Issues on compliance with the I.T. (Intermediary Guidelines & Digital Media Ethics Code) Rules, 2021
This article looks at the main issue in Part 2 i.e. Intermediary Guidelines vide Rules 3 and 4, which is contentious in terms of compliance for some intermediaries!. The Rules here were notified on 25.02.2021 effective from 26.05.2021.
The Information Technology Act, 2000 was enacted further to a U.N. Resolution in 1997 adopting a model law on e-commerce. The said law in addition to providing for e-commerce and effective delivery of the Govts. services in India sought to amend other relatable laws within the existing framework. Along with the growth in e-commerce came other issues which necessitated further expansion of the law. Incidentally albeit the punitive and prosecutory aspect not being the focal point of this law the same has over the past decade been a focal point of contention post the I.T. Amendments Act, 2009 and the Procedure and Safeguards for interception, monitoring and decryption of information Rules, 2009, I. T. (Intermediaries Guidelines) Rules, 2011, the notification in 2018 under the 2009 rules and now the instant Rules of 2021 (replacing the aforesaid 2011 rules).
Issues of Contention.
Rule 3(1). Due Diligence by Intermediary:
(d.) an intermediary, on whose computer resource the information is stored, hosted or published, upon receiving actual knowledge in the form of an order by a court of competent jurisdiction or on being notified by the Appropriate Government or its agency under clause (b) of sub-section (3) of section 79 of the Act, shall not host, store or publish any unlawful information, which is prohibited under any law for the time being in force in relation to the interest of the sovereignty and integrity of India;
(j.) the intermediary shall, as soon as possible, but not later than seventy two hours of the receipt of an order, provide information under its control or possession, or assistance to the Government agency which is lawfully authorised for investigative or protective or cyber security activities, for the purposes of verification of identity, or for the prevention, detection, investigation, or prosecution, of offences under any law for the time being in force, or for cyber security incidents: Provided that any such order shall be in writing stating clearly the purpose of seeking information or assistance, as the case may be;
Provided further that if any such information is hosted, stored or published, the intermediary shall remove or disable access to that information, as early as possible, but in no case later than thirty-six hours from the receipt of the court order or on being notified by the Appropriate Government or its agency, as the case may be;
Rule 4. Additional due diligence to be observed by significant social media intermediary.
(2) A significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under section 69 by the Competent Authority as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009*, which shall be supported with a copy of such information in electronic form:
*As regards the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009 these rules while providing safeguards on interception, monitoring, decryption and disclosure of decrypted information elaborately deals with the compliance required of an intermediary that may be sought by the competent authority and such delegated officials including the Police and other organisation (such as IB, NCB, ED, CBDT, DRI, CBI, NIA, R&AW, DSI, Police Commr., Delhi vide notification dt.20.12.2018), in relation to issuing directions for decryption, interception or monitoring or decryption of information sans territorial jurisdiction, which may include any specific information being sought for. The intermediary is also expected to maintain appropriate records vide the services of designated officials for the same.
From a bare reading of the rules herein it is clear that the named executive authorities of the State are fully authorised to demand any data as required from an intermediary, while so also demand such action be taken against those named or so directed. It may be said that the above referred amendments and rules were brought in soon after the Bombay terror attacks, in 2008 – 09 to allow the executive machinery access crimes supposedly committed through the online platforms provided by various intermediaries.
While appreciating the initiative, the cause for concern here amidst the intermediaries arise on account of the numerous precedents on targeted or vindictive usage by executive authorities over the past decade since the amendments to the I.T. Act, 2000, the rules referred supra were notified in 2009 and the S.O.P. Rules for Intermediaries in 2011 and the notification on delegation of competent authority in 2018. The delegated executive authorities have time and again issued requests/ directives to reveal decrypted information with little concern for privacy of the individual under the garb of security of the State being at stake. In addition there have been many instances where punitive action has been demanded by means of tracking/ blocking various individuals/ organisations. The standard justification once again by the govt. time immemorial being the same was necessitated in the interests of the security of the State. It is in this context that the fears of the intermediaries gain value.
Challenging the amendments vide the I.T. Amendments Act, 2009, the Procedure and Safeguards for interception, monitoring and decryption of information Rules, 2009, and the G.O.s of 2018 were the PILs filed by Internet Freedom Foundation and others before the Supreme court, India. In these pending writ petitions the amendments vide S.69(2) read with S.87(2)(y) amid others were challenged as against their constitutional validity. An important contention in the proceedings raised as a ground amid the incursions into the private domain in the course of investigation is, traditionally, these (search and seizure) are within the exclusive domain of the judiciary alone (akin to the judiciary’s power to issue warrants for search (including production of documents) and seizure of premises) whereas the same are now being delegated to agencies including the Police and other organisations such as IB, NCB, ED, CBDT, DRI, CBI, NIA, R&AW, DSI, Police Commr. Delhi. This is a genuine concern considering that the agencies mentioned are executive in nature and despite their claimed autonomy are easily influenced by the government.
Addressing the Issue.
a. In this context one may say that the govt. (read prosecution) vide the S.91 – 104 of the Cr. P. C., 1973 is already vested with numerous powers entailing to cause production of documents, search and seizure powers that may be used against any person when authorised by a court of law. The exercise of these powers is guided by various judgements of the Apex court and to a large extent the manner of exercising them is settled law. Hence to vest an executive authority with such powers does not arise whatsoever be the named urgency.
b. Further considering the law as it stands today post the Shreya Singhal case of the Apex court (dt.24.03.2015 where S.66A was struck down as ultra vires), S.79 is valid subject to S.79(3)(b) (of the said I.T. Act, 2000 introduced vide I.T. Amendment Act, 2009) being read down to mean that an intermediary upon receiving actual knowledge from a court order or on being notified by the appropriate government or its agency that unlawful acts relatable to Art.19(2) are going to be committed then fails to expeditiously remove or disable access to such material. It is apparent that the new Guidelines Part 2 Rules 3 and 4 are subject to the aforesaid judgment.
In conclusion while giving credence to the fears of the intermediaries it may be seen that there needs to be a system of check and balance in the exercise of powers of a competent authority under the Rules. As seen more often than not there has been an overreach and lack of accountability in the exercise of these powers by the executive authorities (with delegated powers) under the garb of security of the State! Given the precedents here the possibility of gross misuse by executive authorities (with delegated powers) the situation is best served when the powers of search and seizure that includes interception, monitoring, decryption and disclosure of decrypted information remain a subject matter under the domain of the judiciary as evinced in the Cr. P.C., 1973 and exercised under judicial scrutiny.
!Part 3 of the said code dealing with Digital media ethics will be discussed shortly. Here many digital media enterprises have voiced concern stating that they are already bound by the regulations of Press Council under the Press Council Act, 1978 and the News Broadcasting Standards Authority.