Intermediary Rules 2021 – Not Liberal

The Government of India has recently notified the Information Technology (Intermediary Guidelines & Digital Media Ethics Code) Rules, 2021 ["2021 Rules"]. These rules have the potential to impact the manner in which all Indians use social media, search engines, OTT platforms and the Internet itself. The Central Government is terming these rules to be progressive, liberal and contemporaneous.

Debates in the Rajya Sabha when a draft version of the rules were being contemplated by the Government in the year 2018, offer an insight into the purpose behind the same. The law minister had specifically stated in the Rajya Sabha that some of the provisions of the IT Act need to be revised and strengthened so as to respond to emerging challenges. He further stated that this was proposed to be done by strengthening the implementation aspects of Section 79 of the IT Act.

The 2021 Rules were issued under Section 87(2)(z) & (zg) of the IT Act, in supersession of the Information Technology (Intermediaries Guidelines) Rules, 2011 ["2011 Rules"]. The 2021 Rules make a distinct departure from the erstwhile 2011 Rules while dealing with obligations and duties of intermediaries by classifying them into two groups namely, social media intermediary and a significant social media intermediary. Rule 2(w) defines social media intermediary as an intermediary which primarily or solely enables online interaction between users and allows users to create, upload, share information using its services. A significant social media intermediary means a social media intermediary having registered users above the threshold as notified by the Government. At present the Government has notified the same to be 50 Lakh users. This Article seeks to examine some of the controversial aspects and constitutionality of Part II of the 2021 Rules.

A. Rule 3(1)(d) – Lack of Procedural Safeguards

Rule 3 of the 2021 Rules deals with the due diligence to be observed by both social media intermediaries and significant social media intermediaries while discharging its duty. Under Rule 3(1)(d) an intermediary after receiving 'actual knowledge' through a court order or by being notified by a government agency, is bound to remove information that is prohibited by law within a duration of thirty-six hours. Therefore, Rule 3(1)(d) essentially prescribes a procedure for take down/blocking of content in the public domain. Section 69A of the IT Act deals with the power of the Central Government to direct any intermediary to block public access to any information generated, transmitted, received, stored or hosted in any computer resource.

Under Section 87(2)(z) of the IT Act, the Central Government is empowered to make rules regarding the procedure and safeguards for blocking for access by the public under Section 69A(3). Interestingly, the Central Government had in exercise of the powers under Section 87(2)(z) read with Section 69A(2) framed the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 ["Blocking Rules 2009"]. While the 2021 Rules are in supersession of the 2011 Rules relating to Intermediary liability, they are not in supersession of the Blocking Rules 2009, which ultimately leads to a scenario where there exist two different rules that prescribe different procedures for blocking of online content. While that per se may be an unwanted scenario, it becomes aggravated when both are juxtaposed against each other. The Blocking Rules 2009 contained an elaborate procedure relating to blocking of online content including inter alia :

• A three-tier system of scrutiny with Nodal Officers, Designated Officers and a Committee, for examination of a request.
• An opportunity of hearing before the Committee prior to the issuance of the order of blocking.
• A Bi-Monthly review of the orders issued by the Committee by a Review Committee.

Pertinently, Rule 3(1)(d) is devoid of any of the above procedural safeguards, and it fails to comply with the principles of natural justice and due process as it at no point gives an opportunity of hearing to creator/first originator of the content or the intermediary. Furthermore, while the erstwhile 2011 Rules read with subsequent clarifications effectively gave intermediaries 30 days to comply, the 2nd proviso says remove the content within 36 hours from actual knowledge, which may in certain situations and depending on the nature of information seem unreasonable.

B. Rule 3(2)(b) & Rule 4(4) – Contrary to Shreya Singhal

In Shreya Singhal v. Union of India the Supreme Court was examining the constitutional validity of various provisions of the IT Act, including Section 79. The Court upheld the validity of Section 79 subject to reading down the words 'actual knowledge' used in Section 79(3)(b) to mean actual knowledge from a Court order or being notified by an appropriate government or its agency. Rule 3(4) of the 2011 Intermediary Rules which was worded similarly to Section 79(3)(b) was also read down in the manner stated above. The reasoning given by the Supreme Court while arriving at the above conclusion which is of utmost significance in the present context, is summarized below:

• The Supreme Court stated that Intermediary must not be made the judge to decide which requests are legitimate or not, the same being notably absent in Section 69A read with the Blocking Rules 2009.
• The Court was also conscious of the practical difficulties which might be faced by intermediaries on account of the millions of requests they might receive.

Rule 3(2)(b) of the 2021 Rules require an intermediary upon receipt of a complaint made by an individual to remove any content which prima facie shows explicit content relating to that individual within a period of 24 hours. Rule 4(4) additionally requires a significant social media intermediary to endeavor to deploy technology-based measures, including automated tools or other mechanisms to proactively identify information that depicts any act or simulation in any form depicting rape, child sexual abuse or conduct, or any information which is exactly identical in content to information that has previously been removed or access to which has been disabled on the computer resource of such intermediary under Rule 3(1)(d). Both Rule 3(2)(d) and Rule 4(4) essentially empower intermediaries to act as gatekeepers and decide on what content is objectionable and what is not. Viewed in that respect, the abovementioned rules are contrary to the observations made by the Supreme Court in Shreya Singhal.

C. Rule 4(2) – Concerns of Informational Privacy

Under Rule 4(2) a significant social media intermediary providing services primarily in the nature of messaging is obligated to enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under section 69 by the Competent Authority. Before dealing with the proportionality aspect of Rule 4(2) viz-a-vis the right to privacy, it is apposite to consider whether it was permissible to the Central Government to incorporate Rule 4(2) as part of the 2021 Rules.

It is beyond cavil that Rule 4(2) entails at some stage the decryption of information by the intermediaries such as WhatsApp or Telegram on whose platform the objectionable content has been shared or transmitted as those platforms use End-to-End encryption technology ["E2E"]. The Central Government has in exercise of the powers under Section 87(y) read with Section 69(2) enacted the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 ["Decryption Rules 2009"] dealing with the procedures and safeguards for interception, monitoring or decryption under sub-section (2) of section 69. Again, we are met with an unwanted scenario where two Rules exist contemporaneously to deal with the same subject i.e., decryption of information. Furthermore, Rule 4(2) which relates to the identification of first originator as it involves decryption of information, is beyond the scope of the 2021 Rules as it has not been issued under Section 87(y). Assuming for the sake of argument that Rule 4(2) is in exercise of the relevant legislative power, the same can be said to be exceeding the ambit of Section 69 of the IT Act as Section 69 of the Act does not contemplate the identification of the first source of information.

Under Rule 5 read with Rule 3 of the Decryption Rules 2009, the competent authority could demand the decryption key holder to decrypt any information involving his or her computer resource. Rule 11 of the above Rules merely mandated the Intermediary to provide assistance for interception or monitoring or decryption and any direction of decryption could be issued against the intermediary only to the extent the information is encrypted by the intermediary, or the intermediary has control over the decryption key. However, Rule 4(2) of 2021 Rules casts the obligation on the intermediary to provide the decrypted information sought for, irrespective of whether it is in possession of the decryption key or not.

A compelling argument has been made out by WhatsApp that identification of first source of information under Rule 4(2) would result in the breaking of E2E which it has deployed in its app. To explore this argument a brief understanding of the technology is essential. Any message send on WhatsApp contains the Sender ID, Receiver ID [commonly known as Routing Information] and the content. Similar to the functioning of a typical post office, WhatsApp merely looks at the Receiver ID i.e., a device associated with a phone number and delivers the content to the said device. The content as such is encrypted via encryption keys, which change for every message and are thus known only to the sender and the receiver. No copy of the message is saved by WhatsApp.

The issues which arise from Rule 4(2) in so far as it requires the identification of the first source of information in an E2E messaging service is as follows:

• It would require the Intermediary to save a copy of all information send by its users, thereby requiring it to store messages. This would amount to storing all messages to trace a few, which by itself poses a huge security risk.
• If the original unlawful content was downloaded by a user, or a screenshot of the same was taken and then forwarded, the said user would be determined as the first originator of content.
• A similar scenario to the above would also result from a user copying some content and then sending it to any receiver.

The Supreme Court in K.S Puttaswamy & Anr v. Union of India & Ors while upholding the existence of a right to privacy, also stated that this right is not absolute. The Court stated that any lawfully authorized invasion of privacy must meet the following threefold requirement:

• Legality which postulates the existence of a law.
• Need, defined in terms of a legitimate State aim.
• Proportionality – i.e., a rational nexus between the objects and means adopted to achieve them.

While conditions (a) and (b) can be considered to have been satisfied, Rule 4(2) seems to be disproportionate to the right to privacy of citizens while achieving its discernable goal of reducing the spread of objectionable content, fake news and for the security of the state. The provisos to Rule 4(2) are more in the nature of substantive provisions which inter alia indicate the purpose and circumstances under which an order under Rule 4(2) can be passed. The 3rd proviso even proceeds to state that while complying with an order issued under Rule 4(2), the significant social media intermediary is not required to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users. However, Rule 4(2) postulates the existence of technology which can enable intermediaries to identify the source of information in E2E, without breaking E2E. Unfortunately, the said technology does not exist as of today.

Freedom of speech and expression guaranteed under Article 19(1)(a) is one of the most precious rights available to Indians. In the digital age, freedom of speech requires an infrastructure of free expression and not mere freedom from digital state prohibition. The infrastructure of free expression includes various kinds of media and institutions for knowledge, creation, and dissemination that are available at any point in time, of which social media is an integral part. Safe harbour provisions similar to Section 79 of the IT Act, have aided in the development of various search engines, platforms, cloud services etc. At the same time to prevent unlawful and harmful online behavior, or at least to mitigate its effect, moderation is absolutely essential. While the 2011 rules relating to Intermediary liability were outdated and insufficient, the Government must endeavor to bring the 2021 Rules in line with the judgments of the Hon'ble Supreme Court and proportionate to fundamental rights of privacy and freedom of speech and expression of all citizens, guaranteed under the Constitution of India.

Amith Krishnan is a lawyer practicing in the Supreme Court of India.

Views are personal