The Union government’s Cabinet Committee on Security recently gave clearance to the Home Ministry’s NATGRID project. The project aims to allow investigation and law enforcement agencies to access real-time information from data stored with agencies such as the Income Tax Department, banks, insurance companies, Indian Railways, credit card transactions, and more. NATGRID, like a number of other government initiatives (UIDAI), is being established through governmental notifications rather than legislation passed in Parliament. The examination of this issue requires an assessment of the benefits of legislation vis-a-vis government notifications. Government notifications can be issued either under a specific law, or independent of a parent law, provided that the department issuing such notification has the power to do so. Rules and regulations that are notified have the advantage of flexibility, since they can be changed without seeking Parliamentary approval. This advantage of initiating projects or establishing institutions through government notifications is also potentially detrimental to the system of checks and balances that a democracy rests on. For, while legislation takes a longer time to be enacted (it is discussed, modified and debated in Parliament before being put to vote), this also enables elected representatives to oversee various dimensions of such projects. In the case of NATGRID, the process would provide Parliamentarians the opportunity to debate the conditions under which private individual information can be accessed, what information may be accessed, and for what purpose. This time-consuming process is in fact valuable to projects such as NATGRID, which have a potential impact on fundamental rights. Finally, because changing a law is itself a rigorous process, the conditions imposed on the access to personal information attain a degree of finality and cannot be ignored or deviated from.
Government rules and regulations, on the other hand, can be changed by the concerned department as and when it deems necessary. Though even governmental action can be challenged if it infringes fundamental rights, well-defined limits within laws passed by Parliament can help provide a comprehensive set of rules which would prevent their infringement in the first place. The Parliamentary deliberative process in framing a law is thus even more important than the law itself. This is especially so in cases of government initiatives affecting justiciable rights. This deliberative process, or the potential scrutiny of government-drafted legislation on the floor of Parliament, ensures that limitations on government discretion are clearly laid down, and remedies to unauthorised acts are set in stone. This also ensures that the authority seeking to implement the project is The other issue pertains to the legal validity of the project itself. Presently, certain departmental agencies maintain databases of personal information which help them provide essential services, or maintain law and order. The authority to maintain such databases flows from the laws which define their functions and obligations. So the power of maintaining legal databases is implicit because of the nature of functions these agencies perform. However, there is no implicit or explicit authorization for the convergence of these independent databases. One may argue that the government is not legally prevented from interlinking databases. However, the absence of a legal challenge to the creation of NATGRID does not take away from the importance of establishing such a body through constitutionally established deliberative processes. Therefore, the question to be asked is not whether NATGRID is legally or constitutionally valid, but whether it is important for Parliament to oversee the establishment of NATGRID.
In October 2010, the Ministry of Personnel circulated an “Approach paper for a legislation on privacy”. The paper states: “Data protection can only be ensured under a formal legal system that prescribes the rights of the individuals and the remedies available against the organization that breaches these rights. It is imperative, if the aim is to create a regime where data is protected in this country, that a clear legislation is drafted that spells out the nature of the rights available to individuals and the consequences that an organization will suffer if it breaches these rights.” As the lines above exemplify, it is important for a robust democracy to codify rights and remedies when such rights may be potentially affected. The European Union and the USA, along with a host of other countries, have comprehensive privacy laws, which also lay down conditions for access to databases, and the limitations of such use. The UIDAI was established as an executive authority, and still functions without statutory mandate. However, a Bill seeking to establish the body statutorily has been introduced; its contents are being debated in the Parliamentary Standing Committee on Finance, and the Bill has also been deliberated on by civil society at large. A similar approach is imperative in the case of NATGRID to uphold the sovereign electorate’s right to oversee institutions that may affect it in the future.

On June 6, 2022, the Ministry of Electronics and Information Technology released the draft amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021) for public feedback.  The IT Rules were notified on February 25, 2021, under the Information Technology Act, 2000 (IT Act).  The Ministry noted that there is a need to amend the Rules to keep up with the challenges and gaps emerging in an expanding digital ecosystem.  In this blog post, we give a brief background to the IT Rules, 2021 and explain the key proposed changes to the Rules.

Background to the IT Rules, 2021

The IT Act exempts intermediaries from liability for user-generated content on their platform provided they meet certain due diligence requirements. Intermediaries are entities that store or transmit data on behalf of other persons and include telecom and internet service providers, online marketplaces, search engines, and social media sites. The IT Rules specify the due diligence requirements for the intermediaries. These include: (i) informing users about rules and regulations, privacy policy, and terms and conditions for usage of its services, including types of content which are prohibited, (ii) expeditiously taking down content upon an order from the government or courts, (iii) providing a grievance redressal mechanism to resolve complaints from users about violation of Rules, and (iv) enabling identification of the first originator of the information on its platform under certain conditions. The Rules also specify a framework for content regulation of online publishers of news and current affairs and curated audio-visual content.

Key changes proposed to the IT Rules 2021

Key changes proposed by the draft amendments are as follows:

  • Obligations of intermediaries: The 2021 Rules require the intermediary to “publish” rules and regulations, privacy policy and user agreement for access or usage of its services. The Rules specify restrictions on the types of content that users are allowed to create, upload, or share. The Rules require intermediaries to “inform” users about these restrictions. Proposed amendments seek to expand the obligation on intermediaries to include: (i) “ensuring compliance” with rules and regulations, privacy policy, and user agreement, and (ii) “causing users to not” create, upload, or share prohibited content.
     
  • The proposed amendments also add that intermediaries should take all reasonable measures to ensure accessibility of their services to all users, with a reasonable expectation of due diligence, privacy, and transparency.   Further, intermediaries should respect the constitutional rights of all users.  The Ministry observed that such a change was necessary as several intermediaries have acted in violation of the constitutional rights of citizens.
     
  • Appeal mechanism against decisions of grievance officers:  The 2021 Rules require intermediaries to designate a grievance officer to address complaints regarding violations of the Rules.  The Ministry observed that there have been instances where these officers do not address the grievances satisfactorily or fairly.  A person aggrieved with the decision of the grievance officer needs to approach courts to seek redressal.  Hence, the draft amendments propose an alternative mechanism for such appeals.  A Grievance Appellate Committee will be formed by the central government to hear appeals against the decisions of grievance officers.  The Committee will consist of a chairperson and other members appointed by the central government through a notification.  The Committee is required to dispose of such appeals within 30 days from the date of receipt.  The concerned intermediary must comply with the order passed by the Committee.  Note that the proposed amendments do not restrict users from directly approaching courts.
  • Expeditious removal of prohibited content: The 2021 Rules require intermediaries to acknowledge complaints regarding violation of Rules within 24 hours, and dispose of complaints within 15 days. The proposed amendments add that the complaints concerning the removal of prohibited content must be addressed within 72 hours. The Ministry observed that given the potential for virality of content over the internet, a stricter timeline will help in removing prohibited content expeditiously.

Comments on the draft amendments are invited until July 6, 2022.