Information Technology Rule, 2021 passed on 25th February 2021 since then it has sparked the debate about the Right to privacy, Freedom of speech, and expression, and is the government going to decide now what will their pupils watch. It deals with modern world problem like fake news, online abuse, online sexual exploitation, etc., and try to fix the liabilities upon the intermediaries.

The present article tries to explore every aspect of this rule which is affecting or will affect the functioning of the social media in the country but the vagueness of certain provisions and excessive liability on the intermediaries and the narrow definitions put this rule under scrutiny and need to revise certain provision.

Introduction
The world is living in the age of the internet from buying groceries online to selling shares in just one click is truly a miraculous feat achieved by mankind just like this another boon given by the internet is social media. Distance doesn't matter anymore it is just a number now people of different religion, caste, creed, language is interacting with each other and sharing their ideas and belief.

But just like any other thing social media has also two faces one which shows us a bright future and the second is pitch dark. Online bullying, Cybercrimes, financial frauds, sexual exploitation, are some examples of many evils that prevailed in the present time. Countries around the globe are trying to develop a legal framework to set the liabilities on the people who commit these crimes.

India also took a big step two decades ago by passing an IT Act 2000 but that act and some other rules passed in the last two decades were not sufficient to tackle the prevalent problems. That's why the present Indian government introduced new IT Rules 2021 which try to address the current scenario but like any other law, it has its triumphs and shortcomings below in the article author tries to address every aspect of the IT Rule 2021 which concern social media intermediaries.

History Of Social Media In India

India saw the first glimpse of social media in 2004 when the Orkut was launched by Google for the public. Orkut become very famous in India despite limited technological or educational advancement at that time. Google in 2007 launches Orkut in six different Indian languages i.e., Hindi, Bengali, Marathi, Tamil, Kannada, and Telugu and within six years after its launch i.e., in 2010 Orkut had almost a 19millions active users in India.[1]

Then Facebook launched publicly in 2006 and it took the world by storm by 2010 it had almost 24million active users in India and it beat the Orkut and become the most famous and used social media platform and its streak continues to date. During the same time frame many other social media platforms like Twitter, Instagram, WhatsApp, etc launch and become popular among every age group very rapidly.[2]

The last decade saw the tremendous technological advancement every person has smartphones in their hand with a fast internet connection and can access social media at their fingertips that's the reason Facebook, Instagram, and WhatsApp have the highest number of active users in India and presently India is the second-largest overall social media consumer in the world with the 639million active users.[3]

Effect Of It Rules 2021 On Social Media Intermediaries

1. Publishing Rules, Policy, and User Agreement:
   According to new IT rules, social media intermediaries and significant social media intermediaries has to publish their rules and regulation, Privacy Policy, and the User Agreement on their website or their application such that it is noticeable to the users every time they use the intermediary platform.[4]
   
   These rules, Privacy Policy, and User Agreement must specifically mention that their platform would not be used by the users to host, display, upload, modify, publish, transmit, store, update or share any information that belongs to some other person to which user has no right, or is defamatory to someone, or pornographic in nature, or discriminate racially, sexually or religiously or is harmful to the child, or infringes any copyright or trademark, or violates any law, or transmit any fake news of any kind, or threaten national security, or contain any virus.[5]
   
   In new IT Rules, the Intermediaries must send their user's constant reminders that if they don't follow their policies or rules and regulation then they have the right to terminate the user account or to remove the information posted by that user. It means that users will be getting a mail every year at least once from every social media platform where they have ever registered even just for fun and not using it currently.[6]
    
2. Removal of content or information from Intermediaries computer resources:
   Intermediaries on whose platform the information is stored, or published when received an order from the court which has jurisdiction in the matter or from the government or any competent government agency under clause (b) of sub-section (3) of section 79 of the IT Act then the intermediaries have to remove that information if that information is:
   
   • Threat to the sovereignty and integrity of India.
   • The danger for the security of the State.
   • Can harm friendly relations with foreign States.
   • Threat to public order.
   • Against decency or morality.
   •  about contempt of court, defamation, or incitement to an offense.
   • Against any law for the time being in force.[7]
   Some of these terms are vague and don't paint a clear picture on certain issues like decency and morality or defamation. Something immoral for someone can be fine by many others and the same goes for the defamation it gives a lot of power in the hand of the executive. So, it is very necessary to make a precise and clear guideline that helps the authority to take its course with precision.
   
   If such information is get published or stored by the intermediaries then they have to remove that information within thirty-six hours after receiving the order from the court or the government or any competent government agency. Removal of such information after receiving an order or voluntarily or under grievance redressal mechanism does not amount to the violation of clauses (a) or (b) of sub-section (2) of section 79 of the IT Act.[8]
   
   Any such information which is removed by the intermediaries after receiving the notice from the courts, or government, or any other competent government authority or voluntarily upon violation of their policy or by grievance redressal mechanism must be kept by the intermediaries as evidence without any alteration for at least one hundred and eighty days or as demanded by the court or other government agency who are lawfully authorized.[9]
   
   These rules might not affect the big players like Facebook, Twitter, or WhatsApp but they will put the extra financial burden on the small intermediaries because they have to develop their infrastructure even more to store the information which was asked by the authorities and have to hire the more manpower to maintain that infrastructure. Holding such information for a long time might cause a data leak which is a threat to the privacy of the user.
   
   However, some relief is provided to the intermediaries in case the information is temporarily or for a short period is stored automatically on the intermediary computer resource because of the in-built feature of that computer resource which doesn't involve any human interference and can't be changed by editing the algorithm and thus transmitted to another computer resource. In this case, intermediaries are exempt from the notice which is given by the court or government or by a competent government agency to host, publish or store the information which is mentioned above.[10]
    
3. Private data storage and safety:
   The social media intermediary must hold on to the information for one hundred and eighty days which they have collected from the user for his registration at their computer resources after the user has withdrawn his registration.[11]
   
   India still lacks for effective Data Protection Law so in this view how valid is this to allow the intermediaries to store the data of the users for one hundred and eighty days even after they delete their account from the intermediaries platforms. Which law guarantees the safety of this data which is made mandatory by the government to be stored by the intermediaries.[12]
   
   Intermediaries have to provide data to the government within seventy-two hours after receiving an order from the competent authorities which are mentioned above to the government agencies which are lawfully authorized to investigate the cyber security matters. But the order must be in writing and the reason for seeking such information must be mentioned.[13]
   
   The intermediaries shall not install or modify their technical configuration knowingly which changes the default functioning of their computer resources which violates any rule of law at that time. However, the intermediary may develop, produce, distribute or employ technological means which will help him to secure the computer resources and the information stored in them.[14]
   
   The intermediaries should secure their computer resources and the information stored within by following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011.[15]
   
   If any cyber security incidence took place, then the intermediaries should share the related information with the Indian Computer Emergency Response Team by the policies and procedures as mentioned in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.[16]
    
4. Grievance Redressal Mechanism:
   Intermediaries shall appoint the grievance officer and publish his name, contact details, and the mechanism by following which the users or the victims can register their grievances that violate any provision of IT Rules 2021 on their website, applications, or both.[17]
   
   The grievance officer must acknowledge the complaint of the griever within twenty-four hours and resolve the issue within fifteen days. And the orders received by the intermediaries from the court or the government or any competent government agency also must be acknowledged by the grievance officer. This rule increases the work pressure on Grievance Officer. Earlier they have thirty days to resolve the issue but now the timeline is reduced to fifteen days and they are the ones to deal with the order received from the authorities.[18]
   
   If the intermediaries receive a complaint in connection with the content which exposes the private area of the individual, which exposes an individual in partial or full nudity or which show an individual involved in a sexual act or transmit or publish electronically morphed images of the individual from the victim or someone on behalf of the victim then the intermediaries should take immediate and appropriate action to remove such content within twenty-four hours after receiving a complaint.[19]
    
5. Additional due diligence followed by significant social media intermediary:
   In addition to the above-mentioned rule of due diligence, significant social media intermediaries have to follow some additional rule which does not apply to social media intermediaries. And a time limit of three has been given to the significant social media intermediaries to comply with these rules.
    
6. Following are the rule that must be complied with by the Significant Social Media Intermediaries:
   • Appointment of the Chief Compliance Officer who should be the resident of India and he will be responsible for the compliance of the intermediary by all the rules and the regulation made under this act and will be liable in every proceeding which proceeds against the intermediaries for the non-compliance of the rule of the due diligence which is mentioned above. However, before making them liable they would be given a chance to be heard.[20]
      
   • The recent tussle between Twitter India and the Government of India has many aspects one of which is related to the appointment of the Chief Compliance Officer. Indian government blame Twitter India for non-compliance with the rule of the land and the matter went to Delhi High Court. Recently, the war came to an end when the lawyer representing the Government of India informed the court that Twitter India has appointed the Chief Compliance Officer, and hence there is no violation of IT Rules 2021.[21]
      
   • Other than the Chief Compliance Officer intermediaries should also appoint the Nodal contact person who must be the employee of the intermediary and the resident of India and its job is to coordinate with the law enforcement agencies and comply with the order made by them by the law.[22]
      
   • Redressal Grievance Officer should also be appointed who is the employee of the intermediary and the resident of India whose job is to deal with the Grievance Redressal which is mentioned above.[23]
      
   • Intermediaries have to publish the compliance report monthly which should contain the data of how many complaints were received and how many of them were resolved and the action taken on them and should also mention the communication link or the part of the information which was disabled by them.[24]
      
   • The significant social media intermediaries have to enable the identification of the first originator of the message in case they receive a judicial order passed from the court with authority over the matter or the order passed by the competent government agency under Section 69 as per the Information Technology (Procedure and Safeguards for the interception, monitoring, and decryption of information) Rules, 2009.[25]
      
   • Enabling such identification means that the intermediaries that use end-to-end encryption would have to disable it for all of its users whether they have committed any crime or not this poses a serious threat to the privacy of every user. WhatsApp recently went to the Delhi High Court to file a lawsuit against the Government of India that the new IT Rule 2021 violates the fundamental right of privacy of the people.[26]
      
   • However, such order can be passed only to prevent, detect, investigate, prosecute, or punishment an offense related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, or public order, or of incitement to an offense relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years.[27]
      
   • If there is no need to pass an order and the appropriate action could be taken by the conventional methods then the order should not be passed. And the intermediaries while compiling with the orders to disclose the first originator should not disclose the content of the messages of the first originator or any other information or information of any other users.
      
   • If the first originator is residing outside of India, then the first person who shares the content for the first time in India will be considered as the first originator.[28]
      
   • Significant social media intermediaries that provide advertising facilities to the people who hold copyright, or an exclusive license or entered into a contract which provides to publicize their product or information only through that particular social media intermediaries by which the product or the information reached more and more people by targeting the specific audience of that information or product and thus provide financial benefits has to be marked advertised, marketed, sponsored, owned, or exclusively controlled as per the case.[29]
      
   • Significant social media intermediaries should use AI technology to remove any unwanted materials on their computer sources like pornography, child sexual abuse, crime against women, or any other material which was earlier removed by the intermediaries under clause (d) of sub-rule (1) of rule 3. And should give a warning that such information has been removed by the intermediaries to the user who tries to publish such content or try to access such information.[30]
      
   • However, intermediaries should apply the all necessary and appropriate technical measures to protect the right of free speech of the user and their privacy too. The AI should be under continuous human observation following the mechanism developed by the intermediaries and it should be reviewed periodically.[31]
      
   • AI Technology is not a fully developed tech it's still a work in progress and giving such power in the hand of unfinished technology can be proved dangerous for the right to freedom of speech and expression. Over censorship is not an alien concept in many instances it has been seen AI has to curb the posts or comment which doesn't violate or violate little the policies of the intermediaries.
      
   • AI technology is a self-learning program that uses a vast amount of data to develop itself to facilitate the AI to examine this data intermediary has to develop the infrastructure to hold such a vast amount of data which is very costly and require a lot of manpower.
      
   • AI also is a kind of program which runs on code like any other program and that code is developed by some human and there is a great chance that it has flaws and some biases which will affect the decision-making of the AI and ultimately it will discriminate while censorship. There is no accountability for the mistake which is made by AI and there is a lack of transparency in the code writing of the AI. IT Rules 2021 also didn't shed light on the case of who will be held accountable if the AI done a mistake or does over censorship and what will be the procedure to overturn this mistake.
      
   • Significant social media intermediaries should have a physical address which they should mention on their websites and their mobile applications as well if they have any.[32]
      
   • Significant social media intermediaries should implement the proper grievance redressal mechanism by using which user can register their complaints easily in case if any of the provisions of the rule is violated. Such users should be provided with the unique ticket number so they can keep track of their application[33]
      
   • And it is the responsibility of the intermediaries to update complainants on the action they have taken on their complaint and if no action is taken then the reason for it.
      
   • Significant social media should allow their user in India to verify their account voluntarily by using appropriate methods or they can use their registered mobile number to verify their account. And the intermediaries should provide every such account with the symbol or mark which should be visible to all of the other users. Provided that such information should not be used unless the consent is given by the user.[34]
      
   • If a significant social media intermediary removes any information under clause (b) of sub-rule (1) of rule 3 on its own accord, then they should inform the user who has published such information or content why they have removed such information. And should allow the user to challenge the decision taken by the intermediary and request the restoration of such information and it should be decided within a reasonable time.[35]
      
   • The resident Grievance Officer of such intermediaries should make sure that the grievance redressal mechanism should run smoothly. Ministry can ask for information from the intermediaries regarding the removal of information published by the user.[36]
      
7. Compliance with order:
   Ministry can pass an order which requires an intermediary which is not a significant social media intermediary to comply with rule 4 of the IT Rules 2021 if the services of the intermediary are to transmit the information which can harm the sovereignty and integrity of India, security of the State, friendly relations with foreign states or public order.
   
   However, a reason to pass such an order must be in writing.
   
   The assessment of the risk will be done on the service provided by the intermediaries whether they provide the services in which users can attract each other or they provide service to publish the content which has a wide range of users and would result in spreading of such information.[37]
    
8. Non-observance of rules:
   Rule 7 of the IT Rule 2021 clearly states that if the intermediaries violate any rule, then they will be held liable and the appropriate action will be taken against them according to the law. This rule took away the immunity which was provided to the intermediaries by section 79(1) of the IT Act 2000.[38]
   
   This rule caused a panic among the intermediaries because not only they would be stopped from functioning in India they can also be held criminally liable for the content posted, published, shared, or edited by any other person.
    

Conclusion
The requirement of law to tackle cybercrime is eminent and it should be done promptly but it shouldn't be done at the cost of risking the privacy and security of the people. These laws are promising but still need improvements on many fronts like definitions should be clearer and the privacy of the users should be protected more effectively and the effective data protection law must be enforced.

Use of the Artificial Technology for deciding which content or information is violating the policy of the law is not effective because AI work on programming codes and codes can be flawed and AI is a self-learning program and there is no transparency from which data AI is learning and on what code AI is built.

End to End encryption is used by the intermediaries to protect the privacy of the user and to find the first originator of the messaged end-to-end encryption has to be disabled for all the users this will be a serious threat to the privacy of the users. We need a law that can guaranty our safety from cybercrime and at the same time protect our privacy and personal data.

End-Notes:

1. Venkat Ananth, "The rise, fall and subsequent death of Orkut", The Mint, 30 Sep 2014, available at: https://www.livemint.com/Consumer/zAYIirsyDYC2ZVcNxGkXcJ/The-rise-fall-and-subsequent-death-of-Orkut.html (visited on October 23, 2021).
2. Ibid.
3. Number of social network users in selected countries in 2021 and 2026, available at: https://www.statista.com/statistics/278341/number-of-social-network-users-in-selected-countries/ (visited on October 23, 2021).
4. Rule 3(1)(a) IT Rules, 2021.
5. Rule 3(1)(b) IT Rules, 2021.
6. Rule 3(1)(c) IT Rules, 2021.
7. Rule 3(1)(d) IT Rules, 2021.
8. Rule 3(1)(c) IT Rules, 2021.
9. Rule 3(1)(c) IT Rules, 2021.
10. Rule 3(1)(e) IT Rules, 2021.
11. Rule 3(1)(g) IT Rules, 2021.
12. Rule 3(1)(h) IT Rules, 2021.
13. Rule 3(1)(j) IT Rules, 2021.
14. Rule 3(1)(k) IT Rules, 2021.
15. Rule 3(1)(i) IT Rules, 2021.
16. Rule 3(1)(l) IT Rules, 2021.
17. Rule 3(2)(a) IT Rules, 2021.
18. Rule 3(2)(b) IT Rules, 2021.
19. Rule 3(2)(c) IT Rules, 2021.
20. Rule 4(1)(a) IT Rules, 2021.
21. Twitter Communications India Pvt. Ltd. & Ors. V. Union Of India & Ors., Writ Petition(s)(Criminal) No(s). 337/2020.
22. Rule 4(1)(b) IT Rules, 2021.
23. Rule 4(1)(c) IT Rules, 2021.
24. Rule 4(1)(d) IT Rules, 2021
25. Rule 4(2) IT Rules, 2021
26. Whatsapp LLC v/s. Competition Commission Of India & Anr., W.P.(C) 4378/2021 & CM 13336/2021.
27. Rule 4(1)(c) IT Rules, 2021.
28. Rule 4(1)(c) IT Rules, 2021
29. Rule 4(3)(a) &(b) IT Rules, 2021
30. Rule 4(4) IT Rules, 2021
31. Ibid
32. Rule 4(5) IT Rules, 2021
33. Rule 4(6) IT Rules, 2021
34. Rule 4(7) IT Rules, 2021
35. Rule 4(8)(a) & (b) IT Rules, 2021
36. Rule 3(8)(c) IT Rules, 2021
37. Rule 6 IT Rules, 2021
38. Rule 7 IT Rules, 2021