Intermediary Liability under Information Technology Act, 2000

Introduction-

This age of technology has brought the ease and comfort same as the threat to personal and social life of a person and for the society as whole proving the saying that ‘science is a blessing and curse.’ we use various online platforms for our daily jobs from households to office or education where we do connect with another person or group of person and share and transfer the information with each other. This transfer of information done on the platform is called the intermediaries, meaning literally someone who act to arrange meeting of two person or group with each other, but in the IT law intermediary is ‘that online platform or service provider which transmits the information from a user to another user,’ which means that all that online websites or apps or the hosting services such as WhatsApp, facebook, twitteror shopping apps like Myntra Flipkartor game apps or any other website or platform online are intermediaries andthe law governing the behavior and actions ofintermediaries is “Information Technology Act 2000[1]”

What is an intermediary-

Intermediary is defined in the section 2(1)(w) of the IT Act 2000 as-

―intermediary‖, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes

With the definition given above we do proliferate that intermediaries as a term under this law is a broad one and scopes towards the online as well offline service providers, simply meaning the persons alongside the person who acts certain criterion for intermediaries will be treated with same manner as the online platforms.

The essential element needed for recognition as an intermediary is that-

• There must be a person(judicial)
• It is its work to receive; store or transmit the information it has gathered from its user.
• The information received, stored or transmitted must be on behalf of the user meaning the record or information must be unhindered or untouched and the end user receives the information same as the first user has sent for him.

Along with these the intermediaries also include telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes

Object of Regulation of Intermediaries-

The main objective for regulating the intermediaries is to set up their liabilities in case of any unlawful activity on their platform, for example platforms like twitter or Facebook which are kind of social media websites providing opportunities to the user to share their opinion and information, must be made clear of their liability and boundaries as to what content they should allow on their apps or services and what are obligation they should maintain, and this is what our law  provides under section 79 of IT Act 2000. The concept of safe harbors is presented in this section which aims to coat the intermediaries with the immunities and give them certain condition to fulfill so that the immunity may be retained.

The question is why we are talking of immunities and from what? To answer the first one the immunities is the most important reason why the social media, or online platforms are capable of serving their objective because if the platforms will be held liable for anything( such as a user on the facebook posts something on it which against law or on twitter someone says anything against the nation ultimately leading to the illegality) happening on it, they shall be very much limited because then they have to scrutinize all and every data, record and information which will cause them more trouble to do .

So that’s why the parliament has come up with two laws 1^st being the section 79 of IT Act another being the Information Technology Rules 2021 to beat up any such ambiguity as to whose liability falls for any offence.

Who is can be considered intermediary-

The intermediary is aperson or service provider online who does three things on behalf of their user –

• Transmits
• Stores
• Transfer; the record or the information.

So, anyone doing above three things is an intermediary.

Kind of Intermediary

The intermediary can be classifies sourced from

• IT Act 2021
• IT Rules 2021

There are following kinds of intermediary under the section 2(1)(w)

• Telecom Service Providers (TSPs)
• Network Service Providers (NSPs)
• Internet Service Providers (ISPs)
• Web-hosting Service Providers
• Search Engines
• Online-auction Sites
• Online Payment Sites
• Online Marketplaces (e-commerce sites)
• Cyber Cafe

Now the classification based on the IT Rules 2000 is-

• Social Media Intermediary (SMI)-Platform providing for online interaction between users for creating, sharing, and accessing content (e.g., small social networks).
• Significant Social Media Intermediary (SSMI)- These are the social media intermediary with over fifty lakh users, requiring a Chief Compliance Officer, Nodal Officer, and special due diligence rules
• Online Gaming Intermediary (OGI)-Platform enabling user access to online games. Must comply with new rules and online gaming self-regulatory bodies.

(Note; the above classification based on the IT rules is no true classification but a categorization of those intermediaries which lingeredas social media to which this law applies.0

Liability of the Intermediaries-

The liability of intermediaries is given out in the section 79 of the act where 2 subclauses, sub clause 2 and subclause 3, categorizesthe condition where in the liability of intermediaries is held. Subclause 1 simply declares that an intermediary is generally not responsible for illegal content posted by its users. This means that a platform like a social media site, search engine, or e-commerce marketplace gets legal protection and are shielded from liability for the actions, information, or data created and shared by a third party, the user.

This protection isn’t absolute, though. The intermediary can only demand for this immunity if it operates as a neutral host and strictly follows the due diligence guidelines and procedures, such as those laid out in the IT Rules, 2021. If the platform is actively involved in the creation of the illegal content, or if it fails to remove the content after being notified by the government or a court (as specified in sub-sections 2 and 3), the immunity is lost, and the platform can be held liable.

Sub-section (2) specifies the essential conditions an intermediary must meet to qualify for the legal “safe harbour” protection granted by Section 79(1). This sub-section ensures the platform is a neutral party.

For an intermediary to be immune from liability for user content, its function must be limited to a passive role, which means, Its job is only to provide a communication system for third parties to transmit or host information. The intermediary must not be the one who starts the transmission, chooses the receiver, or selects/modifies the content of the message and Crucially, the intermediary must also observe due diligence as required by the IT Act and follow any specific guidelines prescribed by the Central Government, such as the detailed requirements in the IT Rules, 2021 (like appointing a Grievance Officer and removing prohibited content).

Sub-section (3) of Section 79 outlines the situations where an intermediary loses the legal immunity granted by sub-section (1), thereby making it liable for user-generated content. This occurs when the intermediary moves from being a neutral platform to an active participant or a non-compliant entity.

The intermediary’s protection is removed if:

Active Participation in Unlawful Act: The intermediary has conspired, abetted, aided, or induced the commission of the unlawful act. This means the platform actively helped or encouraged the user to commit the illegal activity.

Failure to Act Upon Knowledge (Notice and Takedown): The intermediary fails to quickly remove or disable access to unlawful content after receiving actual knowledge or being formally notified by the appropriate government or its agency that the information is being used to commit an illegal act.

Obligation of the Intermediaries-

Section 67C of the Information Technology (IT) Act, 2000, is all about the legal obligation of intermediaries to preserve and retain information. It is the key provision that empowers the government to mandate data retention requirements for online service providers.

The section has two main sub clauses:

Sub-section (1) states that every intermediary must preserve and retain specific user’s information and records. The precise details—what information to keep, how long to keep it, and in what format—are defined by the Central Government through separate rules. This clause ensures that digital evidence is available for law enforcement and cybercrime investigation purposes.

Sub-section (2) serves as the enforcing clause as It specifies the punishment and any intermediary that intentionally or knowingly fails to follow the data preservation requirements set by the government is committing an offense. They are liable to face penalties, which can be up to twenty-five lakh rupees (a large fine), to ensure strict compliance with these crucial security and investigative mandates.

Judicial contribution –

Shreya Singhal v union of India 2015

The Shreya Singhal vs. Union of India (2015) case is a landmark ruling on free speech and intermediary liability. The Supreme Court struck down Section 66A of the IT Act and clarified Section 79 (safe harbour). It ruled that intermediaries must only remove user content upon receiving a take-down order from a court or government authority, not just a private complaint. This protected online platforms from self-censorship.

Google India Pvt. Ltd. V Vishakha industries Ltd. 2019

This case clarified that the protection of Section 79 is conditional and not absolute. Specifically, for incidents predating the 2008 IT Act amendment, the safe harbour provision did not exempt an intermediary from criminal liability under laws like the Indian Penal Code (e.g., for defamation). The court essentially held that if the platform, having the power to remove defamatory content after receiving actual knowledge, failed to do so, it could be deemed a publisher and lose the protection of Section 79. The matter was directed for trial to determine if the intermediary had indeed failed its due diligence.

Obligation of intermediaries under the IT rules

There are following obligation which an intermediary must fulfill-

General Due Diligence Obligations (Rule 3)-

Publish and Inform Rules:

Intermediaries must-

• Prominently publish Rules and Regulations, Privacy Policy, and User Agreement on the website or mobile application.
• Inform users about the specific types of objectionable content they must not host, display, or share (e.g., content that is obscene, defamatory, misleading, or violates sovereignty).
• Periodically (at least once a year) inform users of these rules and the consequences (such as termination of access) for non-compliance.

Grievance Redressal:

Intermediaries are to appoint a Grievance Officer and publish their name and contact details. The Grievance Officer must acknowledge complaints within 24 hours and he must resolve the complaint within 15 days.

Takedown and Content Removal:

They are obliged to-

• Remove or disable access to content related to nudity, sexual acts, or impersonation (including morphed images) within 24 hours of receiving a complaint.
• Remove or disable access to unlawful information (following a court order or a reasoned intimation from a senior authorized government officer) within 36 hours of receiving such notification.

Assistance and Record Keeping: Provide information or assistance (e.g., identity verification) to any lawfully authorized government agency for prevention, detection, investigation, or prosecution of any offense within 72 hours of receiving a lawful written order. Retain records (information, removed content, and user registration details after cancellation) for a minimum period of 180 days for investigative purposes.

Special obligation for Significant Social Media Intermediaries

They must establish a robust presence in India by appointing three resident employees: a Chief Compliance Officer, Nodal Contact Person, and Resident Grievance Officer. SSMIs must publish a monthly compliance report. Messaging services must enable the identification of the first originator of messages for specific, serious offenses (with a legal order). Furthermore, SSMIs must use automated tools to proactively detect and remove content related to rape and child sexual abuse and offer users a voluntary verification mechanism.

Beyond the general and SSMI-specific duties, the IT Rules, 2021, have been amended to introduce obligations for a new category and a supervisory mechanism for all intermediaries. The two main “other obligations” are:

1. Obligations for Online Gaming Intermediaries (OGIs)

Introduced by a 2023 amendment, these are specifc duties for intermediaries that offer online games:

Self-Regulatory Body (SRB) Verification: OGIs must ensure that any “online real money game” they host is a “permissible online game” that has been verified by a designated Self-Regulatory Body (SRB).

No Wagering: They must ensure the online game does not involve wagering on any outcome and offered in conformity with all Indian laws.

User Protection and KYC: They must inform users of the policy related to withdrawal or refund of deposits and the distribution of winnings. They are also required to implement a mechanism for the mandatory verification of users (KYC/Know Your Customer).

No Credit: OGIs are explicitly prohibited from financing or enabling the financing of their users for playing the games.

2. Grievance Appellate Committee (GAC)

Established by a 2022 amendment, the GAC is an external oversight mechanism, creating an indirect obligation on all intermediaries:

Appeals System: Users who are dissatisfied with the decision of an intermediary’s Grievance Officer can file an appeal with the GAC within 30 days.

Intermediary Compliance: All intermediaries are obligated to comply with the final decision issued by the GAC and report on that compliance on their website. The GAC endeavors to resolve appeals within 30 days.

Comparison with USCDA

Comparison with EU DSA

Evaluation and Future Reforms of India’s Intermediary Regulation-

India’s intermediary liability regime, as defined by the IT Rules, 2021, aims to achieve platform accountability but suffers from a critical tension with user rights. While the introduction of the Grievance Redressal Mechanism and the Grievance Appellate Committee (GAC) is a positive step toward user accountability, significant regulatory gaps persist. The traceability mandate for messaging services fundamentally compromises end-to-end encryption, posing a severe threat to privacy and security. Furthermore, the vagueness of prohibited content and the tight 36-hour takedown window incentivize platforms to over-censor content pre-emptively to avoid losing their safe harbour status, creating a chilling effect on free speech. To create a more transparent, accountable, and user-friendly ecosystem, reforms must include: replacing ambiguous content definitions with a clear risk-based harm assessment; withdrawing the traceability mandate in favour of enhanced metadata analysis for law enforcement; and legally strengthening the GAC as a quasi-judicial body to ensure user appeals against platform moderation are resolved transparently, fairly, and independently.

 Note:

[1] Act No 21 of 2000