INTRODUCTION

The Central Government has notified the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules 2021 (New IT Rules), with effect from 25 February 2021, pursuant to Section 87 of the Information Technology Act, 2000 (IT Act). The New IT Rules will supersede the Information Technology (Intermediary Guidelines) Rules 2011 (2011 Rules).

The New IT Rules have been described by the Government as a "harmonious, soft-touch oversight mechanism in relation to social media platform as well as digital media and OTT platforms etc." and are intended to empower the ordinary users of digital platforms and social media to command accountability in case of infringement of their rights and seek redressal for their grievances.

The New IT Rules regulate entities transmitting content through digital media as well as intermediaries and publishers who are operating in India or overseas (but target users in India). Interestingly, while the regulatory and compliance aspects (under Part II of the New IT Rules) in respect of social media intermediaries (such as WhatsApp, Signal, Telegram, Facebook, Instagram and Twitter) will be administered by the Ministry of Electronics and Information Technology (MEIT), the compliance regime in relation to digital news media and OTT platforms (such as Netflix, Amazon Prime and Disney+Hotstar), which is prescribed under Part III of the New IT Rules, will be administered by the Ministry of Information and Broadcasting (MIB).

This article encapsulates the top 5 salient features of the New IT Rules along with the key implications thereof for the social and digital media sector in India. 

  1. More Stringent Requirements for Significant Social Media Intermediaries

The New IT Rules seek to categorise social media intermediaries (basis the number of registered users) into 'significant' social media intermediaries or 'other' social media intermediaries. A social media intermediary having five million or more registered users is categorised as a 'significant' social media intermediary and needs to comply with certain additional due diligence related requirements as discussed below.

The general compliance regime for all intermediaries includes:

  • providing information for verification of identity or assistance to any lawfully authorised government agency within 72 hours of receiving a written order;
  • removal of any unlawful information which is hosted, stored or published by the intermediary within 36 hours of receiving a court order or being notified by a government agency;
  • removal or disabling of access to any content that exposes the private areas of individuals or show such individuals in full or partial nudity or in sexual act or is in the nature of impersonation including morphed images etc., within 24 hours of receipt of complaints; and
  • clearly publishing rules and regulations, privacy policy and user agreement on their websites, mobile based applications or both.

The users are required to be informed about types of information that are 'objectionable' and not to be shared, displayed, uploaded, etc. and an intermediary also required to inform users (at least once every year) about (a) any changes to its rules and regulations, privacy policy and/or user agreement; and (b) its right to terminate user's access or remove any published content from its platform which does not comply with the intermediary's rules and regulations, privacy policy or user agreement.

The compliance framework for 'significant' social media intermediaries is much heavier and extends beyond the requirements mentioned above to include additional conditions such as:

  • establishment of a physical contact address in India (the details of which are required to be published on the intermediary's website or mobile application or both) including appointment of certain officers, namely, a chief compliance officer, a nodal contact person and a resident grievance officer (which individuals are required to be Indian residents);
  • an obligation to allow users who register for services from India, or use services in India, to verify their accounts using any appropriate mechanism, such as the active Indian mobile number of such users, to verify their accounts and to provide a visible mark of verification;
  • complying with government orders to trace the originators of social media content; and
  • development and deployment of technology-based measures such as automated tools to proactively identify information that depicts any act or simulation in any form depicting rape, child sexual abuse or conduct.

Pertinently, the New IT Rules also give discretion to the Government to require any other intermediary (i.e. even a relatively smaller social media platform) to comply with the foregoing additional compliances, if the services of such intermediary imposes a material risk to the sovereignty or integrity of India, security of the State, etc.

Any failure on part of an intermediary to comply with the provisions of the New IT Rules, may lead to such intermediary losing the safe harbour provisions available to it under the IT Act, in addition to being liable to punishment under the relevant law for the time being in force.

  1. Identity of first originator of information - a threat to end-to-end encryption

The obligation on the significant social media intermediaries (which primarily provide messaging services) to trace and confirm the identification of the first originator of information, if required by a court order or an order passed by a competent authority under Section 69 of the IT Act, has not received a warm reception by the industry.

Many social media platforms are contending that end-to-end encryption makes it impossible to track the originator of a message and that even the platform itself does not have decryption keys, and, therefore, does not have access to the messages itself. From a cost perspective, the concern remains that any change to these technologies that have been developed through rigorous cybersecurity testing over the years, will require additional investment. Social media platforms argue that such additional cost outlay will be counterproductive as the end result will defeat the principle of data minimalism and privacy which is the core inherent element of end-to-end encryption technology and provides people with a safe environment to have private conversations over the instant messaging services.

Another concern that has been raised by the industry is that in case the originator is located outside India, the first originator in India will have to be identified. In such a scenario, the intermediary will have to have access to the metadata of the entire chain of the conversation which in turn will require messaging applications to be re-engineered to capture metadata. The industry players argue that this will again entail additional costs, encroach upon user privacy, and fuel user paranoia.

  1. Regulation of the content published on OTTs and digital news media platforms 

The most significant development in the New IT Rules has been the introduction of a new framework for the regulation of content that is published on OTTs and digital news media platforms. The New IT Rules have prescribed a Code of Ethics (Code) which, among other things, lays down the general principles, and metrics and guidelines for the classification of content and needs to be complied with by publishers of online curated content (OCC), intermediaries which primarily enable the transmission of OCC, publishers of news and current affairs and intermediaries which primarily enable the transmission of news and current affairs. Interestingly, these guidelines are similar to the rules that had been issued by MIB in December 1991 for sanctioning of films for public exhibition.

Further, with a view to create a level playing field for all the players in the media sector including TV broadcasting and print media, the New IT Rules now require digital media platforms and online publishers of news and current affairs to also comply with the norms prescribed by the Press Council of India (under the Press Council Act, 1978) and the Programme Code under Section 5 of the Cable Television Networks Regulation Act, 1995.

  1. Content Censorship and Classification

OTT platforms are required to classify all content such as films, web-series or other shows based on age, themes, content, tone and impact, and target audience. The rating categories provided in the New IT Rules are - "U", U/A 7+, U/A 13+, U/A 16+ and 'A', with requirement to have parental controls and age verification mechanisms where content is classified as U/A13+ or higher.

Further, the OTT platforms are required to consider before exhibiting content, the implications of such content on areas such as the sovereignty and integrity of India, India's relations with foreign countries and maintenance of public order. They are also required to take into consideration India's multi-cultural and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group. With the ever changing and fluid moral compass of the society, it will be interesting to see how the OTT platforms will be able to steer around the diverse sensibilities, cultures and beliefs of the Indian content consumer and balance their demands for different genres of content. Another practical difficulty which the OTT platforms will face is around the classification/re-classification of the already published content on the platforms to ensure compliance with the New IT Rules. As regards to the content which has already been produced but is yet to be released, the new regime may result in additional editing costs depending on the content and the target audience that the platforms were eyeing.

  1. Three-tier grievance redressal mechanism - self-regulation under government oversight

The New IT Rules require OTT platforms and the digital news media to formulate a robust three-tier grievance redressal mechanism on the following lines:

  1. Level I: Self-regulation by the publishers themselves through a grievance officer who will be based in India and whose contact details are to be placed on the platform's website and/or the mobile app;
  2. Level II: Self-regulation by an independent self-regulatory body constituted by publishers or their associations. Such self-regulatory bodies will be headed by a retired judge of the Supreme Court, a High Court, or an independent eminent person from the relevant field; and 
  3. Level III: Oversight by MIB through an inter-departmental committee constituted by the Government (Committee). This Committee will hear violations of the Code arising out of decisions taken at level two or if a complaint is directly referred to the Committee by MIB. At the third level, MIB will appoint an 'Authorised Officer', who on approval by the Secretary of MIB, may give directions for the deletion, modification or blocking of relevant content and information generated, transmitted, received, stored or hosted in their computer resource for public access within the time limit specified in the direction.

Under this new tiered system, MIB not only has the power to refer grievances to the Committee constituted by it but it also has the authority to issue guidance and advisories to publishers. The Committee can also send recommendations to MIB for warning, censuring, admonishing or reprimanding an entity.

Key implications for the industry players

While the Indian government's intent to regulate social and digital media platforms has been known for a while, the timing of the New IT Rules, nevertheless, aligns well with (and works as a logical corollary to) the already mounting global pressure (spearheaded by top social and digital media markets such as US, the UK and Australia) on digital media and social networking giants to take more responsibility for the content that is published on their platforms.

The compliance heavy regime for 'significant social media intermediaries' will definitely have a cost implication (given the requirement of setting up of a physical presence in India along with deployment of additional resources and employees) let alone other commercial and tax implications which are inherent in establishing a place of business in India.

At the same time, an active compliance of the New IT Rules will require the social media intermediaries to deploy significant resources to revamp their existing end-to-end encryption technologies, without compromising on user confidence and comfort. It would be interestingly to see how the changes to these technologies will play out and balance out (if at all) the users' concerns around privacy.

Separately, while many players in the industry do concede to the fact that online content must adhere to some prescribed rules and ethics so as to remain unbiased and (given the ubiquitous outreach of the internet) some filtration of online content is also justified; however, in the same breath, concerns are also being raised that the Government's push for a soft-touch oversight over the social and digital media sector should not morph into overregulation (with time) and stifle the freedom of speech and expression that has become synonymous with this medium.

While what will become of the New IT Rules (particularly from an enforcement perspective) is something that remains to be seen, however, the recent observation by the Supreme Court in an ongoing litigation involving a political show on an OTT platform manifests that the New IT Rules "lack teeth" which in turn could trigger the Government to introduce more specific liability provisions for the breach of these rules by the industry players.

The content of this document do not necessarily reflect the views/position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up please contact Khaitan & Co at legalalerts@khaitanco.com