Intermediary Liability under the Information Technology Act: Time for an Amendment?

Malvika Kapila Kalra

The Ministry of Electronics and Information Technology recently published a draft of the Information Technology (Intermediary Guidelines) Rules 2018 and invited comments/counter comments on the same. A perusal of the draft rules illuminate familiar problems which have beset the Information Technology Act, 2000 since inception, i.e. excessive delegation to subordinate legislations, ambiguously worded provisions, and difficult to implement rules. 

The proposed rules ostensibly seek to address the proliferation of fake news and envisage a proactive role for intermediaries. However, on close consideration, it is apparent that the proposed rules travel well beyond this mandate. This article offers a critical examination of the proposed rules and bats for an amendment to the Information Technology Act, 2000 in dealing with intermediaries.   

Who is an Intermediary?

An ‘intermediary’ has been defined in Section 2(w) of the Act as “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, web-housing service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes”.  

This term has belied a narrow construction. Typically, intermediaries are persons who facilitate the use of the internet. Interestingly, the definition of an intermediary includes cyber cafes, and is not restricted to online intermediaries. Although a disparate range of functions are performed by intermediaries; common functions include hosting content, collecting information, evaluating scattered information, facilitating communication and information exchange, aggregating information, providing access to the internet etc. Internet service providers, search engines, social media platforms, cloud service provider, cyber cafes, are all intermediaries. 

Intermediary Liability under the Information Technology Act, 2000

Section 79 of the Act is a ‘safe harbour’ provision which grants conditional immunity to intermediaries from liability for third party acts. Section 79(1) of the Act grants intermediaries a conditional immunity with regard to any third party information, data or communication link made available or hosted by them. This immunity is subject to section 79 (2) and 79 (3) of the Act. 

Section 79(2) essentially covers cases where the activity undertaken by the intermediary is of a technical, automatic and passive nature. Thus, for section 79(2) to be applicable, intermediaries are to have neither knowledge nor control over the information which is transmitted or stored.  

Furthermore, Section 79(3)(b) envisages a ‘notice and take down’ regime, wherein the intermediary is required to take down unlawful content upon receiving actual knowledge of its existence. In Shreya Singhal vs. UOI, the Supreme Court read down Section 79(3)(b) to mean that an “intermediary upon receiving actual knowledge from a court order or on being notified by the appropriate government or its agency that unlawful acts relatebale to Article 19 (2) are going to be committed then fails to expeditiously remove or disable access to such  material”. 

Thus, an intermediary is only required to act upon receiving a court order or a notification from the appropriate government or its agency. The intermediary is not required to exercise its own discretion regarding the material which is to be removed or disabled. 

Information Technology (Intermediary Guidelines) Rules 

The Information Technology (Intermediary Guidelines) Rules 2011 were notified by the Central Government pursuant to the powers under Section 87(2)(zg) of the Act read with Section 79(2) of the Act. The 2011 Rules inter alia prescribed due diligence practices to be adopted by intermediaries. In Shreya Singhal, Rule 3 (4) of the 2011 Rules was read down to the extent that an intermediary would only be required to disable information that would be relatable to Article 19(2) of the Constitution. 

The proposed Information Technology (Intermediary Guidelines) Rules, 2018 seek to replace the 2011 rules. However, the proposed changes suffer from infirmities which are set out below: 

1. Rule 3(2)(j) requires that the privacy policy/user agreement shall inform the users of the computer resource not to host, display, upload or modify, publish, transmit, update or share any information that:

 “threatens public health or safety; promotion of cigarettes or any other tobacco products or consumption of intoxicant including alcohol and Electronic Nicotine Delivery System (ENDS) and like products that enable nicotine delivery except for the purpose & in the manner and to the extent, as may be approved under the Drugs and Cosmetics Act, 1940 and Rules made thereunder.”

The term ‘public health or safety’ is overly broad. Furthermore, such a restriction does not bear any nexus to Article 19(2). Thus, such a rule is likely to fall foul of Article 19(1). Furthermore, a prohibition on sharing or publishing any information relating to consumption of intoxicants or ENDS, is problematic. There is no prohibition on the  usage of ENDS in India and there are already laws in place which ban the advertising of liquor and tobacco products, regardless of the medium used to effect such advertising.

2. Rule 3(4) places an obligation on intermediaries to inform their users at least once a month that non-compliance with the rules and regulations, user agreements, and privacy policies, will allow the intermediary to immediately terminate the access or usage rights and remove non-compliant information. Such a requirement is onerous and difficult to implement. 

Significantly, ‘user’ has not been defined anywhere in the parent legislation or in the proposed rules. Many websites are visited without any users registering, which makes it difficult to implement such a rule. Such a mandatory compliance requirement is likely to place an undue burden on smaller intermediaries. Moreover, the effectiveness of such a rule is questionable since it is likely to lead to notification fatigue amongst the users.

3. Rule 3(5) requires that when required by a lawful order, the intermediary shall, within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning security of State or cyber security; or investigation or detection or prosecution or prevention of offence (s); protective or cyber security and matter connected with or incidental thereto. Any such request can be made in writing or through electronic means stating clearly the purpose of seeking such information or assistance. Furthermore, the intermediary is required to enable tracing of such originator of information. 

This rule provides an unusually onerous obligation on the intermediary. Any requirement of traceability will lead to breaking of end to end encryption. Such a requirement can affect user experience in India, by exposing users to cyber security threats and cyber crimes. 

Furthermore, in Puttaswamy, informational privacy was held to be a vital aspect of the fundamental right to privacy. Thus for any order under this rule to withstand the scrutiny of the Courts, it will have to meet the requirements of the three pronged test set out in Puttaswamy, i.e. of legality, necessity and proportionality. 

It may be noted that Section 69 of the Act already grants the Central or State Government the power to intercept, monitor or decrypt any information through any computer resource. Furthermore, Section 69A allows the Centre to issue directions for blocking for public access any information through any computer resource. However, these provisions have been made subject to procedural and constitutional safeguards. They can only be invoked for the reasons set out in Article 19(2). 

Moreover, an order under these provisions requires that the reasons be set out in writing.  The present rule does not have any of the aforementioned procedural and constitutional safeguards. It is far deeper and amounts to excessive delegation. Thus, the present rule is ultra vires the parent Act. 

4. Rule 3(7) requires that any intermediary with over 50 lakh users in India or in any such list notified by the government, shall be incorporated under the Companies Act 2013 and have a permanent registered office in India. Such a rule is in line with the government policy of data localisation. However, ambiguity around who is a ‘user’ makes compliance difficult. It is also problematic to introduce such a provision by way of a delegated legislation under Section 79 of the Act, which is essentially a safe harbour provision. 
5. Rule 3(8) requires that the intermediary, upon receiving actual knowledge in the form of a court order, or on being notified by the appropriate government authority or its agency, under Section 79(3)(b) of the Act, shall remove or disable access to unlawful acts relateable to Article 19 (2) within 24 hours, without vitiating any evidence. Further, the intermediary shall preserve such information for at least 180 days for investigating purposes, or for such longer period as may be required by the court or government agencies who are lawfully authorised.

At a practical level, data retention for a period of 180 days creates a significant financial and technical challenge for various intermediaries. Since there is no clarity regarding the outer limit to which such data retention may be extended, compliance may be difficult for some intermediaries. 

6. Rule 3(9) requires intermediaries to deploy technology-based automated tools or appropriate mechanism for proactively identifying and disabling public access to unlawful information or content. 

This rule is the most problematic. A plain reading of Section 79 makes it clear that an intermediary must be passive in order to avail of the ‘safe harbour’ provision. However, this clause changes the nature of an intermediary from passive to active, thereby negating the safe harbour afforded to the intermediary. Also, no definition has been provided for the term ‘unlawful content or information’. 

Requiring intermediaries to self-censor on the basis of vague criterion doesn’t just go against the spirit of Shreya Singhal and international jurisprudence, but also runs counter to the plain wording of Section 79 itself. Once again, given the broad definition of ‘intermediaries’, it is difficult for such a rule to be enforced. How will a cyber café or a  small startup adhere to such a requirement?

Conclusion

The objective sought to be achieved by the MeitY, ie. tackling the issue of fake news, is laudable and necessary. The MeitY must be also be applauded for inviting comments/counter comments on the draft rules.  However, it is clear that such far reaching provisions must be provided for by way of statutory amendment.

Further, the provisions must abjure the use of undefined terms such as ‘user’, ‘unlawful content’ and ‘government order’. In the alternative, the Act must itself define such terms. It is suggested that a white paper on the different categories of intermediaries be instituted. A possibility of applying differential treatment to different categories of intermediaries can also be explored.  

The author is a Partner at Parinam Law Associates and an Advocate-on-Record at the Supreme Court of India.