The last few months have seen a flurry of activity on the regulation of the digital space. The government has amended the Information Technology Intermediary Rules, published a draft Telecom Bill (to replace the existing Telegraph Act, 1885), and released the much awaited draft Data Protection Bill, 2022. Together, these laws will completely redefine the way in which we experience the internet and the government’s control over such access.
How do you spend your day online? Which sites do you visit most frequently? Chances are – depending on your age – your answers would vary between Twitter, WhatsApp, Facebook, Instagram, Snapchat, and TikTok. The common factor behind all these platforms is that they are intermediaries – social media platforms where users post comments, photos, and videos to share with each other. Clearly, thus, intermediaries play an integral role in our digital interactions.
It is the regulation of such intermediaries that has become the focal point of debate over the last couple of years. The intermediary liability regime built in India, through Section 79 of the Information Technology Act and the accompanying Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (2021 IT Rules), has been used by central and state governments to direct intermediaries to block access to content.
What is the impact of the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022 (IT Rules 2022) on the architecture of the internet? Specifically, how does it facilitate a role for the government in moderating online speech?
It is left to the intermediaries to adopt a proactive censorship policy on taking down content. The amended rule now requires intermediaries to enforce their private contracts with users under the threat of criminal prosecution.
The IT Amendment Rules, 2022 amended the controversial provisions of the 2021 IT Rules (which are the subject of a constitutional challenge in the courts), and have, somehow, made things worse. The combined impact of the 2021 and 2022 IT Rules is to impose a broad range of obligations on intermediaries under the guise of “due diligence”, which instead incentivise proactive censorship.
Three changes brought about by the IT Amendment Rules, 2022, which were published on 28 October 2022 require consideration:
First, Rule 3(1)(a) originally required intermediaries to prominently publish their privacy policies and user agreements on their websites and mobile apps so that users were aware of the terms of service governing their conduct on the platform. However, with the 2022 amendment, Rule 3(1)(a) now requires intermediaries to publish such agreements on their website/app and “ensure compliance of the same.”
Unfortunately, there are no guidelines that explain how to ensure such compliance. It is left to the intermediaries to adopt a proactive censorship policy on taking down content. The amended rule now requires intermediaries to enforce their private contracts with users under the threat of criminal prosecution. A failure to comply with the law shall result in the loss of a “safe harbour” for intermediaries and make them directly responsible for the content posted by their users. In this manner, the amendment impinges on private business.
Second, Rule 3(1)(b) of the 2021 Rules required intermediaries to simply inform users not to upload any information that fell within 10 widely worded proscribed categories (that is, information that is “obscene”, “ethnically objectionable”, “patently false”, and so on). This obligation has been changed in the IT Amendment Rules, 2022. Intermediaries must now inform users of their policies and “make reasonable efforts” to “cause” users not to upload information that falls within the 10 categories.
Once again, the focus shifts to intermediaries having to proactively remove content, to ensure, for instance, that users do not communicate “misinformation”. The broad nature of the 10 enumerated categories means that intermediaries are now the final arbiters of what constitutes obscenity, misinformation, patent falsity, and so on, with no incentive to keep content online.
The establishment of grievance appellate committees and their envisaged functioning is especially worrying because the law does not provide intermediaries or content creators with a right to be heard or to give evidence.
The upshot of the amendments to Rules 3(1)(a) and 3(1)(b) is that they are contrary to the spirit of the judgment of the Supreme Court in Shreya Singhal v Union of India (2015). The court held that a notice and take down approach that elevates intermediaries to decision-makers is unsuitable since “otherwise it would be very difficult for intermediaries like Google, Facebook etc. to act when millions of requests are made and the intermediary is then to judge as to which of such requests are legitimate and which are not.”
Third, and perhaps the most significant change brought about by the IT Amendment Rules, 2022, is the establishment of grievance appellate committees (GACs) to decide user appeals against the decision of intermediaries. A GAC comprises five members (one chairperson, two whole time members appointed by the government, and two independent members). Other than that the government shall decide the composition of a GAC, the 2022 amendment is silent about details regarding the appointment process and the minimum qualifications required for a person to be appointed to the committee. It also does not contain any safeguards to protect the institutional independence of a GAC, for instance, by ensuring its financial independence or creating an independent/all party selection committee.
What we know, however, is that the government will start becoming involved in the content moderation decisions of intermediaries through GACs, and effectively regulate the type of content posted online. By monitoring the content of one’s speech, the government has the ability to regulate conversations online, particularly of activists and civil society, and restrict the free dissemination of information.
The establishment of GACs and their envisaged functioning is especially worrying because the law does not provide intermediaries or content creators with a right to be heard or to give evidence before a GAC when it is deciding whether a particular content should be taken down.
Apart from concerns around government regulation, the IT Amendment Rules, 2022 also raise questions about the effectiveness of GACs. As noted by the Internet Freedom Foundation, a popular social media platform reported receiving around 46.85 lakh user complaints in just September 2022. Even assuming that 1% of these users decide to appeal against the intermediary’s decision to GACs, that would be nearly 50,000 complaints from one platform in one month. It is unclear whether the GACs have the capacity to manage such a high volume of complaints and carry out a discretionary exercise in a fair and effective manner.
The establishment of an appellate grievance redress mechanism through an executive notification is problematic because it allows the government to bypass parliamentary debate and procedure through excessive delegation. The benefits of having a public consultation are brought to nought since the elected representatives are unable to bring the concerns of the people over the 2022 amendment or the 2021 Rules to Parliament. Interestingly, after the Supreme Court’s judgment in Puttaswamy v Union of India (2018) (concerning the constitutional validity of the Aadhaar Act), the government enacted the Aadhaar and Other Laws (Amendment) Act, 2019 to establish a proper grievance redress and appeal mechanism.
Instead of responding to these concerns and improving the independence of the Data Protection Board, the government has postponed the specifics of the decision to the future.
In this manner, the IT Amendment Rules, 2022 are similar to the draft Digital Personal Data Protection (DPDP) Bill, 2022 that has been put out by the government for public comments. Much like the GAC, the DPDP Bill also suffers from the vice of excessive delegation. The DPDP Bill leaves important tasks to rules that will be prescribed by the government; these include the establishment of a Data Protection Board, the exemption provided to certain data fiduciaries, certain obligations to do with processing children’s data and data processing by “significant” data fiduciaries, and certain provisions relating to notice and “deemed consent.” Notably, the phrase “as may be prescribed” has been used 18 times in the Bill. This has allowed the central government to avoid the debate surrounding these provisions and postpone them to a vague undefined time in the future, with little guidance on what the future data protection framework (notified through Rules) will look like.
Much like the IT Amendment Rules, 2022, the government has tried to control the process of grievance redressal in the DPDP Bill, 2022. A Data Protection Board will be the regulator created under the DPDP Bill, 2022 and it will have significant powers to regulate the activities of data fiduciaries, including the biggest data fiduciary, the state. Thus, it is imperative for the regulator to maintain independence when it is evaluating the state’s actions.
Previous iterations of the DPDP Bill have witnessed a fierce debate on the composition of the regulator, as well as the composition (and independence) of the appointment committee. Instead of responding to these concerns and improving the independence of the Data Protection Board (earlier referred to as the Data Protection Authority), the government has postponed the specifics of the decision to the future, making it clear that it will have final control over the appointment process.
There is no question that the operation of intermediaries must be regulated. Intermediaries perform important public functions, often serving as a public town square. So, it is essential that they operate fairly and transparently. The manner of regulation must take the approach of a rights-respecting statutory framework that focuses on improving transparency and protecting user rights. It cannot adopt the manner of the IT Rules 2021 or the IT Amendment Rules, 2022, which ought to be repealed immediately.
Vrinda Bhandari is an independent lawyer practising in Delhi.
