"If liberty means anything at all it means the right to tell people what they do not want to hear." - George Orwell

Ever since the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, were passed by the government of India, they have been a topic of discussion and have faced serious criticism for being violative of fundamental rights. While, with the increase in the overall internet accessibility and increase in cybercrimes, it is without a doubt true that the digital space does need to be regulated, the regulations need to be drafted in a manner that strikes a balance between the duty of the State to protect the citizens by way of drafting laws for the purpose, and the fundamental rights of the citizens.

This paper provides an overview of the provisions of the IT Rules and analyses them on the touchstone of the constitutional provisions to test their validity. The authors aim to provide an alternate perspective, by comparing the Rules with international instruments and legislations regarding the control of media and user privacy, like the Cyber Security Law of People's Republic of China, and the General Data Protection Regulation of the European Union, in order to highlight the shortcomings of the Indian framework, and suggest how the authorities could oversee digital communications and content and protect the morality and security of the nation and its people, without overstepping the constitutional boundaries or violating the rights of the citizens.

Introduction
In India, the Internet was launched by Videsh Sanchar Nigam Limited (VSNL) on the 15 of August, 1995.[1] Within a quarter century, the internet landscape transformed considerably from being a service that only a few could afford to an easily accessible resource that is now everywhere. With 560 million users, evolution of the internet has been very rapid in India.[2]

Earlier, internet was only used to facilitate web-based searches on search engines like google, Bing, yahoo, etc., but with the introduction of sites like Facebook, WhatsApp, Instagram, internet has become an essential stimulus for the expression of opinion for the masses. With a user base of millions, these sites dominate the internet space making it pertinent for the government to regulate them.

Though, they help amplify the voice of the masses, they also have a corrosive effect on democracy and public discourse. From harboring hatred through fake news to encroaching privacy of the innocent by stealing their data, internet is being used for it all. This has made imperative it for the government to bring in laws to keep up with the ever - evolving internet regime.

As a result, on the 25 of February, 2021 the Law and IT minister Ravi Shankar Prasad introduced the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 which replaced the Information Technology (Intermediary Guidelines) Rules, 2011. These rules are framed under Section 87 of the Information Technology Act, 2000 and intend to regulate the Intermediary conduct and the digital media content.

They are structured in a very detailed and comprehensible manner, divided into three parts, Part 1 consists of Short title and Definitions, Part 2 enlists the guidelines for due diligence by the Intermediaries, Part 3 provides for the code of ethics and rules concerning digital media.

Who is an intermediary?
According to the Information Technology Act, 2000, an intermediary is a person who on behalf of another person receives, stores or transmits a record or provides any service concerning to that record. Internet and Network service providers are some of the many people included as intermediaries in the definition.[3]

Though the definition of Intermediary under Rule 2 (m) is the same as under the Act [Section 2(w)], but it has included websites, apps and portals of social media, media sharing websites, blogs, online discussion forums also under the definition of an Intermediary. Therefore, there are two types of intermediaries one which connects us to the internet like Airtel, Vodaphone and the other which provide us web-based services like WhatsApp, Facebook, Twitter, etc.

Judicial Delineation on liability of an intermediary
Considering the ginormous amount of content published on social media platforms, it is highly unreasonable to expect the government to check the credibility and legality of each and every post. An intermediary at this stage is assigned the task to filter the content which prima facie is unlawful and against their privacy policy. This seems to be an effective way to obstruct the free flow of illegal content on the Internet. Therefore, an intermediary is an essential cog in the wheel. These make us question whether an intermediary can be held liable for every unlawful and unscrupulous content posted on its website by a third party.

The issue of intermediary liability was first acknowledged by the judiciary in 2004 in Avnish Bajaj v. The State[4] . In this case Ravi Raj, a student of IIT Kharagpur, listed for sale, a sexually explicit video of two students from DPS RK Puram on Baazi.com, a platform where a buyer and seller connect for concluding transactions. Through Baazi.com who is an intermediary in this case, the video was sold to 8 customers and was eventually made viral on the internet.

In consequence of which Ravi Raj along with the Managing Director (Avnish Bajaj) of Baazi.com were arrested. Ravi raj's arrest owning to promoting a sexually explicit MMS of 2 minors was right but Avnish's arrest was frowned upon by the legal fraternity. In 2005, Avnish Bajaj filed a petition in the high court of Delhi for quashing all the criminal proceedings against him on the grounds that the transaction took place directly between the seller and buyer with no intervention by Baazi.com therefore he owes no liability.

The high court quashing the liability of the MD under Section 292(a) and (d) held him liable under Section 67 of the IT act. This was later overturned by the Supreme Court in 2012[5] claiming that vicarious liability cannot be fastened to Avnish Bajaj and he could not be held guilty under section 67 and 85 of the Act[6], as the company was not arraigned as an accused. Therefore, when there was no case made against the company, the managing director of the company stands acquitted.

This case highlighted the legal risks that corporates operating an online business platform for users to host their content could be exposed to, in spite of the fact that they are not the authors of the content. This case not only marked a drastic shift in intermediary liability but it also gave way to a much-needed amendment in Section 79 of the Information Technology Act in 2008.

Prior to the amendment, Section 79 of the act provided immunity to internet service providers only with respect to liability arising from the IT Act, 2000 and there was absolutely no protection from liability under other legislations.[7] As a corollary, Baazi.com was not immune from any liability arising out from the Penal Code, 1860 (conviction under Section 292).

With the amendment of 2008, the definition of intermediary under section 2(w) was broadened to include Telecom service provides, web-hosting service providers, search engines, online payment sites also as intermediaries along with Internet Service Providers. Section 79 was also amended to create a safe harbor provision for intermediaries. Reversing the burden of proof, an intermediary, now, would not be liable for any third - party information, data or communication link made available or hosted by it.

The supreme court has also observed this in Shreya Singhal v. Union of India[8] that "it would be very difficult for intermediaries like google, Facebook, etc to act when millions of requests are made and the intermediary is then to judge as to which of such requests are legitimate and which are not". Similar was held in Kent Ro Systems Ltd. v. Amit Kotak[9]. But this extends only to those instances where the intermediary merely acts as a facilitator and is not involved in creation or modification of the data or information as recently clarified by the Supreme Court in Google India Pvt. Ltd. v. Visakha Industries.[10]

The Delhi high court, also clarified in Christain Louboutin SAS v. Nakul Bajaj[11], that the safe harbor provision under Section 79 is applicable only to "passive intermediaries". It even provided an exhaustive list of various functions that may be performed by an intermediary and claimed that the more functions an intermediary performs the more it is likely to be termed as an "active participant".

Further, this immunity is taken away when an intermediary upon receiving actual knowledge does not take down a content which is unlawful.[12] The term "actual knowledge" was deciphered by the Supreme Court in Shreya Singhal v. Union[13] of India to include an order from the court of competent jurisdiction or a competent authority.

The most striking aspect of the amendment was sub section c of clause 2 of Section 79 which slyly insinuated that such immunity is not absolute and will be guided by the rules for due diligence made by the Central Government. These rules were first made by the government in 2011 and are succeeded by the - the Information Technology (Guidelines for Intermediaries and Digital Media ethics code) Rules, 2021. Now the question arises whether this safe harbor is as safe for intermediaries as it is contended to be. This can be answered through the analysis of the Rules, 2011 and Rules, 2021.

The IT Intermediary Rules
The new IT Intermediary Rules which amended the 2011 Intermediary Rules are discussed briefly, formed under Sections 69A, 79, and 89:

1. Due Diligence by the Intermediary
   Rules 4-6 implement a duty on the intermediaries to implement due diligence in their functioning. These duties are: The rules and regulations, privacy policy, and user agreement should explain to the user not to publish, modify, upload, display any information which comes under the heads mentioned under Section 4(1)(b).
   
   The intermediary may be asked to remove any information which comes under any of the said restrictions and may be asked to provide information about the disputed content by government order. The information of the identification of the first publisher shall be given by the social media intermediary, providing messaging services like WhatsApp, to the judicial officer on the order received under Section 69 of the Act. They are required to use technology- based measures which will help in disseminating the information promoting restricted information.
   
   A Chief Compliance Officer, a Nodal Officer, and a Resident Grievance Officer shall be appointed within three months of the publication of such rules to ensure due diligence and publish a compliance report every six months. The cyber incidents are to be reported by them to the Indian Computer Emergency Response Team following the policies and procedures as prescribed in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
    
2. Code of Ethics and Procedure and Safeguards about Digital/Online Media
   As per Section 2(w) of the IT Act, 2000, the intermediaries are simply persons who facilitate the use of the internet. It includes cyber cafes, interactive websites like WordPress, blogs, web hosts, search engines like Google, Opera, etc. The functions of intermediaries are hosting content, collecting information, evaluating scattered information, facilitating communication and information exchange, aggregating information, providing access to the internet, etc. The Rules state that when asked by the government order, they (intermediaries) must disclose the identity of the first originator of the information on their platform. The due diligence to be followed by the intermediaries to control the content has put a significant amount of obligation on them, but at the same time has infringed the privacy of the originator and freedom of expression of the publisher.
   
   Publishers, as per Part III of the Rules, include: (i) news and current affairs content providers, and (ii) online curated content providers, such as the Leaflet, Livelaw, etc. Therefore, publishers mean all such publishers who operate in the territory of India or conduct the systematic business activity of making their content available in India. A Publisher shall be deemed to operate in the territory of India where such publisher has a physical presence in the territory of India.[14] The Rules cover individual content producers like bloggers as well. In response to a plea filed in the Delhi High Court on May 31, the Court issued notice to a microblogging site for non-complying with the IT Intermediary Rules.[15] Following is the structure for grievance mechanism for the said entities:
   
   • Level I - Self-regulation by the applicable entity;
   • Level II - Self-regulation by the self-regulating bodies of the applicable entities;
   • Level III - Oversight mechanism by the Central Government.
   The authorized officer will give notice to the applicable entity of the disputed content for the reply and the content will be subsequently reviewed by the inter-departmental committee.
   
   Also, the authorized officer is required to submit the recommendation of the Committee along with the information available to the Secretary in the Ministry of Information and Broadcasting ("MIB"), Government of India, and on his approval shall continue as per the directions.
    
3. Significant publisher and disclosure:
   The significant publisher of the news and current affairs is required to notify the broadcast seva about the functioning and broadcasting in the territory of India for proper coordination and communication.

Concerns about The IT Intermediary Rules
The IT Intermediary Rules, essentially change the internet experience in India. They have the effect of bringing about governmental control, rather than regulation of social media, digital news platforms, and OTT platforms. Several of these rules are unconstitutional and violate the freedom of speech and the right to privacy of the users of these services.

1. Data Preservation and Traceability
   Rule 3(1)(h) requires social media intermediaries to preserve data for 180 days. This information has to be preserved even after the user has deleted their account, for investigative purposes. Further, significant social media intermediaries are also required to allow their users to 'voluntarily' verify their accounts with appropriate mechanisms including their mobile numbers. The accounts so verified shall be indicated by a mark indicating such verification.[16]
   
   Instances of such 'voluntary' requirements becoming practically mandatory are not unknown to India. (For instance, although initially, Aadhar Cards were introduced as voluntary ID proof, yet activities like banking transactions, getting a sim card, etc, were linked to it in such a way that it was difficult to proceed in normal life without an Aadhar Card, thus, making it mandatory in effect.) This shall also enable the social media intermediaries to collect individual data via their respective government IDs. Therefore, these requirements, in the absence of data protection laws and oversight mechanisms regarding the working of surveillance in India, shall have severe implications on the privacy and anonymity of the social media users, where just recently, the Supreme Court had stated privacy to be a fundamental right.[17]
   
   Rule 4(2) requires significant social media intermediaries to enable the tracing of the originator of information if required by a Court of competent jurisdiction or competent authority under Section 69 of the IT Act, thus putting an end to the system of end-to-end encryption if required.
   
   End-to-end encryption ("E2EE") is a technique employed by messaging apps where only the communicating parties have access to the messages exchanged between them. It prevents the internet service providers and other third parties from snooping into the information shared by the users. Social media platforms like WhatsApp use the system of end-to-end encryption, which allows the users to keep the integrity of their messages intact, while they communicate via the internet, which is otherwise considered an insecure public channel. Although the rules provide that such order shall only be passed for prevention, detection, investigation, prosecution, or punishment of certain offenses that are specifically stated, the category of 'public order' is relatively broad and can be used to exercise arbitrary and whimsical actions.
   
   No doubt, this provision shall help in reducing the cases, and identifying the culprits of serious cyber offenses, but, at the same time, can be used to identify political dissenters and may be a threat to freedom of speech and right to dissent. This is contrary to the opinion of Delhi High Court, expressed in Maqbool Fida Husain v. Rajkumar Pandey[18] as:
   "In a real democracy, the dissenter must feel at home and ought not to be nervously looking over his shoulder fearing captivity or bodily harm or economic and social sanctions for his unconventional or critical views. There should be freedom for the thought we hate. Freedom of speech has no meaning if there is no freedom after speech. The reality of democracy is to be measured by the extent of freedom and accommodation it extends."
    
2. 'Self-Regulation' and Content Blocking
   The IT Intermediary Rules also regulate digital news media and OTT platforms, which before this, in the 2011 Intermediary Rules, were left out. The digital news media and OTT platforms are required to adhere to a Code of Conduct, provided in the Appendix to these rules. To ensure compliance with this code of conduct, the three-tier system discussed above includes a grievance redressal and appeal mechanism. This consists of a Grievance Officer at the first tier, the self-regulating body at the second tier, and an Inter-Departmental Committee constituted by the Ministry at the third tier. Under this mechanism, if the grievance officer is unable to provide the complainant with a sufficient response, the complainant may appeal to the self-regulating body at tier II.

Now, as per Rule 11, this self-regulating body is supposed to be an independent body, headed by a retired judge of the Supreme Court or of a High Court, who shall be appointed from a panel prepared by the Ministry, and have other, not more than six members, from the field of media, broadcasting, technology, and entertainment. In case the applicable entity fails to comply with the guidance and advisory of the self- regulatory body within the stipulated time, the body may refer the matter to the Oversight Mechanism constituted under Rule 12.

This Oversight Mechanism is the Inter-Departmental Committee, consisting of representatives from various ministries under the government and other organizations, including domain experts, that it may decide to include in the Committee, with an 'Authorized Officer' who shall be a member of the Ministry, designated by the Ministry, as its Chairperson.

Therefore, while on the face of it, this mechanism may appear to be quite 'self-regulatory' with minimal government interference, on a deeper look, it is much more than that, keeping in mind the degree of control that the Ministry has over appointments in the 'self-regulating body'.

Furthermore, the action that can be taken by this Committee includes censoring the platform, asking the platform to reclassify ratings, and action under Section 69A(1) of the IT Act, on the mere ground that the Authorised Officer, on the recommendation of the committee, is satisfied that there is need for taking such action.

Such action may be blocking concerning the content, subject to Section 69A(2), for reasons to be recorded in writing. Section 69A(2) provides that the procedure of such blocking, and the safeguards available against it, maybe as prescribed. This procedure has been prescribed under the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 ("2009 Rules").

The Apex Court, in the case of Shreya Singhal v. Union of India,[19] not only declared Section 66A of the Act as unconstitutional but also upheld the constitutional validity of Section 69A, which was also challenged in the case. The reason provided by the Court for its decision was twofold.

The Hon'ble Court noted that firstly, Section 69A is narrowly drawn, and contains several safeguards, unlike Section 66A, and secondly, the necessity envisaged in the section is on the grounds that are same as those envisaged under Article 19(2) of the Constitution of India, i.e. 'in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or preventing incitement to the commission of any cognizable offence'.

However, what the Hon'ble court might have overlooked, was the fact that while Article 19(2) of the Constitution lays down grounds on the basis of which the Parliament and the State Legislature are allowed to pass laws that restrict the freedom of speech and expression of the citizens, what Section 69A allows on the similar grounds is for the government, or an officer authorised by the government to interpret the grounds such as security of the State, etc, as per their own understanding, and direct blocking of content.

The reasonable restrictions provided under the Constitution are quite subjective. The difference between the passing of a law in the Parliament, and the issuance of directions by an officer is that while a bill is heavily debated in the Parliament before it becomes a law, a governmental guideline may be based solely on the whims and fancies of the authority.

Another anomaly in the blocking procedure is found under the 2009 Rules. Framed under Section 69A(2) of the IT Act, these rules provide the procedures and safeguards concerning blocking. According to the 2009 Rules, every request for blocking is supposed to be reviewed by the review committee before action is taken, the review committee comprises of designated officers and representatives from the Ministry of Law and Justice, Information and Broadcasting,

Home Affairs, and the Indian Computer Emergency Response Team.[20] The rules also provide the stakeholders with the opportunity of hearing, and for deliberations by a reviewing committee, before any decision for blocking is made, as a safeguard against unwarranted blocking. However, under Rule 9, the competent authority can direct the intermediary to block access by the public to any information for forty-eight hours, before the notice is deliberated upon by the review committee, in 'emergency cases'. What constitutes an emergency is not defined and is left to be interpreted as per the wisdom of the relevant authorities.

The rules also provide for the Department to record in writing the reasons for the issue of the direction of blocking of content, which may, as noted in the Shreya Singhal case, 'be assailed in a writ petition under Article 226 of the Constitution'.[21] Although this provision is supposed to be a safeguard against whimsical actions, the forty-eight hours of unreviewed blocking, and the time taken to dispose of a writ petition, are enough to curb the voices of political dissenters or social movements that do not suit the government's interests. It is for these reasons that the constitutional validity of Section 69A and the action taken under the 2009 Rules, seem questionable.

This provision, and the misuse that may ensue thereof, becomes relevant in light of the Supreme Court judgment in Indibly Creative (P) Ltd. v. the State of W.B.[22], wherein the Court stated that, "The views of the writer of a play, the meter of a poet, or the sketches of a cartoonist may not be palatable to those who are criticized. Those who disagree have a simple expedient: of not watching a film, not turning the pages of the book, or not hearing what is not music to their ears. The Constitution does not permit those in authority who disagree to crush the freedom of others to believe, think and express."

At the point in time when India is not only a consumer but an active creator of original digital content released via OTT platforms, the opportunity could be used to monetize the growing OTT trend across the globe. In light of the South Korean model, where the government systematically works to realize the full potential of the Hallyu export market, building on USD 13.4 billion in export sales throughout the world in 2018-19, the increasing restrictions on the Indian content on these OTT platforms are not only a blow to the artistic freedom of content creators, and freedom of speech, but also a lost economic opportunity.[23]

Constitutionality of the Rules
In addition to the above, the concern is that the rules have no legislative backing in regulating said media, this is exercising powers beyond the scope of the parent legislation. It has been held by the Supreme Court in the State of Karnataka v. Ganesh Kamath[24] that:
"It is a well-settled principle of interpretation of statutes that conferment of rulemaking power by an Act does not enable the rule making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent therewith or repugnant thereto."

A combined reading of Section 79(2) read with Section 89(2)(zg) makes it clear that the power of the Central Government is limited to prescribing guidelines related to the due diligence to be observed by the intermediaries while discharging its duties under the IT Act. However, the IT Intermediary Rules have imposed additional requirements and widened the ambit of requirements to be fulfilled by the intermediary.

Thus, the Rules extend the scope of the responsibilities of the intermediary and are ultra vires as an intermediary can act only after receiving an order from the court or a notification from the appropriate government or its agency. The intermediary is not required to exercise its discretion regarding the material which is to be removed or disabled.

Also, as per the Rules, the intermediaries are liable to follow the due diligence provisions which are similar to the provisions of due diligence attached in the 2011 Intermediary Rules. These principles under Rule 3(4) of the 2011 Intermediary Rules, were read down in Shreya Singhal v. Union of India[25], to the extent that an intermediary would only be required to disable information that would be relatable to Article 19(2) of the Constitution.

Similarly, the IT Act does not provide any classification of intermediaries. Section 2 (1)(w) of the Act defines an intermediary as "any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes."

Thus, all intermediaries are treated as a single undifferentiated entity that are subject to the same responsibilities and obligations. However, the new Rules have set up different categories of intermediaries like social media intermediaries,[26] and significant social media intermediaries.26 This classification, in turn, subjects social media intermediaries with an extra set of obligations, and the scope of significant social media intermediaries' responsibilities also stands expanded. These new responsibilities find no basis in the parent act that does not classify intermediaries into different types.

Section 87(1) and Section 87(2)(z) and (zg), under which the Rules have been prescribed, do not give the Central Government the power to amend the definition of intermediaries as stated in the IT Act, or create any such classifications as the Rules have already done. Therefore, once again, it can be evidently seen that the Rules have gone beyond the parent legislation.

Secondly, Section 79 of the Act provides that subject to clauses (2) and (3) the intermediary shall not be liable to any content of the third-party hosted or published by it. Thus, providing a clear safeguard to the intermediary. Further, Section 79(2) of the Act states the grounds under which the said safeguard will be availed to the intermediary and Section 79(3) mentions the grounds when the intermediary may be held liable if the content is not taken down when they have the knowledge of its unlawfulness.

In Shreya Singhal v. Union of India,[27] the Supreme Court read down Section 79(3)

(b) to mean that an "intermediary upon receiving actual knowledge from a court order or on being notified by the appropriate government or its agency that unlawful acts relatable to Article 19 (2) are going to be committed, fails to expeditiously remove or disable access to such material."

Thus, requiring the intermediary to apply their own mind in the regulation of data goes against the Court's interpretation in the Shreya Singhal judgment.

Also, as per the Rules, the responsibility of administering Part II of the Rules lies with the Ministry of Electronics and Information Technology. As per the Allocation of Business Rules, 1961, Digital Media is under the purview of the Ministry of Information and Broadcasting, while the entry 'Matters relating to Cyber Laws, administration of Information Technology Act 2000 (21 of 2000) and other IT related laws', which would include IT Act, 2000 and framing of rules under the said Act, would fall under the MeitY.

While it may be argued that Digital Media, concerning the processing of content on digital media by publishers can be covered as an aspect of the wide scope of 'cyber crimes', digital media still falls under the ambit of Information and Broadcasting and any legislation or delegated legislation in the form of rules, under this legislation, can be enacted by the MIB.

Therefore, the MeitY cannot legislate upon digital media as a delegate or otherwise, since it is the job of the MIB. Neither can the MIB, under the IT Act, act as a delegate and administer a part of it, since it is an accepted principle of law that what cannot be done directly, cannot be done indirectly. To regulate digital media, the MeitY would have to pass a law in the Parliament, under which it may require the MIB to consult the MeitY and other ministries, but the enacting body would still be the MIB. Not passing the law amounts to an abdication of the Parliament's legislative duties.

The Supreme Court, in various cases, has stated that if a rule goes beyond the rule- making powers conferred by the statute, and hence, the rule should be declared ultra vires. The basic test is to determine and consider the source of the power conferred upon the rule.[28] For a rule to have the effect of a statutory provision, two requirements should be fulfilled. Firstly, the rule must conform to the provision of the statute under which it is framed, and secondly, it must also come into the scope and purview of the rule-making power of the authority making the rule. If any one of the above two conditions is not fulfilled, the rule shall remain void.[29]

The conferment of rule-making power by an Act does not enable the rule-making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent therewith or repugnant thereto.[30] Hence, it is clear that the rules are beyond the scope of the purview of the IT Act and are ultra vires the parent act, therefore, are liable to be challenged in court on this ground.

Challenges To The Rules & Way Forward
Considering all the above, it is only understandable and expected that the Rules have been challenged in Courts by various platforms that it claims to cover, to settle the applicability and remove the ambiguity in them. Google, for example, appealed the Delhi High Court against an order of a single judge bench on the ground that it is classified as a social media intermediary and is required to comply with the Rules, whereas being a search engine, it considers itself not a subject to such compliances.[31]

Petitions have also been filed by the Wire,[32] the Quint,[33] etc., challenging the provisions of the Rules regulating digital news media and OTT platforms, claiming that the rules impose upon them unreasonable restrictions that violate their freedom of speech and expression. A similar challenge has been made by the Press Trust of India as well.[34] Even WhatsApp moved to the Delhi High Court against the traceability clause that requires it to break the end-to-end encryption that secures user communications, on the ground of it being violative of the people's right to privacy.[35]

Here, it becomes pertinent to note that the Bombay High Court, in a plea filed by AGIJ Promotion of Ninteenonea Media Pvt. Ltd., the company that runs the legal news portal the Leaflet, stayed the application of Rule 9(1) of the IT Intermediary Rules. With the rapid pace of technological development and the internet becoming an indispensable part of the lives of people everywhere, the issue of the protection of user information and privacy, as well as the freedom of speech online has been a concern all around the world, and legislations regulating said aspects of the internet experience have been passed.

Poland, for instance, proposed a law that criminalizes self- regulation by intermediaries. The country believes that the removal of content and regulation of free speech on social media platforms is not a function that the intermediaries should exercise, thus advocating for a 'free and transparent' internet policy. Failure to restore deleted content and accounts could cost the intermediaries up to $13.4 million by way of fines.[36]

While India is enabling government-sanctioned privacy breaches by requiring intermediaries like WhatsApp to break their end to end encryption, the European Union's General Data Protection Regulations ("GDPR") requires the Information Commissioner-an independent regulator, to make sure that the personal data of the citizens are protected and their privacy is maintained under transactions that occur between the member states, by way of granting the Information Commissioner various responsibilities[37] and powers[38] like ordering the data controller or processor to inform the data subject about personal data breach, carrying out data protection audits, warning the controller that the intended data processing is likely to breach the provisions of GDPR, etc.

The same has also been reiterated in the UK Data Protection Act, 2018.[39] Further, the GDPR provides that where personal data of users is stored, it must be done so in a way that allows the identification of data subjects for a period no longer than is necessary for accomplishing the purpose for which the data was so processed.[40]

The only case in which personal data can be stored for a longer period is in instances where it relates to the public interest, or scientific or historical research purposes, or statistical purposes, subject to technical and organizational measures as prescribed by national laws. The European Union Regulation also provides the data subjects the right to object to the processing of personal information.[41] Processing includes

collection, recording, storage, etc.[42] Under Article 21 of GDPR, the data subject can object to such processing at any stage, and the controller shall no longer proceed with the processing unless they demonstrate such 'compelling legitimate grounds' under which the processing overrides the interests, freedoms, and rights of the data subject, except when the processing is for direct marketing purposes, the controller shall, in no case, proceed with such purposes. In this light, the storage of user information for a period of one hundred and eighty days, irrespective of the purpose for which the information was collected under the IT Intermediary Rules, seems excessive. GDPR also emphasizes the lawfulness of data processing.

It states that the purpose of such processing should be explicitly informed to the user, and be determined at the time of collection of the data.[43] It also categorically lays down the purposes for which processing would be considered lawful.[44] Although the Indian legislation does require the consent of the user to be taken before any processing, it does not, unlike the GDPR, define what consent means.

It must be kept in mind that while foreign legislations like GDPR state the right to protection of personal data as one of its objectives, the IT Act, and the Rules were not drafted for this purpose.[45] All this further strengthens the argument for the need for a data protection law in India.

Conclusion
India is the world's largest democracy and, in a time, where democracies around the world are aiming to expand the scope of their citizen's freedoms and rights, the IT Intermediary Rules, are on the receiving end of large-scale outrage in the nation. It is clear from the provisions of these rules that the government has missed out on an opportunity for further betterment of the democratic rights of internet users. With the jurisprudence of rights of individuals on the internet evolving rapidly, the introduction of these intermediary rules, with their immoderate regulations and government interference, is like taking two steps back in catching up with this development.

Admittedly, the rise of internet coverage in the country has led to increased cases of illegal activities through the internet, including sexual harassment, pornography, and the spread of messages and content igniting communal violence. But in the absence of regulatory mechanisms, and due to the excessive interference on OTT platforms, we are of the view that these rules have far-reaching negative implications on the right to privacy, freedom of speech and expression, and access to information, alongside the above-mentioned constitutional irregularities.

While we agree that there is an urgent requirement for better regulation of these aspects of cyberspace, how these rules have been brought about, as well as their substance, beg urgent judicial review. What is required is the introduction of revised rules as the bill for deliberations in the Parliament and its subsequent enforcement as a law.

The need for a data protection law becomes more highlighted in these circumstances. The formation of a regulatory body, to make sure that the data collected in compliance with such rules are used only for such verification purposes as mandated by the law, to prevent an unwarranted breach of citizen's privacy is also vital. The authorities should be held accountable for the content takedowns or website blocks made at the request of the government, making the overall legislation more transparent, and ensuring that unwarranted and arbitrary actions are not taken to promote the government's propaganda and suppress any difference in opinion.

The government could also set up a body specifically for monitoring and reporting misinformation trends and hate comments online. This would not only reduce the burden on the intermediaries but would also not require them to apply their minds in self-regulating the content posted on their platform.

References:
Statutes Referred:

• The Information Technology Act, 2000
• The Information Technology Rules, 2021

Bibliography:

1. Computers internet and e-commerce - Nandan Kamat
2. Cyber Laws and Crimes - Dr. Santhosh Kumar

End-Notes:

1. Brijendra K. Syngal, Sandipan Deb, "How the Internet arrived in India", Mint, Feb 10, 2020, available at https://www.livemint.com/news/india/how-the-internet-arrived-in-india.
2. Statista, available at https://www.statista.com/statistics/262966/number-of-internet-users-in-selectedcountries.
3. The Information Technology Act, 2000 (Act 21 of 2000), s.2(w).
4. Avnish Bajaj v. The State, (2005) 3 CompLJ 364 Del.
5. Criminal Appeal No. 1222 of 2016.
6. The Information Technology Act, 2000 (Act 21 of 2000).
7. Chinmayi Arun, "Gatekeeper liability and article 19(1)(A)of the Constitution of India" NUJS Law Review (2015).
8. Shreya Singhal v. Union of India, AIR 2015 SC 1523.
9. Kent Ro Systems Ltd. v. Amit Kotak, (2017) 69 PTC 551.
10. Google India Pvt. Ltd. v. Visakha Industries, (2020) 4 SCC 162.
11. Christain Louboutin SAS v. Nakul Bajaj, CS(COMM) 344/2018.
12. The Information Technology Act, 2000 (Act 21 of 2000), s.79, cl 3(b).
13. Shreya Singhal v. Union of India, AIR 2015 SC 1523.
14. Obhan & Associates, India tightens the noose on intermediaries and social media platforms, LEXOLOGY, (March 1, 2021).
15. Rahul Srivastava, On new IT rules, Twitter says it will strive to comply with applicable law in India, INDIA TODAY, (May 27, 2021).
16. [16] Rule 4(7), The Information Technology (Intermediary Guidelines and Digital Media Ethics Code), Rules, 2021, Part II�Section 3�Sub-section (i), The Gazette Of India, Govt. Of India.
17. K.S. Puttaswamy v. Union of India, (2017) 10 SCC 641.
18. Maqbool Fida Husain v. Rajkumar Pandey, 2008 SCC OnLine Del 562.
19. Shreya Singhal v. Union of India, (2015) 5 SCC 1 : AIR 2015 SC 1523.
20. Rule 7, The Information Technology (Procedure and safeguards for Blocking for access of Information by Public) Rules, 2009, Part II�Section 3�Sub-section (i), The Gazette Of India, Govt. Of India.
21. Shreya Singhal v. Union of India, (2015) 5 SCC 1 : AIR 2015 SC 1523.
22. Indibly Creative (P) Ltd. v. the State of W.B, (2020) 12 SCC 436.
23. Korean Film Industry Generated USD 18.45 Billion in 2018, MOTION PICTURE ASSOCIATION (December 12, 2019)
24. State of Karnataka v. Ganesh Kamath, (1983) 2 SCR 665.
25. Shreya Singhal v. Union of India, (2015) 5 SCC 1.
26. Rule 7, The Information Technology (Procedure and safeguards for Blocking for access of Information by Public) Rules, 2009, Part II�Section 3�Sub-section (i), The Gazette Of India, Govt. Of India..
27. Shreya Singhal v. Union of India, (2015) 5 SCC 1.
28. Union of India v. S. Srinivasan, (2012) 7 SCC 683.
29. General Officer Commanding-in-Chief v. Dr. Subhash Chandra Yadav, (1988) 2 SCC 351.
30. State of Karnataka v. S Ganesh Kamath, (1983) 2 SCC 402.
31. Staff Reporter, New IT Rules Don't Apply to Us, Google Tells Delhi High Court, THE HINDU (July 2, 2021)
32. Livelaw News Network, The Wire and Others move Delhi HC Challenging IT(Intermediary Guidelines and Digital Media Ethics Code), Rules, 2021, LIVELAW (March 8, 2021)
33. Karan Tripathi, Chilling Effect on Media': The Quint Challenges New IT Rules, THE QUINT (March 19,2021)
34. Sparsh Upadhyay, Press Trust of India Moves Delhi High Court Challenging IT Rules 2021, Notice Issued, LIVELAW (July 8, 2021)
35. Delhi Court Adjourn to August 27 WhatsApp's Plea Challenging Traceability Clause under New IT Rules as Violative of Right to Privacy, LIVELAW (July 30, 2021)
36. Adam Easton, Poland proposes social media Free Speech Law, BBC News (January 15, 2021)
37. Article 57, L119, 4 May 2016, General Data Protection Regulation, 2016
38. Article 58, L119, 4 May 2016, General Data Protection Regulation, 2016.
39. Article 115, UK Data Protection Act, 2018.
40. Article 5, L119, 4 May 2016, General Data Protection Regulation, 2016.
41. Article 21, L119, 4 May 2016, General Data Protection Regulation, 2016.
42. Article 4(2), L119, 4 May 2016, General Data Protection Regulation, 2016.
43. Recital 39, L119, 4 May 2016, General Data Protection Regulation, 2016.
44. Article 6, L119, 4 May 2016, General Data Protection Regulation, 2016.
45. Article 1, L119, 4 May 2016, General Data Protection Regulation, 2016.