Information Technology Rules, 2021 (Guidelines for Intermediaries and Digital Media Ethics Code)

On 25 February 2021, the Ministry of Electronics and Information Technology (MeitY) notified the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (Rules) in consultation with the Ministry of Information and Broadcasting (MIB). The Rules have been issued pursuant to the government’s rule making powers under Section 87 of the Information Technology Act, 2000 (IT Act) which includes rules in relation to the guidelines to be followed by intermediaries, and blocking of access to content under the IT Act. The Rules supersede the erstwhile Information Technology (Intermediary Guidelines) Rules, 2011 (Old Intermediary Guidelines), and considerably expand the scope to impose additional obligations on social media intermediaries and digital media entities.

Changes to the Old Intermediary Guidelines have been in the pipeline for years. In 2018, draft amendments to the Old Intermediary Guidelines were released by MeitY for public consultation (2018 Draft). Since then, Indian courts have discussed issues such as the dissemination of fake news and sexually violent/ explicit content on intermediary platforms, and the traceability of originators of messages or information on messaging platforms, highlighting the need for an updated legal framework that promotes accountability.

At the same time, multiple public interest litigations have been filed before various high courts seeking regulation of online content published by over the top (OTT) platforms. While the industry has adopted various self-regulatory codes to address the MIB’s concerns, the government has time and again expressed its dissatisfaction and found the codes to lack independent third-party monitoring.

These Rules seek to address all these issues and to regulate the following categories of intermediaries and digital media entities:

• Intermediaries and social media intermediaries (including significant social media intermediaries)
• Publishers of news and current affairs content, including news aggregators, news agencies, and individual news reporters to the extent they are transmitting content in the course of a systematic business, professional or commercial activity; and
• Publishers of online curated content, which appear to include publishers (including individual creators) transmitting content in the course of a systematic business, professional or commercial activity.

PART A – INTERMEDIARIES

Obligations applicable to intermediaries

Under the IT Act, intermediaries will be entitled to safe harbour protections from liability in relation to any third-party information, data, or communication link made available or hosted by them (Safe Harbour Protection) if they observe due diligence, as prescribed under the Rules (Due Diligence Requirements), and additionally meet the content neutrality conditions under section 79 of the IT Act.

The Rules transpose the requirements that existed under the Old Intermediary Guidelines (such as the requirement to prominently publish the terms of use, privacy policy and user agreement), and prescribe the following additional requirements:

• Annual notifications to users: All intermediaries must periodically, and at least once every year, inform its users of any change to the rules and regulations, terms of use or privacy policy and the consequences of non-compliance (such consequences include the termination of the access/usage rights of the user and/or the removal of non-compliant information).The Rules expand the list of prohibited information under the Old Intermediary Guidelines to include any information that (i) is patently false and untrue and has been written or published with the intent to harass or mislead for financial gain, or cause injury to any person; (ii) is patently false or misleading, but is knowingly and intentionally communicated and can be reasonably perceived as a fact; and (iii) is invasive of a person’s bodily privacy and is insulting or harassing on the basis of gender.
• Take down procedure: The Rules prescribe the following take-down procedure:
  • In line with section 79(3)(b) of the IT Act, the Rules provide that upon receipt of actual knowledge in the form of a court order or upon being notified by the appropriate government or its agency, the intermediary should not host, store or publish any unlawful information. The intermediaries must remove or disable access to unlawful content within 36 hours from the receipt of such order or direction and may also voluntarily take down any prohibited information. Compliance with take down requests or voluntary removal of information will not dilute the Safe Harbour Protection.
  • As a limited exception to the requirement of a court order mentioned above, on receipt of any complaint from an individual or person on their behalf regarding content which is prima facie in the nature of any material depicting nudity or any sexual act, or the impersonation of any person including artificially morphed images, the intermediary must take all reasonable measures to remove or disable access to such content within 24 hours of receipt of the complaint.

  This will not apply to information that is temporarily or transiently stored by the intermediary in an automatic manner, and which does not involve any human, automated or algorithmic editorial control.

• Grievance redressal mechanism: In addition to the requirement to appoint a grievance officer and publish their name and details as provided under the Old Intermediary Guidelines, the Rules require an intermediary to constitute a grievance redressal mechanism and to acknowledge receipt of user complaints within 24 hours and resolve disputes within 15 days (as compared to the earlier requirement of 30 days). The grievance officer is also required to receive and acknowledge any order, notice or direction issued by the appropriate government, competent authority or a court.
• Retention of records: Intermediaries must retain information and user registration records for a period of 180 days (as compared to the earlier requirement of just 90 days) from (i) date of removal or disabling access to any unlawful information pursuant to receipt of actual knowledge or on voluntary basis or upon receipt of any grievances received by it and (ii) additionally in case of any cancellation of registration or withdrawal of a user.
• Assistance to the Government Agencies: While there was always a requirement to provide any information or assistance to authorised government agencies for verification of identity, prevention, detection, investigation or prosecution of unlawful offences or for cyber security incidents, the Rules require this information to be provided within 72 hours from the receipt of the order.

Download PDF to read more