The Information Technology Act: Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

In the notification dated 25^th of Feb, 2021 the Central Government through the Ministry of Electronics and Information Technology put forth the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 exercising powers vested in it under the Information Technology Act, 2000. The new rules come into force in supersession of the Information Technology (Intermediaries Guidelines) Rules, 2011.

What are the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 aiming at?

The new rules for online intermediaries set the platform for due diligence, including:

·         Publication of guidelines: Mandatory publication of rules, regulations, privacy policy and user agreement for access and usage of these intermediaries.

·         Accountability: It sets accountability on the intermediary to inform the users to not host, display, upload, modify, publish, transmit, store, update or share certain types of information on their platforms.

·         Circulation of information: Mandates the intermediary to periodically update and inform its users as to the repercussions of non-compliance with these rules and updates in them.

·         Legal interference: These rules further detail the treatment of information by intermediaries upon an order of the Courts of law or the designated Government agency(s).

·         Legal surveillance: They further provide for the issuance of notification(s) that may be made by the Government or its agency(s) in relation to any information which may be prohibited under any law.

·         Retention: The rules discuss what would constitute hosting and exclude transient and intermediate storage of information and provides a timeline for the preservation of user information and preservation of records for Courts.

·         Active Reporting: These rules obligate the intermediary to report cybersecurity incidents and share related information with the Indian Computer Emergency Response Team and on order, with the Government agency, authorised for investigative or protective or cybersecurity activities for the purposes of verification of identity, or for the prevention, detection, investigation, or prosecution, of offences under any law being in force, or for cybersecurity incidents.

·         Grievance redressal mechanism: The IT Rules, 2021 further set the stage for a grievance redressal mechanism and lay down rules for the publication of information on its website and/or mobile-based application regarding the grievance officer including his contact details as well as the mechanism by which a user or a victim may make a complaint regarding a violation of the provisions of this rule or any other matters pertaining to the computer resources made available by the intermediary.

·         New Appointments by significant social media intermediaries.

What are the mandatory new appointments to be made by the significant social media intermediaries?

These rules provide for additional due diligence in case of a significant social media intermediary including:

·         Appointment of a Chief Compliance Officer: The Chief Compliance Officer shall be responsible for ensuring compliance with the applicable law(s) and rules and will be liable in any proceedings relating to any relevant third-party information, data or communication link made available or hosted by that intermediary where he fails to ensure that such intermediary observes due diligence while discharging its duties under the Act. The rules further provide that no liability under may be imposed on a significant social media intermediary without being given an opportunity of being heard.

·          A nodal contact person: The nodal contact person for 24×7 coordination with law enforcement agencies and officers to ensure compliance to their orders or requisitions

The rules provide for the publication of a periodic compliance report every month mentioning the details of complaints received and action taken thereon by the intermediary.

The report must also mention the number of specific communication links or parts of information that the intermediary has removed or disabled access to in pursuance of any proactive monitoring conducted by using automated tools or any other relevant information.

What is the ambit of privacy and security under the new rules?

·         The first origin of Information: These rules further provide for enabling the identification of the first originator of the information. An order seeking this identification may be passed as required by a competent judicial or government authority where other less intrusive means are not effective in identifying the originator of such information.

Such an order shall only be passed for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to:

(a)   The sovereignty and integrity of India.

(b)   The security of the State.

(c)   Friendly relations with foreign States, or public order.

(d)   Incitement to an offence relating to the above or in relation to rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years.

·         Mandatory Disclosure: The rules provide for a significant social media intermediary that provides any service with respect to an information or transmits that information on behalf of another person for direct financial benefit or through ownership or exclusive rights to mandatorily make that information clearly identifiable to its users as being advertised, marketed, sponsored, owned, or exclusively controlled.

An intermediary shall endeavour to deploy technology-based measures, including automated tools or other mechanisms to proactively identify information that depicts certain information including that which is exactly identical in content to information that has previously been removed or access to which has been disabled. The rules provide that these measures shall be proportionate and in regard to the interests of free speech and expression, privacy of users and protected interests.

·         Removal of data on own accord: If a significant social media intermediary removes or disables access to any information, data or communication link on its own accord, it shall ensure that before such removal or disabling such access, it has provided the user who has created, uploaded, shared, disseminated, or modified such information, with a notification explaining the action being taken and the grounds or reasons for such action. That in such circumstances adequate and reasonable opportunity must be provided to the user to dispute the action being taken by such intermediary and request for the reinstatement of access to such information, data or communication link. Such request may be decided within a reasonable time.

Do these rules provide physical presence of these significant social media intermediaries in India?

The rules provide for these significant social media intermediaries to have a physical contact address in India published on its website and/or mobile app.

These Significant Social media intermediaries are also required to set up a mechanism to raise and share a trackable unique ticket number for every complaint received.

The significant social media intermediary is required to enable its users from India to voluntarily verify their accounts by using an appropriate mechanism, including the active Indian mobile number.

 The SSMI is further required to provide a demonstrable and visible mark of verification to any user who voluntarily verifies their account, such mark shall be which shall be visible to all users of the service.

Due Diligence Rules regarding news and current affairs content?

An intermediary having users who are publishers of news and current affairs content is required to publish a clear and concise statement informing such users that in addition to the common terms of service for all users, such publishers shall furnish the details of their user accounts on the services of such intermediary to the Ministry of Information and Broadcasting as may be required under these rules. Such users may be provided with a demonstrable and visible mark of verification as being publishers.

The Ministry as the case may be is empowered to apply additional due diligence rules pertaining to significant social media intermediary, In case any intermediary whose services permit interaction between users and publication or transmission of information to a significant number of other users if the services of that intermediary permit the publication or transmission of information in a manner that may create a material risk of harm to the sovereignty and integrity of India, security of the State, friendly relations with foreign States or public order.

The rules further state that in the event an intermediary fails to adhere to these rules it may be made liable for any third party information, data, or communication link made available or hosted by it and the intermediary shall be liable for punishment under any law for the time being in force including the provisions of the Indian Penal Code.

Note: The notification was also accompanied with Code of Ethics and Procedure and Safeguards in relation to Digital Media, Grievance Redressal Mechanism, Self-Regulating Mechanism – Level-1, Level 2, Oversight Mechanism Level-3, Furnishing of Information, Appendix and Schedule. These topics are covered separately in our other articles.