WhatsApp on Wednesday filed a lawsuit in Delhi High Court against the Indian government over the IT Rules 2021 arguing that the rules are unconstitutional and beyond the scope of the parent Act.
Download a copy of WhatsApp’s petition here.
In its initial response to the lawsuit, the Indian government said that it does not have any intention to violate the privacy of a citizen, but added that the Right to Privacy is not absolute and that compliance with the rules was necessary for “public interest.”
What is the lawsuit contesting?
WhatsApp’s lawsuit is contesting Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. This rule requires a significant social media intermediary providing services primarily in the nature of messaging to enable the identification of the first originator of the information. WhatsApp argues that this traceability mandate will require the platform to break end-to-end encryption for all its users, which will violate the users’ right to privacy and freedom of speech and expression, and is beyond the scope of the parent Act.
What is WhatsApp asking for and on what grounds?
In its petition, WhatsApp has requested the court to:
- Declare Rule 4(2) as unconstitutional, ultra vires the IT Act, and illegal.
- Ensure that there is no criminal liability imposed on the platform for any alleged non-compliance to the said rule.
- Provide interim relief by staying Rule 4(2) pending adjudication of this lawsuit. The last day to comply with the rules was May 25.
WhatsApp has made these requests on the grounds that Rule 4(2):
- Violates the fundamental right to privacy guaranteed under Article 21 of the Constitution
- Violates the fundamental right to freedom of speech and expression guaranteed under Article 19 of the Constitution
- Is ultra vires the parent statutory provisions, Sections 69A and 79 of the IT Act
- Is “manifestly arbitrary” in violation of Article 14 of the Constitution
- Violates the principle of data minimisation
Rule violates the fundamental right to privacy
Does not satisfy Puttuswamy test: WhatsApp has submitted that the rule infringes upon the fundamental right to privacy because it does not satisfy the three-part Puttuswamy test set forth by the Supreme Court:
- Legality – To satisfy this requirement there must be a valid statute allowing the impugned rule, but currently, there is neither a law requiring intermediaries to enable traceability nor a statute that allows the imposition of such a requirement through subordinate legislation.
- Necessity – To satisfy this requirement, there must be a legitimate state aim and a “guarantee against arbitrary State action.” But the rule currently allows the government to issue tracing orders without judicial review, which does not guarantee against arbitrary State action.
- Proportionality – To satisfy this requirement, the government should achieve its stated aim using the “least restrictive alternative”. However, if WhatsApp has to enable traceability it will have to break end-to-end encryption for all its users, even lawful ones, because there is no way to selectively identity users that the government might issue tracking orders against. This is contrary to the Supreme Court precedent that surveillance must be targeted and limited only to those “persons, whether or not previously convicted, whose conduct shows a determination to lead a life of crime”. WhatsApp argues that end-to-end encryption has many important benefits including ensuring the integrity of the content of communications, promotes a citizen’s fundamental right to privacy, enables journalists and activists to exercise the right to freedom of speech and expression without fear of surveillance, protects deeply personal conversations, provides doctors and patients, as well as lawyers and clients, a tool to confidentially communicate, protects communications by law enforcement agencies, etc, and that all of these benefits will be lost if it breaks end-to-end encryption.
“Fundamental rights cannot be sacrificed on the anvil of fervid desire to find instantaneous solutions to systemic problems”. – Ram Jethmalani v. Union of India, (2011) 8 SCC 1.)
Rule violates the fundamental right to freedom of speech and expression
Chills lawful speech: The petition argues that Rule 4(2) violates the fundamental right to freedom of speech and expression guaranteed under Article 19(1)(a) of the Constitution, as it curbs even lawful speech. The Supreme Court has held in numerous cases that a law violates the fundamental right to freedom of speech and expression if it chills lawful speech. WhatsApp argues that breaking end-to-end encryption will result in curbing of lawful speech because citizens will not feel safe to “speak freely for fear that their private communications will be traced and used against them.” The petition cites a Supreme Court case in which the court guarantees citizens “the right to propagate one’s views through the print media or through any other communication channel”, and says that “any attempt to deny the same must be frowned upon unless it falls within the mischief of Article 19(2) of the Constitution.”
Rule is ultra vires its parent statutory provisions
WhatsApp argues that enabling traceability is ultra vires its parent statutory provisions, Section 69 and 79 of IT Act 2000, and the intent of the IT Act itself for the following reasons:
No clear policy declaration: To mandate traceability, there must be a clear policy declaration in Section 79 that Parliament intended to impose such a requirement. However, there is neither such a declaration nor anything there to suggest the Parliament intended to impose such a mandate. The Supreme Court has previously held “that a subordinate legislation can be challenged not only on the ground that it is contrary to the provisions of the Act or other statutes, but also if it is violative of the legislative object.”
“It is a well-recognised principle of interpretation of a statute that conferment of rule-making power by an Act does not enable the rule-making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent therewith or repugnant thereto.” – Kunj Behari Lal Butail v. State of H.P., (2000) 3 SCC 40
Neither procedure nor safeguard: Section 69A empowers the government to direct an intermediary to block access to content on its platform and to prescribe “procedures and safeguards subject to which such blocking for access by the public may be carried out”. But the traceability mandate is neither a “procedure” nor “safeguard” and it “has nothing to do with the removal of unlawful content.”
Only allowed to prescribe due diligence: Section 79 only allows the government to prescribe the “due diligence” that intermediaries must observe to maintain their immunity. Mandating an intermediary to fundamentally alter its platform to enable traceability falls outside “due diligence”.
Intent is to achieve uniformity of law: According to the preamble of the IT Act, the intent of the Act is to achieve “uniformity of the law” with other countries. WhatsApp claims that it is unaware of any other country that requires intermediaries to enable traceability.
Rule is “manifestly arbitrary” in violation of Article 14 of the Constitution
Article 14 of the Constitution states that “the State shall not deny to any person equality before the law or the equal protection of the laws within the territory of India.” WhatsApp in its petition cites a Supreme Court case where the court held that laws are “manifestly arbitrary” in violation of Article 14 if they are “obviously unreasonable, capricious, irrational, without adequate determining principle, or excessive and disproportionate.”
WhatsApp argues that the traceability mandate is “manifestly arbitrary” for the following reasons:
Disproportionate: Enabling traceability is disproportionate as the harms it causes far outweigh its purported benefits as highlighted above in the proportionality component of the Puttuswamy test.
Parliament did not intend to give such authority: Supreme Court has held that subordinate legislation suffers from manifest arbitrariness if the Parliament did not intend to give authority to make such legislation. As explained in more detail above, the traceability mandate is ultra vires its parent statutory provisions and the intent of the IT Act itself.
Rule violates the principle of data minimisation
Platforms should only collect and store essential data: According to data minimisation principles, an online service “should only collect and store user data that is essential to provide its service in order to minimize the risks of unauthorized entities accessing that data.” The Supreme Court has held that “only with ‘strict observance’ of the principles of data minimisation and storage limitation ‘can the State successfully discharge the burden of proportionality while affecting the privacy rights of its citizens.’” But the traceability mandate requires WhatsApp to store additional data for every message sent in India on its platform and thus goes against data minimization principles. Furthermore, the IT Rules do not prescribe a time limit, forcing WhatsApp to store this additional data even years after the message was sent.
- Breaking: Centre Asks Social Media Firms To Provide Details Of Compliance With IT Rules 2021; Impact Of Non Compliance
- IT Rules 2021: CEO Will Cathcart Says WhatsApp Hopes To Find Solution To Traceability Without Breaking Encryption
- Identifying A Message’s Originator Undermines End-To-End Encryption: Internet Society
- Transcript And Video: MEITY’s Rakesh Maheshwari On IT Rules, 2021; Traceability, Intent, Compliance Timelines
- Supreme Court Directs Madras HC To Transfer All Files In The WhatsApp Traceability Case