In an attempt to “bring clarity as well as to explain the nuances of the due diligence to be followed by intermediaries,” the Ministry of Electronics and Information Technology (MeitY) on November 1 published a set of Frequently Asked Questions (FAQs) on the IT Rules 2021. But the FAQs add to the arbitrariness and confusion around the rules on many fronts.
Although these FAQs are not part of any legal document and should not be considered as part of official rules, they are the closest we have to standard operating procedures (SOPs) which the government said will be released at a later date.
What is and what isn’t a social media intermediary?
Definition of social media intermediary: The IT Rules describe a social media intermediary as:
An intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.
What’s the problem here? The problem with this definition is that it is broad enough to cover various kinds of online entities that do not necessarily function like traditional social media companies. For example payment gateways that enable chat features between merchants and consumers qualify as social media intermediaries. Other unintended targets are SaaS companies like Freshworks and Zoho, business messaging products like Slack and Microsoft Teams, and edtech platforms like Byjus. We also had reports on how certain services, iMessage for example, do not have to comply with the rules even though they function similarly to other platforms that are covered. For these reasons, multiple stakeholders sought clarification on what qualifies as social media intermediary and what doesn’t.
Clarification provided by the government: The IT Rules FAQs clarify that social media intermediaries can be determined based on the following:
- Online interaction should be primary purpose: “To qualify as a social media intermediary, enabling of online interactions should be the primary or sole purpose of the intermediary. Therefore, typically, an entity which has some other primary purpose, but only incidentally enables online interactions, may not be considered as a social media intermediary.”
- What qualifies as online interaction? The FAQs states the following ground to determine “enabling of online interaction”:
- “Facilitates socialization/social networking, including the ability of a user to increase their reach and following, within the platform via specific features like “follow”/“subscribe” etc.”
- “Ability of enabling virality of content by facilitation of sharing. Virality, in this context, means the tendency of any content to be circulated rapidly and widely from one internet user to another.”
- “Offers opportunity to interact with unknown persons or users.”
Problem with the clarification:
- What services are exempt because of this? While this clarification is useful in excluding services like payment gateways or edtech platforms because their primary purpose is not enabling online interaction, there is still a lot of uncertainty around determining whether or not a platform qualifies. For example, if Apple is an intermediary, then the company’s primary purpose is building hardware and operating systems, and iMessage and FaceTime are ancillary services. Does this exempt iMessage? Does Strava, which fits the social networking criterion described above, get an exemption because it is primarily a fitness app? Do podcast apps that allow users to subscribe/follow qualify as social media intermediaries? Can platforms like YouTube and Vimeo ask for an exception because they primarily enable video sharing and interaction such as through comments is a secondary function?
- What about interaction between known users? Why is the government specifying interaction with “unknown persons or users” as a qualifying criterion? What defines an unknown user and does the interaction between known users not qualify as “enabling online interaction?”
Why are e-mail providers and online storage companies exempted? The IT Rules FAQs further throw in a curveball by explicitly exempting certain services:
Typically, any intermediary whose primary purpose is enabling commercial or business-oriented transactions, provide access to internet or search-engine services, e-mail service or online storage service, etc. will not qualify as a social media intermediary.
This adds to the arbitrariness of the rules because it does not explain why e-mail services like Gmail should be exempt when messaging platforms like WhatsApp are not. Don’t both kinds of services enable “online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.” Also, doesn’t this exemption allow online storage services like Google Drive and DropBox to become a place for sharing unlawful content such as rape content, revenge porn, or fake news? Furthermore, is WhatsApp Business which is primarily used for enabling commercial or business-oriented transactions exempt? And if so, can this be used as a loophole for criminals who can WhatsApp Business and avoid falling under the traceability mandate? Is Microsoft Teams exempt but not Skype because of the former’s focus on primarily enabling “business-oriented transactions?”
An earlier leaked version of the IT Rules indeed exempted intermediaries that enabled “commercial or business oriented transactions” from being categorised as social media intermediaries, but this was removed from the final rules for whatever reason. What prompted the government to reintroduce this concept through the FAQs? Earlier, we were at least clear that the rules are broad enough to include all kinds of entities, now we aren’t even sure about that because of the arbitrariness of how the government is applying these rules.
Can the nodal contact person and grievance officer be the same?
The IT Rules mandate significant social media intermediaries to appoint a Chief Compliance Officer responsible for ensuring compliance with the IT Act 2000, a nodal contact person for 24×7 coordination with law enforcement agencies, and a Resident Grievance Officer.
The Rules make clear that the Chief Compliance Officer and nodal contact person cannot be the same person, but it does not say anything with regards to the nodal contact person and Resident Grievance Officer being the same person. This has prompted some intermediaries to appoint the same person to both rules.
The IT Rules FAQs state that “the roles of the nodal contact person and the Resident Grievance Officer may be performed by the same person” but also adds that “the Government, through this rule, expects the intermediary to provide separate contact details for grievances submitted by users and the requests/orders made by the Government or authorized Government agencies, since the nature of requests might vary in view of different compliance timelines.” So which one is it — yes or no to having the same person for both roles?
Notifying users of content takedowns
The IT Rules require significant social media intermediaries to notify the user whose information is taken down or made inaccessible by the intermediary. This applies in scenarios where the content is removed or disabled by an SSMI “on its own accord,” but there was no clarity on what this means.
The IT Rules FAQs clarify that the term “on its own accord” implies, where SSMI:
i. “uses automated tools/filters or some national or international agency/ specialised organisation has identified child sexual abuse materials (CSAM) and related materials”
ii. “concludes that the content falls under the prohibited category as defined under any law for the time being in force”
iii. “is of the opinion that the content is blatantly illegal and notifying might harm the complainant in any way”
iv. “removes the content as advised by its Resident Grievance Officer in accordance with its grievance redressal mechanism.”
But the FAQs add some confusion here as well because it specifies that intermediaries only “need to notify the user in such cases falling under the categories (ii) and (iv) as mentioned above.” Does this mean if a platform removes some content for violating the platform’s policies it does not have to notify users?
Additionally, the FAQs appear to mention certain exceptions to the notifying rule: “There might be situations, e.g., in case of a bot activity or malware, terrorism related content, spam, etc., where the intermediary may not find it prudent to inform the user prior to taking down their content.” But there is again a lack of clarity here because the government does not clearly state the circumstances in which an intermediary can take down content without informing the user.
- Summary: IT Rules Clarifications From The Government And Some Comments From Us
- What Does The Indian Government’s FAQs On IT Rules 2021 Fail To Answer?
- Government press release on FAQs
- Guide: All You Need To Know About The New IT Rules, 2021
- Summary: Information Technology Rules 2021, And Intermediaries And Social Media Platforms
- Summary: Information Technology Rules 2021 And Digital News Publishing
- Summary: Information Technology Rules 2021 And OTT Streaming Services
Have something to add? Post your comment and gift someone a MediaNama subscription.