Internet, the “can’t do without” of the time and age. It brought interactive digital communication which is popularly institutionalised as social media- you can blog, share photos, game, be part of networks and actually share most liberally.
The middle man between you and the internet – the intermediaries are the ‘any person who on behalf of another person, receives, stores or transmits any particular electronic record or provides any service with respect to that record’. In legal parlance, the Intermediary.
Facilitating transmission or exchange of information over the internet, acting as carriers of messages to transfer the information from one place to another without any further involvement in the process- is what the intermediary does.
With a high degree of accountability for the information they hold and responsibility to offer legitimate privacy rights to the owners of this information, intermediaries carry substantial power over handling, management and being custodians of data principal’s information.
To offer incentive and hold them partners in the enforcement of strong data security and privacy laws, concept of “Safe harbour” or immunity, exists under the Information and Technology Act and the Rules thereunder.
SAFE HARBOUR EVOLUTION
What is Safe Harbour?
Simply put, Safe harbour is immunity, it exempts intermediaries who host, store and disseminate data, from any form of liability unless they were aware of any illegal content being stored and transmitted on their platform, which was not acted upon under a reasonable span of time.
It, primarily protects the intermediaries from liability of third party acts.
- Is safe harbour granted to intermediaries sufficient to protect them from the acts of their users/ subscribers?
- Can intermediaries be held liable for any unlawful or scrupulous content, product or service posted on their respective website, platform by a third party and to what extent?
S. 79 of the Information technology Act, 2000 (“IT Act”) states that an intermediary shall not be liable for any third party information, data, information, or communication made available or hosted by it. Rule 7 of IT Rules, 2021 lays down penalty for non-observance of rules, which would amount to stripping of Safe Harbour position as an immunity and shall be liable for punishment under the provision of the act and Indian penal code.
Safe Harbour provisions are trade-offs which require intermediaries to observe guidelines which impose a need for due diligence, appointment of compliance, grievance and nodal officers and efficient dismissal of complaints while abiding by the Rules. See flowchart. [1] It on the harsh extreme allows the authorities to take criminal action against the offenders under the Indian Penal Code.
Judicial intervention by IP owners have secured an established process of notice-and-take-down for infringing content. MySpace Inc. v. Super Cassettes Industries Ltd.[2] being a notable judgement where the single judge bench of Delhi HC was overruled by a division bench of the same court stating-
Intermediaries could be held liable only when they have actual or specific knowledge and not constructive knowledge of the existence of infringing content on their websites, in the present case this would not amount to Myspace having actual control, actual knowledge nor a reason to believe that the content uploaded on its website may be infringing of third party rights. Delhi HC went on to state that, as intermediaries only act as conduit for exchange of information between users, they are not equipped and cannot be obligated to pre-screen and verify all such content that is stored on their websites.
Section 79 limits intermediary’s duties to a degree and thus, courts did not entertain claims by IP owners which require intermediary to screen and police its platform to prevent future infringement.
In Christian Louboutin SAS v. Nakul Bajaj[3], amongst others, the Single Judge of the Delhi High Court ordered particular intermediaries to take steps to reduce counterfeiting, like:
- Disclosure of seller details
- Assurance from sellers that goods are genuine, failing which goods would not be listed.
Some judgements were reversed in appeal and some reserved, because Safe Harbour protections are not easy to overturn and the courts believe that these protections cannot be denied without trial.
In an interesting turn of events, leading social media content intermediary, Twitter, was caught in cross fire with the ruling Indian Government which claimed that Twitter had failed to comply with the Intermediaries Ethics Code/ Rules released under the IT Act. Twitter failed to appoint the 3 mandatory resident officers under the Rules, Grievance, Compliance and Nodal Officer. Amongst other things, these appointed officers would also be the ones to execute and implement take-down-notices issued by the authorities. Read more here.
Arguably, Twitter claimed to have been caught in COVID-19 disruption and has asked for time to comply with this requirement. In the backdrop 5 days ago, Twitter launched its Verification Policy which undertakes its own checks and balances regarding the veracity of the curated content and the veracity of the person Verified Accounts sharing it on the platform.
The legal questions at a cross point with the evolving laws is somewhat like this-
- Should the intermediary be compelled to comply with a take-down-notice without verifying it against its internal policies?
- If not, then what is recourse to the intermediary who may be sued by a third party for unlawful take down? And what does the Terms and Use and Policies on the site serve?
Frustration has been brewing between the ruling Government and the OTAs and intermediaries in India in recent times. What started as a move for Content regulation is waging into content control. Companies are unlikely to relent on that front, easily.
In another interesting turn of events WhatsApp, which has failed to implement its new Privacy Policy in India and has not succeeded in demonstrating to Indian Government the basis of its new privacy policy which it claims is better privacy. WhatsApp has filed a petition in Delhi High Court suing and stating that the requirements of the IT Rules are in violation of India’s constitution. That is a hard to refute claim.
INDIA IS CATCHING UP OR ATLEAST SO WE BELIEVE
Without firmed up Data Privacy laws and an evolving Intermediary Rules, India is moving into complex situations with the Tech companies, which it can not ignore. Also, these conflicts are not likely to aid the framing of strong laws and as seen incase of Twitter, patchy implementation.
What is takedown notice?
While in practice it is not a hard to get notice, as we have seen, but
section 79 of the IT Act, 2000 alongside a few other authorising provision set the governing law of intermediary liability in India. Section 79’s significance is for two reasons-
- An exempting provision, for intermediaries against third party content;
- permits the central government to determine guidelines, rules and compliance to be followed for retaining immunity against third-party content.
The new IT Ethics Rules, 2021, the government has empowered itself to issue takedown notice/orders to intermediaries as per S. 69A of the IT Act, 2000. These grounds for take downs notice always tend to overlap between S. 69A and S. 79 of the IT Act.
For the safe harbour immunity the intermediaries have to comply with S. 69A making them bound to adhere to a take-down request for offensive content within 36 hours. In adhering to this, the Intermediary is unlikely to check the box on freedom of speech and with government demanding information on the source of it, more of WhatsApp and Twitter incidents may be expected.
Compliance with Takedowns
Complying with takedowns is an adherence obligation on intermediaries with added burden to demonstrate that it had no knowledge about the unlawful content.
India’s issues do not seem as linear. With growing acceptance and need to a degree, of online social media platforms, their regulation pose a challenge. The apex court, of India is contemplating –
Are we moving to a “ought to have known” standard from “did not know”? And do we need a new hypothesis of intermediary liability, which is limited but caries with degrees of potential severity?
What makes it Complex?
With an inclusive definition Intermediaries include non-exhaustive list of Internet Service providers (“ISPs”) and website that provides user-generated content.
This makes it complex, with a vicarious liability at play service providers become accountable for illegal act of users of their platform. They don’t call it vast -vast net for no nothing, the expanse of the internet makes it a task for intermediaries to monitor, screen and regulate the data flowing through.
Plus, failure to protect risk it becoming a unsafe, unsecure place for users.
IT Rules, 2021 statutorily recognise the judicial principles, but expand take down rights.
Take down requirements:
The new Rules rely on the principle of actual knowledge and require take down pursuant to order or voluntarily. Upon actual knowledge through a court order, or appropriate government/its agency’s notification of a take down of unlawful information being against sovereignty and integrity of India, state security, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, incitement to an offence, or any information which is prohibited under any law, intermediary must acknowledge receipt and take down within 36 hours,
- Broaden legal reform- Harmonize the law on content takedown
Content takedown is administered through two different provisions under the IT Act, 2000.
- A 24-hour turnaround for takedown; and
- a 48-hour timeframe to respond to a government request.
Such differing procedures are confusing internet censorship.
- Scope and extent of law- A flexible framework required.
Regulation of illegal content online cannot be one-size-fits-all. Accordingly, a good law on content takedown must account for the nuances existing in the way intermediaries operate and the diversity of speech online.
- Missing procedural safeguards
The Takedown process does not mandate a process through which a user is notified of takedown being undertaken. Ability to takedown content does not translate into accuracy of the action taken, and the current rules do not address this.
INTERMEDIARY RULES A CATCH ALL
The 2021 Rules- were fast tracked without taking into consideration the pre-legislative consultation or public comments, where the government seeks recommendations in a transparent process. Promising profound implications already visible, these Rules do not seem to have passed the stress test.
[2] 2017(69) PTC1 (Del)
[3] 2018 (76) PTC 508 (Del)