Technology Law Analysis
November 18, 2021
It’s here! MeitY’s FAQs on Due Diligence Requirements for Intermediaries under the New Intermediary Rules
On November 1, 2021, the Ministry of Electronics and Information Technology (MeitY) released the much-anticipated FAQs on Part-II of the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 (IL & DMEC Rules/ Rules).1
Background and Summary of the IL & DMEC Rules
The IL & DMEC Rules were issued in February 2021 and supersede the Information Technology (Intermediaries Guidelines) Rules, 2011 (IL Rules 2011). The MeitY had been contemplating the introduction of amendments to the IL Rules 2011 since around 2018, when it issued the Draft Intermediary Guidelines (Amendment) Rules (Draft Amendments).2
MeitY’s intention in revising due diligence requirements applicable to intermediaries stems from the need to ensure an open, safe and trusted internet ecosystem. The IL & DMEC Guidelines were issued subsequent to a detailed and exhaustive consultation on the Draft Amendments, and multiple Writ Petitions before various courts urging the MeitY to expedite the issuance of the updated rules.3
The IL & DMEC Rules are split in three parts. Part I lists out definitions and other general clauses. Part II provides details of due diligence requirements applicable to intermediaries, and Part III lists out content moderation standards, grievance redressal and appellate mechanisms, and a self-regulatory code of ethics, applicable to publishers of online curated content and online news and current affairs content.
Unlike the IL Rules 2011, the IL & DMEC Rules recognize various categories of intermediaries, viz. intermediaries, social media intermediaries, and significant social media intermediaries (SSMIs), and introduce a risk-based and multi-tier set of obligations applicable to such categories.
To this end, the Rules impose additional/ updated obligations on all intermediaries, such as establishing robust grievance redressal mechanisms (Rule 3(2)(a)) and the requirement for expedited takedown of content that violates privacy4 for the reason of non-consensual depiction of sexual act or conduct or nudity (Rule 3(2)(b); ostensibly targeted at curbing “revenge porn”).
In addition, the Rules introduce incremental requirements for SSMIs (Rule 4) and other intermediaries to whom the Government may by way of a notification extend the obligations applicable to SSMIs (under Rule 6). Such obligations inter alia extend to appointment of key officials to oversee compliance, enabling tracing of originator of messages (for messaging platforms), providing disclosures for advertised content, undertaking voluntary takedown of certain categories of content, and publishing periodic compliance reports.
The IL & DMEC Rules have been in force since 25 May 2021.
Background to the FAQs
In the months that followed the notification of the IL & DMEC Rules, the MeitY acknowledged the lack of clarity on some aspects in the Rules and indicated its plans to issue detailed FAQs on the obligations under the IL & DMEC Rules, and a set of Standard Operating Procedures (SOPs) governing the issuance of orders by the Government and its authorized agencies under the IL & DMEC Rules.5
The FAQs, as released, are limited in scope and aimed at providing clarity on the scope of due diligence obligations required of intermediaries and SSMIs under Part – II of the Rules. These have been issued in response to the general queries received by MeitY on the rules and may be updated from time to time.
Notably, the FAQs are not intended to be a legally binding document, and intermediaries would be advised to seek guidance from the MeitY in the course of structuring their internal compliance processes.
Key Clarifications Provided:
FAQs Clarify the Criteria for Intermediaries to Qualify as a “Social Media Intermediary”
Rule 2(1)(w) of the IL & DMEC Rules define a “social media intermediary” as “an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.”
The definition attains significance, since social media intermediaries with more than 50,00,000 registered users (i.e. users who have registered/created an account with such intermediary) in India,6 are classified as SSMIs, and are required to meet additional due diligence requirements such as appointment of key personnel in charge of ensuring compliance with the Rules, .
Based on the definition, several online platforms, including code-sharing platforms, or even online encyclopedias, would qualify as a “social media intermediary”, given that they enable online interactions between multiple users, despite their primary purpose being distinct from that of a social networking platform.
The FAQs clarify that platforms which incidentally enable online interactions, but do not serve the primary purpose of being a social networking platform, may not be considered a “social media intermediary.” The FAQs indicate that the inclusion of platform features which: (a) enable socialization/ social networking or enable users to increase their reach and following; (b) enable interactions with unknown persons or users; or (c) enable virality of content by facilitating the sharing of content across users on the platform; may lead to an intermediary being classified as a “social media intermediary.”
Therefore, any intermediary whose primary purpose is enabling commercial or business-oriented transactions, provide access to internet or search-engine services, e-mail service or online storage service, etc. will typically, not qualify as a social media intermediary
FAQs Specify the Components of a Valid Notice for Removing or Disabling Access to Information
Rule 3(1)(d) of the IL & DMEC Rules require intermediaries to remove illegal content within 36 hours of receiving actual knowledge of such content by way of a Court order, or notification from an authorized agency of the Appropriate Government (i.e., the Central Government or any State Government, as the case may be).
In practice, several authorities issue notices to intermediaries which are incomplete in certain aspects. Such notices invariably increase the timelines involved for complying with takedown notices, since intermediaries would be compelled to seek clarifications, or validate the request when no clear justification or evidence is provided for takedown.
The FAQs clarify that a notice directing an intermediary to take-down content, should contain: (a) the platform specific URL(s) identified for take-down; (b) the law that is being administered by the Appropriate Government/ authorized agency and the specified clause of the law which is being violated; (c) justification and evidence; (d) any other information (e.g. time stamp in case of audio/video, etc.) as may be relevant.
The clarification is expected to ensure the issuance of complete notices, avoid vague and incomplete notices, and provide sufficient information for intermediaries to ensure timely compliance. Moreover, the requirement for providing references to specific URLs, time stamps, etc. is likely to ensure that take-downs are specific and do not impact content that are otherwise legal, thereby ensuring that free speech is protected in online spaces.
The MeitY is currently in the process of preparing SOPs governing the issuance of orders by the Government and its agencies under other applicable rules of the IL & DMEC Rules.7 The SOPs are expected to significantly streamline the processes currently adopted by intermediaries to validate orders received by Government agencies.
Chief Compliance Officer and Nodal Officer/Resident Grievance Redressal Officer to be Separate Individuals
Rule 4(1) of the IL & DMEC Rules require SSMIs to appoint (a) a Chief Compliance Officer (CCO) who shall be responsible for ensuring compliance with the Act and rules made thereunder; (b) a nodal contact person (Nodal Officer; NO) for 24x7 coordination with law enforcement agencies and officers to ensure compliance to their orders or requisitions made in accordance with the provisions of law or rules made thereunder; and (c) a Resident Grievance Redressal Officer (RGO) responsible for the grievance redressal mechanism of the SSMI.
Given that several SSMIs may have thinly staffed operational units in India, several stakeholders sought clarifications on whether the same person could be appointed to the roles listed out under Rule 4(1), i.e. the CCO, NO and RGO.
The FAQs clarify that the individual appointed as CCO cannot be simultaneously designated as the NO. Further, while it is desirable that separate officers be designated to discharge the duties of the NO and the RGO, the obligations of the NO and RGO can be discharged by the same official. However, the FAQs advice SSMIs to publicize the contact information for the NO and RGO separately on their website.
“Parent SSMI” may Appoint Common Officers Across Multiple Products or Services
Certain SSMIs could be offering multiple platforms and products through a single corporate entity. In such scenarios, it was unclear whether such SSMIs could appoint common officers (i.e. CCO, NO and RGO) across their product line-up.
The FAQs clarify that a “Parent SSMI”, can appoint the same person who is discharging a particular role (e.g. a person appointed as a NO), to discharge the same role for different products/services for the purposes of complying with requirements under Rule 4(1) of the IL & DMEC Rules. However, the contact details for approaching these officers are required to be clearly mentioned on each of those product/ service platforms separately.
While neither the Rules, nor the FAQs clarify the definition what “Parent SSMI” means, it can be inferred that a “Parent SSMI” refers to an SSMI offering multiple platforms/products/services, and not the holding company of an SSMI.
Compliance Reports should be Published Online on the SSMI’s Platform
Rule 4(1)(d) of the IL & DMEC Rules require SSMIs to furnish reports providing details of complaints received and action taken, and the number of specific links removed through proactive monitoring undertaken by the SSMI pursuant to their obligations under Rule 4(4) of the IL & DMEC Rules (i.e. voluntary takedown of rape or Child Sexual Abuse Material (CSAM) content).
For context, the reference to “complaints received” could relate to grievances raised by users with the RGO under the mechanism set forth under Rule 3(2)(a), i.e. complaints requesting the removal/ blocking of information that violate the rules and regulations of the intermediary, or relate to any of the categories of illegal information specified under Rule 3(1)(b) (such as CSAM, malicious software, content infringing upon any patent, trademark, copyright or other proprietary rights, etc.), or content that is violative of privacy (as set forth under Rule 3(2)(b)).
Prior to the issuance of the FAQs, there was a lack of clarity surrounding the granularity of information expected to be disclosed under the compliance reports, and confusion over whether such reports would need to be physically submitted to the MeitY.
The FAQs clarify that compliance reports required to be furnished by SSMIs pursuant to Rule 4(1)(d) need not be shared with the MeitY in physical form but should be published on the SSMI’s platform. The reports may disclose details of complaint received and action taken, in an aggregate form. With regard to voluntary takedowns, an SSMI may only publish the number of voluntary actions, without providing specifics of impacted content.
Explanation of Actions Taken Pursuant to Grievance Redressal and Content Policies
Rule 4(6) requires the RGO appointed by an SSMI to provide aggrieved users (users whose content is impacted/ taken down) with explanations for the actions taken by the SSMI in accordance with their grievance redressal mechanisms, pursuant to a complaint received.
The FAQs clarify that such explanations should include details of the grievance redressal mechanism and content policies put in place by the SSMI, and details of actions taken pursuant to such mechanism. This is likely to address concerns of unnecessary or unjustified takedowns outside the ambit of Government-mandated takedowns, and equally shield the intermediary from potential allegations of excessive censorship.
Tracing of First Originator of Messages not Intended to Break or Weaken Encryption
Rule 4(2) of the IL & DMEC Rules require SSMIs providing services primarily in the nature of messaging to enable the identification of the first originator of messages, pursuant to a judicial order or orders issued under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (IT Decryption Rules).
Several commentators and privacy advocates had raised concerns over the implications of this obligation on privacy, since for certain encryption protocols where the intermediaries do not have access to the decryption key, technical compliance with the obligation would require them to remove or weaken encryption.
The FAQs clarify that the intent of the obligation under Rule 4(2) of the IL & DMEC Rules is not to break or weaken any encryption deployed, but rather to identify the first originator of a message through the adoption of new solutions which rely on matching message hash values.
Requests for Additional Information to Exclude Commercially Sensitive, Trade Secret or Other Confidential Information
Rule 4(9) of the IL & DMEC Rules specify that the MeitY may call for any additional information from SSMIs (over and above other reporting requirements under the IL & DMEC Rules).
The FAQs clarify that the scope of additional information under Rule 4(9) may extend to sharing compliance reports (prepared under Rule 4(1)(d)) or other information relevant to monitoring the implementation and enforcement of the IL & DMEC Rules, and would typically exclude any commercially sensitive, trade secret or other confidential information held by SSMIs.
The FAQs provide much needed clarity on issues such as factors for determining whether an intermediary qualifies as a “social media intermediary”, components required for a complete and valid take-down notice, and provide additional guidance on compliance requirements such as the appointment of CCO, RGO and NO by SSMIs.
The FAQs, which will be updated from time to time, is a good initiative by the MeitY to address the concerns of the industry, and work together with them to ensure better compliance of the IL & DMEC Rules.
– Indrajeet Sircar, Aarushi Jain & Gowree Gokhale
You can direct your queries or comments to the authors
1 ‘See, MeitY, “Frequently Asked Questions (FAQs) on Part – II of the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021”, Available at URL: https://www.meity.gov.in/writereaddata/files/FAQ_Intermediary_Rules_2021.pdf
2 See, MeitY, Draft Information Technology [Intermediaries Guidelines (Amendment) Rules], 2018, 24 December 2018, Available at URL: https://www.meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf
3 See, Chaturvedi A., “Process of notifying Intermediary Rules likely to be completed by January 15, 2020”, Economic Times, 21 October 2019, Available at URL: https://economictimes.indiatimes.com/tech/internet/process-of-notifying-intermediary-rules-likely-to-be-completed-by-january-15-2020-meity-to-sc/articleshow/71689301.cms?from=mdr
4 Rule 3(2)(b) of the IL & DMEC Rules require an intermediary to takedown within 24 hours, all such content, which, on the basis of a complaint received by or on behalf of an individual, is prima facie, in the nature of any material which exposes the private area of such individual, shows such individual in full or partial nudity or shows or depicts such individual in any sexual act or conduct, or is in the nature of impersonation in an electronic form, including artificially morphed images of such individual.
5 See, “MeitY Working on Intermediary SOPs under New Digital Norms”, Indian Broadcasting World, 27 July 2021, Available at URL: https://www.indianbroadcastingworld.com/meity-working-on-intermediary-sops-under-new-digital-norms/; See also, Aryan A., “SOP for IT Rules: Clarity on sections 69 (A), 79 of IT Act, liability of cos likely”, Indian Express, 27 September 2021, Available at URL: https://indianexpress.com/article/business/sop-for-it-rules-clarity-on-sections-69-a-79-of-it-act-liability-of-cos-likely-7536194/
6 See, MeitY, Notification No. S.O. 942(E), Dated 25 February 2021, Available at URL: https://egazette.nic.in/WriteReadData/2021/225497.pdf; “In exercise of power conferred by clause (v) of sub-rule (1) of rule 2 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Central Government hereby specifies fifty lakh registered users in India as the threshold for a social media intermediary to be considered a significant social media intermediary.”
7 See, PTI, “MeitY to issue FAQs on Intermediary Guidelines soon: Officials”, Economic Times, 29 October 2021, Available at URL: https://government.economictimes.indiatimes.com/news/governance/meity-to-issue-faqs-on-intermediary-guidelines-soon-officials/87361349