This article is written by Raunak Sood, a 4th year BBA LLB (Hons.) student studying at Bennett University, Greater Noida, pursuing Diploma in Advanced Contract Drafting, Negotiation, and Dispute Resolution from LawSikho.
Companies like Facebook, Apple and Alphabet who own messaging apps like I-message, WhatsApp and Google Messages have been the worst hit by the Impugned Rule (defined hereinbelow) It is necessary to understand the background of these messaging apps. These messaging apps are allowing users to communicate with each other with their highly encoded end to end encryption, thus giving their users privacy and security. In simpler words, when one user sends his message to another user, this means that a message or a phone call is taking place between the users themselves. It does not mean that the message is going to any third-party, which implies that nobody would be able to snoop on the call or the message sent between the parties.
- Impugned Rule: Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021– It is hereinafter called as the “Ethics Code”
- Whether Impugned Rule of the Ethics Code is unconstitutional?
- Whether Impugned Rule is ultra vires the Information Technology Act, 2000?
- Whether the Impugned Rule violates the Data Principles laid down in GDPR and SriKrishna Committee Report?
Issue 1. Whether Impugned Rule of the Ethics Code is unconstitutional?
The impugned rule is unconstitutional on the following grounds:
- Violation of Art 21.- The right to privacy has been declared a fundamental right in the case of KS Puttaswamy v. Union of India. Right to privacy is like an umbrella under which the right to remain anonymous is present. Herein, the impugned rule hurts the right to remain anonymous and it violates the root of the concept of end to end encryption and furthermore, the Impugned Rule asks all the social media intermediaries to identify the first originator of information and this violates the end to end encryption policy adapted by various messaging apps, shopping apps and OTT platforms, as well as infringes upon the right to privacy as the Impugned Rule does not set a time frame for the social media intermediary to recognize the first originator of information. Hence, all social media intermediaries have to keep track of each and every message being shared on their platforms. The Impugned rule is not legal and is violative of S.69A of the IT Act as there is no opportunity for judicial review before the Government asks the Social Media Intermediaries to disclose messages under the garb of National Security. It also seems that the Impugned Rule is targeting the private communications of Indian Citizens and it is not the least restrictive method to control the right of privacy.
- Violative of Art. 19(1)(a)- Professor Kaye once said that online privacy is important for the exercise of the right of free speech and expression. In the case of LIC v. Manubhai D. Shah, the Apex Court held that free speech includes the right to communicate through print media or any other communication channel and any attempt to strangle the same would be violative of Art.19(1)(a). There is a chilling effect on free speech because lawful communications between users of social media would be under surveillance and people would not have the freedom to speak freely and securely within their private space.
- Violative of Art.14 – In the case of Shayara Bano v. Union of India, the Apex Court held that the unreasonable laws are absolutely arbitrary, hence the Impugned Rule is arbitrary because it causes more harm than good, and goes against the legislative intent of the IT Act because the Parliament never envisaged that the Government should be able to know about communications taking place between various individuals let alone the First Originator of Information.
Issue 2. Whether the Impugned Rule is ultra vires the Information Technology Act, 2021?
The Impugned Rule cannot be said to have the force of law because Rule 4(2) has been made under delegated legislation. The Impugned Rule has been made by the IT Ministry and delegated legislation and rules made under such legislation cannot lie outside the purview of the Parent Statue. The Impugned Rule is ultra vires the IT Act on the following grounds:
- Violative of the legislative intent: It was held by the Apex Court in the case of Bombay Dyeing v. Bombay Environment Action group that any delegated legislation falling afoul of the legislative object of the parent statute could be struck down. The preamble of the IT Act, 2021 provides for a substitute to paper-based approaches of communication and uploading of information, and the legislative intent seeks to introduce uniformity, but the same legislative intent is being threatened when social media intermediaries are asked to identify the first originator of information.
- Ultra Vires S. 69A and 79- Section 69A allows the Central Government to block access to content over its platform or give out the procedures and safeguard whereas Impugned Rule is neither a procedure nor a safeguard and it is a settled law. In the case of Kunj Behari Lal Butail v. State of HP it was held that rules made under a statute should not travel beyond the scope of the statute or be repugnant thereto. Hence, the Impugned Rule is transgressing and is ultra vires to S.69A of the IT Act, 2021.
Section 79 gives immunity to social media intermediaries for whatever activity is being done by third parties on their platforms, but nowhere in S.79 is there any mention of enabling the Government to identify the first originator of the information. It is the Parliament which is allowed to take on the essential legislative functions as laid down in the case of In re Delhi Laws, 1912 and it is iterated that there is no clear policy mentioned in S.79 to identify the first originator of information. And furthermore, S.79 only gives powers to the Central Government to prescribe for “due diligence” but Impugned Rule falls outside the scope of the word due diligence because it opens a trap door for netizens to understand the limits of data being generated. Hence, it is concluded that the Impugned Rule is ultra vires S. 79 of the IT Act, 2021.
Issue 3. Whether Impugned Rules violate data principles laid down in GDPR and Srikrishna Committee Report?
The Impugned Rule is violating the principle of Data Minimization laid down in Article 5(1)(c) of the GDPR that states that a minimum amount of data should be stored to fulfill the purpose for which your organization needs it, the data should be adequate, relevant and limited to the purpose. Herein the purpose of social media and other shopping apps is to connect and distribute goods but the Impugned Rule allows traceability which defeats the Data Minimization Principle of being relevant, limited and adequate. In the Justice Srikrishna Committee Report, it is stated that firstly, the purpose should not be specified in a vague manner and secondly there should be a fair and just usage of data with regard to the minimum data collected from the data fiduciary. In this case the Social Media intermediaries like Apple, Facebook, Whatsapp, Google are the data controllers and users are the data fiduciaries but the Impugned Rule asks the data controller to collect massive amounts of data which is not relevant to the purpose of messaging between two individuals and hence, the Data Minimization Principle and Sections 5 and 6 of the Personal Data Protection Bill have been made a dead letter of law even before the Bill could become an Act.
In the Facebook Cookies Case, Facebook Incorporated and Facebook Ireland were placing cookies on the web browsers of the users and visitors of the website without giving any kind of notification or information. Hence, after being found out by the French Authorities, Facebook was fined Euro 150000 for excessively collecting the personal data of users. If the Impugned Rule is allowed to remain and is not struck down, the same thing will take place i.e. excessive collection of user information without even informing the users so that the first originator of information can be determined easily.
It is important that the integrity and security of the communications is ensured because every citizen has the fundamental right to privacy and freedom of speech and expression. The same freedom of speech and expression should even extend to private spaces and allow people to communicate over the borderless internet. The Impugned Rule seeks to destroy that very nature of a borderless internet by snatching the rights of users like doctor-patient, attorney-client etc. to communicate freely without anybody recording, copying or snooping upon their conversations.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:https://t.me/joinchat/L9vr7LmS9pJjYTQ9