there are two types of
intermediaries one which connects us to the internet like Airtel, Vodaphone and
the other which provide us web-based services like WhatsApp, Facebook, Twitter,
etc.
Judicial Delineation on liability of an intermediary
Considering the ginormous amount of content published on social media platforms,
it is highly unreasonable to expect the government to check the credibility and
legality of each and every post. An intermediary at this stage is assigned the
task to filter the content which prima facie is unlawful and against their
privacy policy. This seems to be an effective way to obstruct the free flow of
illegal content on the Internet. Therefore, an intermediary is an essential cog
in the wheel. These make us question whether an intermediary can be held liable
for every unlawful and unscrupulous content posted on its website by a third
party.
The issue of intermediary liability was first acknowledged by the judiciary in
2004 in
Avnish Bajaj v. The State[4] . In this case Ravi Raj, a student of IIT
Kharagpur, listed for sale, a sexually explicit video of two students from DPS
RK Puram on Baazi.com, a platform where a buyer and seller connect for
concluding transactions. Through Baazi.com who is an intermediary in this case,
the video was sold to 8 customers and was eventually made viral on the internet.
In consequence of which Ravi Raj along with the Managing Director (Avnish Bajaj)
of Baazi.com were arrested. Ravi raj's arrest owning to promoting a sexually
explicit MMS of 2 minors was right but Avnish's arrest was frowned upon by the
legal fraternity. In 2005, Avnish Bajaj filed a petition in the high court of
Delhi for quashing all the criminal proceedings against him on the grounds that
the transaction took place directly between the seller and buyer with no
intervention by Baazi.com therefore he owes no liability.
The high court
quashing the liability of the MD under Section 292(a) and (d) held him liable
under Section 67 of the IT act. This was later overturned by the Supreme Court
in 2012[5] claiming that vicarious liability cannot be fastened to Avnish Bajaj
and he could not be held guilty under section 67 and 85 of the Act[6], as the
company was not arraigned as an accused. Therefore, when there was no case made
against the company, the managing director of the company stands acquitted.
This
case highlighted the legal risks that corporates operating an online business
platform for users to host their content could be exposed to, in spite of the
fact that they are not the authors of the content. This case not only marked a
drastic shift in intermediary liability but it also gave way to a much-needed
amendment in Section 79 of the Information Technology Act in 2008.
Prior to the amendment, Section 79 of the act provided immunity to internet
service providers only with respect to liability arising from the IT Act, 2000
and there was absolutely no protection from liability under other
legislations.[7] As a corollary, Baazi.com was not immune from any liability
arising out from the Penal Code, 1860 (conviction under Section 292).
With the
amendment of 2008, the definition of intermediary under section 2(w) was
broadened to include Telecom service provides, web-hosting service providers,
search engines, online payment sites also as intermediaries along with Internet
Service Providers. Section 79 was also amended to create a safe harbor provision
for intermediaries. Reversing the burden of proof, an intermediary, now, would
not be liable for any third - party information, data or communication link made
available or hosted by it.
The supreme court has also observed this in
Shreya
Singhal v. Union of India[8] that "it would be very difficult for intermediaries
like google, Facebook, etc to act when millions of requests are made and the
intermediary is then to judge as to which of such requests are legitimate and
which are not". Similar was held in
Kent Ro Systems Ltd. v. Amit Kotak[9]. But
this extends only to those instances where the intermediary merely acts as a
facilitator and is not involved in creation or modification of the data or
information as recently clarified by the Supreme Court in
Google India Pvt. Ltd.
v. Visakha Industries.[10]
The Delhi high court, also clarified in
Christain Louboutin SAS v. Nakul
Bajaj[11], that the safe harbor provision under Section 79 is applicable only to
"passive intermediaries". It even provided an exhaustive list of various
functions that may be performed by an intermediary and claimed that the more
functions an intermediary performs the more it is likely to be termed as an
"active participant".
Further, this immunity is taken away when an intermediary
upon receiving actual knowledge does not take down a content which is
unlawful.[12] The term "actual knowledge" was deciphered by the Supreme Court in
Shreya Singhal v. Union[13] of India to include an order from the court of
competent jurisdiction or a competent authority.
The most striking aspect of the amendment was sub section c of clause 2 of
Section 79 which slyly insinuated that such immunity is not absolute and will be
guided by the rules for due diligence made by the Central Government. These
rules were first made by the government in 2011 and are succeeded by the - the
Information Technology (Guidelines for Intermediaries and Digital Media ethics
code) Rules, 2021. Now the question arises whether this safe harbor is as safe
for intermediaries as it is contended to be. This can be answered through the
analysis of the Rules, 2011 and Rules, 2021.
The IT Intermediary Rules
The new IT Intermediary Rules which amended the 2011 Intermediary Rules are
discussed briefly, formed under Sections 69A, 79, and 89:
- Due Diligence by the Intermediary
Rules 4-6 implement a duty on the intermediaries to implement due diligence in
their functioning. These duties are: The rules and regulations, privacy policy,
and user agreement should explain to the user not to publish, modify, upload,
display any information which comes under the heads mentioned under Section
4(1)(b).
The intermediary may be asked to remove any information which comes
under any of the said restrictions and may be asked to provide information about
the disputed content by government order. The information of the identification
of the first publisher shall be given by the social media intermediary,
providing messaging services like WhatsApp, to the judicial officer on the order
received under Section 69 of the Act. They are required to use technology- based
measures which will help in disseminating the information promoting restricted
information.
A Chief Compliance Officer, a Nodal Officer, and a Resident Grievance Officer
shall be appointed within three months of the publication of such rules to
ensure due diligence and publish a compliance report every six months. The cyber
incidents are to be reported by them to the Indian Computer Emergency Response
Team following the policies and procedures as prescribed in the Information
Technology (The Indian Computer Emergency Response Team and Manner of Performing
Functions and Duties) Rules, 2013.
- Code of Ethics and Procedure and Safeguards about Digital/Online
Media
As per Section 2(w) of the IT Act, 2000, the intermediaries are simply persons
who facilitate the use of the internet. It includes cyber cafes, interactive
websites like WordPress, blogs, web hosts, search engines like Google, Opera,
etc. The functions of intermediaries are hosting content, collecting
information, evaluating scattered information, facilitating communication and
information exchange, aggregating information, providing access to the internet,
etc. The Rules state that when asked by the government order, they
(intermediaries) must disclose the identity of the first originator of the
information on their platform. The due diligence to be followed by the
intermediaries to control the content has put a significant amount of obligation
on them, but at the same time has infringed the privacy of the originator and
freedom of expression of the publisher.
Publishers, as per Part III of the Rules, include: (i) news and current affairs
content providers, and (ii) online curated content providers, such as the
Leaflet, Livelaw, etc. Therefore, publishers mean all such publishers who
operate in the territory of India or conduct the systematic business activity of
making their content available in India. A Publisher shall be deemed to operate
in the territory of India where such publisher has a physical presence in the
territory of India.[14] The Rules cover individual content producers like
bloggers as well. In response to a plea filed in the Delhi High Court on May 31,
the Court issued notice to a microblogging site for non-complying with the IT
Intermediary Rules.[15] Following is the structure for grievance mechanism for
the said entities:
- Level I - Self-regulation by the applicable entity;
- Level II - Self-regulation by the self-regulating bodies of the
applicable entities;
- Level III - Oversight mechanism by the Central Government.
The authorized officer will give notice to the applicable entity of the disputed
content for the reply and the content will be subsequently reviewed by the
inter-departmental committee.
Also, the authorized officer is required to submit the recommendation of the
Committee along with the information available to the Secretary in the Ministry
of Information and Broadcasting ("MIB"), Government of India, and on his
approval shall continue as per the directions.
- Significant publisher and disclosure:
The significant publisher of the news and current affairs is required to notify
the broadcast seva about the functioning and broadcasting in the territory of
India for proper coordination and communication.
Concerns about The IT Intermediary Rules
The IT Intermediary Rules, essentially change the internet experience in India.
They have the effect of bringing about governmental control, rather than
regulation of social media, digital news platforms, and OTT platforms. Several
of these rules are unconstitutional and violate the freedom of speech and the
right to privacy of the users of these services.
- Data Preservation and Traceability
Rule 3(1)(h) requires social media intermediaries to preserve data for 180 days.
This information has to be preserved even after the user has deleted their
account, for investigative purposes. Further, significant social media
intermediaries are also required to allow their users to 'voluntarily' verify
their accounts with appropriate mechanisms including their mobile numbers. The
accounts so verified shall be indicated by a mark indicating such
verification.[16]
Instances of such 'voluntary' requirements becoming practically mandatory are
not unknown to India. (For instance, although initially, Aadhar Cards were
introduced as voluntary ID proof, yet activities like banking transactions,
getting a sim card, etc, were linked to it in such a way that it was difficult
to proceed in normal life without an Aadhar Card, thus, making it mandatory in
effect.) This shall also enable the social media intermediaries to collect
individual data via their respective government IDs. Therefore, these
requirements, in the absence of data protection laws and oversight mechanisms
regarding the working of surveillance in India, shall have severe implications
on the privacy and anonymity of the social media users, where just recently, the
Supreme Court had stated privacy to be a fundamental right.[17]
Rule 4(2) requires significant social media intermediaries to enable the tracing
of the originator of information if required by a Court of competent
jurisdiction or competent authority under Section 69 of the IT Act, thus putting
an end to the system of end-to-end encryption if required.
End-to-end encryption ("E2EE") is a technique employed by messaging apps where
only the communicating parties have access to the messages exchanged between
them. It prevents the internet service providers and other third parties from
snooping into the information shared by the users. Social media platforms like
WhatsApp use the system of end-to-end encryption, which allows the users to keep
the integrity of their messages intact, while they communicate via the internet,
which is otherwise considered an insecure public channel. Although the rules
provide that such order shall only be passed for prevention, detection,
investigation, prosecution, or punishment of certain offenses that are
specifically stated, the category of 'public order' is relatively broad and can
be used to exercise arbitrary and whimsical actions.
No doubt, this provision
shall help in reducing the cases, and identifying the culprits of serious cyber
offenses, but, at the same time, can be used to identify political dissenters
and may be a threat to freedom of speech and right to dissent. This is contrary
to the opinion of Delhi High Court, expressed in Maqbool Fida Husain v. Rajkumar
Pandey[18] as:
"In a real democracy, the dissenter must feel at home and ought
not to be nervously looking over his shoulder fearing captivity or bodily harm
or economic and social sanctions for his unconventional or critical views. There
should be freedom for the thought we hate. Freedom of speech has no meaning if
there is no freedom after speech. The reality of democracy is to be measured by
the extent of freedom and accommodation it extends."
- 'Self-Regulation' and Content Blocking
The IT Intermediary Rules also regulate digital news media and OTT platforms,
which before this, in the 2011 Intermediary Rules, were left out. The digital
news media and OTT platforms are required to adhere to a Code of Conduct,
provided in the Appendix to these rules. To ensure compliance with this code of
conduct, the three-tier system discussed above includes a grievance redressal
and appeal mechanism. This consists of a Grievance Officer at the first tier,
the self-regulating body at the second tier, and an Inter-Departmental Committee
constituted by the Ministry at the third tier. Under this mechanism, if the
grievance officer is unable to provide the complainant with a sufficient
response, the complainant may appeal to the self-regulating body at tier II.
Now, as per Rule 11, this self-regulating body is supposed to be an independent
body, headed by a retired judge of the Supreme Court or of a High Court, who
shall be appointed from a panel prepared by the Ministry, and have other, not
more than six members, from the field of media, broadcasting, technology, and
entertainment. In case the applicable entity fails to comply with the guidance
and advisory of the self- regulatory body within the stipulated time, the body
may refer the matter to the Oversight Mechanism constituted under Rule 12.
This
Oversight Mechanism is the Inter-Departmental Committee, consisting of
representatives from various ministries under the government and other
organizations, including domain experts, that it may decide to include in the
Committee, with an 'Authorized Officer' who shall be a member of the Ministry,
designated by the Ministry, as its Chairperson.
Therefore, while on the face of
it, this mechanism may appear to be quite 'self-regulatory' with minimal
government interference, on a deeper look, it is much more than that, keeping in
mind the degree of control that the Ministry has over appointments in the
'self-regulating body'.
Furthermore, the action that can be taken by this Committee includes censoring
the platform, asking the platform to reclassify ratings, and action under
Section 69A(1) of the IT Act, on the mere ground that the Authorised Officer, on
the recommendation of the committee, is satisfied that there is need for taking
such action.
Such action may be blocking concerning the content, subject to
Section 69A(2), for reasons to be recorded in writing. Section 69A(2) provides
that the procedure of such blocking, and the safeguards available against it,
maybe as prescribed. This procedure has been prescribed under the Information
Technology (Procedure and Safeguards for Blocking for Access of Information by
Public) Rules, 2009 ("2009 Rules").
The Apex Court, in the case of
Shreya Singhal v. Union of India,[19] not only
declared Section 66A of the Act as unconstitutional but also upheld the
constitutional validity of Section 69A, which was also challenged in the case.
The reason provided by the Court for its decision was twofold.
The Hon'ble Court
noted that firstly, Section 69A is narrowly drawn, and contains several
safeguards, unlike Section 66A, and secondly, the necessity envisaged in the
section is on the grounds that are same as those envisaged under Article 19(2)
of the Constitution of India, i.e. 'in the interest of sovereignty and integrity
of India, defence of India, security of the State, friendly relations with
foreign States or public order, or preventing incitement to the commission of
any cognizable offence'.
However, what the Hon'ble court might have overlooked,
was the fact that while Article 19(2) of the Constitution lays down grounds on
the basis of which the Parliament and the State Legislature are allowed to pass
laws that restrict the freedom of speech and expression of the citizens, what
Section 69A allows on the similar grounds is for the government, or an officer
authorised by the government to interpret the grounds such as security of the
State, etc, as per their own understanding, and direct blocking of content.
The
reasonable restrictions provided under the Constitution are quite subjective.
The difference between the passing of a law in the Parliament, and the issuance
of directions by an officer is that while a bill is heavily debated in the
Parliament before it becomes a law, a governmental guideline may be based solely
on the whims and fancies of the authority.
Another anomaly in the blocking procedure is found under the 2009 Rules. Framed
under Section 69A(2) of the IT Act, these rules provide the procedures and
safeguards concerning blocking. According to the 2009 Rules, every request for
blocking is supposed to be reviewed by the review committee before action is
taken, the review committee comprises of designated officers and representatives
from the Ministry of Law and Justice, Information and Broadcasting,
Home
Affairs, and the Indian Computer Emergency Response Team.[20] The rules also
provide the stakeholders with the opportunity of hearing, and for deliberations
by a reviewing committee, before any decision for blocking is made, as a
safeguard against unwarranted blocking. However, under Rule 9, the competent
authority can direct the intermediary to block access by the public to any
information for forty-eight hours, before the notice is deliberated upon by the
review committee, in 'emergency cases'. What constitutes an emergency is not
defined and is left to be interpreted as per the wisdom of the relevant
authorities.
The rules also provide for the Department to record in writing the
reasons for the issue of the direction of blocking of content, which may, as
noted in the
Shreya Singhal case, 'be assailed in a writ petition under Article
226 of the Constitution'.[21] Although this provision is supposed to be a
safeguard against whimsical actions, the forty-eight hours of unreviewed
blocking, and the time taken to dispose of a writ petition, are enough to curb
the voices of political dissenters or social movements that do not suit the
government's interests. It is for these reasons that the constitutional validity
of Section 69A and the action taken under the 2009 Rules, seem questionable.
This provision, and the misuse that may ensue thereof, becomes relevant in light
of the Supreme Court judgment in Indibly Creative (P) Ltd. v. the State of W.B.[22],
wherein the Court stated that, "The views of the writer of a play, the meter of
a poet, or the sketches of a cartoonist may not be palatable to those who are
criticized. Those who disagree have a simple expedient: of not watching a film,
not turning the pages of the book, or not hearing what is not music to their
ears. The Constitution does not permit those in authority who disagree to crush
the freedom of others to believe, think and express."
At the point in time when India is not only a consumer but an active creator of
original digital content released via OTT platforms, the opportunity could be
used to monetize the growing OTT trend across the globe. In light of the South
Korean model, where the government systematically works to realize the full
potential of the Hallyu export market, building on USD 13.4 billion in export
sales throughout the world in 2018-19, the increasing restrictions on the Indian
content on these OTT platforms are not only a blow to the artistic freedom of
content creators, and freedom of speech, but also a lost economic
opportunity.[23]
Constitutionality of the Rules
In addition to the above, the concern is that the rules have no legislative
backing in regulating said media, this is exercising powers beyond the scope of
the parent legislation. It has been held by the Supreme Court in the
State of
Karnataka v. Ganesh Kamath[24] that:
"It is a well-settled principle of
interpretation of statutes that conferment of rulemaking power by an Act does
not enable the rule making authority to make a rule which travels beyond the
scope of the enabling Act or which is inconsistent therewith or repugnant
thereto."
A combined reading of Section 79(2) read with Section 89(2)(zg) makes
it clear that the power of the Central Government is limited to prescribing
guidelines related to the due diligence to be observed by the intermediaries
while discharging its duties under the IT Act. However, the IT Intermediary
Rules have imposed additional requirements and widened the ambit of requirements
to be fulfilled by the intermediary.
Thus, the Rules extend the scope of the responsibilities of the intermediary and
are ultra vires as an intermediary can act only after receiving an order from
the court or a notification from the appropriate government or its agency. The
intermediary is not required to exercise its discretion regarding the material
which is to be removed or disabled.
Also, as per the Rules, the intermediaries are liable to follow the due
diligence provisions which are similar to the provisions of due diligence
attached in the 2011 Intermediary Rules. These principles under Rule 3(4) of the
2011 Intermediary Rules, were read down in Shreya Singhal v. Union of India[25],
to the extent that an intermediary would only be required to disable information
that would be relatable to Article 19(2) of the Constitution.
Similarly, the IT Act does not provide any classification of intermediaries.
Section 2 (1)(w) of the Act defines an intermediary as "any person who on behalf
of another person receives, stores or transmits that record or provides any
service with respect to that record and includes telecom service providers,
network service providers, internet service providers, web-hosting service
providers, search engines, online payment sites, online-auction sites,
online-market places and cyber cafes."
Thus, all intermediaries are treated as a
single undifferentiated entity that are subject to the same responsibilities and
obligations. However, the new Rules have set up different categories of
intermediaries like social media intermediaries,[26] and significant social
media intermediaries.26 This classification, in turn, subjects social media
intermediaries with an extra set of obligations, and the scope of significant
social media intermediaries' responsibilities also stands expanded. These new
responsibilities find no basis in the parent act that does not classify
intermediaries into different types.
Section 87(1) and Section 87(2)(z) and (zg), under which the Rules have been
prescribed, do not give the Central Government the power to amend the definition
of intermediaries as stated in the IT Act, or create any such classifications as
the Rules have already done. Therefore, once again, it can be evidently seen
that the Rules have gone beyond the parent legislation.
Secondly, Section 79 of the Act provides that subject to clauses (2) and (3) the
intermediary shall not be liable to any content of the third-party hosted or
published by it. Thus, providing a clear safeguard to the intermediary. Further,
Section 79(2) of the Act states the grounds under which the said safeguard will
be availed to the intermediary and Section 79(3) mentions the grounds when the
intermediary may be held liable if the content is not taken down when they have
the knowledge of its unlawfulness.
In
Shreya Singhal v. Union of India,[27] the Supreme Court read down Section
79(3)
(b) to mean that an "intermediary upon receiving actual knowledge from a court
order or on being notified by the appropriate government or its agency that
unlawful acts relatable to Article 19 (2) are going to be committed, fails to
expeditiously remove or disable access to such material."
Thus, requiring the intermediary to apply their own mind in the regulation of
data goes against the Court's interpretation in the Shreya Singhal judgment.
Also, as per the Rules, the responsibility of administering Part II of the Rules
lies with the Ministry of Electronics and Information Technology. As per the
Allocation of Business Rules, 1961, Digital Media is under the purview of the
Ministry of Information and Broadcasting, while the entry 'Matters relating to
Cyber Laws, administration of Information Technology Act 2000 (21 of 2000) and
other IT related laws', which would include IT Act, 2000 and framing of rules
under the said Act, would fall under the MeitY.
While it may be argued that
Digital Media, concerning the processing of content on digital media by
publishers can be covered as an aspect of the wide scope of 'cyber crimes',
digital media still falls under the ambit of Information and Broadcasting and
any legislation or delegated legislation in the form of rules, under this
legislation, can be enacted by the MIB.
Therefore, the MeitY cannot legislate
upon digital media as a delegate or otherwise, since it is the job of the MIB.
Neither can the MIB, under the IT Act, act as a delegate and administer a part
of it, since it is an accepted principle of law that what cannot be done
directly, cannot be done indirectly. To regulate digital media, the MeitY would
have to pass a law in the Parliament, under which it may require the MIB to
consult the MeitY and other ministries, but the enacting body would still be the
MIB. Not passing the law amounts to an abdication of the Parliament's
legislative duties.
The Supreme Court, in various cases, has stated that if a rule goes beyond the
rule- making powers conferred by the statute, and hence, the rule should be
declared ultra vires. The basic test is to determine and consider the source of
the power conferred upon the rule.[28] For a rule to have the effect of a
statutory provision, two requirements should be fulfilled. Firstly, the rule
must conform to the provision of the statute under which it is framed, and
secondly, it must also come into the scope and purview of the rule-making power
of the authority making the rule. If any one of the above two conditions is not
fulfilled, the rule shall remain void.[29]
The conferment of rule-making power
by an Act does not enable the rule-making authority to make a rule which travels
beyond the scope of the enabling Act or which is inconsistent therewith or
repugnant thereto.[30] Hence, it is clear that the rules are beyond the scope of
the purview of the IT Act and are ultra vires the parent act, therefore, are
liable to be challenged in court on this ground.
Challenges To The Rules & Way Forward
Considering all the above, it is only understandable and expected that the Rules
have been challenged in Courts by various platforms that it claims to cover, to
settle the applicability and remove the ambiguity in them. Google, for example,
appealed the Delhi High Court against an order of a single judge bench on the
ground that it is classified as a social media intermediary and is required to
comply with the Rules, whereas being a search engine, it considers itself not a
subject to such compliances.[31]
Petitions have also been filed by the Wire,[32] the Quint,[33] etc., challenging
the provisions of the Rules regulating digital news media and OTT platforms,
claiming that the rules impose upon them unreasonable restrictions that violate
their freedom of speech and expression. A similar challenge has been made by the
Press Trust of India as well.[34] Even WhatsApp moved to the Delhi High Court
against the traceability clause that requires it to break the end-to-end
encryption that secures user communications, on the ground of it being violative
of the people's right to privacy.[35]
Here, it becomes pertinent to note that the Bombay High Court, in a plea filed
by AGIJ Promotion of Ninteenonea Media Pvt. Ltd., the company that runs the
legal news portal the Leaflet, stayed the application of Rule 9(1) of the IT
Intermediary Rules. With the rapid pace of technological development and the
internet becoming an indispensable part of the lives of people everywhere, the
issue of the protection of user information and privacy, as well as the freedom
of speech online has been a concern all around the world, and legislations
regulating said aspects of the internet experience have been passed.
Poland, for
instance, proposed a law that criminalizes self- regulation by intermediaries.
The country believes that the removal of content and regulation of free speech
on social media platforms is not a function that the intermediaries should
exercise, thus advocating for a 'free and transparent' internet policy. Failure
to restore deleted content and accounts could cost the intermediaries up to
$13.4 million by way of fines.[36]
While India is enabling government-sanctioned privacy breaches by requiring
intermediaries like WhatsApp to break their end to end encryption, the European
Union's General Data Protection Regulations ("GDPR") requires the Information
Commissioner-an independent regulator, to make sure that the personal data of
the citizens are protected and their privacy is maintained under transactions
that occur between the member states, by way of granting the Information
Commissioner various responsibilities[37] and powers[38] like ordering the data
controller or processor to inform the data subject about personal data breach,
carrying out data protection audits, warning the controller that the intended
data processing is likely to breach the provisions of GDPR, etc.
The same has
also been reiterated in the UK Data Protection Act, 2018.[39] Further, the GDPR
provides that where personal data of users is stored, it must be done so in a
way that allows the identification of data subjects for a period no longer than
is necessary for accomplishing the purpose for which the data was so
processed.[40]
The only case in which personal data can be stored for a longer
period is in instances where it relates to the public interest, or scientific or
historical research purposes, or statistical purposes, subject to technical and
organizational measures as prescribed by national laws. The European Union
Regulation also provides the data subjects the right to object to the processing
of personal information.[41] Processing includes
collection, recording, storage, etc.[42] Under Article 21 of GDPR, the data
subject can object to such processing at any stage, and the controller shall no
longer proceed with the processing unless they demonstrate such 'compelling
legitimate grounds' under which the processing overrides the interests,
freedoms, and rights of the data subject, except when the processing is for
direct marketing purposes, the controller shall, in no case, proceed with such
purposes. In this light, the storage of user information for a period of one
hundred and eighty days, irrespective of the purpose for which the information
was collected under the IT Intermediary Rules, seems excessive. GDPR also
emphasizes the lawfulness of data processing.
It states that the purpose of such
processing should be explicitly informed to the user, and be determined at the
time of collection of the data.[43] It also categorically lays down the purposes
for which processing would be considered lawful.[44] Although the Indian
legislation does require the consent of the user to be taken before any
processing, it does not, unlike the GDPR, define what consent means.
It must be kept in mind that while foreign legislations like GDPR state the
right to protection of personal data as one of its objectives, the IT Act, and
the Rules were not drafted for this purpose.[45] All this further strengthens
the argument for the need for a data protection law in India.
Conclusion
India is the world's largest democracy and, in a time, where democracies around
the world are aiming to expand the scope of their citizen's freedoms and rights,
the IT Intermediary Rules, are on the receiving end of large-scale outrage in
the nation. It is clear from the provisions of these rules that the government
has missed out on an opportunity for further betterment of the democratic rights
of internet users. With the jurisprudence of rights of individuals on the
internet evolving rapidly, the introduction of these intermediary rules, with
their immoderate regulations and government interference, is like taking two
steps back in catching up with this development.
Admittedly, the rise of internet coverage in the country has led to increased
cases of illegal activities through the internet, including sexual harassment,
pornography, and the spread of messages and content igniting communal violence.
But in the absence of regulatory mechanisms, and due to the excessive
interference on OTT platforms, we are of the view that these rules have
far-reaching negative implications on the right to privacy, freedom of speech
and expression, and access to information, alongside the above-mentioned
constitutional irregularities.
While we agree that there is an urgent requirement for better regulation of
these aspects of cyberspace, how these rules have been brought about, as well as
their substance, beg urgent judicial review. What is required is the
introduction of revised rules as the bill for deliberations in the Parliament
and its subsequent enforcement as a law.
The need for a data protection law
becomes more highlighted in these circumstances. The formation of a regulatory
body, to make sure that the data collected in compliance with such rules are
used only for such verification purposes as mandated by the law, to prevent an
unwarranted breach of citizen's privacy is also vital. The authorities should be
held accountable for the content takedowns or website blocks made at the request
of the government, making the overall legislation more transparent, and ensuring
that unwarranted and arbitrary actions are not taken to promote the government's
propaganda and suppress any difference in opinion.
The government could also set
up a body specifically for monitoring and reporting misinformation trends and
hate comments online. This would not only reduce the burden on the
intermediaries but would also not require them to apply their minds in
self-regulating the content posted on their platform.
References:
Statutes Referred:
- The Information Technology Act, 2000
- The Information Technology Rules, 2021
Bibliography:
- Computers internet and e-commerce - Nandan Kamat
- Cyber Laws and Crimes - Dr. Santhosh Kumar
End-Notes:
- Brijendra K. Syngal, Sandipan Deb, "How the Internet arrived in India", Mint, Feb 10, 2020, available at
https://www.livemint.com/news/india/how-the-internet-arrived-in-india.
- Statista, available at https://www.statista.com/statistics/262966/number-of-internet-users-in-selectedcountries.
- The Information Technology Act, 2000 (Act 21 of 2000), s.2(w).
- Avnish Bajaj v. The State, (2005) 3 CompLJ 364 Del.
- Criminal Appeal No. 1222 of 2016.
- The Information Technology Act, 2000 (Act 21 of 2000).
- Chinmayi Arun, "Gatekeeper liability and article 19(1)(A)of the Constitution of India" NUJS Law Review (2015).
- Shreya Singhal v. Union of India, AIR 2015 SC 1523.
- Kent Ro Systems Ltd. v. Amit Kotak, (2017) 69 PTC 551.
- Google India Pvt. Ltd. v. Visakha Industries, (2020) 4 SCC 162.
- Christain Louboutin SAS v. Nakul Bajaj, CS(COMM) 344/2018.
- The Information Technology Act, 2000 (Act 21 of 2000), s.79, cl 3(b).
- Shreya Singhal v. Union of India, AIR 2015 SC 1523.
- Obhan & Associates, India tightens the noose on intermediaries and social media platforms, LEXOLOGY, (March 1, 2021).
- Rahul Srivastava, On new IT rules, Twitter says it will strive to comply with applicable law in India, INDIA TODAY, (May 27, 2021).
- [16] Rule 4(7), The Information Technology (Intermediary Guidelines and Digital Media Ethics Code), Rules, 2021, Part II—Section 3—Sub-section (i),
The Gazette Of India, Govt. Of India.
- K.S. Puttaswamy v. Union of India, (2017) 10 SCC 641.
- Maqbool Fida Husain v. Rajkumar Pandey, 2008 SCC OnLine Del 562.
- Shreya Singhal v. Union of India, (2015) 5 SCC 1 : AIR 2015 SC 1523.
- Rule 7, The Information Technology (Procedure and safeguards for Blocking for access of Information by Public) Rules, 2009, Part II—Section 3—Sub-section (i),
The Gazette Of India, Govt. Of India.
- Shreya Singhal v. Union of India, (2015) 5 SCC 1 : AIR 2015 SC 1523.
- Indibly Creative (P) Ltd. v. the State of W.B, (2020) 12 SCC 436.
- Korean Film Industry Generated USD 18.45 Billion in 2018, MOTION PICTURE ASSOCIATION (December 12, 2019)
- State of Karnataka v. Ganesh Kamath, (1983) 2 SCR 665.
- Shreya Singhal v. Union of India, (2015) 5 SCC 1.
- Rule 7, The Information Technology (Procedure and safeguards for Blocking for access of Information by Public) Rules, 2009, Part II—Section 3—Sub-section (i),
The Gazette Of India, Govt. Of India..
- Shreya Singhal v. Union of India, (2015) 5 SCC 1.
- Union of India v. S. Srinivasan, (2012) 7 SCC 683.
- General Officer Commanding-in-Chief v. Dr. Subhash Chandra Yadav, (1988) 2 SCC 351.
- State of Karnataka v. S Ganesh Kamath, (1983) 2 SCC 402.
- Staff Reporter, New IT Rules Don't Apply to Us, Google Tells Delhi High Court, THE HINDU (July 2, 2021)
- Livelaw News Network, The Wire and Others move Delhi HC Challenging IT(Intermediary Guidelines and Digital Media Ethics Code), Rules, 2021, LIVELAW (March 8, 2021)
- Karan Tripathi, Chilling Effect on Media': The Quint Challenges New IT Rules, THE QUINT (March 19,2021)
- Sparsh Upadhyay, Press Trust of India Moves Delhi High Court Challenging IT Rules 2021, Notice Issued, LIVELAW (July 8, 2021)
- Delhi Court Adjourn to August 27 WhatsApp's Plea Challenging Traceability Clause under New IT Rules as Violative of Right to Privacy, LIVELAW (July 30, 2021)
- Adam Easton, Poland proposes social media Free Speech Law, BBC News (January 15, 2021)
- Article 57, L119, 4 May 2016, General Data Protection Regulation, 2016
- Article 58, L119, 4 May 2016, General Data Protection Regulation, 2016.
- Article 115, UK Data Protection Act, 2018.
- Article 5, L119, 4 May 2016, General Data Protection Regulation, 2016.
-
Article 21, L119, 4 May 2016, General Data Protection Regulation, 2016.
-
Article 4(2), L119, 4 May 2016, General Data Protection Regulation, 2016.
-
Recital 39, L119, 4 May 2016, General Data Protection Regulation, 2016.
-
Article 6, L119, 4 May 2016, General Data Protection Regulation, 2016.
- Article 1, L119, 4 May 2016, General Data Protection Regulation, 2016.
Please Drop Your Comments