Part 5 of 6

Intermediary Liability & Safe Harbour

🕑 90-120 minutes 📖 Platform Compliance IT Rules 2021

Introduction: The Intermediary Ecosystem

Understanding intermediary liability is crucial for cyber crime investigators. When investigating crimes committed through platforms like social media, messaging apps, e-commerce sites, or cloud services, investigators must understand the legal obligations of these intermediaries and when they can be held liable.

📚 Learning Objectives

By the end of this part, you will be able to:

  • Understand Section 79 safe harbour provisions and their conditions
  • Navigate the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
  • Apply due diligence requirements for obtaining information from intermediaries
  • Understand grievance redressal mechanisms
  • Identify additional obligations of Significant Social Media Intermediaries (SSMIs)

Section 79: Safe Harbour Provision

Section 79 of the IT Act 2000 provides conditional immunity to intermediaries for third-party content hosted on their platforms. This is the foundational provision for understanding when platforms can and cannot be held liable.

The Basic Rule (Section 79(1))

Section 79(1)

"Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him."

Conditions for Safe Harbour (Section 79(2))

The immunity under Section 79(1) applies only if the intermediary:

  1. 79(2)(a): Function is limited to providing access to a communication system over which information is transmitted or temporarily stored or hosted
  2. 79(2)(b): Does not initiate the transmission, select the receiver, or select or modify the information
  3. 79(2)(c): Observes due diligence while discharging duties under the Act and observes such other guidelines as the Central Government may prescribe (IT Rules 2021)

Loss of Safe Harbour (Section 79(3))

The immunity does NOT apply if:

  1. 79(3)(a): The intermediary has conspired, abetted, aided, or induced the commission of the unlawful act
  2. 79(3)(b): Upon receiving actual knowledge or being notified by the appropriate Government, the intermediary fails to expeditiously remove or disable access to the unlawful content
Shreya Singhal Interpretation

In Shreya Singhal v. Union of India (2015), the Supreme Court clarified:

  • "Actual knowledge" under Section 79(3)(b) means knowledge through a court order
  • Mere receipt of a complaint or third-party notice does NOT constitute actual knowledge
  • This protects intermediaries from frivolous takedown demands

However: The IT Rules 2021 impose proactive obligations that may affect this interpretation in practice.

IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

These Rules, commonly known as the "IT Rules 2021," prescribe detailed due diligence requirements for intermediaries. Compliance with these rules is necessary to claim safe harbour protection.

Rule 3: Due Diligence by Intermediaries

Rule 3(1)(a)

Privacy Policy and Terms of Use

Intermediary must publish rules and regulations, privacy policy, and user agreement informing users about content that shall not be hosted/transmitted.

Rule 3(1)(b)

Prohibited Content Categories

Rules must inform users not to host/transmit content that:

  • Belongs to another person without right
  • Is grossly harmful, harassing, defamatory, obscene, pornographic, paedophilic
  • Harms minors in any way
  • Infringes IP rights
  • Violates any law
  • Deceives or misleads addressee about origin
  • Impersonates another person
  • Threatens unity, integrity, defence, security, sovereignty of India
  • Contains software viruses or malicious code
  • Is patently false and untrue, written to mislead readers
Rule 3(1)(d)

36-Hour Takedown for Specific Content

On receipt of court order or government notification, intermediary must remove or disable access within 36 hours for content:

  • Relating to sovereignty and integrity of India
  • Security of the State
  • Friendly relations with foreign States
  • Public order
  • Decency or morality
  • Content punishable with imprisonment of 5+ years
Rule 3(1)(j)

Assistance to Government Agencies

Intermediary must provide information or assistance to authorized government agencies within 72 hours of receipt of order for:

  • Prevention, detection, investigation, prosecution of offenses
  • Cyber security incidents

Critical for Investigators: This is the legal basis for requiring platforms to provide user data, logs, and other information during investigations.

Rule 3(1)(k)

Data Retention Period

Intermediary must retain information collected for registration for 180 days after any cancellation/withdrawal of registration.

Rule 3(2)

Grievance Redressal Mechanism

Every intermediary must:

  • Appoint a Grievance Officer and publish contact details prominently
  • Acknowledge complaints within 24 hours
  • Resolve complaints within 15 days
  • For complaints about intimate images posted without consent: take down within 24 hours

Significant Social Media Intermediaries (SSMIs)

SSMIs are social media intermediaries with registered users in India above a threshold (currently 5 million). They have additional compliance obligations.

SSMI Threshold: 5 Million Registered Users in India

Additional Obligations for SSMIs (Rule 4)

Rule 4(1)(a)

Chief Compliance Officer

Must appoint a Chief Compliance Officer who is:

  • A senior designated employee
  • Resident in India
  • Responsible for ensuring compliance with the Act and Rules
  • Can be held liable for non-compliance
Rule 4(1)(b)

Nodal Contact Person

Must appoint a Nodal Contact Person for 24x7 coordination with law enforcement agencies. Must be resident in India.

Critical for Investigators: This is your primary contact point at SSMIs for urgent requests.

Rule 4(1)(c)

Resident Grievance Officer

Must appoint a Resident Grievance Officer who is resident in India for handling complaints under the grievance mechanism.

Rule 4(2)

First Originator Identification

For messaging services providing primarily messaging function:

  • Must enable identification of the first originator of information
  • When ordered by court or authorized government authority
  • For offenses related to sovereignty, security, public order, sexual offenses, CSAM
  • Must retain information for identification purposes

Controversy: This provision has been challenged as requiring "breaking" of end-to-end encryption. Courts and government are addressing implementation challenges.

Rule 4(4)

Content Moderation

SSMIs must deploy technology-based measures for:

  • Proactive identification of content depicting rape, CSAM, or similar unlawful content
  • Must report identified content to NCMEC (National Center for Missing & Exploited Children) as per US law if applicable
Rule 4(5)

User Verification

SSMIs must:

  • Provide users with voluntary option to verify their accounts
  • Display a visible mark of verification
  • Helps distinguish verified accounts from impersonators
Rule 4(6)-(7)

Monthly Compliance Reports

SSMIs must publish monthly compliance reports containing:

  • Number of complaints received
  • Number of complaints resolved
  • Content removal actions taken
  • Proactive monitoring information

Obtaining Information from Intermediaries

As a cyber crime investigator, you will frequently need to obtain information from intermediaries. Here's the legal framework and process.

Legal Basis for Requesting Information

  • Rule 3(1)(j) of IT Rules 2021: Requires cooperation within 72 hours
  • Section 91 CrPC / Section 94 BNSS: Summons to produce documents
  • Section 69 IT Act: For interception/monitoring (through proper channel)
  • Court orders: For specific data preservation or disclosure

Response Timelines for Intermediaries

24 Hours Acknowledge grievance complaints; Remove intimate images posted without consent
36 Hours Remove content on court order/government notification (sovereignty, security, public order, etc.)
72 Hours Provide information/assistance to authorized government agencies for investigation
15 Days Resolve grievance complaints
💡 Practical Process for Obtaining Data
  1. Identify the right contact: For SSMIs, contact the Nodal Contact Person
  2. Send formal request: On official letterhead, citing legal basis (Rule 3(1)(j), Section 91/94)
  3. Specify clearly: Exact data needed, user IDs, time period, case reference
  4. Preserve evidence: Request data preservation while seeking court order if needed
  5. Follow up: If no response in 72 hours, escalate or seek court intervention

What Information Can Be Obtained

  • Registration data: Name, email, phone number, IP address at registration
  • Login records: IP addresses and timestamps of logins
  • Content data: Posts, messages, uploads (may require court order)
  • Metadata: Time, location, device information
  • Transaction records: For e-commerce platforms
End-to-End Encrypted Content

For messaging platforms with end-to-end encryption (WhatsApp, Signal, etc.):

  • Platform cannot access message content
  • Can only provide metadata (who contacted whom, when, from where)
  • For content, need access to the device itself
  • Rule 4(2) "first originator" provision is meant to address this but has implementation challenges

When Intermediaries Lose Safe Harbour

Understanding when platforms lose protection is crucial for determining liability in cyber crime cases.

Scenarios Where Safe Harbour Does NOT Apply

  1. Active participation: Platform actively curates, edits, or promotes the content
  2. Knowledge and inaction: Has actual knowledge (court order/notification) but fails to act
  3. Non-compliance with due diligence: Fails to meet IT Rules 2021 requirements
  4. Conspiracy/abetment: Actively helps in commission of the offense
  5. No grievance mechanism: Fails to establish required complaint handling system
🚨 Consequences of Losing Safe Harbour
  • Intermediary can be prosecuted as publisher/author of the content
  • Criminal liability under IT Act and BNS provisions
  • Civil liability for damages
  • Potential for platform blocking under Section 69A

2023 Amendments to IT Rules

The IT Rules 2021 were amended in April 2023 to add provisions for fake news and other concerns.

Key 2023 Amendments

  • Grievance Appellate Committees (GACs): Established to hear appeals against intermediary decisions
  • Fake News: Government can fact-check and notify intermediaries about fake news related to government business
  • Online Gaming Rules: Added Part III for regulation of online gaming
Legal Challenges

Several provisions of IT Rules 2021 and 2023 amendments are under legal challenge in various High Courts. Investigators should stay updated on ongoing litigation that may affect implementation.

📚 Key Takeaways
  • Section 79 provides conditional immunity - intermediaries must follow due diligence to claim protection
  • IT Rules 2021 prescribe detailed compliance requirements for all intermediaries
  • "Actual knowledge" means court order (Shreya Singhal), but Rules add proactive obligations
  • SSMIs (5M+ users) have additional obligations: CCO, Nodal Contact, first originator identification
  • 72-hour rule is key for investigators - platforms must respond within 72 hours
  • Contact Nodal Contact Person for urgent law enforcement requests at SSMIs
  • For encrypted content, focus on metadata - content requires device access
  • Non-compliance with Rules = loss of safe harbour = potential criminal liability for platform
Previous: DPDPA 2023 Next: International Framework