This article summarises our observations on the impact the proposed amendments to intermediary guidelines are likely to have.

It is a selected excerpt from our series tracking the Evolution of Safe Harbour provisions in India, available here. A further excerpt outlining the current statutory framework for availing Safe Harbour protection under the IT Act and the areas of challenge in the existing law is available here.

In 2018, the government released the Information Technology [Intermediary Guidelines (Amendment) Rules], 2018 ("Draft Guidelines")1. These Draft Guidelines propose to increase due diligence standards intermediaries must comply with to avail Safe Harbour protection. The proposed amendments to the Safe Harbour provisions amend the Intermediary Guidelines alone and do not change any provision of the IT Act itself. Nevertheless, they impose far reaching onerous provisions on intermediaries. These have been summarised and contrasted with the corresponding earlier requirements below-

Current Obligation Proposed Obligation Concerns with Proposed Obligation
Terms of Use: Intermediaries are required to publish rules and regulations, privacy policy and/or user agreement for use and access to their portals.

Such Rules must warn users not to publish certain type of content which has been listed ("Prohibited Content") in the Intermediary Guidelines.

Terms of Use: The list of Prohibited Content has been expanded to include content which promotes consumption of tobacco or intoxicating products and content which threatens the critical infrastructure of India.

An intermediary will also be required to warn its users at least once a month, of their need to comply with the intermediary's terms of use.

  • There is no guidance as to the manner in which this monthly notification is to be sent. Should it be via the platform or via email or by push notifications on apps?
  • Users are suffering from 'notification fatigue' and 'consent fatigue' and this requirement detracts from a good user experience.
No equivalent requirement in current Intermediary Guidelines. Mandatory Assistance to State Agencies: Intermediaries are required to provide assistance requested by "any government agency", within 72 hours of such request being made. This request may be for the security of the State; cyber security; the purpose of investigation, detection, prosecution or prevention of offence, or for protection or cyber security and matters connected with or incidental thereto.
  • Investigation and prosecution of cyber offences requires the investigating body to have sophisticated technical capabilities. Consequently, the IT Act has specific requirement as to the rank of the officer who may investigate offences under the act and the authorities who may issue orders to block monitor or collect data.
  • The draft amendments significantly water down these requirements and oblige intermediaries to assist any government agency.
  • The type of assistance intermediaries as required to provide to these government agencies is also unclear.
Trace the publisher of information: The intermediaries, upon receiving a request by the authorised agency, will be required to trace the originator of any information.
  • The type of information collected by intermediaries vary and several intermediaries do not collect enough data points from their users to meet this requirement.
Local Presence Requirement: Intermediaries with above 50 Lakh users are required to be incorporated in India and permanent, registered, physical address in India. They are also required to have a nodal person who shall be available 24X7 to provide assistance to State agencies.
  • Will increase operational costs. Bootstrapped intermediaries may find it more convenient to stop offering services in India all together.
  • May have adverse tax implications for intermediaries, as they will be deemed to have a permanent establishment in India.
Take-Down Requirement: Intermediaries are required to take-down Prohibited Content within 36 hours of receiving "actual knowledge" of the existence of such content on their platform. They are required to preserve records relating to such content for 90 days to facilitate investigation. Take-Down Requirement: Intermediaries are required to take-down content only upon receiving actual knowledge by way of a court order or upon being notified by appropriate government agency.

Courts or Government agencies may order content to be taken-down only if such content is not in the interest of the sovereignty and integrity of India; security of the State; friendly relations with other States; public order, decency or morality; or in relation to contempt of court, defamation or incitement of any offence.

Such take-down must occur within 24 hours of the receipt of the order and/or notification.

The intermediary will have to preserve the records for a minimum of 180 days.

  • It may not be practical to take down content within these timelines.
No equivalent requirement in current Intermediary Guidelines. Proactive Monitoring of Content: Intermediaries are required to deploy technology based automated tools or appropriate mechanisms with appropriate controls to proactively identify and remove access to unlawful content.
  • The rationale behind extending Safe Harbour protection to intermediaries is that they are merely passive transmitters of information, which is generated by third parties without interference or oversight of the intermediaries.
  • Proactive monitoring requirement means that intermediaries have knowledge and oversight over information that is transmitted on their platform and are as such no longer amenable to Safe Harbour protection.
  • Given the volume of information to be filtered, many companies may begin to deploy automated tools. These are also error-prone2 and have seen limited success3.

Footnotes

1. Ministry of electronics and information technology, the Information Technology [Intermediary Guidelines (Amendment) Rules] 2018, available at https://www.meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf.

2. J. Malcolm, Users Around the World Reject Europe's Upload Filtering Proposal, available at https://www.eff.org/deeplinks/2016/11/users-around-world-reject-europes-upload-filtering-proposal.

3. In Sabu Mathew George v. Union of India, (2017) 7 SCC 657, it was submitted by the respondent intermediaries that content which violated the PCPNDT Act could be removed only upon being brought to their notice. Even such limited blocking has not seen much success; Legally India, Roundup of Sabu Mathew George vs. Union of India: Intermediary liability and the 'doctrine of auto-block', available at https://www.legallyindia.com/views/entry/roundup-of-sabu-mathew-george-vs-union-of-india-intermediary-liability-and-the-doctrine-of-auto-block.

Originally published 12 November, 2019

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.