The Government of India, in supersession of the Information Technology (Intermediary Guidelines) Rules, 2011, notified the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (hereinafter referred to as the “Rules”) under the Information Technology Act, 2000 (“IT Act”) on February 25, 2021. The Rules encapsulate guidelines and regulations for intermediaries, OTT platforms, digital news apps, publishers of news and current affairs content and other social media players.

In our previous posts here, here and here on the Rules, we discussed the provisions of the Rules pertaining to intermediaries, their applicability to publishers of online curated content and news aggregators, the three-tier grievance redressal mechanism that the Rules introduced and the implications of the Rules for social media intermediaries and significant social media intermediaries.

Last week, India and the rest of the world witnessed WhatsApp, Twitter, Facebook and other major social media entities clash with the Indian government over these Rules. In this article, we provide an overview of what can only be best described as a ‘furore’ and what instigated the same.

To provide some background, the Rules issued back in February define a social media intermediary as an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services. The Rules also go on to define a significant social media intermediary (“SSMI”) as a social media intermediary whose number of registered users in India is more than 50 lakhs. As of today, some of the sizable SSMIs in India are WhatsApp, YouTube, Facebook, Instagram and Twitter. As SSMIs, these entities are encumbered with additional due diligence which they are required to observe, along with the standard due diligence that all intermediaries are bound by, in order to maintain their status as an intermediary.

Under the Rules, SSMIs were provided with a period of 3 (three) months effective February 25, 2021 to comply with the additional due diligence, which requires SSMIs to appoint a full grievance redressal team of 3 (three) officers with different responsibilities. The 3 (three) officers required to be appointed are a:

  • Chief Compliance Officer, responsible for ensuring compliance with the IT Act and the Rules made thereunder, and liable for proceedings in this regard;
  • Nodal Person of Contact, for “24×7 coordination” with law enforcement agencies; and
  • Resident Grievance Officer, with similar responsibilities as the Grievance Officer for intermediaries but with an added responsibility to notify a user before removing content posted by such user with reasons, provide them with an opportunity to dispute such action, and give the complainant its reasons for the decision taken in response to their complaint.

All 3 (three) officers appointed by the significant social media intermediaries, as above, are now legally required to reside in India. An SSMI under the Rules is required to have a physical contact address in India, which should be published on its website, mobile-based application or both, to receive any communication addressed to it.

The Rules were set to be effective from May 26, 2021, thereby giving SSMIs a 3 (three) months’ period to make the required appointments, after which non-complying SSMIs would lose the immunity granted to intermediaries by Section 79 (1) of the IT Act – famously known as the safe harbour provision. This safe harbour provision, subject to other provisions of the IT Act, provided intermediaries immunity from any liability for any third-party information, data, or communication link made available or hosted by such an intermediary. Losing their immunity would mean that SSMIs will be equally responsible for any unlawful content (for example obscene pictures or impersonation) as the person posting such content, and can be prosecuted for the same under applicable law such as the Indian Penal Code. The loss of immunity or the intermediary tag would also mean that SSMIs would be liable for every user post on SSMI platforms. Last week, with the due date fast approaching and with most SSMIs not having complied with the Rules, SSMIs such as WhatsApp, Facebook and Twitter were continuing to negotiate with the Indian government and seek an extension of 6 months’ time to comply with the new Rules.

One of the most significant grievances that WhatsApp has with the Rules, and what has become the central point of contention, is that the Rules require an SSMI providing services primarily in the nature of messaging to break its end-to-end encryption in order to identify the first originator of the information on its computer resource (on receipt of a judicial order). While the Rules state that this is solely for limited purposes such as prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, WhatsApp is of the opinion that the Rules violate one’s right to privacy and are therefore fundamentally unconstitutional. Facebook, the parent company of Instagram and WhatsApp, has expressed its intent to comply with the Rules but has flagged certain issues regarding privacy. In a recent move, the company has now moved the Delhi High Court challenging the Rule for identifying the ‘first originator’ of a message, which would effectively breach WhatsApp’s end-to-end encryption, long recognized as being the cornerstone of WhatsApp’s privacy framework. The breakdown of this end-to-end encryption may not only change internet usage in India but may also start a domino effect in other countries as well.

After days of face-off with the Indian Government over the Rules, on May 28, 2021, several social media entities such as Facebook, WhatsApp, LinkedIn, Telegram, Google etc. complied with certain provisions of the Rules pertaining to the appointment of India-based grievance redressal officers and shared with the Ministry of Information Technology details of their chief compliance officers, nodal contact persons and grievance officers to address local complaints regarding unlawful messages [1]. Twitter, it is reported, was not amongst those SSMIs that complied with the Rules, thus forcing the Delhi High Court to issue a notice to Twitter for non-compliance with the Rules. In its response to the same, Twitter has informed the Delhi High Court that it had already appointed a Resident Grievance Officer on May 28, 2021, and that there was “no question of not complying with the law or Rules”. Twitter has now been granted a period of 3 (three) weeks to file an affidavit to substantiate its assertions with regard to complying with the Rules [2].

Since the notification of the Rules, several petitions have been filed before various courts challenging the provisions of the Rules on grounds such as the Rules conferring unfettered powers on the executive, potentially in complete disregard of the constitutionally guaranteed rights of freedom of speech and expression, or because the Rules exceed the legal authority of their parent act – the IT Act. One such petition has been filed before the Kerala High Court by petitioner Live Law Media Private Limited and challenges the constitutional validity of the Rules. Aside from the privacy concerns expressed as part of the entire debate generated due to the issue, it does make one probe into the intent of the legislation, which no doubt introduces onerous measures which may result in huge compliance costs to large intermediaries. Furthermore, the fracas also puts into focus the clear need for a centrally legislated and appropriately drafted data privacy law which balances the rights of the individual, the businesses and the sovereign in one comprehensive whole, instead of in this piecemeal manner.