Summary: IT Rules clarifications from the government and some comments from us

By Anushka Jain, Aihik Sur, Nishant Kauntia, and Mitaksh Jain

After months of controversy, India’s Ministry of Electronics and Information Technology (MeiTY) has finally provided clarity on the Information Technology (Guidelines For Intermediaries And Digital Media Ethics Code) Rules, 2021, through a set of Frequently Asked Questions.

The 28-page document goes through various questions on the applicability, due diligence provisions, penalties, etc. of the IT Rules related to social media intermediaries; however, the ministry is expected to release another document on the Standard Operating Procedures for the Rules, Minister of State (MoS) for IT Rajeev Chandrashekhar said at a press conference on November 1.

Since their enactment in May, the IT Rules have been challenged in various courts and has also led to Twitter nearly losing its safe harbour status in India. In fact, soon after the rules came into force, five industry bodies wrote to MeitY asking for more clarification on the compliance requirements and norms dictated by the rules.

Advertisement. Scroll to continue reading.

FAQs on the basics of IT Rules

• Will news aggregators qualify as intermediaries or publishers under the IT Rules, 2021? Some entities may be functioning both like an intermediary as well as a publisher, the FAQ clarifies. Further clarification with respect to the Rules relating to news and current affairs content may be sought from the Ministry of Information & Broadcasting (MIB).
  • What is left unaddressed? The response does not address how such aggregators will comply with the rules for both intermediaries and publishers. “…it’s quite hard to imagine how they [news aggregators] can both be intermediaries and follow the provisions applicable to aggregators at the same time,” Udbhav Tiwari said at an earlier MediaNama event. Alternatively, Tiwari asked, they should clarify that in cases where an intermediary is also a news aggregator, what should they be treated as. In saying that further rules will be outlined by the MIB, MeitY, which is the nodal agency for the IT Act, might be passing the buck for its responsibility.

• Do the rules affect the privacy of individuals? The FAQs document says that the IT Rules do not infringe on the right to privacy as users can ask intermediaries to remove any content that depicts them in partial/full nudity within 24 hours of reporting it. Intermediaries also, under the rules, have to remind users not to post content that is invasive of someone else’s privacy. Further, in relation to the IT Rules’ ‘first originator’ clause or traceability mandate, intermediaries only have to identify users when there is an order from a court or a competent authority and the matter relates to child abuse, national security, etc.
  • MediaNama’s Take: These rules, if implemented, would force platforms to do away with end-to-end encryption thereby removing privacy protections that platforms may have instituted. This would be a disproportionate violation of privacy because to be able to catch a few people, they would force the reduction of privacy for all users and thus, because of the lack of necessity and proportionality would result in the violation of privacy.
• Do the rules affect the right to free speech and expression? The FAQs document says that the IT Rules do not infringe upon free speech and expression as they have been written in tandem with the constitutional safeguards for freedom of speech, under Article 19 and 19 (2). It also says the rules do not place any more obligations on users or have provisions to penalise them.
  • MediaNama’s Take: The removal of end-to-end encryption will have a chilling effect on free speech because of reduced privacy for communication between two individuals. This would essentially violate the fundamental right to privacy.

Related: MEITY’s Rakesh Maheshwari On IT Rules, 2021; Traceability, Intent, Compliance Timelines

FAQs on terminology and scope of IT Rules

• Who is a social media intermediary? “To qualify as a social media intermediary, enabling of online interactions should be the primary or sole purpose of the intermediary. Therefore, typically, an entity which has some other primary purpose, but only incidentally enables online interactions, may not be considered as a social media intermediary,” the FAQs say. The IT rules had defined a social media intermediary which enables online interaction allowing users to create, upload, share, disseminate, modify or access information using its services. In the FAQs the ministry further clarifies the phrase “enables online interaction” saying that such a platform should:(a) Facilitates socialization/social networking, including the ability of a user to increase their reach and following, within the platform via specific features like “follow”/“subscribe” etc.;
  (b) Offers opportunity to interact with unknown persons or users;
  (c) Ability of enabling virality of content by facilitation of sharing. Virality, in this context, means the tendency of any content to be circulated rapidly and widely from one internet user to another.
• Who doesn’t qualify as a Social Media Intermediary? Entities ‘enabling commercial or business-oriented transactions, provide access to internet or search-engine services, e-mail service or online storage service, etc.’ will not qualify as a social media intermediary.
• • MediaNama’s Take: Our discussion on the IT Rules highlighted that different intermediaries may have a different kind of liability. For instance, an intermediary that offers IoT services will have different liabilities as compared to one that offers AI services, explained S Chandrasekhar, Group Director, Government Affairs & Public Policy, Microsoft (India). The discussion had also thrown up a possibility of an authority to help businesses verify whether they are covered or not, as suggested by Rahul Narayan, a lawyer. “I don’t think that the government or the authorities actually intend to make business difficult for entities which shouldn’t be covered,” he added.
• Which social media intermediaries will qualify as ‘significant social media intermediaries’? Reiterating the fifty lakh registered user threshold, the Ministry clarified that only those users who have registered or created an account with an SSMI are to be computed for the threshold.
  • MediaNama’s Take: While it is clear that messaging apps like WhatsApp, Signal, and Telegram fall under the purview of the IT Rules, 2021, Apple’s encrypted messaging service iMessage, which has around 75 crore iPhone users, has fallen in a grey area. The Hindustan Times quoted an unnamed official saying that iMessage does not have to comply with the rules. But everyone who wants to use iMessage has to create an Apple ID. So, the question’s still out on whether these rules apply to Apple or iMessage as an SSMI.

FAQ on Intermediaries

• When ordering content takedowns, what details will the government authority provide? Typically, an order for a takedown by a public authority will contain –
  1. the platform specific identified URL(s)
  2. the law being administered by the authorised agency
  3. the specific clause of the law being violated
  4. justification and evidence; and
  5. any other information (e.g. time stamp in case of audio/ video etc.)

FAQs on Significant Social Media Intermediaries

• Can one person be appointed to fulfil the roles of the nodal contact person as well as the Resident Grievance Officer for significant social media intermediaries?  If not, can one person be appointed to fulfil the diverse roles of the Chief Compliance Officer as well as the Resident Grievance Officer? The ministry clarifies that the Chief Compliance Officer and the nodal contact person cannot be the same person whereas the roles of the nodal contact person and the Resident Grievance Officer may be performed by the same person. However, it is desirable intermediaries appoint separate persons for the nodal contact person and the resident grievance officer. The Government, through this rule, expects the intermediary to provide separate contact details for grievances submitted by users and the requests/orders made by the Government or authorized Government agencies.
  • What’s the catch? It is important to note that the government has asked to provide separate contact details for “grievances submitted by users” ( to a resident grievance officer) and “requests/orders made by government or authorised government agencies (to a chief compliance officer). The government has not made it clear whether the posts have to be manned by two persons (like it did in the case for chief compliance officer and nodal contact person). This is significant because currently Twitter is embroiled in a legal battle in the Delhi High Court in regards to compliance to the IT Rules 2021. Although Twitter showed that it has made all the necessary appointments, objections have been raised regarding the appointment of Vinay Prakash, who has been given the roles of chief compliance officer and resident grievance redressal officer.
• If a parent company owns multiple significant social media intermediaries, can they appoint common officers across all SSMIs? The ministry’s response was affirmative but it added that the contact details to approach these officers are required to be clearly mentioned on each of those product/service platforms separately.
• Is there a particular format for publishing this report including details on the type of information that is essential or the level of granularity of the information published? The document specifies that the report should ideally contain 1. Summary details of the complaints received, e.g., the subject under which the complaint is received (e.g., copyright) Action taken under these different heads 2. The information could be disclosed in the aggregated form without disclosing granular details of all cases. 3. Under voluntary actions taken by an SSMI, it is enough to mention the number of communication links removed by the SSMI.
  • What’s the catch? The frequency of monthly compliance reports has been termed as onerous given that companies used to come out with periodic reports every six months earlier which was a better timeframe than a month. Harshitha Thammaiah, General Counsel, Xiaomi India, said in a MediaNama discussion on IT Rules that the way the provision is worded, companies would have to compile very large reports, which would need considerable effort. “Even if it is the silliest grievance, I need to start compiling in a certain way, and file it with the government. I think that’s a huge, huge compliance burden,” she said. The FAQs do not clarify the need for a monthly report.
• Intermediaries must, to the extent reasonable, provide the complainant with reasons for any action taken or not taken. Is there a criterion on what would qualify as ‘reasonable’? In case of frivolous complaints, would it not be reasonable to desist from providing reasons for inaction? The government said that intermediaries are expected to provide a reasonable explanation to the aggrieved user. In case of a frivolous complaint, the nature of the complaint can be cited as the reason for any action not taken. “It is expected that the intermediary provides details of its grievance redressal mechanism for the benefit of the aggrieved users,” the ministry wrote in the document.
• Social media intermediaries are required to notify the user whose information is taken down and allow adequate opportunity to dispute the action. Should the user be notified in all such scenarios? The FAQs document explains: “The user may be notified only in a scenario where the content is removed or disabled by an SSMI on its own accord for violation of terms and conditions of the service. The term “on its own accord” implies, where the SSMI:

1. Uses automated tools/filters or some national or international agency/specialised organisation has identified child sexual abuse materials (CSAM) and related materials;
2. Concludes that the content falls under the prohibited category as defined under any law for the time being in force;
3. Is of the opinion that the content is blatantly illegal and notifying might harm the complainant
4. Removes the content as advised by its Resident Grievance Officer in accordance with its grievance redressal mechanism.

• If bots are notified about action taken, they may tweak their attack strategy. In such cases, are intermediaries allowed not to send a notification to suspected bots and/or to implement a lag in notification? There might be situations (e.g., in case of a bot activity or malware, terrorism related content, spam, etc.) where the intermediary may not find it prudent to inform the user prior to taking down their content. In such a scenario, it is expected that the intermediaries may undertake steps while handling a non- human user, to effectively counter bot activity.
  • What’s the catch? One worrying factor is that algorithms can sometimes mistakenly identify legitimate accounts as bot activity. For instance, at times individual users, which may be campaigning, have been identified as bots and censored. If such an approach is allowed, such users will not get adequate notice.
• Would detection of the first originator of a message in the messaging platforms compromise end-to-end encryption? The intent of this rule is not to break or weaken the encryption in any way but merely to obtain the registration details of the first Indian originator of the message. The electronic replica of the message (text, photo or video, etc.) will be shared by the requesting agency along with a lawful order. A typical principle of detection is based on the hash value of the unencrypted message, wherein identical messages will result into a common hash (message digest) irrespective of the encryption used by a messaging platform. How this hash will be generated or stored needs to be decided by the concerned SSMI, and SSMI are free to come up with alternative technological solutions to implement this rule.
  • Is it possible? MediaNama interviewed independent security researcher Anand Venkatanarayanan, who told us that “no one in the world who studies cryptography knows how to do it.” Venkatnarayanan explained: To implement it, WhatsApp either needs to store the plain text of every message, which means breaking up E2E entirely or store the hash value of every message. The hash value lookup is also problematic because Hash (Encrypted Message) will not be equal to Hash (Unencrypted Message) and WhatsApp only has access to encrypted messages. Further, the encryption keys change every message and are not known to WhatsApp at all. So when law enforcement serves a request to WhatsApp to find out the originator of the above message, what can it do, even if it stores every encrypted message ever sent? said Anand Venkatnarayanan.
• Rationale for traceability: If the intermediary has to convey to its users not to upload or share a particular type of content, it should have the capability of determining so or else the platform loses its own capability to enforce its own terms of usage. That’s the rationale for the traceability requirement, according to the FAQ.
  • Counterview from Nikhil Pahwa: The government is trying to put forth what it feels is the most palpable reason for breaking end to end encryption. The actual reason for it might be that the government actually wants to snoop on our communications. This is only an attempt to seem reasonable. Let’s also not forget that the rules have no legal backing in terms of being used to enforce adherence to terms and conditions. The IT Act does not allow this. The government has no basis for recommending any mechanism that violates end to end encryption merely for the purpose of enabling a platform to enforce its own terms and conditions. As of today, it is completely at the platform’s discretion under law to act against a user that violates its terms of conditions. To use what might be a discretionary activity through breaking of encryption does not make sense.

Questions we had asked MeitY about the IT Rules that they’ve answered

Below are some of the question which Medianama had sent to the ministry with relation to the IT rules. The ministry has answered a few of them, allow of which have been listed below.

On News Aggregators qualifying as intermediaries: Regarding Rule 2, can an entity be categorized as both, a ‘publisher of news and current affairs content’ AND an intermediary? Would this entity be subject to obligations under both Part II and Part III of the rules?

On who qualifies as Significant Social Media Intermediary:
1. In the definition of “significant social media intermediary” (Rule 2(1)(v)), how should the term “registered users” be interpreted? Does this include users who have been inactive for a period of time, and if so, for what period of time? Does a person who has two registered accounts count as two registered users, or just one?

2. A “social media intermediary” (Rule 2(1)(w)) includes an intermediary “which primarily or solely enables online interaction between two or more users […]”. What is the scope of the term “interaction” in this definition?

3. Will email service providers such as gmail, yahoo, rediffmail etc. be covered under the definition of a “social media intermediary” in Rule 2(1)(w)?

4. Clarification on the definition of ‘social media intermediary’ and whether they would include fintech, payments, e-commerce entities under the Rules

Details of content takedown orders and information requests:

Advertisement. Scroll to continue reading.

1. In what manner and format will the authorised agency under Rule 3(1)(d) notify the intermediary regarding the information to be taken down?

2. Under Rule 3(1)(j), what are the legal standards to be met for information or assistance to be requested from an intermediary, and what kind of constitutional safeguards will be present to ensure that fundamental rights such as right to privacy are protected?

Period of retention of content: Under Rule 3(1)(g),what is the time period of retention of content in case the customer deletes the account?

180 days, say the FAQs about retaining a customer’s data after they have ‘withdrawn’ their registration from the intermediary.

Details in compliance reports: Which complaints should be included by an intermediary in the compliance reports to be published under Rule 4(1)(d)?

Safe harbour to intermediaries on advertisements: Rule 4(3)- Where a significant social media intermediary publishes ads, owned/ licensed content and identifies such content as advertised, promoted etc., or pays third parties to upload certain types of content, will it still qualify as an intermediary and be eligible to claim immunity under Section 79?

Advertisement. Scroll to continue reading.

The FAQs lay down that advertisements will not impact an intermediaries claim to safe harbour protection under Section 79 of the IT Act, which will anyway be decided as per judicial interpretations. The FAQs also refer to the Rule 4(3) of the IT Act, which asks intermediaries to label advertisements as such, to say that it allows consumers to make an informed choice of accessing such content.

Exceptions under notice given to users before removal of access: In which events is prior notification to be given to users regarding the suspension or removal of their access under Rule 4(8)? Are there any exceptions to this Rule?

Exceptions under additional information requested from intermediaries: Under Rule 4(9), what is the nature of additional information that may be requested by MeitY from intermediaries and how would such information requests safeguard against commercially sensitive or otherwise confidential information held by intermediaries?

Information related to their grievance redressal process including compliance reports and such additional information that MeitY is empowered to seek under the IT Act for effective implementation of Part II of the IT Rules can be requested, the FAQs lay down. However, this would exclude ‘commercially sensitive, trade secret or otherwise confidential information’ it adds.

Questions that no one probably asked the government but they answered anyway

• Can users be penalised under the IT Rules? No. However, users do need to ensure that the content they share on intermediary platforms is not violative of the IT Act (e.g., under sections 67, 67A, 67B, etc.) or other existing laws such as the Indian Penal Code, the Copyright Act, etc. as they may be liable to be prosecuted/ penalized under all such laws.
• Does the intermediary have to submit a physical copy of compliance reports to MeitY? Is the intermediary required to publish the report on its website? MeitY said that the intermediary does not have to submit a physical copy of the compliance report to MeitY. Rather, the intermediary is required to publish the monthly compliance report on its platform. The report should contain details of the preceding month.

This is a developing story that will be updated with more details related to the IT Rules FAQs

Also Read:

• Guide: All You Need To Know About The New IT Rules, 2021
• Summary: Information Technology Rules 2021, And Intermediaries And Social Media Platforms
• Summary: Information Technology Rules 2021 And Digital News Publishing
• Summary: Information Technology Rules 2021 And OTT Streaming Services

Have something to add? Subscribe to MediaNama here and post your comment. 

Advertisement. Scroll to continue reading.