The Ministry of Electronics & Information Technology has finally issued clarifications on the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, in the form of Frequently Asked Questions (FAQ).
The 28-page document goes through the purpose of the new rules, the major changes over the 2011 rules, some questions on fundamental rights to freedom & privacy, whom the rules apply to, which entities qualify as intermediaries, and the nature of due diligence that intermediaries have to follow.
Here are some key clarifications.
The Right to Privacy & Traceability
MeitY says the Rules have a clear focus on protecting the online privacy of individuals. Hence, the Rules mandate intermediaries to convey to users that they should not share information that is invasive of another person’s privacy [Rule 3(1)(b)]. The rules also require intermediaries to inform users that they can terminate access in case of non-compliance with their privacy policies [Rule 3(1)(c)].
On nudity or sharing of morphed images, MeitY says that an affected individual can make a complaint to the intermediary. The intermediary is then obliged to remove the content within 24 hours of receiving the complaint.
Traceability: MeitY says that intermediaries “do not enjoy the authority to identify” users themselves. They must identify the “first originator” only upon receiving directions from the competent authority.
Further, the competent authority [as per IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009] shall not pass traceability orders “when other alternative measures are available”.
End-to-End Encryption: MeitY suggests using a ‘hash value’ to identify the first originator of a message. It suggests using a method “wherein identical messages will result into a common hash (message digest) irrespective of the encryption used by a messaging platform”. However, intermediaries are free to come up with alternative technological solutions to implement this rule.
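To make the hash-value idea concrete, here is an added sketch (not taken from the FAQ or from any platform's code) of a digest computed over the plaintext and looked up in a first-seen table; it also shows that the match is exact, so an altered copy is indexed as a new message. SHA-256, the `OriginatorIndex` table, the `toy_encrypt` stand-in and the account names are all assumptions made for illustration.

```python
import hashlib

def digest(message: str) -> str:
    """Message digest over the plaintext (SHA-256 is an assumption)."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()

def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for a platform's encryption; illustrative only, not secure."""
    stream = hashlib.shake_256(key).digest(len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

class OriginatorIndex:
    """Hypothetical table: digest -> (account, timestamp) of earliest sighting."""
    def __init__(self):
        self._first = {}

    def record(self, sender: str, message_digest: str, ts: int) -> None:
        seen = self._first.get(message_digest)
        # Keep only the earliest sender, even if records arrive out of order.
        if seen is None or ts < seen[1]:
            self._first[message_digest] = (sender, ts)

    def first_originator(self, message_digest: str):
        seen = self._first.get(message_digest)
        return seen[0] if seen else None

def demo() -> dict:
    index = OriginatorIndex()
    text = "Constructed sample: meeting moved to 5 pm"  # constructed input
    edited = text + "."                                 # one character added
    index.record("user_b", digest(text), 250)    # a forward, logged first
    index.record("user_a", digest(text), 100)    # the earlier send
    index.record("user_c", digest(edited), 300)  # altered copy
    return {
        # Same plaintext, different keys: ciphertexts differ, digest does not.
        "ciphertexts_differ":
            toy_encrypt(text.encode(), b"k1") != toy_encrypt(text.encode(), b"k2"),
        "forward_traced_to": index.first_originator(digest(text)),
        # Exact matching only: the altered copy has its own first originator.
        "edited_traced_to": index.first_originator(digest(edited)),
        "unseen_traced_to": index.first_originator(digest("never sent")),
    }

if __name__ == "__main__":
    print(demo())
```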
MeitY justifies the requirement saying:
Intermediaries also functioning as “News Aggregator”
There is still no clarification on this front. MeitY says that entities functioning both like an intermediary as well as a “news aggregator” or “publisher of news and current affairs content” may seek further clarifications from the Ministry of Information & Broadcasting (MIB).
Who is an intermediary?
When the ministry issued the 2021 intermediary guidelines, there was much confusion regarding who is an intermediary. The issue was nuanced since apps like Teams and Slack also enabled messaging. MeitY has now clarified the space.
It says the new Rules define ‘social media intermediary’ as an intermediary which ‘primarily or solely’ enables online interaction between two or more users. Therefore, an entity which has some other primary purpose but only “incidentally” enables online interactions may not be considered as a social media intermediary.
Interactive features that may clarify the scope of the phrase “enables online interaction” are, inter alia, as follows:
- facilitates socialization/ social networking including the ability of a user to increase their reach and following, within the platform via specific features like “follow”/ “subscribe” etc;
- offers opportunity to interact with unknown persons or users;
- ability of enabling virality of content by facilitation of sharing. Virality, in this context, means the tendency of any content to be circulated rapidly and widely from one internet user to another.
Who will not qualify as an intermediary? Any intermediary who:
- enables commercial or business-oriented transactions,
- provides access to internet or search-engine services,
- e-mail services or online storage services, etc.
What data shall an intermediary store after cancellation of registration?
The 2021 intermediary guidelines require an intermediary to store information collected from a user for registration for 180 days after cancellation or withdrawal of such registration. However, should an intermediary store only the data collected at the time of registration? Or should the intermediary also store post-registration data, e.g. user logs?
On this issue, MeitY says it will vary from platform to platform. Intermediaries should refer to IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and notifications under Section 67C of the IT Act, 2000.
Nodal Contact Person and the Chief Compliance Officer cannot be the same
There seemed to be some confusion with the appointment of a Nodal Contact Person (NCP), the Resident Grievance Officer (RGO), and the Chief Compliance Officer (CCO). This was especially so with Twitter, which appointed an RGO and NCP, but failed to appoint a CCO.
Now, the Ministry has said that the CCO and the NCP cannot be the same person. On the other hand, the roles of the NCP and the RGO “may be performed by the same person”. Having said that, MeitY suggests that it is “desirable” to appoint separate persons for the role of NCP and RGO.
Further, a parent significant social media intermediary can appoint common officers across its products/ services.
Must give reason for action taken/ not taken?
MeitY says that the objective of Rule 4(6) is to promote two-way communication between the aggrieved user and the intermediary. However, in case of a frivolous complaint, the intermediary can cite the nature of the complaint for any action not taken. The Ministry says, “the idea is to promote accountability while giving flexibility”.
In the case of suspected bots, there may be situations where the intermediary may not find it prudent to inform the user prior to taking down their content. In such scenarios, MeitY ‘expects’ intermediaries to undertake steps to effectively counter bot activity.