Information Technology (Intermediaries Guidelines)
Rules 2011 of India have been prescribed to take care of the Internet
intermediary legal framework of India. This is a crucial area that
required a sound techno legal regime.
The Gazette Notification numbered G.S.R. 314(E),
dated 11-04-2011, formulated the Information Technology
(Intermediaries Guidelines) Rules, 2011 of India. These rules provide
the rights and responsibilities of internet intermediaries in India.
If the Internet intermediaries follow these rules and exercise proper
cyber due diligence, they are entitled to a “safe harbour
protection”. Otherwise, they are liable for various acts or
omission occurring at their respective platforms once the matter has
been brought to their notice.
Perry4Law
and
Perry4Law
Techno Legal Base (PTLB) are providing the legal position
regarding Internet intermediary liability in India under the IT Act
2000 in general and Information Technology (Intermediaries
Guidelines) Rules, 2011 of India in particular.
The salient features of the same are as follows:
(1) The Information Technology (Intermediaries
Guidelines) Rules, 2011 of India have been formulated by the Central
Government in exercise of its powers conferred by clause (zg) of
subsection (2) of section 87 read with sub-section (2) of section 79
of the Information Technology Act, 2000 (21 of 2000).
(2) Definitions — (1) In these rules, unless the
context otherwise requires,–
(a) “Act” means the Information Technology Act,
2000 (21 of 2000);
(b) “Communication link” means a connection
between a hyperlink or graphical element (button, drawing, image) and
one or more such items in the same or different electronic document
wherein upon clicking on a hyperlinked item, the user is
automatically transferred to the other end of the hyperlink which
could be another document website or graphical element.
(c) “Computer resource” means computer resources
as defined in clause (k) of sub-section (1) of section 2 of the Act;
(d) “Cyber security incident” means any real or
suspected adverse event in relation to cyber security that violates
an explicitly or implicitly applicable security policy resulting in
unauthotrised access, denial of service or disruption, unauthorised
use of a computer resource for processing or storage of information
or changes to data, information without authorisation;
(e) “Data” means data as defined in clause (o)
of sub-section (1) of section 2 of the Act;
(f) “Electronic Signature” means electronic
signature as defined in clause (ta) of sub- section (1) of section 2
of the Act;
(g) “Indian Computer Emergency Response Team”
means the Indian Computer Emergency Response Team appointed under sub
section (1) section 70 (B) of the Act;
(h) “Information” means information as defined
in clause (v) of sub-section (1) of section 2 of the Act;
(i) “Intermediary” means an intermediary as
defined in clause (w) of sub-section (1) of section 2 of the Act;
(j) “User” means any person who access or avail
any computer resource of intermediary for the purpose of hosting,
publishing, sharing, transacting, displaying or uploading information
or views and includes other persons jointly participating in using
the computer resource of an intermediary.
(2) All other words and expressions used and not
defined in these rules but defined in the Act shall have the meanings
respectively assigned to them in the Act.
(3) Due diligence to be observed by intermediary —
The intermediary shall observe following due diligence while
discharging his duties, namely: —
(1) The intermediary shall publish the rules and
regulations, privacy policy and user agreement for access-or usage of
the intermediary’s computer resource by any person.
(2) Such rules and regulations, terms and conditions
or user agreement shall inform the users of computer resource not to
host, display, upload, modify, publish, transmit, update or share any
information that —
(a) Belongs to another person and to which the user
does not have any right to;
(b) Is grossly harmful, harassing, blasphemous
defamatory, obscene, pornographic, paedophilic, libellous, invasive
of another’s privacy, hateful, or racially, ethnically
objectionable, disparaging, relating or encouraging money laundering
or gambling, or otherwise unlawful in any manner whatever;
(c) Harm minors in any way;
(d) Infringes any patent, trademark, copyright or
other proprietary rights;
(e) Violates any law for the time being in force;
(f) Deceives or misleads the addressee about the
origin of such messages or communicates any information which is
grossly offensive or menacing in nature;
(g) Impersonate another person;
(h) Contains software viruses or any other computer
code, files or programs designed to interrupt, destroy or limit the
functionality of any computer resource;
(i) Threatens the unity, integrity, defence,
security or sovereignty of India, friendly relations with foreign
states, or public order or causes incitement to the commission of any
cognisable offence or prevents investigation of any offence or is
insulting any other nation
(3) The intermediary shall not knowingly host or
publish any information or shall not initiate the transmission,
select the receiver of transmission, and select or modify the
information contained in the transmission as specified in sub-rule
(2):
Provided that the following actions by an
intermediary shall not amount to hosing, publishing, editing or
storing of any such information as specified in sub-rule: (2) —
(a) Temporary or transient or intermediate storage
of information automatically within the computer resource as an
intrinsic feature of such computer resource, involving no exercise of
any human editorial control, for onward transmission or communication
to another computer resource;
(b) Removal of access to any information, data or
communication link by an intermediary after such information, data or
communication link comes to the actual knowledge of a person
authorised by the intermediary pursuant to any order or direction as
per the provisions of the Act;
(4) The intermediary, on whose computer system the
information is stored or hosted or published, upon obtaining
knowledge by itself or been brought to actual knowledge by an
affected person in writing or through email signed with electronic
signature about any such information as mentioned in sub-rule (2)
above, shall act within thirty six (36) hours and where applicable,
work with user or owner of such information to disable such
information that is in contravention of sub-rule (2). Further the
intermediary shall preserve such information and associated records
for at least ninety days for investigation purposes,
(5) The Intermediary shall inform its users that in
case of non-compliance with rules and regulations, user agreement and
privacy policy for access or usage of intermediary computer resource,
the Intermediary has the right to immediately terminate the access or
usage rights of the users to the computer resource of Intermediary
and remove non-compliant information.
(6) The intermediary shall strictly follow the
provisions of the Act or any other laws for the time being in force.
(7) When required by lawful order, the intermediary
shall provide information or any such assistance to Government
Agencies who are lawfully authorised for investigative, protective,
cyber security activity. The information or any such assistance shall
be provided for the purpose of verification of identity, or for
prevention, detection, investigation, prosecution, cyber security
incidents and punishment of offences under any law for the time being
in force, on a request in writing staling clearly the purpose of
seeking such information or any such assistance.
(8) The intermediary shall take all reasonable
measures to secure its computer resource and information contained
therein following the reasonable security practices and procedures as
prescribed in the Information Technology (Reasonable security
practices and procedures and sensitive personal Information) Rules,
2011.
(9) The intermediary shall report cyber security
incidents and also share cyber security incidents related information
with the Indian Computer Emergency Response Team.
(10) The intermediary shall not knowingly deploy or
install or modify the technical configuration of computer resource or
become party to any such act which may change or has the potential to
change the normal course of operation of the computer resource than
what it is supposed to “perform thereby circumventing any law for
the time being in force:
Provided that the intermediary may develop, produce,
distribute or employ technological means for the sole purpose of
performing the acts of securing the computer resource and information
contained therein.
(11) The intermediary shall publish on its website
the name of the Grievance Officer and his contact details as well as
mechanism by which users or any victim who suffers as a result of
access or usage of computer resource by any person in violation of
rule 3 can notify their complaints against such access or usage of
computer resource of the intermediary or other matters pertaining to
the computer resources made available by it. The Grievance Officer
shall redress the complaints within one month from the date of
receipt of complaint.