- The IT Rules 2021 was spurred on by court cases (including the Prajwala case on child sexual abuse and gang rape imagery online) and by the Rajya Sabha Committee’s report on child pornography.
- The government will bring in new standard operating procedures to be followed by intermediaries for compliance with the rules; they will not be notified in the gazette.
- The government is open to revising the 5 million threshold up or down in the future if necessary, according to MEITY’s Rakesh Maheshwari.
According to MEITY official Rakesh Maheshwari, the Indian government’s intention with the IT Rules 2021 has always been to have a higher level of accountability for users from all intermediaries, particularly the significant ones. The IT Rules 2021 represent a sea change for how internet intermediaries, which include ISPs, search engines, social media platforms, and countless others, will govern their own services, a change that will have a direct impact on free speech and user privacy.
Maheshwari is the Senior Director and Group Coordinator of Cyber Law & eSecurity at the Ministry of Electronics and Information Technology (MEITY). Speaking at MediaNama’s April 23 discussion on the impact of the IT Rules 2021 on intermediaries, he explained several of the Rules’ requirements and the government’s reasoning behind them. He said the government’s intention is not to net in more platforms as significant social media intermediaries or to harass chief compliance officers. He cited the following as some of the reasons that the rules were brought in place (note that quotes are paraphrased not verbatim):
- A clear recommendation from the Prajwala case was that need to curb child sexual abuse and gang rape imagery online. The question at the time was prevention. Everyone agreed that it should be possible to not to allow uploading of the same digitally identical content on the same platform.
- The rules have also been spurred on by court cases and the Rajya Sabha Committee’s report on online child pornography.
- The government felt the need to have some sort of rules for the just-declared allocation of business rules for the Ministry of Information & Broadcasting.
- “We thought that in the given scenario, given the limitations of the [IT] Act that we have as of now, the best route will be to have this combined rule covering intermediaries as well as publishers, the VOD platforms and the online news platforms,” Maheshwari said.
- In the course of some court cases, people were also claiming that their accounts were being suspended from social media without their knowledge. This is when we realised that why not have the option of some sort of advanced warning by platforms to users before accounts are suspended.
After elucidating these reasons, Maheshwari said he agreed that “there is no one-stop solution”. “The way the intermediaries have grown, the kind of complexities which have come up over a period of time, with the constraint that the IT Act has not been able to keep up pace with the changing requirements; that three tier structure has been created, as of now,” he said.
We have summarised some of the key clarifications and statements he made below. Read the full transcript (and watch the video) of Maheshwari’s remarks here.
User alerts: Maheshwari said that the requirement for platforms to convey terms and conditions to the user was felt because of the need to address fake news. The December 2018 draft rules said this should be done every month, but “we realised that this will become onerous” given that people use multiple apps and will ignore such messages; this has now been decreased to once in 12 months, he added.
Data retention: The data retention period has been doubled to 180 days; the need was felt in cases where the user or platform have removed an account and the data was not available when investigations were being carried out, Maheshwari said.
Social media and significant intermediaries: It’s true that in the present version, the way the definition of social media has come out can be quite broad and quite misunderstood, Maheshwari said. He added that the government’s aim is not to have more and more platforms being declared as significant social media platforms; the intent is for only those platforms that are reasonably large and present risk to be considered significant. We have already started working on putting up a clarification as to what constitutes a social media platform, he said.
The intent is to those platforms which clearly provide the possibility of higher and higher social interaction, which have a possibility of content going viral, which have a potential to cause damage, and which are otherwise not in a specific or niche domain, whether it is a business domain or whether it’s an within the organization, or maybe for a specific kind of an activity that you are carrying out; maybe such platforms should not be considered as social media platforms. — Rakesh Maheshwari
Personal Data Protection Law and social media: Some definition of social media and social media intermediaries has already gone into the Personal Data Protection Bill, which may bring about a definition of social media, Maheshwari said.
5 million threshold for identifying significant intermediaries: The 5 million figure for identifying significant social media intermediaries came about because of a gut feeling, but the government remains open to changing it, whether that needs to be increased or decreased in the future. Registered users will be counted, whether they are active or inactive. It’s for the platform to decide what they want to do with inactive users.
Legal accountability and grievance officer: The problem is that larger platforms providing services in the country legally absolve themselves by stating that their Indian counterparts are not the ones providing the service in the country, Maheshwari said. “So we ended up talking to faceless entities which are providing services in India, but who do not directly understand the culture and the sensitivities of the Indian mindset,” he said. Taxation is not a concern as far as MEITY is concerned, but there should be be accountability to the Indian citizen, user, and to the government, Maheshwari added.
And for that reason only, the concept of the chief compliance officer, the nodal officer, and the resident grievance officer has been brought in picture. Because there are a large number of cases also wherein when you were writing grievances or when you are making grievances to them, maybe not even acknowledgments were being made. And then, because you are not really sure whether your grievance has reached there or not, maybe you are also writing to California or to Ireland by post that your grievance is, at least, reaching there and hopefully gets heard. — Rakesh Maheshwari
But why have criminal liability for the individual? Maheshwari repeated that the government’s aim is not to have a criminal liability for the chief compliance officer. The government envisages the officer’s role as someone who ensures compliance with lawful orders and requests and addresses systemic failures and misunderstandings.
However, at the level of the Act, it clearly says that the intermediaries are exempted, and the intermediaries exemptions go in certain cases. So it is at the Act level and not at the rules level that the liability has become criminal or liability has become civil. So liability is already known, known right from the day the law act was last amended, the day the Shreya Singhal judgment was conveyed. So the liability has remained, but the aim of CCO is not to hold and howl him, but to ensure compliance of the lawful requirement of the government, and to resolve the issues. Because the majority of the time, there is a communication gap. — Rakesh Maheshwari
MEITY is working on SOPs for grievance redressal: “We are working on a few SOPs to ensure that sometimes people may not be directly able to reach out. Not everybody is well conversant with the act, with the internet. And not everybody will be a user of that particular platform,” Rakesh Maheshwari said.
So we are trying to work out some three four options, wherein the platforms will also be given an option to— they are also being encouraged to come up with trusted flaggers, some of them already have. So if a trusted flagger brings it to your knowledge, if the law enforcement brings it to your knowledge. If the person directly approaches, or if the person approaches through some authorization mechanism, that the grievance in such cases, should be expeditiously heard and taken care of. The same now applies that initially, say, as per 2011 rules, there was 36 hours of time for acknowledgement and 30 days for resolution. — Rakesh Maheshwari
The SoPs will not be notified in the gazette; they will only support the rules and will set the expectations for platforms, citizens, and for the government, he clarified.
Maheshwari suggested that the timelines are not hard and fast: Under the rules, intermediaries have to acknowledge a user complaint within 24 hours and dispose off it within 15 days. Maheshwari said the intermediaries could set up an automated system for acknowledgements. For the latter, he said that not every case has be done [resolved] within 15 days, “but definitely every platform must make an earnest effort”. Given the wide variety of intermediaries we have, the rules set the expectations, he said, adding that it is always on a case-by-case basis that actual timelines can be decided, he said.
Thereafter it is always on a one to one basis, on a case-to-case basis, that the actual timelines can be decided. But if there is an acknowledgement, if the reasons for delay, if any, becomes clear, I’m sure it’s more important that the due diligence is done, rather than we just stick on to whatever timelines have been defined. — Rakesh Maheshwari
At the same time, platforms will be exposed to losing their legal intermediary protections in case of systemic failures such as when they haven’t tuned their systems or increased the number of moderators.
Our intent is compliance. Our intent is that in a one-off case if some things go wrong, nobody should be chased. And therefore, particularly say for example with respect to the chief compliance officer, we have very categorically conveyed that an opportunity has to be given before anything is acted upon. So I would like to use this platform to convey that it is not the aim of the government to chase the chief compliance officer, or for that reason the intermediary, and then for every possible scenario maybe look forward and communicate that maybe you have lost your exemptions.
We are only looking forward when there is clear, willful defiance, systemic failures, and that too, we will be trying to address as much as possible. At least that’s our aim through the mechanisms that are being established, through the mechanism of chief compliance officer, and nodal officers that are being requested in certain, particularly larger platforms.
— Rakesh Maheshwari
Traceability and technical possibility: When questioned about the technical possibility of traceability within the bounds of end-to-end encryption and how such a demand should have been made only after technical consultation, Maheshwari said that the draft rules were made public over two years ago. There are certain expectations from the users as well that they won’t be involved in certain activities; platforms cannot simply take the shelter of being end-to-end encrypted. According to him, they cannot impose certain conditions on users but remain blind to what happens on their own platform.
MediaNama’s discussion on the IT Rules, 2021 was supported by Google.
Read our posts from the discussion here:
- The Traceability Mandate And What It Means For End-To-End Encryption
- Will IT Rules 2021 pass the muster of legal challenges?
- Impact of IT Rules 2021 on intermediaries, platform power and compliance burden
- Transcript: MEITY’s Rakesh Maheshwari on IT Rules, 2021