About the author:
Pulkit Khare is a 4th Year B.A. LL.B(Hons.) student at The National University of Advanced Legal Studies, Kochi.
“The transformative potential of the digital social platform to improve lives in India and elsewhere shall be balanced with the potential for discrimination, exclusion and harm.”
The Government had issued two notices to Social Media Platforms (SMPs) regarding the proliferation of Fake News in their platforms. This had resulted in incidents of mob lynching around the country and raised National Security concerns. It had bottled down to WhatsApp as one of the primary targets in the SMPs asking for regulations to be implemented or else, to suffer actions. The earlier notices had led to widespread panic to the head honchos of the SMPs primarily because the Government was pushing its responsibility as liability on to the key managerial personnel of the SMPs.
The notices issued had been set out to discipline WhatsApp and other similar SMPs by asking it to regulate the content. This was a directive to implicitly break the end to end encryption provided by them and scrupulously sift out irregular and menacing fake content. Faced with the conundrum of violating either the privacy or the Information Technology laws of the Country, another issue has now come to light with the Government planning to issue a Third notice and criticizing non-appointment of a Grievance Officer by WhatsApp.
Road developing to the Third notice
In response, WhatsApp had developed mechanisms such as the ‘forwarded’ feature in the application to trace the originator of the message along with the issuance of informational materials and advertisements for identification of such Fake News items. Thus, it did not succumb to the Government pressure. It was also asked to appoint a Grievance Officer much like what its parent company Facebook has, within a set time frame.
Whatsapp did not waiver from its stance of non-regulation of the individual messages in its platform which attracted criticism from the Government as to the inadequacy and ineffectiveness of such measures.
Why are the SMP’s threatened by the Third notice? The Government has clarified that it believes that WhatsApp has the technical knowhow to safeguard privacy and at the same time respond to specific cases in which data can be regulated. The Third notice is now expected to be a mandate seeking the SMPs to start building technological infrastructure and set up a local office in India which shall be inclusive of a Grievance Officer and facilities to store financial data locally until the law regarding cybersecurity in the form of guidelines is brought out.
Impact of the Third notice, is it in the right direction?
The Third notice is set to bring about three material changes in the intermediary regime as regards the storage of data or information, regulation upon mischief by the intermediary and finally the Government’s law enforcement role through regulation of metadata.
Firstly, the accumulation of data with the intermediary is sought from the SMP to be stored locally. The Government, in its plans to regulate and protect data, appointed a committee which came out with the Data Protection Committee Report (hereinafter ‘Data Report’) on 27, July 2018. One of the observations made by the committee was that localization of data shall be done only when necessary for law enforcement. It was finally recommended that at least one copy of the data shall be maintained within India by the Data Fiduciary. Hence, the mandate would necessarily be an additional burden on SMPs to develop digital infrastructure in India and simultaneously give access to the security agencies in cases of law enforcement.
Secondly, the Government has sought WhatsApp to hire a Grievance Officer in India who shall expeditiously remove sinister messages once such direction is intimated by the Government or an agency or any person to it. To this WhatsApp has indeed hired a Grievance Officer “for” India but who is not “in” India. The role of the Grievance Officer which is sought by the Government is similar to that under the Data Report of “Data audit” which is to assess whether a significant data fiduciary’s processing activities and policies are in compliance with the applicable data protection law. This measure is primarily a law enforcement task under the garb of due diligence of the SMP. Since the Grievance Officer would be entitled to have access to the data and take decisions with regard to content that may have adverse impact through its proliferation.
Thirdly, post the second notice, the Government has reconsidered its stance from regulation of the whole data by the SMPs to application of the role of data analytics for tracing and attributing the originators. The Government had earlier sought to push all the law enforcement responsibility on the SMPs but has had a change of heart and now seeks the SMPs to analyze only such messages which have proliferated above a certain threshold. With WhatsApp rejecting earlier requests of tracing the ‘origin’ of the messages, it is much likely that this stance is likely to be turned down in the future.
The scope of the Third notice will water down the earlier notices but the new notice places an additional burden on SMPs where the Grievance Officer will be sought to be appointed in India. Though the new stance shall be a welcome step in some regard it shall be critical since the operations of Whatsapp are now sought to be localised.
With the localization of operations and storage of data, the Government seeks to achieve its objectives through enhancing its scope under section 67C of the Information Technology Act, 2000 (hereinafter ‘IT Act’) which reads as:
67C. Preservation and retention of information by intermediaries. –
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner format as the Central Government may prescribe.
(2) any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.
This measure would empower the Government for directing the SMP to retain and preserve the data on its platform and shall be open for regulation under powers exercisable within sections 69, 69A and 85 of the IT Act. This has raised a pivotal tussle between two fundamental rights i.e. the right to privacy and balancing the interests of reasonable restrictions under Article 19(2) of the Constitution.
Such measures shall only be strictly implemented once guidelines on cyber-security are put into force under Section 79 of the IT Act. Therefore, the Government is planning to issue the Third notice along with the accepted guidelines on intermediaries. This step will place liability on the SMP’s to regulate without violation of the fundamental rights of the individuals on SMP platforms.
Though the scope of IT Act extends to contraventions committed by any person outside India bringing such actions to force is a difficult process. Due to the non-adherence to Indian Laws by SMPs, the Government has sought to expand its jurisdiction to bring about strict compliance of measures within India through localization of the SMPs. With the Government aiming and collaborating with various foreign seated SMPs for law enforcement, it does not want to kill the mockingbird by blocking access to it. This situation can rightly be termed to be an apparent imperfection of the Government’s ability to enforce law which is sought to be remedied through compliance of intermediaries (SMPs) with regard the Third notice. A clear highlight is the fundamental tussle between grounds of Right to Privacy and Constitutional restrictions on freedom of speech and expression. This scenario shall subject the provisions of Information Technology Act, 2000 to a stricter scrutiny, once the Personal Data Protection enters into force.
 Litigations, as well as measures extending upto banning them [a measure possible under Section 69A, Information Tehcnology Act, 2000.
 In the digital economy, depending on the nature of data that is shared, the purpose of such sharing and the entities with which sharing happens, data principals expect varying levels of trust and loyalty. For entities, this translates to a duty of care to deal with such data fairly and responsibly for purposes reasonably expected by the principals. This makes such entities “data fiduciaries”. [the view is expressed in Data report, pg. 8 (‘Data Fiduciary’ is similar to the term ‘Intermediary’ used for SMPs under the Information Technology Act, 2000)]
 Since the Government will find it difficult to hold such person liable if he remains outside the jurisdiction of India.
 Section 1(2) Information Technology Act.
 Innocent SMPs who have been injured or are under the process of being blocked through presence of menacing activities on their platform.