Effective February 25, 2021, the law has stepped up the responsibilities of social media and news portals. This is via an entirely fresh set of rules: the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 Rules”). These rules do not amend but simply replace the Information Technology (Intermediaries Guidelines) Rules, 2011 (“Old Rules”). What the 2021 Rules do not do is affect the Information Technology Act, 2000 (“IT Act”) simply because the rules are subservient to the IT Act.
The IT Act has fundamental legal positions which are important to review as the 2021 Rules are notified under the IT Act.
In this note, we focus on the “intermediary” and the amendments in the 2021 Rules.
The Old Rules- the “intermediary”: qualifications and exemptions:
The “intermediary” denotes a safe harbour that has been available broadly to an enabling platform that does not generate or even curate content. This definition finds place in the IT Act. The IT Act is a critical piece in the rubric of media laws besides Indian criminal laws and specific legislations.
An intermediary as “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, web-housing service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes”. [S. 2(w) of the IT Act]
Intermediaries are defined in the IT Act in context of a safe harbour. The safe harbour is intuitive, as an intermediary does not by definition select or create content.
The liability of intermediaries was determined by Section 79(2) of the IT Act read with the Old Rules. Section 79 creates an exemption for intermediaries from any liability “for any third party information, data, or communication link made available or hosted by” them. This exception is effectively applicable to (i) intermediaries who do not initiate or perform editorial functions of the contents, and (ii) who continue to observe “due diligence”. The concept of “due diligence” was encapsulated as a set of fairly basic compliance points in the Old Rules.
The liability of intermediaries is determined by Section 79(2) of the IT Act, the Old Rules. Section 79 creates an exemption for intermediaries: there is no liability “for any third party information, data, or communication link made available or hosted by” them. This exception is effectively applicable to (i) true intermediaries who do not perform editorial functions or host actively chooses the content and (ii) who continue to do “due diligence”. The due diligence was encapsulated as a set of fairly basic compliance points in the Old Rules.
In what is now only of background value, there exists a sub-section of Section 79 of the IT Act which requires the intermediary to “expeditiously remove [upon private party or government notification]…” content which is used to commit “unlawful” acts. This still finds a place in the IT Act but it is written in invisible ink because the Supreme Court has struck down this burden and reduced this “takedown” obligation only to High Court-level order [Shreya Singhal v. Union of India, AIR 2015 SC 1523 as affirmed by MySpace v. Super Casettes, 236 (2017) DLT 47]. There are important exceptions here relating to intellectual property infringement.
The 2021 Rules:
On February 25, 2021 the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 came into force. The 2021 Rules expressly repeal the Old Rules. The 2021 Rules increase compliance standards for intermediaries and for this purpose categorize intermediaries into three buckets. The categories are based on size and purpose and are as follows:
- “Digital Media”: digitized content received, stored or transmitted by an intermediary or a publisher of news and current affairs content or online curated content that can be transmitted over the internet or computer networks.
- “Social Media Intermediary” is a platform that enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services. However, the definition excludes intermediaries that primarily enable commercial or business oriented transactions, provide access to internet or computer networks, is in the nature of a search-engine, online encyclopaedia, online directory or suggestion tool, e-mail service or online storage service.
- “Significant Social Media Intermediary” the Government of India on February 25, 2021 has notified that social media intermediaries with over 50 lakh users fall within this ambit.
Compliance Requirements: Intermediaries
| 2021 RULES | OLD RULES |
| Privacy Policy: A privacy policy and user agreement should be published “prominently on its website and mobile application”. | Prominent display was not mandated and detailed contents were not prescribed.
|
| Contents: Specified disclosures such as users cannot post content that is harmful to children, is defamatory or impersonates another person.
|
None |
| Notification: Notify the user of the changes to the above at least once a year.
|
None |
| Intimation: Annually inform users that non-compliance can prohibit users’ access to the service and/or remove non-compliant content.
|
New provision |
| Take down-timing: Take down content within 36 hours of knowledge of a Court order or notification by the appropriate government.
|
The rules were famously read down in Shreya Singhal but the timing of response was similar at 36 hours of knowledge. |
| Take down- records: Maintain electronic records, for a minimum of 180 days after takedown of content and deletion of user accounts.
|
Such data had to be retained for 90 days only. |
| Take down- information to court: Provide all information available to lawfully authorised agencies within 72 hours of receipt of court order for the purposes of verification of identity, or for the prevention, detection, investigation, or prosecution, of offences.
|
There was no time cap for compliance. |
| Take down- information to court: Report cyber security incidents to the Indian Computer Emergency Response Team (CERT).
|
None |
| Grievance officer: Publish contact details of the grievance officer on its website and mobile application and provide the mechanism to raise complaints by any user.
The grievance officer must acknowledge such a complaint within 24 hours and dispose the matter within 15 days of receipt of the complaint.
|
Similar |
| Complaints: The intermediary was given a period of 30 days to redress complaints. | |
| Immediate action: Take reasonable means to take down content that shows partial or full nudity or sexual conduct of a person, whether artificially created or not, within 24 hours of receiving such complaint from the person.
|
New provision
|
The 2021 Rules impose a higher threshold of compliance mandates for “significant social media intermediaries”. In addition to the requirements in the table above, significant social intermediaries have to comply with the following:
- Resident key officers: Appoint “employees” who are residents of India as (i) chief compliance officer; (ii) nodal contact person, and (iii) resident grievance officer. A grievance redressal mechanism, to receive complaints must allow the complainant to track the complaint. Additionally, it must provide reasons for action taken against the complaint, to the extent possible and a reasonable opportunity to be heard.
- Compliance reports: Publish detailed monthly compliance reports on actions taken on content moderation, automated or otherwise.
- Identification of originator: Enable identification of first originator of information upon receipt of a court or government order directing the same.
- Filtering mechanisms: Deploy automated mechanisms (with “human oversight”) to identify child sexual abuse material, rape and removal of content that is a replication of previously removed content. Upon users attempting to access such content, a notice has to be displayed that this has been removed due to the nature of the content.
- Indian address: Provide a physical address located in India on the website or application.
- Voluntary verification: Provide for voluntary verification of user accounts from India.
- Intimation: Publish a statement that publishers of news and current affairs content are to furnish details of their user accounts to the Ministry of Information & Broadcasting in addition to compliance with the user agreements.
A separate additional stream of compliance requirements are applicable to publishers of news and current affairs and publishers of online curated content who: ((i) operate in the territory of India i.e., have a physical presence in India; and (ii) conduct structured activity to make content targeted at Indian users. The relevant chapter is titled “Code of Ethics” which is reminiscent of soft law- but there are 3 “levels” of compliances- the third of which involve a cluster of ministries. The first level is “self-regulation” which has highly prescriptive standards of grievance redressal in particular. The second level is “self-regulating bodies” which notably require a registration from the Ministry of Information & Broadcasting. The third level is an “oversight mechanism” involving Ministry of Information & Broadcasting and other relevant ministries.
Conclusion
Like with every fresh tide of regulations that deepen compliance and enable stakeholder complaints, there are concerns in the industry about compliance costs and about deepening government control. Yet it is not a structural change it is just a deepening of regulations- and more control with the stage set for a structured involvement of various ministries.
Some areas such as takedown remain intact (court or government order with intellectual property exceptions).
We can expect a proliferation of self-regulatory organisations, higher spends on enabling technology that facilitate compliance, and a more engaged if not guarded media culture. A large part of the new norms relate to grievance management which is easily addressed at a house-keeping level. There is still scope for situations of doubt. For example, curated content publishers are to display the rating of the content- and the guidelines for the ratings are clear yet just like many others laws, are open to interpretation such as “the tone of content” and “imitable behaviour” and several other instances.
Non-compliance of the 2021 Rules will result in the loss of beneficial safe harbour protection under Section 79 of the IT Act and also lead to prosecution under the Indian Penal Code, 1860.
Perhaps the most telling provision heralding the change of times is the definition of “newspaper” as we know it (as excluded from the 2021 Rules): a periodical of loosely folded sheets usually printed on newsprint and brought out daily or at least once in a week, containing information on current events, public news or comments on public news.