There can’t be arbitrary rules just because privacy right is not absolute
WhatsApp, the instant messaging service, has challenged the new social media intermediary rules in the Delhi High Court. WhatsApp claims a provision that forces service providers to identify “the first originator of Information” in posts is unconstitutional and violates privacy. While the government was quick to clarify that it had no intention to violate the ‘right to privacy’, that’s unlikely to inspire much confidence. The problem is the way the new rules, which apply to any online platform with over five million users in India, have been introduced without meaningful public consultation. Compliance with rules with far-reaching effects takes time. Only three months was given in this instance, where, for example, the EU’s General Data Protection Regulation allowed for two years. Nor did the government issue a set of FAQs to explain how social media guidelines were to be implemented, as it said it would. There has also been criticism about bringing in a plethora of rules that ought to be normally triggered only via legislative action. For example, the Supreme Court recommended specific privacy legislation, especially in the digital domain. A committee chaired by retired Supreme Court judge B N Srikrishna released draft privacy and data protection legislation in 2018. However, while that draft reportedly has undergone extensive revisions, and been presented for Cabinet scrutiny, it has not been sent to Parliament for legislative passage. Hence, India still does not have a specific privacy law.
Apart from social media platforms, the new rules affect Slack, Zoom, LinkedIn, YouTube, and mainstream news sites, which carry reader-comments. Under the 2021 rules, any content flagged by the government must be taken off within 36 hours of notice. All such platforms must appoint a resident grievance officer, a chief compliance officer, and nodal contact person, all based in India. The government notification threatens that any entity that does not agree to comply by May 25 will forfeit its protections as an intermediary, which gives legal protection. An intermediary is not liable if a user has posted “offensive” content. WhatsApp and other instant messaging services use end-to-end encryption. Only the sender and the recipient of a message can decipher it. Identifying the “first originator” at the government’s request would require instant messaging services to break encryption to identify the creator of content which may be forwarded many times. Several legal experts have opined this violates privacy. It has also been pointed out that the IT Rules 2021 go beyond the scope of the IT Act, and subordinate legislation cannot do this.
Analogous provisions revealing user identities do not exist, except in totalitarian countries. While this would supposedly stem the flow of “fake news”, there is every chance it could be misused to harass political opponents and suppress content unfavourable to the government. This becomes very likely, given recent attempts to ban or geo-block Twitter and Facebook accounts criticising the government. It is important to protect online platforms as enablers of free speech. This means walking a fine line between regulating hate speech while protecting freedom of expression, transparently and even-handedly, while respecting fundamental rights. It is true that no fundamental right, including the right to privacy, is absolute and is subject to reasonable restrictions, but the question is who decides on what is reasonable. The new rules make government officials the final arbiter in such matters. That is a sure recipe for failure: the government would do well to set up an independent institutional framework to bridge the trust deficit.