Delhi High Court issues directions and guidelines on the takedown of Non-Consensual Intimate Images (NCII) and personal data/information

In a case involving takedown of sexual and child abuse content by search engines, the Delhi High Court emphasized the right to privacy, and the right to be forgotten of individuals. After reviewing the IT Act and Intermediary Rules along with SC Judgments and Constitutional provisions, the Court stated that intermediaries cannot wash off their hands under the new rules, and have an obligation to monitor and remove Non-Consensual Intimate Images (NCII) after receiving grievances or court orders. In its Judgment, the Court gave directions and recommendations to different stakeholders. The relevant para reads as follows:

"61. In view of the foregoing observations, this Court deems it fit to render the following directions and recommendations to the Respondent Intermediaries, the Ministry of Electronics and Information Technology (MEITY), as well as the Delhi Police, for ensuring that cases of the instant nature are dealt in a manner that minimises the trauma caused to the victim and resolves the problem at hand expeditiously:

i. On approaching the Court for a takedown order in a matter involving NCII content, the Petitioner must, along with the petition, file an affidavit in a sealed cover identifying the specific audio, visual images and key words that are being complained against, in addition to the allegedly offending URLs for ex facie determination of their illegality.

ii. The Grievance Officer, as defined under Rule 2(1)(k), who is appointed by the intermediary for receiving complaints of the users/victims must be appropriately sensitised. The definition of NCII abuse must be interpreted liberally by the intermediaries to include sexual content obtained without consent and in violation of an individual's privacy as well as sexual content obtained and intended for a private and confidential relationships.

iii. The "Online Cybercrime Reporting Portal", which is a central platform available on cybercrime.gov.in, must have a status tracker for the complainant, commencing from filing of a formal complaint to the removal of the offending content. The portal must specifically display the various redressal mechanisms that can be accessed by the victim in cases of NCII dissemination. This display should be in all languages specified in the Eighth Schedule. The cybercrime.gov.in website, along with every other website of Delhi Police, should also notably display the contact details/address of each District Cyber Police Station present in the National Capital Territory of Delhi.

iv. On the receipt of information, noting the nature of NCII content which is punishable under Section 66E of the IT Act and the distress that its continued existence may cause to the victim, the Delhi Police must immediately register a formal complaint in order to initiate an investigation and bring the perpetrators to book as soon as possible so as to prevent the repeated upload of the unlawful content.

v. Every District Cyber Police Station must have an assigned Officer who must liaise with the intermediaries against which grievances have been raised by the victim who has approached the Delhi Police and an endeavour should be made to ensure that the grievance is resolved within the time schedules stipulated under the IT Rules. The intermediaries are directed to cooperate unconditionally as well as expeditiously respond to Delhi Police, and thereafter follow the time schedules under the IT Rules.

vi. A fully-functioning helpline which is available round-the-clock should be devised for the purpose of reporting NCII content. Operators and individuals manning this helpline must be sensitised about the nature of NCII content and must, under no circumstances, indulge in victim-blaming or shaming the victim. Considering the impact that NCII content has on the mental health of its victims, these operators should also have a database of organisations with registered counsellors, psychologists and psychiatrists available for reference to the victims. The Delhi Legal Services Authority may also be apprised and engaged in case the victims need legal aid.

vii. Search engines must employ the already existing mechanism with the relevant hash-matching technology on the lines of the one developed by Meta as has been discussed above. They cannot be allowed to avoid their statutory obligations by stating that they do not have the necessary technology, which is patently false as has been exhibited during the course of hearing.

viii. The reporting mechanism under Rule 3(2)(c) of the IT Rules must be conveyed to the users by the intermediaries by way of prominent display of the same on the website of the intermediary. It is necessary for users to be made aware of the reporting mechanism and the onus for educating the users lies on the intermediaries.

ix. The timeframe as stipulated under Rule 3 of the IT Rules must be strictly followed without any exceptions, and if there is even minor deviation from the said timeframe, then the protection from liability accorded to a search engine under Section 79 of the IT Rules cannot be invoked by the search engine.

x. When a victim approaches a Court or a law enforcement agency and obtains a takedown order, a token or a digital identifier based approach must be adopted by search engines to ensure that the de-indexed content does not resurface. This means that the user/victim may be assigned a unique token upon initial takedown of NCII content. If the user/victim subsequently discovers that the same content has resurfaced, then it is the responsibility of the search engine to use the tools that already exist to ensure that access to the offending content is immediately ceased without requiring the victim to approach the Courts or other authorities again and again for removal of the same. The search engine cannot insist on requiring the specific URLs from the victim for the purpose of removing access to the content that has already been ordered to be taken down, and the victim cannot be made to face humiliation or harassment by having to approach the authorities or Courts seeking the same relief.

xi. As a long-term suggestion, a trusted third-party encrypted platform may be developed by MEITY in collaboration with various search engines under Rule 3(2)(c) for registering the offending NCII content or the communication link by the user/victim. Accordingly, the intermediaries in question may assign cryptographic hashes/identifiers to the said NCII, and automatically identify and remove the same through a safe and secure process. This would reduce the burden on the victim/user to constantly have to scour the internet for NCII pertaining to them and having to request for the removal/de-indexing of individual URLs. Utmost importance should accorded to the fact that the privacy of the user/victim must remain inviolable and the data collected for the purposes of using the hash- matching technology is not stored and misused. On account of the vulnerability of the data involved, the platform must be subject to greatest of transparency and accountability standards."

Source:?https://indiankanoon.org/doc/105980506/

#DelhiHighCourt #NCII #NonConsensualIntimateImages #RightToPrivacy #RightToBeForgotten #ITAct #IntermediaryRules #CyberCrime #OnlineSafety #BananaIP #DataProtection #DigitalRights