NASSCOM Policy Brief
24.01.2019
Ministry of Electronics & Information Technology’s Draft Information Technology [Intermediary Guidelines (Amendment)] Rules, 2018
Context
Ministry of Electronics & Information Technology (‘MeitY’) has invited comments from all stakeholders on the draft Information Technology [Intermediaries Guidelines (Amendment)] Rules, 2018 (“draft guidelines”) which seek to replace the Information Technology (Intermediaries Guidelines) Rules, 2011 (“existing guidelines”).
The existing guidelines were passed under section 79(2) of the Information Technology Act, 2008 (“IT Act”). Under section 79(2), intermediaries[1] enjoy safe harbour and are not liable for any third party information, data, or communication link hosted by them. The intermediaries lose the safe harbour protection if they fail to comply with the guidelines.
It is important to note that, as per section 79(2), the guidelines appear to be only applicable to intermediaries who provide access to a communication system over which information made available by third parties is transmitted or stored or hosted [sub clauses (a), (b) and (c) of section 79(2)].
The issue of intermediary liability has recently come into focus in relation to:
- IPR infringement[2]
- Circulation of obscene content
- Incitement to violence
- Spread of fake news
The immediate stimulus for proposing changes through the draft guidelines is to address concerns related to threat to public order and security.[3]
Key changes
- Rule 3(2) of the existing guidelines obligates the intermediaries to inform users through its rules and regulations and terms and conditions not to host/ display/ upload/ modify/ publish/ transmit/ update/ share an enumerated list of information. The words terms and conditions have been replaced by privacy policy.
a) Rule 3(2)(j) is being added to expand this enumerated list to include information which threatens public health or safety. This information would cover promotion of cigarettes or any tobacco product or consumption of intoxicant including alcohol and products that enable nicotine delivery including Electronic Nicotine Delivery System (ENDS).[4]
b) Rule 3(2)(k) is being added to include information which threatens critical information infrastructure.[5]
2. Rule 3(4) is being modified to require intermediaries to inform users, at least once every month, about non-compliance. The existing guidelines do not require the users to be informed periodically. This obligation relates to informing users that any non-compliance with rule 3(2) would lead to termination of the users’ access/usage rights, and removal of non-compliant content.
3. Rule 3(5) dealing with the obligation to assist in law enforcement is being modified to require intermediaries to provide information or assistance:
a) to any government agency
b) within 72 hours
c) and enable tracing of the originator
d) and the scope of the information and assistance has been reformulated to include security of the State; detection of offence(s) has been added to the purposes of assistance; matters connected with or incidental thereto has been added to cover any related purposes that might otherwise be left out.
4. Rule 3(7) is a new rule being proposed for intermediaries with more than 50 lakh users in India. This would require them to:
- Incorporate a company under the Indian Companies Act
- Have a permanent registered office in India with physical address
- Appoint a nodal person of contact in India and alternate senior designated functionary for 24×7 coordination with law enforcement agencies (LEA).
5. Rule 3(8) proposes to modify the existing Rule 3(4). Rule 3(4) contains the obligation to remove unlawful content and hold records. The rule was read down in Shreya Singhal v. Union of India[6]. At present, an intermediary must remove specific content only on an Article 19(2) restriction[7] upon receiving a court order or notification from a government agency. The draft guidelines propose to:
a) require intermediaries to remove/ block content which is relatable to restrictions that can be imposed through law on freedom of speech and expression within 24 hours and
b) preserve such information and associated records for 180 days or longer (if required by an authorised government agency).
6. Rule 3(9): Deploy automated technology to screen and remove unlawful content. This is a new rule which requires the intermediaries to use automated tools to proactively identify and remove access to unlawful information.
Analysis
- Rules 3(2)(j) & 3(2)(k) – Information which threatens public health or safety, or critical information structure: Users may lack a common understanding on the meaning of information which threatens public health or safety or what is a critical information structure. Intermediaries might be forced to exercise undue discretion in deciding what might threaten public health or safety. For example, would a photo of a person smoking be considered as promotion of cigarettes?
- Rule 3(4) – Inform users (at least once every month) about non-compliance: It is not clear how this obligation might be effectively met. All users of all intermediaries might not be registered. How will the intermediaries inform inactive users?
- Rule 3(5) – Provide information within 72 hours and enable tracing the originator: Under rule 3(5) of the draft guidelines, the intermediaries must enable tracing out the originator of unlawful information; this is in addition to the obligation to provide information/assistance to government agencies. The government already has the power to intercept messages transmitted on a telecom service provider’s network through Internet Platform applications. [8] Therefore, the need for enabling tracing is not clear and appears to disproportionately burden the intermediaries. If the intent was to build a sense of urgency and accountability, would a 72 hours’ time frame to provide information on a best effort basis be appropriate?
- Rule 3(7) – Incorporation and other obligations for intermediaries with more than 50 lakh users- An obligation to incorporate a company in India would bring in a host of other obligations on an intermediary. To begin with, they would need to comply with all rules and regulations provided in the Companies Act 2013. These require ongoing obligations. Incorporating an entity in India is likely to result in important taxation implications. These are just a couple of examples. Should the guidelines propose obligations which can be onerous for intermediaries given the fact that the purpose of the guidelines is to provide a safe harbour to the intermediaries? The purpose that the guidelines seek to achieve is ensuring accountability of intermediaries. It might be useful to study how this might be achieved with least burden on the intermediaries.
- Rule 3(8) – Takedown unlawful content within 24 hours and hold records for 180 days or longer: We have no specific concerns with the 24 hour requirement as proposed. The rationale for extending the time for holding records for all situations from 90 to 180 days is not clear. The change provides for records to be stored for such longer period as may be required by the court or by government agencies who are lawfully authorised. This should be sufficient to take care of situations where storage for more than 90 days is required instead of increasing the base line storage period to 180 days. Further, the appropriate sections for framing rules to takedown content and hold records appear to be sections 69A and 67C of the IT Act respectively and not section 79(2) of the IT Act. Therefore, it needs to be studied if the guidelines under section 72(2) are the appropriate place to provide the proposed rules.
- Rule 3(9) – Deploy automated technology to screen and remove unlawful content: This obligation appears to be onerous. Rules should be technology agnostic and focus on the outcome and not the means. Only a few intermediaries might have the capability to meet this requirement. In Kent RO Systems v. Amit Kotak[9], the Delhi HC specifically rejected a proactive screening requirement for intermediaries.
It would be important to emphasise that the guidelines are only for intermediaries who provide access to communication systems. This may be partly achieved by renaming the guidelines as: Information Technology [Guidelines for Intermediaries providing access to communication systems] Rules, 2018. More might need to be done to improve clarity around which kind of intermediaries need to comply with these guidelines.
The intent of the guidelines to strengthen the framework around maintaining public order and safety is laudable. However, the guidelines should not disproportionately burden the intermediaries. NASSCOM is studying the changes in detail and undertaking member consultations.
For further discussion on this, kindly contact: Devika Agarwal, Policy Analyst at Dagarwal@nasscom.in.
[1] The definition of an intermediary is given in section 2(1)(w) of the IT Act- “Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.
[2] See, for instance, Kent RO Systems v. Amit Kotak (CS (Comm) 1655/2016) and My Space Inc. v. Super Cassettes Industries Ltd. (CS (OS) 2682/2008).
[3] The various lynching incidents which took place in India in 2017-2018 led the Rajya Sabha to admit a calling attention motion on misuse of social media platforms and spreading of fake news in July, 2018.
[4] The only exception in this regard are products that enable nicotine delivery as may be approved under the Drugs and Cosmetics Act, 1940 and the related rules.
[5] Under Explanation to section 70(1) of the IT Act, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.
[6] Writ Petition (Criminal) No. 167 of 2012.
[7] The grounds specified in Article 19(2) of the Constitution of India are: sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.
[8] The government’s power to intercept messages on a TSP’s network is provided in section 5 of Indian Telegraph Act, 1885.
[9] CS (Comm) 1655/2016, para 35: “Merely because intermediary has been obliged under the IT Rules to remove the infringing content on receipt of complaint cannot be read as vesting in the intermediary suo motu powers to detect and refuse hosting of infringing contents.”