What does it mean to lose safe harbour?

Image: Shutterstock

Let’s get a few of things out of the way: Protection from liability from third-party content—safe harbour—is not a privilege that the Ministry of Electronics and Information Technology (MeitY) grants to intermediaries; it is a default protection offered to the intermediaries as long as they comply with certain due diligence requirements. These requirements have been laid down in the Intermediary Rules that were notified by MeitY on February 25. The central government or its ministries cannot bestow or rescind this protection. Also, an intermediary does not cease to be an intermediary if it continues to provide the same services and perform the same functions; it will not become a publisher. It can only lose its right to offer safe harbour as a legal defence. 

If an intermediary is not in compliance, it automatically loses its safe harbour. This loss is NOT decreed by the executive, that is, MeitY even though it may be best placed to assess a company’s compliance. Loss of safe harbour does NOT mean that an intermediary cannot operate in India. It means that now it can be held liable for content that users post on its platform. 

Let’s say that the professor plans to rob the government’s mint in Mumbai, and for some reason, plans it out on Twitter, recruits his team there (let’s call them Delhi, Kolkata, Nagpur, Bengaluru and Chennai), and declares resistance against the government there. With safe harbour, Twitter or Facebook will not be held directly liable for being conspirator in this crime as long as they take down the problematic content on getting a court order or order from an authorised government agency, and assist the police with investigation. Without safe harbour, Twitter and Facebook may be held liable for this crime as conspirators even though they had no role in the heist. The Maharashtra police can now directly file an FIR against Twitter and Facebook for being conspirators. Whether or not the companies are culpable in the crime is a determination courts will have to make, but the platforms get embroiled at this stage without safe harbour. 

Now consider the fact that Twitter has over 1.8 crore users in India while Facebook has more than 41 crore users. Instagram has over 21 crore and the Indian version of Twitter, Koo, has over 65 lakh users. Imagine if all these platforms were held liable for every piece of problematic content posted on their platforms, despite having no control over what users post, and had to fight every criminal and civil case where they were the medium of communication and nothing more. 

Coming to Twitter. On June 15, the Ghaziabad police filed an FIR against a host of journalists and Twitter for spreading misinformation via a video showing Hindu men forcefully cutting the beard of an aged Muslim man. Ironically, Twitter was accused of not labelling the video as "misleading content". That development led to a spate of premature and incorrect articles declaring that Twitter has lost its safe harbour protection and is now a publisher. 

Legal experts as well as the government sources have confirmed to Forbes India that filing an FIR against Twitter is not an indication of loss of Twitter’s safe harbour status. That determination will be made by the court. 

A senior government official tells Forbes India that the loss of safe harbour provision does not mean that an intermediary ceases to be an intermediary and turns into a publisher. It just means that it becomes an intermediary without immunity from liability for third party content. Loss of immunity means that the employees can be held personally liable and such assessment can only be made by the courts, not by the executive or the police, they said. 

What happens if companies do not comply? 

The main fallout of non-compliance with the due diligence obligations is the loss of safe harbour, that is, platforms will become liable for illegal and problematic content that their users post.  

However, Sneha Jain, partner at Saikrishna & Associates, points out that non-compliance with the rules ought not to automatically lead to loss of safe harbour because safe harbour is an “affirmative defence”. “There are at least two division bench judgements [Amazon v Amway and MySpace v Super Cassettes] wherein loss of safe harbour status must be predicated on the intermediary actually abusing its intermediary status rather than being liable for third party content,” she says.

The rules, too, state that no liability can be imposed on an significant social media intermediary, that is, a social media intermediary with more than 50 lakh registered users in India without giving it the opportunity of being heard. It is not clear who will do the hearing or the adjudicating in such a case. 

Torsha Sarkar, policy officer at Bengaluru-based Centre for Internet and Society, said during a Forbes India discussion that liability will have to be assessed on a case-by-case basis for each piece of problematic content or transmission. She also clarified that not all communication is protected by safe harbour. Safe harbour extends only to that content for which an intermediary acts as a “dumb pipe” or to any transmission that is not initiated by the intermediary, whose recipient is not selected by the intermediary, and the intermediary does not select or modify the information in the transmission.

Is the loss of safe harbour automatic? What does it mean? 

Technically yes. If an intermediary is not in compliance, it automatically loses safe harbour as a legal defence. 

However, functionally, it plays out differently. “Under Rule 7 [of the Intermediary Rules], the loss of safe harbour is automatic and they are liable for prosecution but liability will only apply if some harm is caused to somebody,” says a senior advocate, who represents technology companies, on condition of anonymity. This means, until and unless a cause of action is initiated against some content posted on an intermediary in the form of an FIR or a petition, nothing will happen. In case cause of action is initiated, the courts will determine whether the intermediary is protected by safe harbour. 

“There cannot be a consequence without an act as a matter of law. There is no consequence provided for non-compliance except for losing safe harbour. Post that, if something is not complied with, they cannot plead safe harbour,” the senior advocate adds. 

But Raman Jit Singh Chima, senior international counsel and Asia Pacific policy director at Access Now, disagrees on whether or not loss of safe harbour for not complying with due diligence requirements is automatic. For him, it is “tricky and debatable” because under Section 79(2), which grants safe harbour to intermediaries, employs ambiguous language. Safe harbour is granted when the function of an intermediary is limited to being a communication service or when the intermediary does not initiate the transmission, select its receiver, or select or modify the information contained in the transmission. 

While these two scenarios are “or” situations, that is, safe harbour is granted in either case, Section 79 does not specify if the third scenario—that is where an intermediary observes due diligence requirements prescribed in the Information Technology Act and other guidelines that the government may prescribe—is an “or” or an “and” condition. This means, it is not clear just by virtue of following due diligence requirements any intermediary gets safe harbour, or must it also adhere to one of the first two conditions as well. The net effect of this, Chima says, is that if an intermediary does not fully comply with guidelines prescribed by the government, does the intermediary automatically lose safe harbour or not? For him, courts will have to determine that. 

He points out that the terms of service of MyGov, an SSMI under the rules, do not adhere to the contours laid down in the Intermediary Rules. Does it mean that MyGov will lose safe harbour?

Assuming a social media company with more than 50 lakh users—Chatterbook—has not complied with the Intermediary Rules.

Step 1: Two users post videos showing targeted violence on Chatterbook, but Chatterbook does not proactively take down this content. Nothing happens to Chatterbook at this stage. 

Step 2: Alice files an FIR against the two users of Chatterbook and Chatterbook itself for posting hate speech. 

Step 3: Unlike with safe harbour, when Chatterbook could have told the police on being summoned that it is protected by safe harbour, its senior employees—in all likelihood chief compliance officer and the nodal contact person, if Chatterbook has hired them—now have to go to the police station to answer questions. 

Step 4: Matter is taken up in the local court where Chatterbook attempts to avail legal immunity under safe harbour. 

Step 5: The judge could either agree with Chatterbook and say it still has safe harbour or it could hold Chatterbook responsible. In the latter case, the court will have to categorically state that Chatterbook has lost safe harbour for not complying with the Intermediary Rules. 

Ergo, the determination is made by the courts.

What is the problem then? Effectively status quo is maintained, is it not?

Not really. Earlier, if Twitter or Facebook were named in FIRs or court cases, they could just claim immunity under safe harbour. If the courts decree they have lost safe harbour as a legal defence, they have to actually fight against the charges levelled against them under the Indian Penal Code or other Indian laws, as the case may be. Much of it will have to be determined by the courts, says Tiwari. 

The specific case of the Ghaziabad police filing an FIR against Twitter is a tricky one because according to all experts Forbes India spoke to, the police cannot decide whether an intermediary has lost safe harbour as its legal defence. 

“The act of UP police, in directly charging Twitter, is directly opposed to the spirit of Section 79 and what the government intended. It is the UP police seeking to intimidate Twitter, knowing well that the law is actually meant to isolate [protect] the platform from this because there is no justification for a state police department for naming a tech platform for content posted by its users until and unless it can be categorically established that the platform was directly complicit in this. The act of naming it is an act of intimidation,” says Chima. “Section 79 was formulated to combat exactly this because in India, the process is punishment.”  

“Twitter may be able to afford to go to court and say that it is not liable but for smaller intermediaries, or for not-for-profit intermediaries [such as Signal], if they are named in an FIR, it has implications for their supporters and donors. They will have positively assert in a local court that they are protected by safe harbour. That is nothing but a perverse interpretation of law that is meant to guard an automatic, qualified safe harbour,” says Chima. 

And that is the biggest problem with loss of safe harbour—an intermediary will have to firefight on all fronts. It is important to remember that in India, complaints and FIRs are filed against social media companies en masse as an act of forcing companies to act. For instance, BJP leader Vinit Goenka in May 2021 had asked his supporters to file FIRs and petitions on charges of sedition against Twitter en masse to “protest” the advertisements from pro-Khalistan groups that Twitter allows on its platform. The Delhi high court had dismissed one such petition. Forbes India has seen copies of three petition copies that were filed in the Bombay high court and Gauhati high court. 

Can a non-compliant intermediary’s employees now be arrested? 

Technically yes. On March 5, the Wall Street Journal (WSJ) published an article titled ‘India Threatens Jail for Facebook, WhatsApp and Twitter Employees’. Days later, PTI and OpIndia reported that WSJ’s report was factually incorrect and misleading. 

However, closer analysis of the rules reveals that WSJ was correct in its assessment. The position of the chief compliance officer (CCO), a position that must be occupied by a senior employee of the company who is resident is India, is liable in any proceedings related to third-party content hosted by the social media company if the intermediary does not observe due diligence. This liability, as numerous experts told Forbes India, could translate into jail term under the IT Act. 

For Nikhil Narendran, partner at law firm Trilegal, this may, in fact, be unconstitutional. “The rules are issued under Section 79 and the parent legislation provides safe harbour if due diligence requirements are met. The rules have now gone beyond that and said personal liability could be imposed on the chief compliance officer. The question is how can you impute personal liability on an employee if the company fails to or does inadequate due diligence with respect to intermediary liability.”

Nayantara Narayan, disputes lawyer at Phoenix Legal who has represented Facebook and Instagram earlier, has a different perspective. While technically the chief compliance officer is personally liable for not complying with due diligence requirements, “an entire gamut of events have to take place before somebody ends up in jail”. “Before the liability can effectively accrue upon the employee, they can ask the court for protective measures and ask it to not take coercive steps against them”, she says.

Moreover, Forbes India has learnt that hiring for the three positions—chief compliance officer, nodal contact person, and resident grievance officer, especially CCO, has been particularly hard for some companies given that the CCO is personally liable for lack of due diligence from the company.

Even before the rules were notified, Twitter’s employees in India—especially its former director of public policy Mahima Kaul (she left the company in February) and Shagufta Kamran, senior manager of public policy—were often named in petitions and FIRs. While a painful and onerous process, it did not lead to their arrests. The same is true for public policy executives of Facebook and Google as well. 

Protecting employees from liability is actually what led to the inclusion of the safe harbour provision in the IT Act. In 2005, the managing director of Bazee.com (now ebay.in), Avnish Bajaj, was arrested by the Delhi police because a sexually explicit MMS video was listed for sale on the website, Udbhav Tiwari, public policy advisor at Mozilla, explained during Forbes India’s discussion. While the Delhi high court placed criminal liability upon Bajaj under Section 84 of the Information Technology Act, the Supreme Court overturned the decision and said that to attract liability, the director needed to have acted at the behest of the company. This particular case led to the amendment of the IT Act and inclusion of the safe harbour provision under Section 79. 

Tiwari highlighted that even countries like Russia and Turkey don’t impose criminal liability upon the heads of social media companies; they instead rely on high fines and potential blocks against entire sites and services. “Going after individual people within the company is a particularly coercive way of enforcing this action [content takedowns],” says Tiwari, “and while not unique to India, is raised as a threat far too often.”

At least in the case of Twitter, didn’t the Delhi high court give it a three-week extension to comply with the rules?

No. On May 31, in a writ petition filed by an advocate against Twitter’s non-compliance with the Intermediary Rules, Justice Rekha Palli ordered Twitter to file a rejoinder by June 21. While it is technically not an extension for Twitter to comply with the rules, functionally, it gives Twitter an argument—we have three more weeks to give an opinion on compliance in a matter that is sub judice. In the meantime, it could argue, that while the matter is sub judice, you cannot bring us to ill effect on this, Chima says, that is punish us directly or indirectly. It could argue that if you bring us to ill-effect, it would harm our ability to give an opinion in the court, he says. 

Narayan says the purpose of the rejoinder is for Twitter to explain where it is in terms of complying with the rules and if there are reasons because of which it has taken it longer to comply with them. The second wave of Covid-19 made it harder for larger companies to carry out their hiring process, as evidenced by at least two letters sent to MeitY by industry bodies. In an online discussion hosted by CUTS International on May 7, Rakesh Maheshwari, senior director and group coordinator for cyber law and e-security at MeitY, acknowledged the problem that companies have faced while complying with some of the requirements in the middle of a pandemic. He went on to say that in case companies need more time to comply, they should write to MeitY and MeitY would consider each such application. The two aforementioned letters did ask for a three-month extension on the compliance deadline while on May 27, Twitter publicly asked for a three-month extension. 

But the order makes a larger statement for Chima: “Even the judiciary is saying that we need time to understand what the rules say, what Twitter is saying and what the government is saying. The judge declined to pass an injunction against Twitter in the matter.”