Aditi covers technology, privacy, surveillance and cybersecurity. You can send tips at email@example.com or at firstname.lastname@example.org. Email for Signal/WhatsApp details.
Assuming a social media company with more than 50 lakh users—Chatterbook—has not complied with the Intermediary Rules.
Step 1: Two users post videos showing targeted violence on Chatterbook, but Chatterbook does not proactively take down this content. Nothing happens to Chatterbook at this stage. Step 2: Alice files an FIR against the two users of Chatterbook and Chatterbook itself for posting hate speech. Step 3: Unlike with safe harbour, when Chatterbook could have told the police on being summoned that it is protected by safe harbour, its senior employees—in all likelihood chief compliance officer and the nodal contact person, if Chatterbook has hired them—now have to go to the police station to answer questions. Step 4: Matter is taken up in the local court where Chatterbook attempts to avail legal immunity under safe harbour. Step 5: The judge could either agree with Chatterbook and say it still has safe harbour or it could hold Chatterbook responsible. In the latter case, the court will have to categorically state that Chatterbook has lost safe harbour for not complying with the Intermediary Rules. Ergo, the determination is made by the courts.What is the problem then? Effectively status quo is maintained, is it not? Not really. Earlier, if Twitter or Facebook were named in FIRs or court cases, they could just claim immunity under safe harbour. If the courts decree they have lost safe harbour as a legal defence, they have to actually fight against the charges levelled against them under the Indian Penal Code or other Indian laws, as the case may be. Much of it will have to be determined by the courts, says Tiwari. The specific case of the Ghaziabad police filing an FIR against Twitter is a tricky one because according to all experts Forbes India spoke to, the police cannot decide whether an intermediary has lost safe harbour as its legal defence. “The act of UP police, in directly charging Twitter, is directly opposed to the spirit of Section 79 and what the government intended. It is the UP police seeking to intimidate Twitter, knowing well that the law is actually meant to isolate [protect] the platform from this because there is no justification for a state police department for naming a tech platform for content posted by its users until and unless it can be categorically established that the platform was directly complicit in this. The act of naming it is an act of intimidation,” says Chima. “Section 79 was formulated to combat exactly this because in India, the process is punishment.” “Twitter may be able to afford to go to court and say that it is not liable but for smaller intermediaries, or for not-for-profit intermediaries [such as Signal], if they are named in an FIR, it has implications for their supporters and donors. They will have positively assert in a local court that they are protected by safe harbour. That is nothing but a perverse interpretation of law that is meant to guard an automatic, qualified safe harbour,” says Chima. And that is the biggest problem with loss of safe harbour—an intermediary will have to firefight on all fronts. It is important to remember that in India, complaints and FIRs are filed against social media companies en masse as an act of forcing companies to act. For instance, BJP leader Vinit Goenka in May 2021 had asked his supporters to file FIRs and petitions on charges of sedition against Twitter en masse to “protest” the advertisements from pro-Khalistan groups that Twitter allows on its platform. The Delhi high court had dismissed one such petition. Forbes India has seen copies of three petition copies that were filed in the Bombay high court and Gauhati high court. Can a non-compliant intermediary’s employees now be arrested? Technically yes. On March 5, the Wall Street Journal (WSJ) published an article titled ‘India Threatens Jail for Facebook, WhatsApp and Twitter Employees’. Days later, PTI and OpIndia reported that WSJ’s report was factually incorrect and misleading. However, closer analysis of the rules reveals that WSJ was correct in its assessment. The position of the chief compliance officer (CCO), a position that must be occupied by a senior employee of the company who is resident is India, is liable in any proceedings related to third-party content hosted by the social media company if the intermediary does not observe due diligence. This liability, as numerous experts told Forbes India, could translate into jail term under the IT Act. For Nikhil Narendran, partner at law firm Trilegal, this may, in fact, be unconstitutional. “The rules are issued under Section 79 and the parent legislation provides safe harbour if due diligence requirements are met. The rules have now gone beyond that and said personal liability could be imposed on the chief compliance officer. The question is how can you impute personal liability on an employee if the company fails to or does inadequate due diligence with respect to intermediary liability.” Nayantara Narayan, disputes lawyer at Phoenix Legal who has represented Facebook and Instagram earlier, has a different perspective. While technically the chief compliance officer is personally liable for not complying with due diligence requirements, “an entire gamut of events have to take place before somebody ends up in jail”. “Before the liability can effectively accrue upon the employee, they can ask the court for protective measures and ask it to not take coercive steps against them”, she says. Moreover, Forbes India has learnt that hiring for the three positions—chief compliance officer, nodal contact person, and resident grievance officer, especially CCO, has been particularly hard for some companies given that the CCO is personally liable for lack of due diligence from the company. Even before the rules were notified, Twitter’s employees in India—especially its former director of public policy Mahima Kaul (she left the company in February) and Shagufta Kamran, senior manager of public policy—were often named in petitions and FIRs. While a painful and onerous process, it did not lead to their arrests. The same is true for public policy executives of Facebook and Google as well. Protecting employees from liability is actually what led to the inclusion of the safe harbour provision in the IT Act. In 2005, the managing director of Bazee.com (now ebay.in), Avnish Bajaj, was arrested by the Delhi police because a sexually explicit MMS video was listed for sale on the website, Udbhav Tiwari, public policy advisor at Mozilla, explained during Forbes India’s discussion. While the Delhi high court placed criminal liability upon Bajaj under Section 84 of the Information Technology Act, the Supreme Court overturned the decision and said that to attract liability, the director needed to have acted at the behest of the company. This particular case led to the amendment of the IT Act and inclusion of the safe harbour provision under Section 79. Tiwari highlighted that even countries like Russia and Turkey don’t impose criminal liability upon the heads of social media companies; they instead rely on high fines and potential blocks against entire sites and services. “Going after individual people within the company is a particularly coercive way of enforcing this action [content takedowns],” says Tiwari, “and while not unique to India, is raised as a threat far too often.” At least in the case of Twitter, didn’t the Delhi high court give it a three-week extension to comply with the rules? No. On May 31, in a writ petition filed by an advocate against Twitter’s non-compliance with the Intermediary Rules, Justice Rekha Palli ordered Twitter to file a rejoinder by June 21. While it is technically not an extension for Twitter to comply with the rules, functionally, it gives Twitter an argument—we have three more weeks to give an opinion on compliance in a matter that is sub judice. In the meantime, it could argue, that while the matter is sub judice, you cannot bring us to ill effect on this, Chima says, that is punish us directly or indirectly. It could argue that if you bring us to ill-effect, it would harm our ability to give an opinion in the court, he says. Narayan says the purpose of the rejoinder is for Twitter to explain where it is in terms of complying with the rules and if there are reasons because of which it has taken it longer to comply with them. The second wave of Covid-19 made it harder for larger companies to carry out their hiring process, as evidenced by at least two letters sent to MeitY by industry bodies. In an online discussion hosted by CUTS International on May 7, Rakesh Maheshwari, senior director and group coordinator for cyber law and e-security at MeitY, acknowledged the problem that companies have faced while complying with some of the requirements in the middle of a pandemic. He went on to say that in case companies need more time to comply, they should write to MeitY and MeitY would consider each such application. The two aforementioned letters did ask for a three-month extension on the compliance deadline while on May 27, Twitter publicly asked for a three-month extension. But the order makes a larger statement for Chima: “Even the judiciary is saying that we need time to understand what the rules say, what Twitter is saying and what the government is saying. The judge declined to pass an injunction against Twitter in the matter.”