The Indian government made 20,805 requests for user data – including 861 emergency requests – to Facebook between July and December 2018, the company’s revealed in its latest Transparency Report. The report said Facebook provided “some data” in response to more than half (53%) of these requests, which involved 27,410 Facebook accounts. By comparison, Facebook had received 16,580 data requests from the government, involving 23,047 accounts, in the first half of 2018. Since 2013, the number of such requests has gone down over a six-month period only once, between July-Dec 2014 and Jan-June 2015. Its worth noting that the government made 3,245 requests in the first half of 2013. Facebook for its part says, “We respond to government requests for data in accordance with applicable law and our terms of service. Every request we receive is carefully reviewed for legal sufficiency and we may reject or require greater specificity on requests that appear overly broad or vague.”

Emergency and legal requests

The company disclosed how many user data requests were accompanied by a legal process (legal process requests) and how many were not (emergency requests). The number of emergency requests for data by the Indian government rose to 861 from 617 in the first half of 2018, and Facebook said it produced some data in response to 46% of them. The number of such requests has been increasing steadily since Jan-June 2016, when just 42 were made. Legal process requests were up to 19,944 from 15,963 in the previous six months (see below), and the company responded to 54% of them. These, too, have risen steadily over the years, from 6,282 requests in the first half of 2016.

Preservation requests

Facebook also received 1,900 requests to preserve account information from the Indian government in July-Dec 2018. The requests involved 2,800 accounts. These have also increased gradually since Jan-July 2016, when 609 such requests were made for information in 850 accounts. Facebook wrote, “We accept government requests to preserve account information pending receipt of formal legal process. When we receive a preservation request, we will preserve a temporary snapshot of the relevant account information but will not disclose any of the preserved records unless and until we receive formal and valid legal process.”

The new Safe Harbour rules

In December last year, MeitY released proposed amendments to the Intermediary Liability Rules, 2011, pitching changes that will place larger responsibility on intermediaries and platforms for what their users do and post on the platform. The major amendments proposed are:

  • Traceability, and information within 72 hours: The new rules require platforms to introduce traceability to find where a piece of information originated. For this, platforms may have to break end-to-end encryption. The rules require the intermediary to hand over information or assistance to government bodies in 72 hours, including in matters of security or cybersecurity, and for investigative purposes. [Rule 3(5)]
  • Platforms are required to be registered under the Companies Act, have a physical address in the country, have a nodal officer who will cooperate with law enforcement agencies, etc. [Rule 3(7)]
  • Platforms have to pull down unlawful content within a shorter duration of 24 hours from the earlier 36 hours. They also have to keep records of the “unlawful activity” for 180 days – double the period of 90 days in the 2011 rules – as required by the court or government agencies [Rule 3(8)]
  • Platforms have to deploy tools to proactively identify, remove and disable public access to unlawful information or content. [Rule 3(9)]
  • The new rules insert a monthly requirement on platforms to inform users of the platforms’ right to terminate usage rights and to remove non-compliant information at their own discretion. [Rule 3(4)]