29 November 2021
From their abrupt promulgation[1] to their unusual administration by two ministries[2], to being the subject of widespread protests, and the staying of several operative portions by courts[3], the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Rules”) have had a brief and tumultuous existence.
Therefore, the recently-published ‘Frequently Asked Questions on The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“FAQs”)[4] would have been an ideal forum for the Ministry of Electronics and Information Technology (“MEITY”) to clarify certain long-standing questions around various aspects of the Rules.
While it is somewhat understandable that the FAQs do not clarify Part III of the Rules (though they are by far the most contentious) as they are administered by the Ministry of Information and Broadcasting (“MIB”), clarity is elusive even in aspects that the FAQs deal with.
Definition of Social Media Intermediaries (“SMIs”):
The FAQs reiterate the Rules in stating that SMIs (which are subject to substantial additional onerous requirements) are platforms which ‘solely or primarily’ enable online interactions.
The FAQs list out the following as examples of ‘enabling online interaction’:
-
Platforms that facilitate socialisation or social networking as well as allow the users to increase their reach and following within the platform through specific features such as ‘follow’ and ‘subscribe’.
-
Platforms that offer opportunity to users to interact with unknown persons or users; and
-
. Platforms which enable content to become viral (i.e. to get circulated rapidly and widely from one internet user to another).
Interestingly the above examples do not cover (and indeed may be read to exclude[5]) ‘private messaging’ SMIs. However, the FAQs still treat them as SMIs, in the context of end-to-end encryption[6].
Further, the FAQs helpfully clarify that intermediaries, which primarily enable commercial or business transactions such as search engines or online storage services would not be treated as SMIs.
This is a welcome clarification for online businesses that allow registered users to comment or be part of community forums, as well as for service providers who facilitate interaction amongst registered users as one facet of a diverse service offering.
Unfortunately, the FAQs stop short of specifying a bright line test to define ‘primarily’ enabling interaction. Such an approach would have helped remove much of the ambiguity in this space.
Information Sharing with Law Enforcement Agencies:
While the Information Technology Act, 2000[7] (“IT Act”) and the erstwhile Information Technology (Intermediary) Guidelines, 2011, already provided the grounds under which law enforcement agencies could seek information, the FAQs clarify the extent of information that an intermediary is required to store after an account has been deleted[8].
They clarify that only information collected at the time of registration and withdrawal (especially information which enables identification of the location and time the relevant user account was created) is covered under the relevant rule and any information pertaining to the user’s activity will be governed under the Information Technology (Reasonable security Practices and Procedures and Sensitive Personal Data and Information) Rules, 2011[9] and Section 67C of the IT Act.
While the FAQs do not set out a bright line test, the clarification may help platforms reconcile their obligations under the Rules against impending data minimisation obligations[10].
Additional Obligations of Significant Social Media Intermediaries (SSMIs):
SSMIs[11] have an obligation under the Rules[12] to appoint a chief compliance officer, resident grievance officer and a nodal officer, each having distinct roles and responsibilities[13].
While the Rules technically allow the grievance officer and nodal officer to be the same person, the FAQs bring out a preference for this to be different people and require different contact information for government and private requests.
The FAQs also clarify that designations apply across all entities providing services and not each product or service that may qualify such entity as an SSMI.
This is welcome and may help streamline processes within organisations, avoiding undue compliance burdens.
With respect to the obligation on publishing a monthly compliance report[14], the FAQs clarify that information around user complaints, actions taken, and proactive removal of date can be published in aggregated fashion. They also clarify that any information in the compliance report needs to be in consonance with data privacy principles.
This is welcome as the Rules do not specify a format of the report, resulting in some ambiguity around levels of disclosure.
Sharing Details of First Originator by SSMIs:
SSMIs are required to share details of the first originator of information[15]. This has led to multiple objections, as complying with retrospective requirements may require undermining end-to-end encryption and create privacy concerns. The FAQs clarify that the intent is not to compromise privacy. While an illustrative mechanism to enable compliance is proposed, this is less than clear, particularly where messages may have been modified or amplified. The FAQs do clarify that SSMIs are permitted to devise alternative technical means.
Notification on Takedown of Content:
The FAQs clarify[16] the it is mandatory for the SSMI to notify users where content is taken down for violation of user terms either on grounds such as being illegal, or where takedown is directed by the Grievance Officer. This seems to be an interesting new adjudicatory role for the Resident Grievance Officer.
However, no such communication is required in the event such content has been removed to counter bot activity, malware, terrorism or other activities where it may not be prudent to notify the user.
The FAQs clarify that the status of SSMIs as intermediaries (and safe harbour protection under Section 79 of the IT Act) will not be impaired by their labelling of paid or sponsored content[17].
Conclusion
The FAQs leave open several thorny points, including the trigger for the requirement to identify the first originator of messages, the definition of SSMI in the context of private messaging, and several aspects of Part III of the rules.
The above being said, the publication of the FAQs is a step in the right direction and provides clarity around intermediary obligations.
It also sets a valuable precedent for the consolidation and formalisation of responses provided on individual queries to various entities, a trend that is only likely to increase in days to come.
For further information, please contact:
Arun Prabhu, Partner, Cyril Amarchand Mangaldas
arun.prabhu@cyrilshroff.com
[2] Part II of the Rules are administered by the Ministry of Information and Technology, Government of India and Part III of the Rules are administered by the Ministry of Information and Broadcasting, Government of India.
[3] For further details on stay of several operative portions by courts, please see https://www.livelaw.in/news-updates/high-court-latest-news-kerala-madras-bombay-delhi-orissa-allahabad-185113?infinitescroll=1, https://www.livelaw.in/top-stories/madras-high-court-it-rules-2021-code-of-ethics-intermediaries-stayed-181762?infinitescroll=1 and https://www.livemint.com/news/india/bombay-hc-stays-provisions-of-it-rules-2021-11628948228496.html.
[5] FAQ 12 of the FAQs.
[6] FAQ 6 read with FAQ 24 of the FAQs.
[8] Rule 3(1)(h) of the Rules read with FAQ 15 of the FAQs.
[10] The Personal Data Protection Bill, 2019, in its current form, recognises the principles of data minimisation laid down in Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[11] Rule 2(v) of the Rules read with https://egazette.nic.in/WriteReadData/2021/225497.pdf define SSMIs as SMIs who have more than 5 million registered users.
[12] Rule 4 of the Rules.
[13] Rules 4(1)(a), 4(1)(b) and 4(1)(c) of the Rules.
[14] Section 4(1)(d) of the Rules.
[15] Rule 4(2) of the Rules.
[16] FAQ 21, 22 and 23 of the FAQs.
[17] Rule 4(3) of the Rules read with FAQ 26 of the FAQs.
