As new IT rules come into force on May 26, Facebook says it aims to comply
The CII and the US-India Business Council have written to the government for up to a one-year compliance window, particularly in view of COVID-19.
Social media giant Facebook on Tuesday said it aimed to comply with the provisions of India’s new IT rules of intermediaries, which come into effect on Wednesday. The U.S.-headquartered firm added that it continued to discuss the issues related to the new guidelines with the government.
Replying to a query on its readiness to comply with the new guideline, a Facebook spokesperson said, “We aim to comply with the provisions of the IT rules and continue to discuss a few of the issues which need more engagement with the government. Pursuant to the IT Rules, we are working to implement operational processes and improve efficiencies. Facebook remains committed to people’s ability to freely and safely express themselves on our platform.”
The three-month deadline for social media platforms such as Facebook, Twitter and YouTube to comply with new, stricter rules for intermediaries ends on Tuesday even as at least five industry bodies, including the Confederation of Indian Industry (CII) and the US-India Business Council (USIBC), have written to the government for up to a one-year compliance window, particularly in view of the pandemic.
The Centre on February 25 notified ‘The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021’, which make it mandatory for platforms such as WhatsApp, Signal and Telegram to aid in identifying the “originator” of “unlawful” messages, while also requiring social media networks to take down such messages within a specific time frame, set up a grievance redressal mechanism and assist government agencies in investigation. ‘Significant social media intermediaries’ were given three months for compliance.
The industry has also raised concerns over potential unavailability of ‘safe harbour’ protection given to intermediaries under Section 79 of the IT Act, under the new rules. They have requested a re-think over a clause in the new rules which can lead to imposition of criminal liability upon the employees for non-compliance by intermediaries, asking for it to be dropped in the interest of ease of doing business.
Over the past two months, five industry bodies have written to the Ministry of Electronics and IT seeking an extension of six months to a year for compliance. While the CII, the Federation of Indian Chambers of Commerce & Industry (FICCI) and USIBC have asked for a minimum of one-year compliance window, Asia Internet Coalition (AIC) has recommended an extension of 6 to 8 months and U.S.-India Strategic Partnership Forum (USISPF) has sought an extension of six months.
In its letter, AIC, whose members include leading tech firms such as Google, Apple, Facebook and Twitter, has said that in the current climate, where India is dealing with the second-wave of COVID-19, intermediaries will find it extremely onerous to organise the capabilities and resources required to configure their operations with the fresh obligations imposed on them. These obligations include new frameworks governing the requests for information from the government, grievance handling of users, new avenues for blocking of content and the short set of timelines to respond to all these.
“As Intermediaries we will undertake a comprehensive mapping of the laws against our services and identify the modification and compliance requirements under these Rules. This will require legal, operational and technical changes which could include recruitment of significant numbers of fresh and uniquely qualified personnel to handle the responsibilities, the latter being particularly challenging given the various restrictions and human impact caused by the new wave of COVID-19,” AIC said.
Echoing similar views, USISPF said its members were facing difficulty in complying with the timelines stipulated for the transition to the newly notified rules, which would require extensive capacity building, new operational models, product redesign, and personnel onboarding. “... the current timelines seem impossible to meet given the magnitude of the health crisis that is facing the country,” it said.
On imposition of criminal liability, the USIBC pointed out that the Rules stipulated that non-compliance by an intermediary would extend the possibility of imposing personal criminal liability on employees of intermediaries (such as the chief compliance officer of a significant social media intermediary). “This possibility of imposition of criminal liability of the employees of an intermediary is at odds with modern corporate criminal liability jurisprudence, which is leaning towards replacing criminal liability with monetary penalties, in the interests of ease of doing business and better enforcement of laws,” it said in the letter.
The CII, in its letter, noted that, “The IT Rules, 2021 impose certain obligations that are novel, for instance, with respect to expansion of the power to block content and the grounds on which such content can be blocked”.
It added that the rules also prescribed brief timelines to comply with orders and requests from the government and users for takedown, respond to information requests etc., which may not be sufficient given the volume of requests and the scope of the actions to be carried out by entities. “It is our submission that the scope of such requests should be limited to a few Central government agencies only,” the CII recommended.
Kazim Rizvi, founder of policy think-tank The Dialogue, told The Hindu that given that the digital ecosystem was replete with fake news, child sexual abuse material and radicalisation among other social vices, it was indeed crucial to regulate this space. “The IT Rules of 2021 is a much-awaited step in this direction, but we must be cautious that we do not end up over-regulating this space which could chill not just free speech and business freedom but also have a deleterious impact on user privacy and national security,” he said.
Mr. Rizvi added that rendering the safe harbour immunity conditional on a “mandate for proactive monitoring and carte blanche takedown and legal assistance requests could lead to unwarranted mass censorship”. Additionally, the extant data retention mandate entailed risking the privacy of users in India and abroad, in addition to security risks and technical complexities which require a lot of time for development and testing before integration with the existing ecosystem, he said.
Likewise, he noted that the originator traceability mandate in end-to-end encrypted platforms could end up weakening the security architecture of the platform. This could render the entire citizenry susceptible to cyberattacks by hostile actors, he said.
“It is important that stakeholders are consulted, especially technical experts, to discuss the challenges involved in technical mandates like proactive monitoring, traceability and data retention who can assist the State in recommending the way forward,” Mr. Rizvi said, adding that the implementation of the Rules should be delayed for such time till the inputs of the stakeholders were incorporated to ensure a progressive platform regulation regime in India.