India: Draft Intermediary Liability Rules, 2018: Docking At Unsafe Harbours?

1. Introduction

The Information Technology Act, 2000 ("IT Act") defines an "intermediary" to be a person¹ who receives, stores, transmits or provides any service with respect to an electronic record² on behalf of another. It is common knowledge that majority of general public internet is under control of behemoth intermediaries such as Google, Facebook, Twitter, WhatsApp, etc. In keeping with international best practices, section 79(1) of IT Act grants intermediaries immunity from any illegality perpetuated by virtue of third party information hosted by them. However, one of the pre-conditions for availing this immunity is the intermediaries ensuring requisite due-diligence in accordance with the Information Technology (Intermediaries Guidelines) Rules, 2011 ("2011 Rules"). On December 24, 2018, the Ministry of Electronics & IT ("Meity") released the Draft Intermediary Liability Rules, 2018 ("Draft Rules") with the intent of substituting the 2011 Rules. The purpose of these Draft Rules is to curb misuse of social media by anti-social elements that spread fake news, recruit terrorists, spread disharmony and incite violence.³

This newsletter seeks to critically examine key rules of the Draft Rules, comprehend implications for intermediaries and evaluate effectiveness qua stated objectives.

2. Interception, Monitoring and Decryption of Information

Rule 3(5) of the Draft Rules prescribes that within 72 hours of receiving a lawful order, an intermediary shall provide information or assistance as requested by a government agency in matters concerning: (i) security of the state, (ii) cyber-security, (iii) investigation, detection, prosecution or prevention of offence(s), (iv) tracing out of originator of information required by legally authorized government agencies, and (v) those connected with or incidental to (i) to (iii). In our view, rule 3(5) presents the legal and practical issues below.

2.1 What Constitutes a "Lawful Order"?

Rule 3(5) states that intermediaries' obligation to provide requested information or assistance triggers on receipt of a lawful order. The Draft Rules do not indicate whether such lawful order is a judicial or administrative order. We can presume that it shall include an administrative order on the basis of the:

• IT (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 ("Cyber-Security Monitoring Rules") wherein only Deputy Secretaries of government agencies who have been authorized by Secretary, Government of India ("GoI"), Department of Information Technology, can send requisition to intermediaries for disclosure of information. This requisition must relate to cyber-security purposes as enumerated under rule 3(2) of Cyber-Security Monitoring Rules.
• IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 ("Interception Rules"), wherein interception, monitoring, or decryption of information stored in a computer resource is permitted only pursuant to an order of a (i) Secretary, Ministry of Home Affairs ("MHA"), in case of Central Government; or (ii) Secretary in charge of the Home Department, in case of State Government or Union Territory. Under Interception Rules, interception, monitoring or decryption of information can occur only if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states, public order or for preventing incitement to the commission of any cognizable offence or investigation of an offence ("Lawful Grounds").
• The MHA has through section 69(1) of IT Act read with rule 4 of Interception Rules authorized 10 government agencies to conduct such interception, monitoring or decryption of any information stored or transmitted in a computer resource if the request is basis any of the foregoing Lawful Grounds.⁴ Therefore, it seems that a requisition from such government agencies shall constitute a lawful order.

2.2 Vagaries of Draft Rule 3(5)

Rule 3(5) does not make reference to Cyber-Security Monitoring Rules, or Interception Rules as forming basis of a lawful order. Consequently, there may be a situation where government agencies submit requests to intermediaries for procuring information or assistance without proper authorization. If the intermediaries in turn comply with such requests in a bid to retain their immunity under section 79(1) of IT Act, they would violate Cyber-Security Monitoring Rules and Interception Rules, thereby exposing them to liability for allowing unauthorized incursions.⁵ Further, some government agencies may seek to evade safeguards built in the Interception Rules and Cyber-Security Monitoring Rules by making use of this ambiguity in rule 3(5). Such unauthorized and illegal interception, monitoring or decryption would be an incursion against the right to privacy of originators of information, which would fail the three-fold test of legality, necessity, and proportionality laid down by the Supreme Court of India in Puttuswamy.⁶

To view the full article please click here.

Footnotes

1 Person includes individuals and body corporates such as companies, limited liability partnerships, etc

2 Electronic record means data, image, or sound, stored, received or sent in an electronic form

3 Draft IT Rules issued for public consultation, available at http://pib.nic.in/newsite/PrintRelease.aspx?relid=186770 (Last accessed on February 13, 2019)

4 S.O. 6227(E) dated December 20, 2018

5 Rule 21 of Interception Rules and Rule 6 of Cyber-Security Monitoring Rules.

6 Reported as (2017) 10 SCC 1

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.