Ever since the enactment of the Information Technology Act, 2000 (the IT Act), the treatment of intermediary liability has been pendulous. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 Rules”), however, have brought about the most significant changes for intermediaries in terms of increasing due diligence obligations and liability in cases of non-compliance, the effects of which are already beginning to be felt.
In this article, we attempt to analyse how the 2021 Rules affect intermediaries and digital media entities from a compliance perspective and the consequences of non-compliance, especially for intermediaries.
How has intermediary liability evolved?
In order to contextualise the 2021 Rules, we start by tracing the evolution of intermediary liability when only network service providers were exempted from liability under the IT Act. The need to expand the contours of safe harbour provision was recognised, from a legislative perspective when in the year 2008, the CEO of an e-auction website Baazee.com was charged under the Penal Code and IT Act on account of an obscene video being uploaded on the website by a user. Subsequently, the IT Act was amended to protect intermediaries, which merely acted as platforms for transmission of information, from the liability for offences committed without their actual knowledge. The definition of an intermediary was expanded to include online payment sites, search engines, internet service providers, etc., and exemption was granted to intermediaries from liability arising under “any law”, as opposed to the limited protection from offences only under the IT Act provided earlier.
Following the 2008 amendment, whether an intermediary could claim safe harbour hinged largely on two factors i.e. actual knowledge about the unlawful act and compliance with due diligence obligations, as prescribed. Under the Information Technology (Intermediaries Guidelines) Rules, 2011 (2011 Rules), an intermediary was required to remove unlawful content on its platform once it acquired knowledge of such content by itself or from an aggrieved individual. Notably, the Supreme Court in Shreya Singhal v. Union of India judgment, read down “actual knowledge”, to state that actual knowledge can be attributed to an intermediary only when there is a court order or notification from an appropriate government authority apprising the intermediary of unlawful content over its platform.
Over the last decade however, the role of intermediaries has increased significantly with large-scale adoption of social media platforms as a primary mode of communication and dissemination of information. Digital media also attained mainstream relevance, thereby attracting the attention of the Government to regulate such platforms. The 2021 Rules are therefore a threshold step towards such regulation.
Scope of the 2021 Rules
The 2021 Rules are divided into two parts based on their applicability. While Part II regulates intermediaries, Part III is applicable to digital media including an intermediary, publishers of news and current affairs or publishers of online curated content.
In a significant departure from the 2011 Rules which regulated all “intermediaries” without any distinction in terms of their user base or the content hosted on their platform, the 2021 Rules classify the regulated entities into the following types, namely:
(a) Social media intermediary with less than 50 lakh registered Indian users.
(b) Significant social media intermediary (SSMI) with more than 50 lakh registered Indian users.
(c) Publisher of news and current affairs content including news aggregators.
(d) Publisher of online curated content which covers all online streaming platforms including over-the-top (OTT) platforms.
Due diligence obligations under the 2021 Rules
In order to claim safe harbour under the IT Act, the intermediaries must necessarily undertake and comply with various obligations prescribed thereunder. With the 2021 Rules having come into effect from 26-5-2021, intermediaries are, at one end of the spectrum of compliance, required to prominently publish rules and regulation on their website informing its users about the type of information which must not be stored or transmitted on the intermediary’s computer resource (prohibited information). At the other end of diligence obligations, intermediaries, upon receiving actual knowledge in the form of an order from a court or notification from an appropriate government authority that certain information hosted by it is prohibited information, must remove or disable access to such information within 36 hours of the receipt of such order or notification.
Notably, no such order is required when an individual complaint is received about sexual imagery and the intermediary must take down such content within 24 hours of the receipt of the complaint. Intermediaries are also required to provide any information under their control or possession, within 72 hours of receipt of an order in this regard, to a government agency for investigation, detection or prevention of cybersecurity incidents or offences under any law.
Another important change is the requirement to appoint a grievance officer (also prescribed under the 2011 Rules) and publish his/her name and contact details prominently on its website. Building on the 2011 Rules, the 2021 Rules make it obligatory upon the grievance officer to acknowledge any order, notice or direction issued by a court or a government agency or a complaint received from an individual user or victim. Further, a complaint must be disposed of within a period of 15 days from its receipt (as opposed to one month under the 2011 Rules).
In addition to the other due diligence requirements prescribed for all intermediaries, SSMI’s are required to comply with additional obligations which inter alia include establishing a physical contact address in India; and the appointment of a chief compliance officer who will be liable for the failure of an intermediary to observe due diligence and a nodal contact person (available 24×7) to ensure compliance with orders of courts and to coordinate with law enforcement agencies, as also a resident grievance officer who shall be responsible for grievance redressal of its users.
Regulatory regime for digital media
While the IT Act did not originally envisage regulation of digital media, the 2021 Rules impose various obligations on digital media entities which carry out systematic business of making content available within India. These digital media entities would essentially include publishers of news and current affairs and publishers of online curated content (publishers), who shall adhere to a Code of Ethics (Code) prescribed under Part III of the 2021 Rules. Interestingly, even foreign news publishers with an online presence in India shall be regulated by this Code.
The 2021 Rules also mandate a three-tier grievance redressal mechanism to entertain any complaints of violation of the Code. At Level I, a grievance officer is required to be appointed by the publisher itself. If a grievance is not redressed by grievance officer within 15 days, the grievance is automatically escalated to Level II which is the self-regulating body of one or more publishers or their associations. At Level III, the 2021 Rules provide for establishment of an inter-departmental committee which shall hear grievances from the decision of the self-regulating body or other complaints about violation of the Code.
Consequences of non-compliance of the 2021 Rules
For intermediaries, a failure to observe the 2021 Rules and comply with the due diligence requirements under Part II thereof disentitles them from claiming safe harbour under Section 79 of the Information Technology Act, 2000 (IT Act). Consequently, the intermediary becomes liable for offences under various laws including the IT Act and the Penal Code, 1860 (IPC), as the case may be.
Further, if an intermediary fails to furnish information required by a law enforcement agency, or fails to block public access to information when so directed, the IT Act prescribes that such offences are punishable with imprisonment of a term, which may extend up to seven years along with a fine. Additionally, provisions of the IPC ranging from criminal conspiracy, sale of obscene books, etc., deliberate and malicious acts intended to outrage religious feelings to criminal defamation and in some cases criminal breach of trust and cheating, may also be attracted, as observed in cases involving intermediaries.
Considering the broad nature and extent of compliances prescribed under the 2021 Rules, that impose a higher threshold of diligence upon intermediaries and more particularly significant social media intermediaries (SSMIs), the immediate effect is that of inadequate or improper compliance of the 2021 Rules, divesting the intermediaries of the safe harbour under the IT Act. Consequently, this results in exposure, at the very least, to a higher number of criminal allegations and complaints being registered where intermediaries also become liable.
As regards digital media entities, the 2021 Rules specify that they will be held liable under any law contravened by them, irrespective of adherence to the Code of Ethics prescribed under the 2021 Rules. This becomes especially relevant in the present day since the threat of attracting criminal allegations by digital media platforms has become all the more prevalent, with instances of complaints or FIRs being registered against content hosted on video sharing and OTT platforms in the recent past.
Interestingly though, the 2021 Rules itself do not specify penal consequences for non-compliance by the digital media entities. Rather, the 2021 Rules empower the self-regulating body or the Ministry of Information and Broadcasting (on the recommendations of the inter-departmental committee) to, inter alia warn, censure, admonish a publisher, require apology, delete or modify content to prevent incitement to a cognizable offence and issue orders for blocking of content under Section 69-A of the Act.
Taking notice of the same, the Supreme Court in a recent order observed that “a perusal of the Rules indicate that the Rules are more and more in the form of guidelines and have no effective mechanism for either screening or taking appropriate action for those who violates the guidelines”.
Compliance with takedown orders
Another important aspect concerning compliance with takedown orders is the obligation to not store or host any unlawful information (which is defined rather broadly) upon receiving actual knowledge in the form of a court order or on being notified by the Government or its agency, and to further “remove or disable access” within 36 hours from the receipt of such a court order or notification by the Government or its agency. While issuing a takedown order, the court may direct an intermediary to disable or de-index unlawful content globally. Further, if an intermediary fails to comply with the takedown orders issued by a court, the officers in charge of its affairs may become liable for prosecution. Interestingly, however, it is not explicitly specified in the 2021 Rules that the notification of takedown from the Government or its agency has to be in writing, in the absence of which there may be some potential for misuse.
The 2021 Rules also impose an obligation to preserve information and associated records of information that has been removed, for a period of 180 days for the purpose of investigation, or a longer period if required by a court or a government agency. Pertinently, this condition also applies in cases where the information has been removed based on grievances received under the prescribed grievance redressal mechanism of intermediaries.
Identification of first originator
Significantly for SSMIs, an additional obligation is imposed to enable the identification of the first originator of information, if required by a judicial order passed under Section 69 of the IT Act and the rules thereunder. While the 2021 Rules clarify that such an order shall be passed for prevention, detection, investigation, prosecution or punishment of “serious” offences, which are punishable with imprisonment for a term of not less than five years, a direct implication of this is the possibility of compromising the end-to-end encryption of the messages that may be provided by the intermediary.
It is also interesting to note in this regard that in case the first originator of any information is located outside India, the first originator of the information within India shall be deemed to be the first originator of the information.
Another aspect that is of relevance for SSMIs is that the 2021 Rules encourage deployment of technology-based measures, including automated tools or other mechanisms, which at present appear to be mainly for identifying sexually explicit content. However, this aspect entails careful consideration of various legal and ethical issues when being implemented practically.
Achieving a fine balance
At first glance, the 2021 Rules cast a wide net over the various intermediaries and digital media platforms and seek to achieve several objectives with an intent to regulate the online space. The significance of intermediaries, and especially SSMIs, in the present day and age cannot be overstated, as online spaces are a ubiquitous and relevant part of society. Considering the direct impact intermediaries have on society and polity, a regulation was in the offing. However, the lack of a robust consultation process while formulating the 2021 Rules has raised cause for concern and criticism with several challenges being filed against them which are now under judicial scrutiny. The effects of non-compliance have also been made apparent, with clear indications being given to intermediaries to comply with the 2021 Rules, despite subsisting challenges being pending.
Many questions however remain. Whether the stated intent of the 2021 Rules to empower the common user is attainable? Whether due diligence obligations imposed on intermediaries are practical or enforceable uniformly even across the new classifications? Whether the penal consequences associated with non-compliance of the 2021 Rules are commensurate with the offences an intermediary may be charged with?
Added to this is the aspect that while the 2021 Rules appear to augment the ability of law enforcement agencies to access information from intermediaries, whether sufficient safeguards can be exercised to prevent overreach or abuse.
It also remains to be seen how the Government or its agencies utilise the takedown provisions or how the grievance redressal mechanisms introduced under the 2021 Rules are practically implemented. The discourse on regulation of digital media entities is a separate discussion altogether.
While the 2021 Rules are under challenge before various High Courts, by SSMIs, independent media and civil society organisations, another important question, that necessarily falls for consideration is the effect the rule will have on user engagement and online discourse, especially from free speech and privacy perspective, where maintaining a fine balance is imperative for a democracy.
† Partner, Cyril Amarchand, Mangaldas.
†† Senior Associate, Cyril Amarchand Mangaldas.
††† Associate, Cyril Amarchand Mangaldas.
 S. 79 of the IT Act incorporates a safe harbour provision shielding online intermediaries from liability under various laws, for any unlawful content uploaded by their users.
 Avnish Bajaj v. State (NCT) of Delhi, 2004 SCC OnLine Del 1160 : (2005) 79 DRJ 576.
 S. 2(w), IT Act.
 (2015) 5 SCC 1.
 R. 2(i), 2021 Rules.
 R. 2(w), 2021 Rules.
 R. 2(v), 2021 Rules.
 Government of India, Ministry of Electronics and Information Technology, F.No.16(4)/2020-CLES (25-2-2021), <https://images.assettype.com/barandbench/2021-02/da6bb41f-8289-4148-9b99-308cf1ed21b6/Significant_Social_Media_Intermediary.pdf>.
 R. 2(t), 2021 Rules.
 R. 2(o), 2021 Rules.
 R. 2(u), 2021 Rules.
 R. 3, 2021 Rules.
 R. 3(2)(b), 2021 Rules.
 R. 4, 2021 Rules.
 R. 11, 2021 Rules.
 R. 12, 2021 Rules.
 R. 13, 2021 Rules.
 Ss. 69 and 69-A, IT Act.
 S. 120-B, IPC.
 Ss. 292 and 293, IPC.
 S. 295-A, IPC.
 S. 499, IPC.
 Ss. 406, 408, IPC.
 Ss. 415 and 420, IPC.
 R. 9(2), 2021, Rules.
 Aparna Purohit v. State of U.P., 2021 SCC OnLine All 179.
 R. 12(4), 2021, Rules.
 Supra note 9 (order dated March 5, 2021).
 R. 3(d), 2021 Rules.
 “… which is prohibited under any law for the time being in force in relation to the interest of the sovereignty and integrity of India; security of the State; friendly relations with foreign States; public order; decency or morality; in relation to contempt of court; defamation; incitement to an offence relating to the above, or any information which is prohibited under any law for the time being in force.”
 X v. Union of India, 2021 SCC OnLine Del 1788.
 Id. at para 93; S. 85, IT Act.
 R. 3(2), 2021 Rules.
 R. 4(2), 2021 Rules.
 SDS Infratech (P) Ltd. v. National Faceless Assessment Centre Delhi, WP (C) No. 6272 of 2021 filed on 10-3-2021.
 Praveen Arimbrathodiyil v. Union of India, WP (C) No. 9647 of 2021, order dated 9-4-2021(Ker); Foundation for Independent Indian Journalism v. Union of India, WP (C) No. 3125 of 2021, order dated 28-6-2021.