Introduction
In 2024, one thing that can be said with certainty is that people cannot live without the internet.
The Internet has become an indispensable part of one’s life, from staying connected with people we are close to on social media sites to ordering clothes, furniture, electronics, etc. online. Today the virtual world is where a number of activities take place through different mediums. It is crucial to know the rights, responsibilities, and duties of these mediums. These mediums are known as intermediaries. An intermediary, in layman’s terms, is a person or an organization that helps two people or groups reach an agreement by being a means of communication between them. It follows that applications like Facebook, Instagram, Amazon, Flipkart, etc. are intermediaries.
Intermediaries are widely recognized as essential moving parts in the wheel of exercising the right to freedom of expression on the Internet.
As per Section 2(w) of the Information Technology Act, an intermediary is defined, with respect to any particular electronic record, as any person who on behalf of another person receives, stores or transmits that record. Most major jurisdictions around the world have introduced legislation for limiting intermediary liability to ensure that this wheel does not stop spinning. With the 2008 amendment of the Information Technology Act 2000, India joined the bandwagon and established a ‘notice and takedown’ regime for limiting intermediary liability. On the 11th of April 2011, the Government of India notified the ‘Information Technology (Intermediaries Guidelines) Rules 2011’ that prescribe, amongst other things, guidelines for administration of takedowns by intermediaries.
Section 79 of the Information Technology Act, 2000
Under Section 79 of the Information Technology Act, 2000, a network service provider (referred to as an intermediary) is not held responsible for any third-party information or data that they provide. This immunity applies as long as the intermediary can prove that the offense or violation occurred without their knowledge or that they took all necessary precautions to prevent such an offense.
In this context:
- A “network service provider” is any intermediary facilitating the service.
- “Third-party information” refers to any data handled by the intermediary while providing this service.
However, this protection is revoked if the intermediary has actively participated in or encouraged the illegal act—whether through conspiracy, assistance, threats, promises, or other means.
Section 79 of the Information Technology Act, 2000, also introduced the “notice and take down” provision, similar to practices in many other countries. According to this, an intermediary loses its immunity if, after receiving actual knowledge or notification that certain information, data, or communication linked to a computer resource it controls is being used for illegal activities, it fails to promptly remove or disable access to that material.
On the flip side, the section also suggests that internet service providers (ISPs), who act as intermediaries, can avoid liability if they can prove they were unaware of the offence and exercised due diligence. However, the act does not clearly state who would be held accountable in such cases, which could create legal challenges when dealing with offences related to third-party information or data.
Due Diligence Requirements for Intermediaries Under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2011
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2011, outlined specific due diligence requirements that intermediaries must adhere to in India. These rules aimed to balance the protection of free speech with the need to prevent the misuse of online platforms for harmful purposes.
Key Due Diligence Requirements:
1. Publish Rules, Regulations, Privacy Policy, and User Agreement:
- Intermediaries must make these documents easily accessible to users on their platforms.
- They should be written in clear and understandable language, informing users about their rights and responsibilities.
2. Take Down or Disable Access to Harmful Content:
- Upon receiving notice or becoming aware of harmful content, intermediaries must promptly remove or disable access to it.
- This includes content that is illegal, harmful, or violates the platform’s terms of service.
3. Preserve Information for Investigation:
- Intermediaries must retain relevant information for a specified period to assist in investigations by law enforcement agencies.
- This can include user data, logs, and other relevant records.
4. Secure Computer Resources:
- Intermediaries must implement robust security measures to protect their systems and user data from unauthorized access or breaches.
- This includes measures like encryption, firewalls, and regular security audits.
5. Report Cyber Security Incidents:
- Intermediaries must report cyber security incidents to the Indian Computer Emergency Response Team (CERT-In) and take appropriate steps to mitigate the impact.
6. Cooperate with Law Enforcement:
- Intermediaries must cooperate with law enforcement agencies in investigations related to unlawful activities.
- This may involve providing information, assisting with investigations, or complying with court orders.
7. Appoint a Grievance Officer:
- Significant social media intermediaries must appoint a grievance officer in India to handle complaints from users.
- The grievance officer must respond to complaints within a specified timeframe and take appropriate action.
8. Implement a Voluntary Code of Conduct:
- Significant social media intermediaries may develop a voluntary code of conduct for user-generated content.
- This code can provide guidelines for users and may include measures to promote responsible online behavior.
9. Proactively Identify and Remove Harmful Content:
- Significant social media intermediaries must make reasonable efforts to proactively identify and remove harmful content, such as content depicting child sexual abuse or rape.
- They may use technology-based measures or other mechanisms to achieve this.
10. Display Notices Regarding Removed Content:
- When content is removed or disabled, intermediaries must display a notice to users attempting to access it, informing them of the removal and the reason.
Additional Considerations for Significant Social Media Intermediaries:
- Data Localization: In certain cases, significant social media intermediaries may be required to store user data within India.
- Fact-Checking: Intermediaries may be encouraged to partner with fact-checking organizations to combat the spread of misinformation.
- Content Moderation Practices: Intermediaries should have clear content moderation policies and practices in place to ensure a safe and respectful online environment.
Intermediary Guidelines, 2011 and the Shreya Singhal Judgement
In the landmark judgment of Shreya Singhal v Union of India, the Supreme Court also discussed intermediary liability: “Section 79 is valid subject to Section 79(3)(b) being read down to mean that an intermediary upon receiving actual knowledge from a court order or on being notified by the appropriate government or its agency that unlawful acts relatable to Article 19(2) are going to be committed then fails to expeditiously remove or disable access to such material…. Similarly, the Information Technology “Intermediary Guidelines” Rules, 2011 are valid subject to Rule 3 sub-rule (4) being read down in the same manner as indicated in the judgment.”
Intermediaries Guidelines 2021
The Intermediaries Guidelines 2011 were superseded by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”). The new guidelines, inter alia, introduced a classification of intermediaries into social media intermediaries and significant social media intermediaries, based on the number of users served by the intermediary. A significant social media intermediary, which has a higher threshold of registered users (50,00,000 (fifty lakh) as per a recent notification), has certain additional obligations. Unlike the Intermediary Guidelines, 2011, these guidelines also regulate OTT channels and providers of news and current affairs on the internet under a different chapter.
According to Rule 3, intermediaries are required to observe due diligence, such as prominently publishing on their website or application, or both, the rules and regulations, privacy policy, etc. They have to inform users beforehand about prohibited content. Further, upon receiving actual knowledge in the form of an order by a court of competent jurisdiction, or on being notified by the appropriate Government or its agency, the intermediary shall not host, store or publish any such prohibited information. In case any such information is hosted, stored or published, the intermediary shall disable access to that information within 36 hours from the time of being notified. It shall also preserve such information and associated records for 180 days for investigation purposes, or for a longer period as may be required by Government agencies or by the court. Intermediaries are also required to furnish information concerning verification of identity, or prevention, detection, investigation, or prosecution, of offences under any law or for cyber security incidents to the Indian Computer Emergency Response Team within 72 hours of the receipt of a lawful order. The intermediary shall also publish the name of the Grievance Officer and his/her contact details, as well as the mechanism for complaint. The Grievance Officer shall acknowledge the complaint within 24 hours and resolve it within 15 days from the date of its receipt. Intermediaries are also required to remove or disable access to any content which exposes the private area of any person, or shows nudity or a sexual act or conduct, including artificially morphed images, within twenty-four hours from the receipt of a complaint.
A ‘significant social media intermediary’ has to observe certain additional due diligence, such as appointing an Indian resident as Chief Compliance Officer, a nodal contact person for 24×7 coordination with law enforcement agencies and officers, and a Resident Grievance Officer, and publishing a monthly compliance report.
Conclusion
It is only logical that intermediaries cannot be made responsible for what third parties post on their platforms, but to absolve them entirely from third-party liability would not be advisable in this hyperconnected world where companies like Facebook and Twitter are universes in themselves. The Cambridge Analytica scandal showed the potential of these platforms. Facebook, which remains the first and often the only source of information for many people, could influence the world in manners no one can, and could affect public order, markets, and entire democracies, on a very large scale. The point is to strike a balance between the two opposite ends of the spectrum. The bottom line is to provide freedom to intermediaries to operate smoothly but have enough checks and compliances to prevent them from becoming uninhibited, archaic tech nations. The Intermediary Guidelines, so far as the social media intermediaries are concerned (which cannot be said about the regulation of digital media and OTT platforms), have arguably struck the balance between the security of the State and privacy of the citizens.