by Sanad Arora
The enactment of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 replaces the old rules and brings in major reforms to the treatment of ‘intermediary liability’ under the Information Technology Act, 2000 (IT Act). The disapproval shown by the actors who are affected by the new rules has made it a subject of media hype and public discourse. These rules have also been challenged before three separate High Courts in our country. Considering the furore around these rules, this article attempts to decipher them and provide a critical evaluation for the same. This article is divided into three parts, the first part concerns itself with explaining the background of ‘intermediary liability’ in India via case law; the second part provides for critical analysis of the Intermediary Guidelines, for the sake of brevity this is restricted to the provisions which are prima facie in conflict with settled law; and the third part consists of the conclusion.
Background of ‘Intermediary Liability’
The question around ‘intermediary liability’ in India emanates from the case of Avinash Bajaj v State. The case revolved around the posting of obscene content on the website ‘www.bazee.com’ by Ravi Raj, who was a student of IIT Kharagpur. It was in the FIR of another case involving Sharat Babu Durgamati and Avinash Bajaj that the Supreme Court (SC) propounded the law on intermediary liability. In the present case, Sharat was discharged under Section 67 of the IT Act, but was still being proceeded against under Section 292 of the Indian Penal Code 1860 (IPC). The SC in the present case placed reliance on the judgment in Shreya Singhal and held that Section 79 of the IT Act, must apply ipso facto and ipso jure to electronic forms of publication and transmission by intermediaries, since it explicitly uses the non-obstante clauses and has an overriding effect on any other law in force. Section 292 of the IPC dealt with the sale of obscene material in the form of books, but the case at hand dealt with obscene material in electronic form and has a nexus with the electronic record, which is why the protection and the effect of Section 79 cannot be negated. Moreover, the Court also reaffirmed the settled principle that a special law will always prevail over the general law. On reading Section 79 and Section 81 of the IT Act together, it can be inferred that the IT Act would have an overriding effect over a criminal act (the IPC) that falls within its ambit. Once the proceedings under the special act have been set aside, the offender also gets out of the net of Section 292 IPC because of the exemption granted to the intermediary under Section 79 and no proceedings would lie against such an accused.
It would be pertinent to note that the above ruling is concerning the unamended Section 79, since the offence was committed in 2004 and the amendment came into effect in 2009. It is the Delhi High Court’s judgment in Myspace Inc. v Super Cassettes Industries Ltd. which pertains to the application of the amended Section 79, that can be regarded as the first authoritative judgment on ‘intermediary liability’. The case was about copyright infringement, wherein Super Cassettes alleged infringement of their copyright when a song was uploaded on Myspace’s website.
The Court in the present case emphasised that actual and specific knowledge was being provided to the intermediary, however in such cases reception of ‘knowledge’ by the intermediary via a court order is not necessary and can also be provided through other means. It was further propounded by the Court that unlike ‘real space’, it is impossible to identify infringing content out of the millions of uploaded videos in the ‘virtual world’ and requires ‘actual or specific’ knowledge being provided to the ‘intermediary’; the Court thus made it mandatory for the complainant to provide knowledge of the ‘actual content which is being infringed’ to the ‘intermediary’ in URL form.
In the case of Kent Ro Systems Ltd. & Anr. v Amit Kotak & Ors., the petitioner made eBay a party to a copyright infringement suit because it had advertised, offered to sell, and sold the product that allegedly infringed the petitioner’s copyright. The Court held in favour of eBay and propounded that the intermediary can’t be tied down with the obligation of verifying before posting any content on its website whether such content is violating any person’s intellectual property rights or not; if such an obligation were bestowed to an intermediary, then it would be transformed into a body which has to determine whether there is any infringement of intellectual property rights or not and the IT Act does not contemplate any such responsibility upon the intermediary.
In Christian Louboutin v. Nakul Bajaj and Ors., the Court differentiated between ‘an active participant’ and an ‘intermediary’. It was alleged by the petitioner that the respondent had engaged in trademark infringement by selling counterfeit products on websites under the petitioner’s name. However, since the respondent hadn’t sold any products of the petitioner on its website yet, the Court did not hold the respondent liable. The respondent tried to claim exemption from liability under Section 79, but the Court did not grant the respondent any exemption and held that the respondent was not an ‘intermediary’ but an ‘active participant’. The Court explained that the respondent’s role was more than that of an ‘intermediary’ since it was involved in identifying the sellers, enabling the sellers actively, promoting them, and selling the products in India. The Court also placed reliance on the judgment of Google Inc. v. Louis Vuitton Malletier SA & Ors. and culled out certain principles highlighting the characteristics of an ‘intermediary’: “The intermediary gets the benefit of the exemption for being a ‘mere conduit’ and for ‘caching’, when it is not involved in the information which is transmitted/translated. In order to constitute a mere conduit, the service provider should not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission. g. The storage of the information has to be automatic, intermediate and transient.” The Court held that, “So long as they are mere conduits or passive transmitters of the records or of the information, they continue to be intermediaries, but merely calling themselves as intermediaries does not qualify all ecommerce platforms or online market places as one.”
The issue of ‘intermediary liability’, resurfaced in the latest case of Google Pvt. Ltd. v Vishakha Industries , where Google wanted protection under Section 79 of the IT Act. However, it was only after the amendment in 2009 when Section 79 became an umbrella provision and granted protection to the intermediary against offences committed under any statute. Before the amendment, the protection was restricted to just the penal provisions of the IT Act. The SC while relying on the Shreya Singhal judgment opined that even though there was no ‘actual knowledge’ of the unlawful act committed by Google, it did not receive any notice from a court or a government authority. Google could not claim an exemption under Section 79 of the IT Act because the defamation case was made before the amendment, and the amended section cannot have a retrospective effect.
The law concerning ‘intermediary liability’ is still at a nascent stage, but it can be observed from the aforementioned judicial pronouncements that the courts have adopted a very pragmatic and balanced approach, instead of adopting a hostile attitude towards intermediaries when it comes to their responsibilities. From upholding the law of ‘actual knowledge’ as provided in Shreya Singhal to not pressing excessive obligations on intermediaries for carrying out over-the-top due diligence in My Space and Kent Ro, the courts have carefully considered the nature of these entities before passing their judicial pronouncements. However, the Indian intermediary liability framework before the enactment of the new laws had provided blanket exemptions to the intermediaries which are too moderate of an approach. With the internet becoming more accessible across the country, a revaluation of the liability standards is needed, which is why amending the Intermediary Guidelines is a requirement. Whether they have been up to the task or not, is discussed in the next part.
Analysis of Intermediary Guidelines
Issues with Rule 3 of the Intermediary Guidelines, 2021
On 26th July 2018, the Law Minister of India, Ravi Shankar Prasad voiced his intent in the Rajya Sabha, to revise the IT Act and to increase the policing of social media entities via strengthening the implementation aspects of Section 79, because of the misuse of social media which had resulted in increased violence and lynching. On a thorough read, the Intermediary Guidelines, 2021 show promise to increase regulatory oversight practiced by the entities regulated by it, but whether that promise translates to these entities becoming more accountable for the content which they host or not, is up for debate.
In the Shreya Singhal judgment, rule 3(4) of the Intermediary Guidelines, 2011 was read and restricted to just the provisions of Article 19(2) of the Constitution of India, 1949. Rule 3(1)(d) of the Intermediary Guidelines 2021 is pari materia to rule 3(4) of the 2011 guidelines which means that any court order or notification issued by a Government Authority cannot go beyond the limits of Article 19(2) to mandate an intermediary to not host, publish or store unlawful information. However, rule 3 of the guidelines mentions vague categories such as, ‘harm to child’ and ‘insulting or harassing on the basis of gender’ which can be used as grounds for issuing a notification or court order for imposing restrictions on the intermediary as contemplated under rule 3(1)(d) of the 2021 guidelines. The SC in Shreya Singhal also opined that for a restriction on speech to be reasonable, it must be narrowly tailored to restrict only what is necessary. The aforesaid grounds for imposing restrictions on intermediaries are neither defined nor narrowly tailored and so, clearly contravene the law propounded in the Shreya Singhal judgment. One of the grounds under rule 3(1)(d) of the 2021 guidelines is ‘intentionally communicates any information which is patently false or misleading in nature but may reasonably be perceived as a fact’. The first part ‘intentionally communicates any information which is patently false’ is clearly worded where it asks users of the intermediary to not post any manifestly false information, but the second part ‘misleading in nature but may reasonably be perceived as a fact’ is essentially placing an obligation on the user to not host or display any information which would fall under the category of ‘misleading fact’. To determine whether a fact is misleading or not is based on subjective/value judgment and such a provision is vague in nature and certainly doesn’t fall within the eight subjects as provided in Article 19(2). The Apex Court in Shreya Singhal distinguished between the forms of speech which are discussion, advocacy, and incitement and Article 19(2) would only be applicable when the impugned form of speech reaches the level of incitement. Thus, it can be inferred that other forms of speech even if they are distasteful, are liable to receive protection under the Constitution. Bearing in mind the loosely worded and vague provisions in rule 3 of the Intermediary Guidelines 2021, it can be deduced that the Parliament instead of legislating rules which might ensure fair intermediary accountability are envisaging provisions to increase censorship of content which iscertainly should not be the aim of these guidelines.
Issues with Rule 4(2) of the Intermediary Guidelines, 2021
Part II of the Intermediary Guidelines 2021 also makes a distinction between social media intermediaries (SMI) and significant social media intermediaries (SSMI) based on the number of registered users. If an SMI has more than 50 lakh registered users it would be treated as an SSMI, as per sections 2(v) and 2(w) of the guidelines. Since SSMIs have a greater number of registered users, they would also have to follow a higher standard of restrictions and scrutiny under rule 4 of Part II of the guidelines. Under rule(4)(2), an SSMI has to enable the identification of the first originator of the message in pursuance of a court order or an order passed under Section 69 by a competent authority as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009 or ‘decryption rules’. It would also be imperative to note that several safeguards concerning the decryption of information are provided under rule 3 of the decryption rules and it is also stated as a proviso under rule 4(2) of the Intermediary Guidelines, 2021 that such a step should only be taken under exceptional and unavoidable circumstances. However, it doesn’t mean that rule 4(2) is without flaw. The SC recognized the right to privacy as a fundamental right guaranteed under Article 21 of the Constitution in K.S. Puttaswamy v. Union of India (Puttaswamy I), and laid down a three-pronged test which had to be satisfied in its entirety, if the State had to take any action that infringed upon the right to privacy of its citizens: (i) there must be a valid law justifying the encroachment on privacy; (ii) the law must be reasonable and “guarantee against arbitrary State action”; and (iii) the means adopted by Parliament must be proportional to the object and needs of the law.
At first blush, it can be inferred that rule 4(2) of the Intermediary Guidelines, 2021 violates the test of proportionality because it essentially requires SSMIs which have a messaging feature available to completely do away with the encryption on their messaging services. Facebook in its challenge to rule 4(2) has also averred in its petition that for intermediaries to comply with rule 4(2) of the Intermediary Guidelines, 2021 they would have to create a mechanism that permits such identification for any such communication in response to a government direction. This mechanism would permit the identification of such communications sent by any user in India, including the vast majority who use this messaging feature lawfully. In the 2019 judgment of Indian Hotels & Ass’n (AHAR) v. State of Maharashtra Restaurant, the SC held that the surveillance of even public behaviour in public places constitutes an unlawful invasion of privacy, in violation of Puttaswamy I. If by the standards set in Puttaswamy I, surveillance of public behaviour is prohibited, then stemming from the above argument, enabling the government to surveil all the users of intermediaries who offer messaging services, is a much graver infringement of their right to privacy, since messaging is an inherently private means of communication. Furthermore, the form of surveillance as contemplated under rule 4(2) extends to any communication undertaken by the individual, irrespective of the time or place. Rule 4(2) also does not impose a time limit on the data which has to be stored by the intermediaries, which essentially means that the Government can direct the intermediary to trace the first originator of the message even years after it has been sent. The decryption rules read with the Intermediary Guidelines 202 reveal that such surveillance can be ordered by the head or the second senior-most of the security and law enforcement agency officer working at the Central Level. On a cumulative reading of the relevant provisions, it can be concluded that Central Government would have the authority to mandate the intermediaries to furnish the identity details of the first originator of any text. Such powers seem highly disproportionate, since the privacy of every lawful user of encrypted messaging services would all have to compromise, just so that the government can identify potential criminals.
The SC in Puttaswamy II held that there should be strict observance of the principles of ‘data minimisation’ and in paragraph 787 of its judgment observed that the statutes in contention were unconstitutional and violative of the principle of ‘data minimisation’. The ‘data Minimisation’ principle dictates that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfill that purpose. Concerning rule 4(2), for the intermediary to identify the first originator of the message, it would have to keep a record of all the information ranging from: (i) who all exchanged a message, and (ii) the exact message or certain details which uniquely describe a message so that the information in question may be matched against it. This will be required for every message exchanged over the service provider’s platform to enable tracing the first originator of any message. All this data would have to be collected by the intermediaries to comply with the directions under rule 4(2) of the Intermediary Guidelines, 2021. Whereas earlier, they were clearly not keeping track of such data because it was in no way necessary to provide their service, thus clearly undermining the principle of ‘data minimisation’.
Lastly, rule 4(2) also stands ultra vires of the IT Act and hence should be stuck down. The SC in a plethora of judgments has held that delegated legislation ceases to become valid if it is ultra vires the parent statute. The Intermediary Rules, 2021 are framed under section 87 subsection 1, and clauses (z) and (zg) of sub-section (2) of section 87 of the Information Technology Act, 2000. On reading these provisions together, it can be inferred that the Government has prescribed the Intermediary Guidelines 2021 under sections 87, 69A and Section 79 of the IT Act. Section 69A is concerned with the authority of the government to issue orders to block online content. Section 79 is the ‘safe harbour’ provision which grants exemption to intermediaries from any liability arising out of hosting third-party content on their platforms and the ‘due diligence’ which has to be undertaken by them as advised by the Central Government. Nowhere are these two provisions enabling the Central Government to make rules concerning mandating the intermediaries which offer end-to-end encrypted messaging services or any kind of messaging services for that matter, to identify the first originator in India. As noted earlier, it is settled law that the conferment of rule-making power by an Act does not enable the rule-making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent therewith or repugnant thereto. From an analysis of the provisions under which the Intermediary Guidelines, 2021 are framed, it can be determined that rule 4(2) is ultra vires Section 69A and Section 79.
Issues with Part III of the Intermediary Guidelines, 2021
The Intermediary Guidelines 2021 has increased the scope of actors to whom the rules apply. The Intermediary Guidelines, 2011 only sought to regulate intermediaries as defined in Section 2 subsection 1 clause of the IT Act, 2000, whereas the Intermediary Guidelines, 2021 via rule 8 in Part III bring within its ambit (a) publishers of news and current affairs content; and (b) publishers of online curated content, who shall be administered by the Ministry of Information and Broadcasting, Government of India. The proviso under rule 8 also makes rules 15 and 16 of the 2021 guidelines applicable to intermediaries. The issue with rules 8 and 9 is very similar to that of rule 4(2) as both of them were made in excess of the provisions of sections 69A and 79 of the IT Act and hence is ultra vires of the parent act. Moreover, the SC in Shreya Singhalalso observed that section 69A which deals with the blocking of content only deals with ‘Government agencies’ and ‘Intermediaries’ and secondly, any necessity arising to block any content is only restricted to the subjects set out in Article 19(2). It is important to address that neither section 69A nor section 79 under which the Intermediary Guidelines, 2021 have been prescribed, are concerned with ‘publishers of news’ and ‘publishers of online curated content’ and these two entities have only been defined in the Intermediary Rules, 2021. Both sections 69A and 79 refer to intermediaries which are distinct from ‘publishers of news’ and ‘publishers of online curated content’ as can be analysed from their definitions provided in the IT Act, 2000 and the Intermediary Guidelines, 2021. Thus, it can be argued that Part III of the Intermediary Guidelines, 2021 has been enacted over the IT Act, 2000 and by extension ‘travel’s beyond’ and is ultra vires of its parent legislation and is liable to be struck down.
In light of the above discussion, it would be crucial to mention the stay order granted by the Bombay High Court in the case of Agij Promotion of Nineteenonea Media Pvt. Ltd. & Ors. v. Union of India . While granting the said stay order concerning rules 9 and 14(5) of the Intermediary Guidelines, 2021 it was observed by the Court that Central Government was imposing restrictions that were beyond sections 69A and 79. The Court went on to state that rule 9 of the guidelines suffers from two legal infirmities – The first being that Section 87 of the IT Act does not confer any such power upon the Government to make provisions like rule 9. Secondly, the ‘Code of Ethics’ under rule 9 makes it mandatory for the entities under rule 8 to adhere to the norms of Journalistic Conduct of the Press Council of India under the PC Act and Programme Code under Section 5 of the Cable Television Networks (Regulation) Act, 1995. According to the Court, “It is prima facie difficult to comprehend as to how such fields which stand occupied by independent legislations can be brought within the purview of the impugned rules and substantive action can be taken for their violation under the impugned rules.” The Court further went on state that, “The Norms of Journalistic Conduct are the guidelines framed by the PCI laying down the standards of conduct which each journalist/editor/publisher ought to strive to maintain in the discharge of his/her duties as a member of the Press. The sanction behind the code, as is evident, is moral and not statutory.” The Court also stayed the application of rule 14(5) which penalised the entities under rule 8 for violation of the ‘Code of Ethics’ under rule 9.
From a bare-bones analysis of the Intermediary Guidelines 2021, it can be understood that the Central Government has misconceived the issue of ‘intermediary liability’ and instead of making provisions that ensure content regulation and accountability on the part of intermediaries with regard to what is hosted on their platforms, the Central Government has enacted provisions which are more focused towards the curtailment of free speech. For example, in the Shreya Singhal the Supreme Court held that ‘actual knowledge’ under Section 79 would only be said to be received by an intermediary via a Court order or Government notification. By doing so, it shifted to the burden of compliance to the users of that intermediary instead of the intermediary. The Central Government was provided with an excellent opportunity via the Intermediary Guidelines, 2021 to shift that burden back to the intermediaries. For example, by diluting the requirement of ‘actual knowledge’ as observed in Shreya Singhal and prescribing a more user-friendly and cost-efficient mode for delivering the intermediary with ‘actual knowledge’, such as a mandatory grievance redressal portal to be set up by all intermediaries and imposition of a statutory time limit on answering such grievances, but it failed to do so. As earlier noted in Part II of this article, the Hon’ble Law Minister of India had an issue with the increased use of social media to incite violence. To remedy that instead of doing away with all encryption on private messaging, the Government could have directed the intermediaries to substantially increase the number of moderators they hired and remove any content which violated the standards set under rule 3 of the Intermediary Guidelines, 2021, followed by penal consequences if they fail to adhere to it. As a safeguard, the Government could have also added the requirement of providing sufficient reason when such content is removed by a moderator so that entities whose content was removed had the option of assailing such action through a writ petition under Article 226 of the Constitution. Since most of these incidents of lynching and mass violence happen through a cooperative effort on the part of the perpetrators, a necessary prerequisite is the formulation of herd-mentality which is enabled by mass communication platforms. WhatsApp now enables a chat group of 256 people and also facilitates mass communication. Maybe the Government could have opted for the ‘selective removal’ of encryption on chat groups involving more than a certain number of people as it may deem fit, to monitor such mass communication. The argument concerning ‘intermediary liability’ is not that these intermediaries should be let go of scot-free in case they fail to do their part to regulate online speech/content. It is important to emphasise that even in Silicon Valley, intermediaries have been accused of not taking sufficient steps with respect to monitoring the content which they host on their platforms, primarily because proactive monitoring of content also leads to an increase in costs which they do not want to undertake. Intermediary regulation has become necessary considering the influence that these entities exercise in today’s world. Intermediaries should face trial if they are found to be negligent in fulfilling their legal obligations. The most important aspect is that such regulation should not come at the expense of the privacy of citizens and the creation of a ‘chilling effect’ on lawful speech and therefore, less restrictive measures must be adopted.
 The Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines”) (2011)
 ‘How (Not) to Regulate the Internet: Lessons From the Indian Subcontinent’, Lawfare, 23 September 2021, https://www.lawfareblog.com/how-not-regulate-internet-lessons-indian-subcontinent.
 2008 (150) DLT 769.
 My Space Inc. vs Super Cassettes Industries Ltd., [236 (2017) DLT 478]
 [2017 (69) PTC 551 (Del)]
 Christian Louboutin SAS v. Nakul Bajaj & Ors, [2018(76) PTC 508(Del)]
 (C-236/08),  R.P.C. 19.
 Supra Note 6.
 Supra Note 7.
 Nikhil Pahwa, ‘Govt of India Says Law of Abetment Applies to Social Media Platforms If They Do Not Act on Large Scale Misuse’, MediaNama (blog), 27 July 2018, https://www.medianama.com/2018/07/223-govt-law-abetment-social-media-fake-news/.
 The Constitution of India, 1949.
 (2017) 10 SCC 1.
 Facebook INC v Union of India , accessed 19 January 2022, https://www.forbesindia.com/media/supplement_pdf/Facebook_Petition.pdf
 (2019) 3 SCC 429.
 ‘D | European Data Protection Supervisor’, accessed 19 January 2022, https://edps.europa.eu/data-protection/data-protection/glossary/d_en.
 ‘The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021’, PRS Legislative Research, accessed 18 January 2022, https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021.
 Kerala State Electricity Board v. Indian Aluminium Co., AIR 1976 SC 1031, Maharashtra State Board of Secondary and Higher Secondary Education v. Panitosh Bhupesh Kumar Seth, AIR 1984 SC 1543, Baleshwar Pd. Srivastava v. Smt. Sita Devi AIR 1976 All 338, Dwarkanath v. Municipal Corp. AIR 1971 SC 1844, Kunj Behari Lal Butail v. State of H.P., (2000) 3 SCC 40, ADM (Rev.) Delhi Admn v. Sri Ram (2000) 5 SCC 451.
 Kunj Behari Lal Butail v. State of H.P., (2000) 3 SCC 40.
 The Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines, 2011”).
 Writ Petition (L.) NO.14172 of 2021.
 Abhay Shukla, ‘Lynchings in India: A Doctor Explains the Pathology of Normalising Extreme Violence’, Text, Scroll.in (https://scroll.in), accessed 21 January 2022, https://doi.org/10/lynchings-in-india-and-the-pathology-of-normalising-extreme-violence.
 See, Prashant Reddy, ‘Back To The Drawing Board: What Should Be The New Direction Of the Intermediary Liability Law? SSRN’, accessed 21 January 2022, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3675784.