Social media giant Facebook is considering a legal challenge to India’s new guidelines for digital media intermediaries on the basis of an individual’s right to privacy, according to sources close to the company. Facebook is considering filing an appeal alone or jointly with social media peers who will be affected by the rules.
The new guidelines — the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 — require significant social media intermediaries (those with at least 50 lakh registered users) to appoint a grievance officer, chief compliance officer and nodal person of contact, besides requiring them to comply with government orders for the takedown of certain content deemed to be in violation of the law.
According to sources, who spoke on the condition of anonymity, the social media giant is going to challenge the section of the recently released guidelines that requires social media platforms to identify — upon receiving orders from a court or the government — the ‘first originator’ of information, which the government feels could jeopardise the sovereignty and integrity of India, or includes sexually explicit or child sexual abuse material. This section, according to the source, will require the company to remove the end-to-end (E2E) encryption for chats.
Facebook didn’t respond to Inc42’s queries for this story.
Tech experts have pointed out that the implementation of the said provision will mean breaking the encryption of messages on platforms such as WhatsApp, Telegram and Signal, thus compromising user privacy. Though the rules state that the provision wouldn’t be used to look into the contents of the messages between individuals, the Internet Freedom Foundation (IFF) claimed that methods that seek to implement traceability in a manner compatible with E2E are vulnerable to spoofing, i.e. where nefarious actors falsely modify the originator information to frame an innocent person.
More details about Facebook’s proposed legal challenge aren’t known. Legal experts said that such a challenge would be structured around the argument that implementation of the provision would mean that WhatsApp, which is Facebook’s group company, would have to break E2E, which in turn will violate users’ fundamental right to privacy.
However, the government could argue that traceability of certain messages is a ‘reasonable restriction’ on the fundamental right to privacy, for safeguarding national security.
Notably, while the Personal Data Protection Bill, 2019, also directs data fiduciaries to make a host of arrangements for safeguarding user privacy, Clause 35 exempts the government or any of its agencies from the application of the bill, on grounds of national security.
Namita Vishwanath, a partner at IndusLaw, told Inc42 that under Section 79(3) of the Information Technology Act, 2000 (IT Act), intermediaries were required to intervene only upon being notified by the appropriate government that the platform was being used to commit any unlawful act. However, the new rules provide broad-based powers to the government which require significant social media intermediaries, like Facebook, to cooperate even before any unlawful act has been committed.
“The new rules require intermediaries to cooperate in relation to the ‘detection’ or ‘investigation’ of an offence – which goes beyond the scope of ‘preventive’ action afforded to the Government under Section 69A of the IT Act (which itself is not to be implemented without its own set of checks and balances),” added Vishwanath.
Vishwanath felt that Facebook’s legal challenge could be structured around how the government has exceeded the scope of the powers granted to it under Sections 79(3) and 69A of the IT Act.
The new rules also state that where the first originator of the ‘unlawful’ information is based outside India, the first originator of that information within India will be held liable for the offence. Vishwanath felt this particular instance could also be challenged by Facebook.
“The accountability being accorded to the first originator of the message in India although the message may have originated outside of India appears to have been included as a matter of ‘convenience’ as far as implementation is concerned, especially since the IT Act does provide for extraterritorial jurisdiction,” she said. “This could potentially be challenged as being unfair and not in the interest of justice.”
A legal expert told Inc42 that implementation of the contentious ‘first originator’ clause would be fair when all decisions are referred to an impartial committee constituted specifically for this purpose. This would prevent misuse of the provision. The present rules don’t include such an arrangement.
With inputs from Deepsekhar Choudhury.
Update: March 2, 2021, 8:03 pm – The previous version of the story erroneously mentioned ‘Personal Data Protection Bill, 2021’. The same has been corrected to ‘Personal Data Protection Bill, 2019’.