Mahesh D
Introduction
The paradox of safeguarding individual rights while upholding state obligations is a persistent issue for all cultures and time periods. The legal and philosophical problem of this paradox is that “when if ever, can the rights of individual or group entities be curtailed because those in power deem it necessary or expedient to do so.” This problem remained at the forefront on the modern lawscape of India. In this country, we have seen arrest of two girls in Mumbai for a Facebook post questioning the violent reaction to the demise of the political leader and we have witnessed the arrest of senior journalist for writing critical accounts of actions of policies of government. Such live and ongoing issues are exacerbated by the formulation of The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 [hereinafter referred as IT Rules 2021] in this digital age.
Identifying the first originator of information- Rule 4(2) of the IT Rules
The abovementioned rules were formulated by the directions of the Supreme Court of India in two judgements — the Prajwala Letter case of 2018 and Facebook case in 2019 —wherein Government of India is obliged to frame necessary guidelines to eliminate child pornography and related contents in online platforms and other applications and finding out the persons, institutions, and bodies who were the originators of such content messages. This opinion of Court was embodied in Rule 4(2) of IT Rules 2021 which mandates significant social media intermediaries to identify the first originator of information when ordered by a court or government authority. Though the intent of rule is to trace limited information only when the message is in public circulation, the problem arises in private messages on social platforms such as direct messages in Instagram or WhatsApp messages wherein implementing traceability would break end-to-end encryption resulting in disproportionate state intrusion into user privacy, fostering chilling effect on user’s freedom and instilling collateral censorship on intermediary immunity.
Inseminating the chilling effect on the user’s freedom
Let us examine by example wherein a person acting in good faith takes a screenshot and resends it, copies a message and shares it, or forwards an article received via email on WhatsApp. They might still be implicated as the first originator under this contested rule if no other source is identified. This rule or any other legislation does not specify what constitutes “First Originator” implicating its vague nature and the overbroad term “identification” does not specify the exact guidelines and responsibilities of intermediaries in ascertaining the information, leading to ambiguity and potential misuse in the tracing of originators. Thus, this vague and overbroad nature of Rule 4(2) of IT Rules 2021 impermissibly delegates basic policy matters to administrative authorities for resolution on an ad hoc and subjective basis, with the attendant dangers of arbitrary and discriminatory application and leading to chilling effect of freedom of speech and expression enshrined under Article 19(1)a of the Indian Constitution.
Instilling collateral censorship on the intermediaries
The second concern on Free speech is that the law [particularly Section 79 of Information Technology Act, 2000 read with Rule 7 of IT Rules,2021] often restricts the liability of an intermediary for the speech it carries. And rightly so, because imposing liability of third-party content on intermediaries can induce them to filter out questionable content and this “collateral censorship” risks suppressing much lawful, even highly beneficial, speech. The term “collateral censorship” refers to instances where a private intermediary suppresses the speech of third parties to avoid potential liability for that speech hosted on their platform. This poses a significant issue, as some of the restricted content might actually be lawful and even socially beneficial. Therefore, penalizing facilitators that assist people in expressing themselves harms public discourse, thereby imposing a significant chilling effect on freedom of expression. Such restrictions not only impede the rights of the individual but also duties of the corporation who is instrumental in improving governance and promoting human rights.
Identifying User’s Right to Privacy as Anonymity
The anomaly of mandating intermediaries to facilitate the identification of the first originator of information on the end-to-end messaging platform like WhatsApp poses a significant threat to privacy wherein undermining the rights of hundreds of millions of Indian Citizens who rely on those platforms to keep their messages private. On this aspect, the Supreme Court of India held in the case of Supreme Court of India v. Subhash Chandra Agarwal that “Privacy and confidentiality encompass a range of rights, including the protection of identity and the freedom to remain anonymous in which Anonymity allows individuals to avoid identification.” Furthermore, end-o-end encryption not only protects privacy but also strengthens communication security and preserves the integrity of information.
Disproportionate State intervention in the User’s Right to Privacy
The second aspect is that the impugned Rule 4(2) fails the three-prong test for determining any state action intruding individual privacy outlined in Puttaswamy I. Firstly, it fails the test of legality as a delegated provision without express parliamentary authorization and travels beyond the scope of parent statute i.e., Section 87(2)(z), (zg) and Section 79 of Information Technology Act 2000. Secondly, the impugned rule fails the test of necessity as there is no guarantee against arbitrary state action. The impugned rule permits judicial oversight as an alternative to the Union Home Secretary under the Information Technology Rules 2009. However, it is highly likely that the central government may favour the Union Home Secretary over judicial intervention, making the rule susceptible to misuse or arbitrary orders which also violates Article 14 of the Indian constitution. Thirdly, this also fails the test of proportionality as the rule mandates in breaking end to end encryption which infringes fundamental rights without employing the “least restrictive means.” Since it is impossible to anticipate which message might be subject to a tracing order, intermediaries like the Petitioner would be compelled to develop mechanisms to identify the first originator of every communication sent on their platforms in India indefinitely, thereby infringing on the privacy of even lawful users. Therefore, this impugned rule imposes an unconstitutional burden on privacy and liable to be severed down.
Violation of Principles Enshrined In general data protection regulation, 2016
The Rule 4(2) of IT Rules represents a direct affront to the foundational principles of the General Data Protection Regulation [hereinafter referred as “GDPR”] which is revered as the “golden standard” for data protection across the world. At its core, the rule suffers from a critical flaw wherein the term “first originator” remains undefined. Neither the provisions of IT Act,2000 nor the IT Rules,2021 provided clarity on the term, leaving the individuals, intermediaries and entities to grapple with an abstruse concept which sets the stage for potential misuse of power. Thus this obscurity runs contrary to the “Principle of Purpose Limitation” under Article 5(1)(b) of the GDPR. Even more troubling is the practical impossibility of tracing the first originator in today’s digital landscape. Every time data is saved locally and reposted, new chains of data emerges, fragmenting the original flow. The result? A labyrinth of circulating data chains rendering the concept of identification of first originator to no use. Such overbroad processing results in excessive and unnecessary processing of data contravening the “Principle of Data Minimization” under Article 5(1)(c) of the GDPR. Lastly, the most egregious aspect of Rule 4(2), lies in its reliance on breaking end to end encryption to trace the first originator of information. Such disproportionate use of measure with no consideration for the rights of the data principal not only jeopardizes privacy but also contravenes the norm prescribed under Article 6(1)(f) of the GDPR, which mandates a lawful basis for processing personal data wherein this impugned rule strikes at the heart of the balance between legitimate interests and the fundamental rights of the data principal. Therefore, Rule 4(2) of IT Rules 2021 is not just flawed rather it is a regressing move of the state which threatens individual rights along with the integrity of global data protection standards.
Suggestion and Conclusion
To address the challenges of Rule 4(2) of the IT Rules, 2021, this blog suggests that certain reforms are required to strike a balance between regulation and fundamental rights. It is important to define “first originator” with precision so that overbroad applications are avoided and the chilling effect on free speech may be removed. Furthermore, there is need of mandatory judicial oversight which should replace the optional provision in this rule to prevent arbitrary state actions. Objective mechanisms such as the “Press-information-Bureau FACT model” under Rule 3(b)(v) should be adopted to eliminate subjective bias and ensure transparency and accountability. To conclude, safeguarding liberty of the individual in this digital age requires clarity, subjectivity, accountability, and robust safeguards to protect freedom of expression and privacy and to address emerging technological challenges.
The Author is a second-year students at Tamil Nadu National Law University
Picture Credit: Indian Liberals
Constitutional Law Society 
Leave a comment