While the internet ecosystem has been extremely busy with an acrimonious jostling between “data rationalists” and “data emotionalists” for the last two years, both sides have missed the elephant in the room—i.e. the draft amendments to the Rules governing safe harbour provisions enshrined in Article 79 of the Information Technology Act, 2000. Since the formation of the new government at the Centre, as per the recent media coverage, there seems to be some positive news for data rationalists: the issue of data seems to have been detached from the e-commerce policy for the time being, and there appears to be serious rethinking of some of the more restrictive provisions of the draft privacy and data protection Bill.
The engagement over data between the stakeholders is going to be protracted, but the draft revised Rules are a clear and present danger. It is well known that since the amendment of the IT Act in 2008 and the notification of the Rules in 2011, the consumer internet businesses have thrived, inviting much foreign direct investment (FDI) and even more foreign investments in Indian start-ups by global investors and companies alike.
Consequently, the Indian digital start-up system is booming—young founders, it has been seen, are aiming for nothing less than unicorns (usually a privately-held start-up company valued at over $1 billion). The primary reason for this is that in the form of a secured and safe harbour, the Rules have so long provided a very clear framework of how intermediaries should be treated in the world’s largest free-market open economy.
All that is set to change now, with the possible notification of the new Rules that make the safe harbour very unsafe for any internet company to sail into, and how?
The current provisions of the intermediary guidelines state that an internet intermediary is granted safe harbour on three conditions:
1. The service provider merely provides access to communication systems over which information made available by the third parties is transmitted or temporarily stored;
2. The service provider does not initiate the transmission, or in any way selects the receiver or modifies the content; and
3. The intermediaries follow due diligence while discharging their duties.
By a Supreme Court ruling in 2014, knowledge was redefined to be actual knowledge and the process was determined to be notice and take down.
Under the new draft Rules, inter alia, the following provisions have been added:
Section 3(5): “The intermediary shall enable tracing out of such originator of information on its platform.”
Section 7: “The intermediary who has more than 50 lakh users in India … shall: (i) be a company incorporated under the Companies Act, 1956, or the Companies Act, 2013; (ii) have a permanent registered office in India with a physical address; and (iii) appoint in India a nodal person of contact and alternate senior designated functionary, for 24×7 coordination with law-enforcement agencies…”
Finally, Section 9: “The intermediary shall deploy technology-based automated tools or appropriate mechanisms, and with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.”
Here are the specific problems with the draft changes.
Section 3(5), the most powerful platform for P2P networking does not need to collect “track back” information for its business needs. Why empower it to collect from India? Most of the companies that provide “digital” services to Indian companies—both online and offline—do not need to have permanent offices and establishments in India as would now be required under the new Section 7. Why deprive Indian companies from their services? Finally, why allow proactive monitoring of content of Indian citizens under the garb of law-enforcement requirements under Section 9?
Furthermore, in addition to the unacceptable fact that the tail, i.e. the Rules, cannot wag the dog, i.e. the parent Act, it appears that the Rules are meant to throw the baby out with the bathwater. A problem that is perceived to be created by not more than four companies (the problem probably being sharing data with law-enforcement agencies without going into the long-drawn MLATS, or the mutual legal assistance treaties, process) is sought to be solved by making new Rules that affect literally hundreds of companies, most of which are founded and managed by Indians and readily share data with law-enforcement agencies even if the data is located outside India!
Here are a few recommendations as a compromise:
1. Do not empower the intermediaries vis-a-vis the citizens more than they are under section 3(5);
2. To determine the impact of an intermediary, 50 lakh users is paltry, probably 10% of internet users is appropriate, i.e. 50 million (5 crore) average annual users;
3. One permanent representative in the form of a nodal officer should suffice, instead of the entire “permanent establishment”; and
4. Do not give any intermediary the power to monitor user content proactively even in the name of “automated tools”.
At a time when the ground situation is such that every intermediary in India has to fight with either a state government or individual ministries to ensure, extend and secure the safe harbour provisions, the intermediaries are faced with the safe harbour becoming very unsafe for them! Also, at a time when some intermediaries are perceived to have control over users and even governments, please do not empower them more legally and, finally, when the government is relying on the intermediaries for development, economic growth, innovation and social transformation, the new Rules for what they are suggest that the government’s stated goals are at odds with its policies.