1. Understanding Intermediary Liability
An intermediary under the IT Act is any person who, on behalf of another person, receives, stores, or transmits an electronic record or provides any service with respect to that record. This includes internet service providers, web hosting providers, search engines, e-commerce platforms, social media platforms, and cloud service providers.
1.1 Definition of Intermediary (Section 2(1)(w))
"Intermediary with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes."
Key Distinction
An intermediary facilitates third-party content/transactions. The moment it creates its own content or actively modifies third-party content beyond technical necessities, it may lose intermediary status and face direct liability.
2. Section 79 - Safe Harbour Provision
Section 79 provides conditional immunity to intermediaries from liability for third-party content hosted on their platforms. This is the cornerstone of internet platform regulation in India.
2.1 Section 79 Text (Post-2008 Amendment)
Section 79(1): "Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him."
2.2 Conditions for Safe Harbour (Section 79(2))
The safe harbour applies only if:
- (a) The function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted
- (b) The intermediary does not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission
- (c) The intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf
2.3 Loss of Safe Harbour (Section 79(3))
The safe harbour shall not apply if:
- (a) The intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act
- (b) Upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner
| Safe Harbour Element | Requirement |
|---|---|
| Passive Conduit | Limited to providing access/hosting |
| No Modification | Does not initiate, select, or modify content |
| Due Diligence | Compliance with IT Rules and guidelines |
| No Conspiracy | Not involved in unlawful acts |
| Takedown Compliance | Expeditious removal upon actual knowledge |
3. Shreya Singhal v. Union of India (2015)
This landmark Supreme Court judgment fundamentally shaped the interpretation of Section 79 and intermediary liability in India.
Case Background
The petition was filed challenging Section 66A of the IT Act (which criminalized sending offensive messages) and certain aspects of Section 79. Two young women were arrested in Maharashtra for a Facebook post criticizing a bandh called for a political leader's funeral.
3.1 Key Holdings on Section 79
1. Reading Down of "Actual Knowledge":
The Court held that Section 79(3)(b) must be read down to mean that the intermediary must receive "actual knowledge" in the form of a court order or government notification. Private complaints alone do not constitute actual knowledge requiring takedown.
2. Court Order Requirement:
"Section 79(3)(b) has to be read down to mean that the intermediary upon receiving actual knowledge that a court order has been passed asking it to expeditiously remove or disable access to certain material must then fail to expeditiously remove or disable access to that material."
3. Unlawful Acts Interpretation:
The phrase "unlawful acts" in Section 79(3)(b) was interpreted to refer to specific unlawful acts as defined in Section 79 Explanation, namely acts beyond the purview of the statute providing safe harbour.
Practical Impact of Shreya Singhal
After this judgment, intermediaries are not legally obligated to take down content based solely on private complaints. They must receive a court order or government order to trigger the Section 79(3)(b) obligation. However, many platforms voluntarily take down content under their own community guidelines.
3.2 Balancing Free Speech
The Court emphasized that intermediaries should not become "judges of what is right and wrong." Requiring intermediaries to make takedown decisions based on private complaints would have a chilling effect on free speech, as platforms would err on the side of caution and over-remove content.
4. IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021
The IT Rules 2021 significantly expanded the due diligence requirements for intermediaries, creating a tiered regulatory framework based on the nature and scale of operations.
4.1 Categories of Intermediaries
| Category | Definition | Key Obligations |
|---|---|---|
| Intermediary | All intermediaries as defined in IT Act | Basic due diligence (Rule 3) |
| Significant Social Media Intermediary (SSMI) | Social media with 50 lakh+ registered users in India | Additional due diligence (Rule 4) |
| Social Media Intermediary | Primarily enables online interaction between users allowing them to create, upload, share content | Rule 3 + certain Rule 4 provisions |
4.2 Due Diligence Requirements (Rule 3)
All intermediaries must:
- Publish Rules: Prominently publish rules, regulations, privacy policy, and user agreement
- Inform Users: Notify users not to host, display, upload, modify, publish, transmit, store, update or share any information that:
  - Belongs to another person without authorization
  - Is defamatory, obscene, pornographic, paedophilic, invasive of privacy
  - Harms minors in any way
  - Infringes any patent, trademark, copyright
  - Violates any law in force
  - Deceives or misleads about origin of message
  - Impersonates another person
  - Threatens national unity, integrity, security, friendly relations with foreign states, public order
  - Contains software virus or any computer code designed to interrupt or destroy
- Grievance Officer: Appoint a Grievance Officer who shall acknowledge complaint within 24 hours and resolve within 15 days
- Takedown Timelines: Remove content within 72 hours of receiving court/government order; 24 hours for content depicting nudity, sexual act, or impersonation
- Cooperation: Provide information within 72 hours to authorized government agency for verification of identity or prevention/investigation of offenses
- Account Removal: Remove access within 72 hours of receiving court order requiring such action
4.3 Additional SSMI Obligations (Rule 4)
Significant Social Media Intermediaries must additionally:
- Chief Compliance Officer: Appoint a CCO who is a senior employee and resident in India, responsible for compliance and liable for proceedings
- Nodal Contact Person: Appoint a nodal contact person for 24x7 coordination with law enforcement
- Resident Grievance Officer: Appoint a Resident Grievance Officer who shall be resident in India
- Physical Address: Publish physical contact address in India
- Monthly Compliance Report: Publish monthly compliance report containing details of complaints received and action taken
- First Originator Traceability: Enable identification of first originator of information when required by court order or government order (for messaging platforms)
- Voluntary Verification: Enable voluntary verification of accounts through an appropriate mechanism
First Originator Traceability Controversy
Rule 4(2) requiring messaging platforms to trace the first originator of information has been challenged by WhatsApp in the Delhi High Court. The company argues that this requirement would necessitate breaking end-to-end encryption, undermining user privacy. The case remains pending and represents a fundamental tension between law enforcement needs and privacy rights.
5. Safe Harbour Post IT Rules 2021
The IT Rules 2021 have significantly impacted the safe harbour protection available to intermediaries:
5.1 Expanded Takedown Obligations
Unlike the Shreya Singhal position requiring court orders, the IT Rules 2021 require intermediaries to:
- Act on government orders (not just court orders)
- Remove certain categories of content within 24 hours even without orders
- Take down content "related to" various prohibited categories
5.2 Grievance Appellate Committee
The 2022 Amendment introduced Grievance Appellate Committees (GACs) to hear appeals from grievance officer decisions. Users dissatisfied with a platform's grievance resolution can appeal to the GAC within 30 days.
5.3 Judicial Challenges
Several provisions of IT Rules 2021 have been challenged in various High Courts on grounds including:
- Excessive delegation of legislative power
- Violation of Article 19(1)(a) - Freedom of Speech
- Conflict with Shreya Singhal principles
- Privacy concerns (traceability requirement)
6. Compliance Checklist for E-Commerce Platforms
- Determine Classification: Identify if platform is SSMI (50 lakh+ users)
- Publish Policies: Terms of use, privacy policy, acceptable use policy prominently displayed
- Grievance Mechanism: Appoint Grievance Officer, publish contact details
- Response Timelines: Acknowledge complaints within 24 hours, resolve within 15 days
- Takedown Mechanism: Process for 72-hour/24-hour takedowns
- Law Enforcement Cooperation: 72-hour response mechanism for government requests
- Record Retention: Maintain records for 180 days after account deletion
- For SSMI: CCO, Nodal Officer, monthly compliance reports
- Annual Audit: Consider periodic compliance audits
- Training: Train staff on compliance procedures