The Global Network Initiative (GNI), which counts Facebook, Google, Vodafone, and Wikimedia Foundation among its members, has called on the Indian government to revise the IT Intermediary Rules 2021 and engage in a open process to address the issues that the rules aim to address.
In a letter to Union IT Minister Ravi Shankar Prasad sent on Tuesday, the GNI said that while they recognise the importance of addressing abuse of digital tools and appreciates redressal measures around content decisions in the Rules, there are concerns that remain unaddressed or have been exacerbated. The Initiative also counts the Centre for Communications Governance at the National Law University, Delhi and Digital Empowerment Foundation among its members.
The Initiative added that the notification of the rules took many of its members by surprise given that the lack of formal response to the earlier consultation and lack of clarity on if/when the 2018 draft amendment would be notified.
We stand ready to support content regulations in India that will be effective in addressing the legitimate concerns around online harms, while respecting the human rights principles of legality, legitimacy, and necessity and proportionality that India is committed to upholding.
The GNI’s concerns include the extensive range of companies and content covered by the Rules; the lack of definitional clarity around key terms and expectations; disproportionate access to user data, including provisions that may undermine encryption; and overbroad enforcement authorities. “Each of these concerns on its own can negatively impact freedom of expression and privacy in India; together, they create significant risk of undermining digital rights and trust in India’s regulatory approach to the digital ecosystem,” the Initiative said.
Major concerns submitted to Government
- Due diligence applied uniformly across intermediaries: Due diligence requirements the uniformly applicable to a wide range of intermediaries, including ISPs, web hosts, content delivery networks, email services, and others, without accounting for differences in position, resource, and ability. Rule 6 created “unchecked, unilateral” power to MEITY to require any intermediary to follow the same requirements as a social media intermediary.
- Scope goes beyond intermediaries: Including publishers of news and online curated content under the code significantly expand the scope of the Rules beyond intermediaries, something which was not deliberated by Parliament and does not seem justifiable under the parent IT Act.
- Wide application on news publishers: The lack of definitional clarity around these categories make it appear as if Part III of the Rules could apply to domestic and international news outlets, subscription newsletters, and citizen journalists alike, regardless of their size.
- Definitional uncertainty: For instance, what is “harmful to a child”, what misleading information is present goes against the Shreya Singhal judgement which struck down of Section 66A of the IT Act.
- Issues with due diligence requirements: The onerous nature of the due diligence requirements are challenging for smaller companies and not-for-profit intermediaries. Short timelines limit companies’ ability to review government demands and user complaints appropriately. While content decisions involving urgency deserved to addressed quickly, mandating a short timeline for all content decisions can defeat the goal and “will almost certainly lead some intermediaries to adopt a ‘remove first, ask questions later’ approach”.
- Government demands: The Rules grant a “broad range” of government authorities to block content and access user data. The powers granted to the I&B Ministry to issue emergency orders is a new power that is not “warranted or justifiable” under the parent act.
- Challenges around traceability: While the traceability requirement is restricted to significant social media intermediaries (SSMIs), the Rules are not clear on what qualifies as a messaging service. Traceability requirements create risks for privacy and data protection. While limitations on use of this authority (only for serious offences, using less intrusive means) may be well-intentioned, “they do not sufficiently mitigate the disproportionate technical, human rights, and economic impacts of this requirement”. SSMIs would have to alter their services to capture and maintain all records of user communications, including location. This will increase risks of privacy infringements, data breaches, leaks, attacks, etc.
- “These considerations are underscored by concerns some have expressed about how orders are authorized and enforced under section 69 of the IT Act, given excessive secrecy and limited procedural safeguards. Under rule 4(2), orders to trace originators can not only be issued for the investigation or prosecution of serious offences, but also for prevention or detection of them.”
- Limits to anonymity can chill free speech, worsened by the fact that all SSMIs have to provide voluntary user verification, especially in the context of calls to link Aadhaar with social media.
- Enforcement: The Rules state that companies can lose their safe harbour under Section 79 of IT Act, if they fail to comply with any element of the rule. This poses “significant risk of litigation for the full range of intermediaries”, in addition to the existing penalties for non-compliance. SSMIs are required to have three different employees located in India. One of them, the Chief Compliance Officer, can be held personally liable for any company failure to meet the due diligence requirements. “This can put SSMIs in an impossible position when the law of the country where they are based prohibits a disclosure to a governmental entity in India, but complying with that prohibition subjects an on-the-ground employee to a substantial prison term,” the Initiative said.
- “These broad penalties and enforcement authorities, when taken in combination with substantial expectations for intermediaries to prohibit and aggressively police vaguely defined forms of content, engineer access to data, and fulfill onerous due diligence requirements, will pose substantial burdens on intermediaries of all sizes and across the technology stack,” GNI said.
Read GNI’s full analysis and letter to the Minister here.
- Guide: All you need to know about the new IT Rules, 2021
- 5 Bullets Dodged By OTT Streaming Services In The IT Rules 2021 Rules
- IT Rules 2021: Can The Indian Government Use Section 69 Of IT Act To Censor Digital Media?