cyber security due diligence in M&A

This article is written by  Preethikha AR pursuing a Diploma in US Intellectual Property Law and Paralegal Studies. This article has been edited by Ruchika Mohapatra (Associate, Lawsikho). 

This article has been published by Sneha Mahawar.


The Internet and social media have become an inevitable part of life in today’s world. There exists no business without an online platform. Almost all kinds of commercial trade require an online presence to become successful. From online shopping to big business dealings and e-commerce everything is done digitally like advertisements, customer feedback, interactions, etc. These platforms that connect people worldwide are called ‘Intermediaries’ and they play a vital role in e-commerce by making communication between two extremes possible. 

In the digital era, people all over the world rely on social media for news, entertainment, etc. People working from home can do their job by sitting in one corner of the room, all made possible because of the internet. At this time, it is highly perilous to trust anything and everything that pops up on the internet because of fake news being spread and read and relied upon by millions. It is important to ensure that sources are reliable and trustworthy. The intermediary who only delivers the information to the public at large should not be made responsible for anything posted online by the content creators. 

This often calls into question: Is it right to make intermediaries liable for third-party’s actions of posting infringing or abusive content on their platform though they don’t actively participate in the creation of the same? Can intermediaries alter the content of the user if they feel it is unethical to post such content? If intermediaries modify such reprehensible content, does that not mean infringing the owner’s right to privacy and right to freedom of speech and expression, as the intermediary’s job is only to post the content and not decide whether the content is legitimate?

This article aims to provide answers to these questions by presenting an efficient and methodical approach through a comparative analysis of different jurisdictions in India and the US vis-à-vis the safe harbour mechanism. 

What is a safe harbour provision

A safe harbour is a provision in a statute or a regulation that specifies that certain infracting conduct will be deemed not to violate a given rule. A Safe Harbour provision is a legal provision to eliminate legal liability in certain situations as long as certain conditions are met. Safe Harbour acts as a protective shield against any legal liability expected from immoral acts of third parties. If social media platforms don’t act in accordance with the new rules, their indemnity will be taken away according to Section 79 of the Information Technology Act. Safe harbour provision grants protection from liability or penalty provided they satisfy certain rules of the IT Act. Intermediaries were permitted to use the safe harbour principle to safeguard themselves from being held liable for criminal actions of an external party that was carried out without the knowledge of the intermediary. 

Who are intermediaries and what do they do

According to Section 2(w) of the Information Technology Act 2000, an “intermediary”, with respect to any particular electronic records, is defined as “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-marketplaces and cyber cafes”. The term “Intermediary” refers to a coordinator who enables the dissemination of information on the internet between the content producer and users across the globe. The intermediaries are supposed to deal with various forms of information ranging from benign to harmful on the spectrum. 

An intermediary is a person or third party who acts as a bridge between two parties. They act as a source of communication where there is no direct interaction between the parties thereby enabling a smooth exchange of information. It is only through the intermediary that data is passed and work is done. Digitally speaking, intermediaries are platforms that are responsible for disseminating a small amount of information to a large number of people in one go. In most countries, intermediaries are provided with indemnity against the infringement of IP.

Why were safe harbour provisions introduced (Section 79 of Information Technology Act 2000)

The safe harbour protection for e-commerce marketplaces is an important aspect that deserves careful consideration. The concept of “safe harbour” under Section 79 of the IT Act, 2000 acts as a defence for the intermediaries but there are some instances where Intellectual Property Rights are openly violated by the intermediaries. Safe harbour protection acts as inherent security granted to intermediaries against the imposition of liability for acts done by third parties. 

Safe harbour provisions were introduced to protect intermediaries from becoming liable for the acts of third parties provided the intermediary observed ‘due diligence’. Section 79 of the IT Act provides protection to intermediaries from being held liable for data, content, and information that they have no personal knowledge of, shared by users through them. Under Safe harbour, intermediaries are protected from third-party information and data made available or hosted by him thereby acting as a defence. Safe harbour spares intermediaries from any form of liability unless they were aware of any illegal content being broadcasted on their platform. 

Section 79 of the Information Technology Act 2000 introduced the safe harbour immunity clause that protected an intermediary from being held liable for third-party content on its platform and affords broad-ranging legal immunity – provided the intermediary observed ‘due diligence’ and followed certain ‘guidelines’ as prescribed by the Central Government. In cases where due diligence laid down by the Government is not followed by the intermediary, it would be made liable for third-party’s actions even though the same were done without the knowledge of the intermediary. 

Information Technology Intermediary Guidelines and Digital Media Ethics Code rules 2021 

The Information Technology (IT) Rules, 2021, were framed by the Union Government in the exercise of powers under Section 87 (2) of the IT Act, 2000 and in supersession of the earlier Intermediary Guidelines Rules, 2011. Under this, large digital platforms with over 5 million users will have to publish periodic compliance reports every month. The Rules prescribe a framework for the regulation of online content by issuers of current affairs, news and audio-visual content. All intermediaries, including OTT platforms and digital portals in India, are required to provide a grievance redressal mechanism for resolving complaints from the users. These rules aim to empower netizens for timely resolution of their grievances with a mechanism for redressal and assistance of a Grievance Redressal Officer (GRO) residing in India. 

Rule 4(1)(d) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, requires social media channels to publish monthly compliance reports mentioning:

  1. Details of complaints received and actions taken thereon, and
  2. A number of specific communication links or parts of information that the social media platform has removed or disabled access to as part of proactive monitoring.

If intermediaries are go-betweens, will they be accountable for all that is being shared by the third party

It is of a wrong conception that anything said and communicated by a third party will hold the intermediary liable. Intermediaries are only a way of communication between people and they are not responsible for whatever is being done by others. They are middlemen in a process or transaction. And to avoid this situation where the intermediary will be held liable for the acts of the third party, safe harbour provisions were introduced to safeguard and protect intermediaries from third-party infringers. 

The main function of an intermediary is to transmit the information which it has received. The intermediary as such doesn’t create or assist in creating such information. Creators of the original content are third parties who send it to the intermediary thereby transmitting it to other users. Intermediary acts as a mode of communication to share information between the content creator and the users. To hold the intermediary responsible for subject matters posted on the platform by a third party is unreasonable as tracking immense amounts of data exchanged online is impossible and not just that, it will also amount to infringement of the fundamental rights of the user. 

Intermediary liability 

Intermediary liability takes place when the government can hold technological intermediaries, such as Internet Service Providers and websites, liable for unlawful content created by users of those services. Intermediaries will lose their safe harbour protection if it fails to comply with the revised 2021 legislation. This means that any person can initiate legal action against such intermediaries for any illicit third-party content amounting to infractions, consequently holding intermediaries liable for the same. So as to avoid such prosecution and imposition of arbitrary penalties, the ‘safe harbour’ principle provides security to such entities. Safe harbour exempts intermediaries from any form of liability unless they are aware of the illegal content being transmitted on their platform. 

Safe harbour provisions in India

Section 79 of the IT Act, 2000 says that any social media intermediary will not be on the radar of legal action for any third-party information made available or hosted by them. It further implies that the available protection shall be applicable only when the said intermediary does not initiate the transmission of the message, or modify any information contained in the transmission. It means if a social media platform acts as a bridge to pass information from one person to another without impeding, then it will not be liable for any legal action.  

However, if the intermediary upon receiving the notification by the government or an appropriate agency that any information, data, or communication link controlled by it, is being used to commit any unlawful act and the intermediary fails to remove such material from its platform, then it may face legal prosecution as the case may be.

New rules under  IT Act, India

Earlier, the law allowed internet intermediaries to enjoy wide-ranging immunity from legal liability. For example, while news channels and broadcasters have always functioned under the threat of legal liability for social media scandals and other speech-related offenses, intermediaries have escaped liability despite being publishers because of the immunity offered by Section 79. 

The basic theme of the new rules is the enforcement of new protection on Internet intermediaries seeking to enjoy the legal immunities offered by Section 79 of the Information Technology Act. The new law requires internet liaisons, especially significant social media intermediaries (namely Facebook, YouTube, and WhatsApp) to earn the privilege of legal immunity by discharging certain duties and responsibilities under Indian law. These duties include creating a functional grievance redressal mechanism, a proper takedown system, the appointment of India based compliance officers, deployment of automated filtering software, traceability requirements for certain specific purposes, right of users to seek verification of their accounts, identification of a physical address for the purpose of service of legal notices and few more. If an internet intermediary fails to abide by these new rules, they lose the immunities offered under Section 79.

“Active Participant” under safe harbour protection

In the case of Christian Louboutin Sas V. Nakul Bajaj And Ors. (Louboutin Case), Delhi High Court while deciding on the liability of the e-commerce platform, “”, drew a distinction between ‘active’ and ‘passive’ intermediaries. The Single Judge Bench held that determining whether an e-business platform is entitled to safe harbour protection under Section 79(1) will solely depend on whether it plays an “active” or a “passive” role while operating such a platform. 

The Court observed that “when an e-commerce website is involved in or conducts its business in such a manner, which would see the presence of a large number of elements enumerated above, it could be said to cross the line from being an intermediary to an active participant”. 

It further held that, “any active contribution by the platform or online marketplace completely removes the ring of protection or exemption which exists for intermediaries under Section 79”.

Thus, for claiming exemption from liability under Section 79(1) of IT Act, that an intermediary shall not be liable for any third-party information, data, or communication link made available by it, what is required to be assessed is whether the intermediary fulfils the conditions prescribed under Section 79(2) and Section 79(3) of the IT Act or not.

Tussle with Twitter

The Union Government informed the Delhi high court that Twitter has lost its immunity from criminal prosecution for content on its site due to the failure to appoint grievance redressal officers as per the new Information Technology rules. Non-compliance amounts to breach of the provisions of the IT Rules, 2021 which led Twitter to lose its immunity conferred under Sec. 79 (1) of the IT Act 2000, the Information and Technology ministry said in an affidavit filed in the court. But then, Twitter has claimed that it has taken steps to comply with the new Rules including appointing an interim Chief Compliance Officer and has finally complied with the new Information Technology rules in India. According to the government’s lawyer, Twitter has now appointed a Chief Compliance Officer (CCO), a Resident Grievance Officer (RGO), and a nodal contact person; effectively fulfilling the basic requirements of the new law. 

Safe harbour provisions in the US

Under U.S. law, internet companies are generally exempted from liability for the material users post on their networks. As part of the broader review of online networking websites, the United States Department of Justice (DOJ) analysed Section 230 of the Communications Decency Act of 1996, which provides immunity to online platforms from liability for third-party content and removal of the same in certain circumstances. Section 230 of the CDA 1996 prevents online intermediaries from being treated as the producer of content. It states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

This means that the intermediary will not be accountable for the content or kind of book available when he is just a bookstore owner.

Facebook, Twitter, WhatsApp, and Google were given the ultimatum to comply with the new rules as they run the risk of losing their status as “intermediaries” if they do not comply with the revised regulations. The intermediaries have sent details of the Grievance Officer, Chief Compliance Officer, Nodal Contact Person with the IT Ministry as required under the new rules. In this, Twitter was the odd one out as it did not share details of the Chief Compliance Officer until recently. The new digital rules ask social media companies like Google, Facebook, and Twitter to identify within 36 hours the originator of a flagged message as well as to conduct additional due diligence. 

Social media giants under IT Rules, 2021


Google removed 104,285 pieces of bad content under various categories like Copyright, Trademark, Court Order, Graphic Sexual Content, Circumvention, and others based on user complaints in January this year. The tech giant received 33,995 complaints from users in India. These complaints were related to third-party content that is believed to violate local laws or personal rights on various Google platforms – ‘an increase from 94,173 pieces of bad content removed in December’, the tech giant said in its monthly report in compliance with the new India IT Rules 2021.


In the first report for the period between 15 May and 15 June 2021, Facebook said it took action against content that violated its community standards across 10 different categories or what the company calls policy areas. It has taken action against 25 million spam content with a 99.9% proactive rate.


Instagram, owned by Facebook, adopted a proactive monitoring mechanism and took down more than 18 lakh abusive content from its platform. In the monthly compliance report, both these social media companies claimed that they have removed posts against the dignity of women and children.

Grievance redressal and compliance mechanism

Under the Grievance Redressal Mechanism, the intermediary should publish on its website:

  1. Name and contact details of the Grievance Redressal Officer(GRO),
  2. Complaint mechanism by which the victim may file a complaint. 

The Grievance Officer has to acknowledge the complaint within 24 hours and take necessary steps within 15 days. The intermediary shall take all reasonable and practicable measures for removing or disabling access to explicit content hosted, published, or transmitted by it within 24 hours of receiving the complaint. 


Non-compliance would inevitably mean that the intermediaries would be deprived from claiming the advantage of the safe harbour principle and eventually become liable for acts committed by its users even though the intermediary was uninformed about the same.

It is more likely that third parties would be perturbed and file constitutional challenges against these rules. Though Twitter refused for a quite reasonable span of time, it ended up adopting the new IT rules of India. The penalty for non-compliance of rules is much more severe in India. Ergo, the intermediaries ought to comply with the Information Technology Rules 2021 to secure themselves from penalizations and to avoid losing the immunity of ‘Safe Harbour’.


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here