Intermediaries Rules 2021: A note on the Compliance Requirements


In February, the government, specifically the Ministry of Electronics and Information Technology (MEITY) in collaboration with the Ministry of Information and Broadcasting, released the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediaries Rules). You can check out the clips of the actual press conference here. Since then much has been said about its impact on the news aggregators and OTT platforms. I will not delve into those in this current post. However, in case you are wondering how the Intermediaries Rules apply to you when you are neither a social media platform nor a publisher of news / current affairs or OTT content, this post will offer you some guidance. I will explore implications on news and current affairs content and social media intermediaries in a follow-up post to this.


The amendments to the Information Technology (Intermediaries Guidelines) Rules, 2011 (2011 Rules) have been on the horizon for a few years now. In 2018, a draft version of the amendments to the 2011 Rules was released by MEITY for public consultation (2018 Amendment). The Intermediaries Rules have been issued under sections 87(1) and 87(2)(z) and (zg) of the Information Technology Act, 2000 (IT Act), which empower the MEITY to prescribe rules to carry out provisions of the IT Act, including procedures and safeguards for blocking for access by the public and guidelines to be observed by intermediaries. It is important to mention that the Intermediaries Rules are currently being challenged before the Delhi High Court on the ground that the rules are ultra vires the parent Act, i.e. the IT Act, insofar as they seek to regulate digital media. You can find further details here.


A public consultation was conducted for the 2018 Amendment. The government maintains that public consultation was carried out for the Intermediaries Rules (2021) as well. However, the Intermediaries Rules significantly differ from the 2018 Amendment. Therefore, one can say that effectively stakeholders' views were not considered prior to notifying the Intermediaries Rules.


In terms of the structure of the Intermediaries Rules -

  • Part II of the Rules imposes due diligence obligations upon intermediaries, including social media intermediaries; and

  • Part III of the Rules prescribes a code of ethics and related safeguards and procedures for entities in the digital media space (publishers of news and current affairs content and online curated content).

Parts II and III will be administered by the MEITY and MIB respectively. I will link the key concepts and definitions here in order to keep this post concise.


Are you an intermediary?

The IT Act defines an 'intermediary' as any person who on behalf of another person receives, stores or transmits an electronic record or provides any service with respect to that record. Examples of intermediaries include telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places etc. The definition is non-exhaustive; therefore, if you are an online service provider, you should examine the functions that you undertake to determine whether you fall under the definition of an intermediary.


Safe harbour protection

Under the IT Act, intermediaries are not liable for any third party information, data, or communication link made available or hosted by them (Safe Harbour Protection) if the intermediary observes due diligence, as prescribed under the Intermediaries Rules (Due Diligence Requirements), and additionally meets one of the following two conditions:

  1. its function is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or

  2. it must not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission.

So, an intermediary can avail Safe Harbour Protection only if it complies with the two points above.


Compliance Requirements

The Intermediaries Rules prescribe the following Due Diligence Requirements for an intermediary, social media intermediary (SMI) and a significant social media intermediary (SSMI). There are additional requirements that an SSMI is required to follow. While the Intermediaries Rules do not mention a threshold, a subsequent notification has been issued by MEITY fixing the threshold as 5 million registered users for a social media intermediary to be considered a significant social media intermediary.


Publish Privacy Policy and User Agreement: The intermediary is required to prominently publish the rules and regulations, privacy policy, and user agreement on its website or mobile application, as the case may be, for access or usage of its services (provided by means of a computer resource) by any person;


Prohibited Content: The rules and regulations, privacy policy, or user agreement must inform the user to not host, display, upload, modify, publish, transmit, store, update or share certain prohibited content which -

  1. belongs to another person and to which the user does not have any right to;

  2. is defamatory, obscene, pornographic, paedophilic, invasive of another's privacy, including bodily privacy, insulting or harassing on the basis of gender, libellous, racially or ethnically objectionable, relating or encouraging money laundering or gambling, or otherwise contrary to the laws in force;

  3. is harmful to a child;

  4. infringes any patent, trademark, copyright or other proprietary rights;

  5. violates any law for the time being in force;

  6. deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any information which is patently false or misleading in nature but may be reasonably perceived as a fact;

  7. impersonates another person;

  8. threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order, or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation;

  9. contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource; or

  10. is patently false and untrue, and is written or published in any form, with the intent to harass or mislead a person, entity or agency for financial gain or cause any injury to any person.

Annual Notification: It must inform its users, at least once every year, that (a) non-compliance with the rules, regulations, user agreement or privacy policy may result in the termination of the access/usage rights of the user and/or the removal of non-compliant information; and (b) any change in such rules and regulations, privacy policy or user agreement, as the case may be. I recommend doing this through an “I accept” button on the app or on the website and retaining the logs, including the timestamp of such acceptance, for each user on a platform or a website. Alternatively, an email to the subscribers should also suffice.


Take-down Requirements: In the instance that an intermediary receives actual knowledge of unlawful content through an order by a court or authorized Government agency, it must remove such content within 36 hours of receiving such court or Government order. Further, in the event that an intermediary receives a complaint from an individual or any person on his behalf, in relation to any content which is prima facie in the nature of any material which exposes the private area of such individual, shows such individual in full or partial nudity or shows or depicts such individual in any sexual act or conduct, or is in the nature of impersonation in an electronic form, including artificially morphed images of such individual, it must take all reasonable and practicable measures to remove or disable access to such content hosted, stored, published or transmitted by it within 24 hours from the receipt of such complaint. This requirement is especially important if you are a social media intermediary or you run any kind of online forum on the web. Removal of such content will not result in dilution of the Safe Harbour Protection.


The court or government order can be issued in relation to the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, public order, decency or morality, in relation to contempt of court, defamation, incitement to an offence relating to any of the above or any information which is prohibited under any law in force.


It is important to note that such obligations will apply to information that is stored, hosted or published on the intermediary's computer resource, and not information that is temporarily or transiently stored automatically, and does not involve any human, automated or algorithmic editorial control.


Record Retention Requirements: If the intermediary removes or disables access to any content in the manner described above, or does so voluntarily pursuant to takedown requirements above, it must preserve such information and associated records for 180 days for investigation purposes, or for such longer period as required by the court or authorized government agency. It must also retain information collected from a user during registration, for a period of 180 days after the cancellation or withdrawal of such registration.


Compliance with Data Protection and CERT-In Rules: The intermediary must take all reasonable measures in order to secure its computer resource and information in compliance with the practices prescribed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011. It must also report cyber security incidents and share related information with the Indian Computer Emergency Response Team (CERT-In) in accordance with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. The definition of cyber security incident is quite broad and includes all kinds of cyber attacks, including identity theft, spoofing and phishing attacks. You can find the template incident reporting form here.


Provision of Assistance or Information: An intermediary must provide any information or assistance to authorized government agencies when required by a lawful order which is in writing, clearly stating its purpose, which could be for the purposes of verification of identity, cyber security incidents or prevention, detection, investigation or prosecution of offences under the law. It must do so within 72 hours of the request. This is clearly to ease the process of access to information by the government agencies, given that information requests through the Mutual Legal Assistance Treaties (MLAT) route result in huge delays.


Use of Technological Measures: An intermediary is prohibited from knowingly deploying, installing or modifying the technical configuration of the computer resource or becoming a party to an act that may, or has the potential to, change the normal course of operation of such computer resource. However, it may develop or deploy technological means to secure the computer resource.


Grievance Redressal: It must prominently publish on its website and/or mobile application, the name and contact details of a Grievance Officer and the mechanism by which users may make complaints. Such complaints may be against the violation of the Rules or in relation to any other matters that pertain to the intermediary's computer resources. Such Grievance Officer must (i) acknowledge the complaint within 24 hours and dispose of such complaint within 15 days from the date of its receipt; and (ii) receive and acknowledge any order, notice or direction issued by the Government, court or competent authority. An intermediary must also implement a mechanism to enable the individual or person to provide any necessary details regarding such complaints.


Companies often neglect this requirement of appointing a grievance officer. The role of a grievance officer has now become vital in light of the Personal Data Protection Bill, 2019 and the Intermediaries Rules and growing awareness with respect to data and privacy rights.


So, that summarizes the compliance requirements for an intermediary. Of course, an SSMI has a bunch of additional requirements to comply with, but that is the subject of another post. Just leave me a note through the contact section if you want me to cover implications on publishers of online content as well.
