Explainer: The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

There has been much hue and cry about the so-called derision of the Fundamental Right to privacy by the new IT Rules, 2021.

I will analyse the apparatus and genesis of the rules and rebut arguments concerning violation of privacy and other such contentions.

What is the Ambit of the Rules?

The Primary Purpose of the said rules is to ‘regulate’ –

  1. Code of Ethics for Digital Media Publishers: The Rules prescribe the code of ethics to be observed by publishers of digital media including:

 (i) news and current affairs content providers, and

(ii) online curated content providers (also known as OTT platforms). 

For news and current affairs, the following existing codes will apply:

 (i) norms of journalistic conduct formulated by the Press Council of India,

(ii) programme code under the Cable Television Networks Regulation Act, 1995.

 For OTT platforms, the requirements include:

 (i) classifying content in age-appropriate categories as specified,

(ii) implementing an age verification mechanism for access to adult content, and access control measures such as parental controls, and

(iii) improving accessibility of content for disabled persons.

  1. Significant social media intermediaries:

Who is a Significant social media intermediary?

Social Media Companies who have more than 50 lakh users.

Compliance: Additional due diligence to be observed by these intermediaries includes:

(i) appointing a chief compliance officer to ensure compliance with the IT Act and the Rules,

(ii) appointing a grievance officer residing in India, and

(iii) publishing a monthly compliance report.

  1. Intermediaries which provide messaging as a primary service (like WhatsApp, Signal, Telegram etc.) must enable the identification of the first originator of the information on its platform, as per Rule 4(2) of the Act.
  2. This originator must be disclosed if required by an order from the Court or the government.  Such order will be passed for specified purposes including investigation of offences related to sovereignty and security of the state, public order, or sexual violence. 
  3. No such order will be passed if less intrusive means are effective in identifying the originator of the information.
  4. The intermediary will not be required to disclose the contents of any communication. If the first originator is located outside India, the first originator of that information within India will be deemed to be the first originator.
  • Now, why were the rules promulgated?

Simply because the digital sphere remains perilously unregulated; absence of competent and robust regulations to govern the conduct of such entities has a significant propensity of giving way to impunity and anarchy, which is in any case unjustifiable and uncharacteristic of a society based on the rule of law.

  • As mentioned earlier, I intend to focus upon Part II, i.e., SSMIs and their regulation under the said Rules.

There have been controversies, especially regarding Social Media Regulations, going as far as certain users of Instagram sharing their contact credentials as stories under the fear of an abrupt ban of the platform by the Government of India. It is rather sad that these actions were governed not by an informed sense of the rules but by myopic conjectures.

These conjectures have only been accentuated after WhatsApp filed a petition in the Delhi HC alleging that the rules violate the right to privacy of the public at large and their own policy which prevents them from ‘decrypting messages’.

Following are the contentions posited by WhatsApp concerning the said rules :

#1 Violation of right to Privacy

WhatsApp is significantly objecting to Rule 4(2) – identification of the first originator – which allegedly is violative of the fundamental right to Privacy.

WhatsApp cited the landmark judgement of the SC – Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. which pronounced Right to Privacy as a Fundamental Right under Art. 21 (Right to Life) of the Constitution.

WhatsApp said that “privacy is inextricably intertwined with the right to freedom of speech and expression because it protects people from retaliation for expressing unpopular, but lawful, views”.

  • This statement is absolutely true but the right which is mentioned is not absolute after all.
  • All Fundamental Rights under Part III of our Constitution are subject to ‘reasonable restrictions’.

What are the reasonable restrictions?

  • There are several Reasonable Restrictions enumerated under the relevant articles, but here Article 19(4) is relevant as it has legislative sanction regarding Regulation of Digital media under S.69(A) (1) of the IT Act, 2000.

Article 19(4) says that nothing in sub-clause (c) of the said clause shall affect the operation of any existing law in so far as it imposes, or prevent the State from making any law imposing,

  1. in the interests of the sovereignty and integrity of India or
  2. public order or morality,
  3. friendly relations with foreign States,

reasonable restrictions on the exercise of the right conferred by the said sub-clause.
  • What is also significant is that WhatsApp has said that protecting people from retaliation for expressing unpopular, but lawful, views comes under the right to Privacy, and it is correct. Actually, in principle, WhatsApp and the Centre are basically on the same page, but much farther apart in practice.
  • If WhatsApp only tolerates lawful content, then why does it object to Rule 4(2), which only mandates revealing the Origin and NOT the contents for the purposes of law enforcement, should it violate these proscriptions under Article 19(4)?
  • Pertaining to this, WhatsApp has said that Rule 4(2) does not square with the ‘Three Part test’ – legality, need, and proportionality – which are caveats before infringing a person’s liberty and privacy.

Let me elaborate:

Legality – On this principle WhatsApp has said that Rule 4(2) lacks Policy Competence under S.79 of the IT Act and such a provision should be sanctioned by the Parliament.

On the face of it, this seems like a very nuanced and researched argument; it is the very opposite.

WhatsApp has cited S.79 of the IT Act, the provisions of which are immaterial to a ‘Communication Intermediary’ like WhatsApp; it rather deals with Social Media sites like FB, Instagram, Twitter etc.

Need – As I said, absence of competent and robust regulations to govern the conduct of such entities has a significant propensity of giving way to impunity and anarchy; these are significant National Security Concerns to be addressed with alacrity, to which the Government is giving top priority.

Proportionality – These rules square with the ‘reasonable nexus’ of intent and result in so far as the Government is asking for the Credentials of the Source/Origin and NOT the Contents or any other sensitive information.

#2 Turns out Rule 4(2) does have legislative competence after all, contrary to WhatsApp’s belief

Here, S.69 is relevant which empowers Rule 4(2) of Origin Traceability.

S.69(3) (b) explicitly mandates such intermediaries to ‘intercept, monitor and DECRYPT information’.

This just shows us the nature of the fabricated argument of WhatsApp!

By the way, these IT Rules were promulgated 12 years ago, in 2009, and WhatsApp is objecting to them right now.

Moreover, when the idea of ‘origin traceability’ in particular was floated in 2018, WhatsApp again did not object to the intent and apparatus of the rule in contention now!

This is nothing but an attempt of ‘last resort’ by WhatsApp to mollify and appease its users over concerns of privacy.

Now this is more ironic, considering the fact that WhatsApp itself promulgated its own ‘Privacy Policy’ which neither protects privacy nor is a pro-user policy.

#3 Hypocrisy of WhatsApp Exposed

WhatsApp’s actions are nothing but hypocritical: on the one hand, WhatsApp intends to share one’s metadata, essentially EVERYTHING beyond the conversation’s actual text, and on the other, WhatsApp is objecting to a ‘systemic invasion of privacy’ of its users by the Government when the Govt only intends to obtain the ‘Origin’, NOT the ‘Content’, and ONLY in circumstances where the Origin’s act is ‘Unlawful – violative of the reasonable restrictions’.

This ‘Everything’ mentioned above includes your mobile phone number, user activity, and other basic information of the WhatsApp account.

The new WhatsApp policy contradicts the recommendations of the Srikrishna Committee report, which forms the basis of the Data Protection Bill 2019, with regard to ‘Data Localisation’ and ‘Commercial Exploitation of Metadata’.

#4 End-2-End Encryption is not Rocket Science, WhatsApp is highlighting the so-called impervious nature of the technology to escape liability.

In Antony Clement Rubin v. Union of India, it was suggested by a petitioner ‘that tracing of the originator can be done by adding information of the originator with each message and displaying the same during decryption’, when the court rejected linking Aadhaar to Social Media Accounts pursuant to the Puttaswamy Judgement.

Thus this tells us that End-to-End Encryption is not an unsolvable chimera and many ways could be found around it. There needs to be more stakeholder consultation to find a way out accordingly.

#5 Myopia of WhatsApp

WhatsApp is relying on the Puttaswamy Judgement to harp about violations of privacy, and at the same time it deems these ‘reasonable restrictions’ under Art. 19(4) of the Constitution and S.69 of the IT Act to be prejudicial to the ‘Three Part Test’ of the Puttaswamy Judgement. Is this not implicitly riding on a Case Law barely evolved 4 years ago to abnegate a hardwired Constitutional Provision evolved as early as 1951 by our founding fathers and upheld in several cases? The point is that this is a contest between a tried and tested scheme integral to our Constitutional Architecture and a Case Law which is of no less importance, but is still a nascent one and, moreover, subject to reasonable restrictions, i.e. subject to the very thing it is contesting!

#6 Origin Traceability is not the main intent of the IT Rules

This debate about the ‘sacrilege’ of our Right to Privacy has unfortunately overshadowed the primary intent of the part of the Rules which regulates Social Media intermediaries. It is simply to expedite the Grievance Redressal Process and hold Social Media Companies accountable for their inaction in flagging and removing ‘content of deleterious nature’, e.g. content containing such data or communication links being used to commit an ‘unlawful act, as per the provisions of the IPC and the relevant Acts and the time of the commission of the act’.


#7 Lastly, Social Media Companies CANNOT escape liability if they refuse to take down a deleterious post

The IT Rules explicitly mention that S.79 (2) (a) and (b) will NOT preclude removal of Access to Information and Content prejudicial to public order.

This is quite interesting as S.79(1) says that ‘intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.’

But, at the same time S.79(3), which is an exception to S.79(1) says that

Intermediaries will NOT be protected from liability (Civil or Criminal) IF –

(a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act;

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.

This provision is of paramount importance in the context of the refusal of certain social media entities to remove deleterious content expeditiously even after repeated intimations about its inaccuracy and propensity to harm public order!

Thus, against this backdrop, I hope that the Delhi HC would take all aspects into consideration and would mandate entities like WhatsApp to follow the law of the land.

The outcome of this petition would certainly set a landmark precedent which would substantially impact the conduct of entities like Twitter, FB, Instagram and others.

Social Media entities must internalize that the Rule of Law is the Order of the Day and Ease of Doing Business does not mean License to operate with Impunity.

 By Malhar Satav.
