The Information Technology Rules 2021: An assault on Privacy as we know it

The main emphasis of these Rules is against categories of content which involve determination of issues which are by definition subjective in nature.
Social Media
Social Media

The world has witnessed the emergence of anti-encryption legislation that is causing concern amongst those who value their privacy and desire uninhibited communication.

The most recent entrant making its debut in this field is the Government of India, which has undertaken the task of dictating to companies how their privacy policies must be structured and what consequences should follow in the event of non-compliance.

The recently notified Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 have not followed the “privacy by design” guideline often given to companies which are building their products. Indeed, although the government claims that it is not interested in the content of the messages, the structure of the Rules suggests otherwise.

This article seeks to examine the Rules and bring to light the provisions which are cause for concern, considering the recent spate of prosecutions being launched against persons expressing opinions which run contrary to that of the government of the day.

Definitions

Rule 2 is the definition clause. For our purposes, the following definitions are important:

Rule 2(v) defines a significant social media intermediary as one being above a certain threshold which may be notified by the Central government, (the user limit for this has been set at fifty lakhs and above)

Rule 2(w) defines a social media intermediary as one which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.

The dictates

Part II of the Rules specifies the due diligence to be undertaken by an intermediary including social media intermediary and significant social media intermediary. These obligations are mandatory in nature.

An intermediary will be required to publish its privacy policies or rules and regulations prominently on either its application or website or both. Some notable examples of information which has caused grievance and are unacceptable as per the government are as follows:

  • Is defamatory, obscene, pornographic, paedophilic, invasive of another’s privacy including bodily privacy, insulting or harassing on the basis of gender, libellous, racially or ethnically objectionable, relating or encouraging money laundering or gambling, or otherwise inconsistent with or contrary to the laws of India.

  • Deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any information which is patently false or misleading in nature but which may reasonably be perceived as a fact.

  • Threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign States or public order, or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any foreign States.

  • Is patently false and untrue, and is written or published in any form, with the intent to mislead or harass a person, entity or agency for financial gain or to cause any injury to any person.

The Rules have specified the actions required to be taken by intermediaries and also specified various timelines for which intermediaries have to preserve the offending content. The Rules mention a period of 180 days for which the offending content must be preserved.

Intermediaries are also required to cooperate with lawfully authorised government agencies and assist them in preventing, detecting and prosecuting offences under Indian law on receipt of a lawful, written and reasoned order.

The Rules also specify additional due diligence to be undertaken by significant social media intermediaries. The most significant measure for such an intermediary, which is primarily providing messaging services (for example, Signal and Telegram), is to identify the first originator of information on its computer resource in the event of a judicial order passed by the competent court or by an order passed under Section 69 of the IT Act of 2000.

It is clarified that this requirement will only be for the purpose of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to such an offence, or in relation with rape, sexually explicit material or child sexual abuse material punishable with five years imprisonment and above.

The Rules further clarify that the content of such communications need not be disclosed, and such orders may not be passed if less intrusive means are available.

The Rules also state that intermediaries must endeavour to deploy automated tools which identify information that depicts any act or simulation in any form depicting rape, child sexual abuse or conduct, whether explicit or implicit.

These measures must be proportional having regard to the interests of free speech and expression, privacy of users on the computer resource of such intermediary, including interests protected through the appropriate use of technical measures.

Analysis and Conclusion

The new Rules for intermediaries have been brought into force at a time when anyone expressing dissent or an opinion contrary to the government is being prosecuted for sedition or being slapped with charges under the Unlawful Activities (Prevention) Act (UAPA). FIRs are being lodged left, right and centre, in what is an attempt to stifle free debate and discussion. Therefore, these Rules, which would ordinarily seem to be bringing order to a medium which is difficult to control, must be seen with a lens of suspicion. These Rules are another tool in the hands of the government to use law enforcement agencies and other means to go after individuals who express opinions which run contrary to its ideas and interests.

The inclusion of inclusive definitions gives too much leeway to the government to add more categories at a later stage and increase the scope of the Rules at its convenience.

The Rules as structured have two categories of intermediaries: social media intermediaries, and significant social media intermediaries. The rules qua such intermediaries primarily issue dictates on what privacy policies and rules and regulations such intermediaries have and what action they should take in the event of violation of their privacy policies.

The main emphasis of these Rules is against categories of content which involve determination of issues which are by definition subjective in nature. For instance, who decides what is defamatory or libellous at the very inception? Who decides what is obscene or not? Who decides what is against the sovereignty or integrity of India or against public order? Further, how are intermediaries who do not snoop into the content of the communications expected to control the kind of content which is published on their websites? Simply publishing a privacy policy does not automatically ensure compliance.

The requirements to prominently display privacy policies and make them accessible and remind users at least once a year is a welcome step. Suggesting mechanisms which enable complaints which users can make regarding content they deem to be offensive by sharing the content with the intermediary is also a measure which can elicit little objection. However, there are two measures in the Rules which will handicap end-to-end encryption in its present form:

· Enabling the tracing of the first originator of the message

· Developing automated tools to weed out sexual content which is prima facie without consent etc.

The nature of messaging platforms today is such that the amount of information they have about users is limited by design, which is what data protection laws around the globe are advocating. The platforms today can ostensibly also not see the content of our messages. Therefore, having to alter a system to enable traceability necessarily adds a layer of information which will available in the hands of the platform, and consequently, that which may be accessed by government agencies or even bad actors.

Secondly, automated tools to look into the content of messages and discover offending content will also bring end-to-end encryption to an end. This means that an intermediary will have to develop a system which has the capacity to look into the content of messages. It is not clear whether it is technically feasible and viable for a system to weed out specific content at all and ignore the rest altogether; this is a purely technological solution best left to technical experts. At the moment, this is not a mandatory requirement imposed by the government, but only a suggestion. It remains to be seen whether it is made mandatory at a later stage.

Prior to these Rules, the Information Technology (Procedure and Safeguards for the Interception, Monitoring, and Decryption of Information) Rules, 2009 did not require intermediaries to comply with impossibilities, but only provide technically feasible assistance. With these Rules, that is set to change, as currently, it is ostensibly impossible to trace the originator of a message. It is also impossible to police what kind of content users can post and determine what is conclusively offensive and what is not offensive. These Rules may also assist law enforcement agencies in going after something that has been shared which is deemed as offensive by the government. They may also seek to actively prevent anything which goes against the interests of the government.

The threshold set by the government for who qualifies as a significant social media intermediary is 50 lakh users. We may see an emergence of other end-to-end encrypted platforms which are below the threshold consequently not required to entirely dilute the privacy given to users.

We will also have to wait and see what form the Data Protection Bill, which is pending before a Joint Parliamentary Committee, finally takes, and whether there is a conflict between the directions and obligations between these Rules and the Data Protection Bill once it comes into law. In the event there is a conflict between the two it will be interesting to see which, if any, will prevail.

The author is a Delhi-based lawyer.

Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect those of Bar & Bench.

Bar and Bench - Indian Legal news
www.barandbench.com