Decoding The New IT Rules

On 25th Feb 2021, the Ministry of Electronics and Information Technology notified the new IT rules, which supersedes the earlier rules of 2011. The purpose of this note is to understand the new rules with respect to its various aspects - a) mapping with the IT Act of 2000 (amended in 2009); b) additional obligations it imposes; c) risks of executive overreach; d) implementation challenges; e) benefits to the consumers, etc. While doing so, I will pose various questions and answer them as we proceed to investigate these rules.

But before doing so let's understand who is this rule is applicable and how this entity is placed in the IT Act of 2000.

Who is this rule applicable?

This rule is applicable to an "intermediary" which is defined on page 3 of the amended IT act of 2000 reproduced as under.

"intermediary", with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online - auction sites, online - market places and cyber cafes"

How an "intermediary" is placed in the IT Act?

IT act is applicable to all individuals and corporates. But, it will be unfair to implicate an intermediary who simply stores or transmits content created by its users (see above definition). Hence, section 79 of the amended IT Act provides the intermediary with immunity under the Act. However, this immunity is not absolute but loaded with some conditions - which are defined in the same section (79) of the IT Act.

How do the new IT Rules Map with the IT Act of 2000?

The clause 2c of section 79 of the IT Act says that the intermediary shall have immunity, only if it observes due diligence while discharging his duties under the act, and also observe such other guidelines as the Central Government prescribe on this behalf. A portion of these new rules (applicable to an intermediary) details this due diligence as mentioned in the IT Act. Also, the IT Act empowers the Central Government to issue direction to an intermediary to monitor, decrypt and block information (section 69 & 79(3b) of amended IT Act 2000). These rules stipulate the steps that the intermediary needs to undertake in order to monitor, decrypt and block information so requested by the government or a competent court from time to time.

How are new IT Rules different from the old Rules (of 2011)?

The new IT Rules has expanded the earlier Rule of 2011 by posing additional obligations on a) social media intermediary, b) significant social media intermediary - which are just subclassifications of "intermediary" (as defined in the original IT Act). Please note, these new subclassifications are neither part of the amended IT Act, nor part of the old Rules of 2011. The definitions of the sub-classifications are produced under.

Clause 2(w) of New Rules - "social media intermediary" means an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.

Clause 2(v) of New Rules - "significant social media intermediary" means a social media intermediary having a number of registered users in India above such a threshold as notified by the Central Government.

Also, these new Rules have included a new chapter (Part III) to define - Code of Ethics and Procedure and Safeguards in Relation to Digital Media.

What are the key obligations of subclassified Intermediaries?

The new rules mandate the "significant social media intermediary" with 50 lakhs users or more to-

a) Appoint a Chief Compliance Officer who shall be responsible for ensuring compliance with the Act and rules made thereunder and shall be liable in any proceedings relating to any relevant third-party information, data, or .......[Clause 4(1a)]

b) Enable identification of the first originator of information on its computer resource as may be required by...[Clause 4(2)]

c) Endeavor to deploy technology-based measures, including automated tools or other mechanisms to proactively identify information that depicts any act or simulation in any form depicting rape, child sexual abuse or conduct, whether explicit or implicit, or any information which is exactly identical in content to information that has previously been removed or access to which has been disabled on the computer resource...[Clause 4(4)]

What are the challenges of the subclassified Intermediaries?

Chief Compliance Officer will be in constant threat of going behind bars in case the company fails to comply with the demands of the government. More so when some requirements (in the New Rules) are vague and cannot be technically complied with fully without breaking the encryption settings of the platform. Also, there is a constant risk of misinterpretation (overinterpretation) of some of the clauses of the New IT Rules, thereby posing a constant operational threat to the company concerned.

Which clause need end-to-end encryption to be broken?

Clause 4(2) asks the intermediary to enable identification of the first originator of the information on its computer resources. Note the word "information". Hence, a simple interpretation of this requirement could be that the GOI will provide the intermediatory with the information (message) for which the intermediary has to provide the government with the name of the user who first sent out this information. In other words, who is the creator of the targeted content? Now in order to enable this capability, the intermediary has to map this "message" with all other messages sent out by all, for it to be able to identify the "first originator". As without such mapping, it will not be possible for the intermediary to identify the user who sent first sent out the "message". Hence, to enable that mapping the intermediary has to read the messages of all users, thereby breaking the end-to-end encryption of the platform - making the platform totally useless.

Which clause is vague and unimplementable?

Clause 4(4). As it talks about the significant social intermediary shall make an endeavor to deploy technology-based measures, including automated tools to proactively identify information and ....... display a notice to any user attempting to access such information...

Now, the word "endeavor" is not defined in the IT Rules, thereby making it vague and open to misinterpretation and abuse. That too when the neck of the Chief Compliance Officer is on the line. A regulation with such penal provisions has to be clear and measurable and cannot be left open to interpretation.

What is the problem with blocking rules?

The IT rules under section 69 (page 12) empowers the GOI to direct blocking of information that it finds not in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign states, or public order or for preventing incitement to the commission of any cognizable offense relating to above or for investigation of any offense. In order to enable such blocking the GOI has come up with blocking rules which are called Procedure and safeguards for blocking for access of information by the public (Rules, 2009) to make such requests. However, no such safeguards exist (to preserve the interest of the common man) for blocking information under 79 of the IT Act. This potentially can be misused and might result in legal content getting blocked, which might be detrimental to the interest of the common man.

Conclusion

The New IT Rules of 2021 are much more elaborative than the earlier rules of 2011. This the GOI might have done with an intent to enable faster execution of its directives. But as mentioned above, many of the provisions of the New Rules are vague and are open to interpretation. In light of this vagueness, is it fair to impose Clause 7 (page 26) - which makes the intermediary lose total immunity under the IT Act 2002 in case it fails to observe any of the stated rules, thereby opening it to all kinds of punishments, including jail terms?

(Views expressed are of my own and do not reflect that of my employer)

PS: Find the list of other relevant articles in the embedded link.