- Background
- On 25 February 2021, the Ministry of Electronics and Information Technology (MEITY) notified the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (Rules) under the Information Technology Act, 2000 (IT Act).
- Under the IT Act, intermediaries are entitled to safe harbour protection from liability in relation to any third-party information, data, or communication link made available or hosted by them (Safe Harbour Protection)1 if they:
- observe due diligence, as prescribed under the Rules (Due Diligence Requirements), and
- meet the content neutrality conditions under section 79 of the IT Act2.
- "Intermediary" is defined under Section 2(1)(w) of the IT Act as follows:
“intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
- The Rules regulate the following categories of intermediaries and digital media entities:
- Intermediaries, social media intermediaries (including significant social media intermediaries (SSMI)3) and online gaming intermediaries;
- Publishers of news and current affairs content, including news aggregators, news agencies, and individual news reporters to the extent they are transmitting content in the course of a systematic business, professional or commercial activity; and
- Publishers of online curated content4, which include publishers (including individual creators) transmitting content in the course of a systematic business, professional or commercial activity.
- Obligations under the IT Act and Rules
- Under Rules 3(1)(a) and 3(1)(b) of the Rules, intermediaries should:
- prominently publish their rules, regulations, privacy policies and user agreements on their websites and/or applications (collectively, Policies); and
- inform users through such Policies of the statutorily identified types of prohibited content (Prohibited Content, identified below).
- Under Rule 3(1)(f), an intermediary should periodically, and at least once every year, inform its users of (i) the Policies, (ii) any changes to the Policies, and (iii) the consequences of non-compliance (such consequences include the termination of the access/usage rights of the user and/or the removal of non-compliant information).
- Please note that the Policies and annual reminders should be in a user's preferred language, which may be English or one of the 22 languages specified in the Eighth Schedule to the Constitution of India.
- Under Rule 3(1)(a) a positive obligation has been imposed on intermediaries to ensure user compliance with the Policies.
- However, Rule 3(1)(b) notes that an intermediary shall make reasonable efforts [by itself, and to cause the users of its computer resource to not host], display, upload, modify, publish, transmit, store, update or share any Prohibited Content.
- The Rules are, however, silent on how an intermediary is to "ensure" user compliance with the Policies and on what "reasonable efforts" would entail.
- Prohibited Content
- Rule 3(1)(b) specifies the list of Prohibited Content, namely content that:
(i) belongs to another person and to which the user does not have any right;
(ii) is obscene, pornographic, paedophilic, invasive of another’s privacy including bodily privacy, insulting or harassing on the basis of gender, racially or ethnically objectionable, relating or encouraging money laundering or gambling, or an online game that causes user harm, or promoting enmity between different groups on the grounds of religion or caste with the intent to incite violence;
(iii) is harmful to child;
(iv) infringes any patent, trademark, copyright or other proprietary rights;
(v) deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any misinformation or information which is patently false and untrue or misleading in nature or, in respect of any business of the Central Government, is identified as fake or false or misleading by such fact check unit of the Central Government as the Ministry may, by notification published in the Official Gazette, specify;
(vi) impersonates another person;
(vii) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign States, or public order, or causes incitement to the commission of any cognizable offence, or prevents investigation of any offence, or is insulting other nation;
(viii) contains software virus or any other computer code, file or program designed to interrupt, destroy or limit the functionality of any computer resource;
(ix) is in the nature of an online game that is not verified as a permissible online game;
(x) is in the nature of advertisement or surrogate advertisement or promotion of an online game that is not a permissible online game, or of any online gaming intermediary offering such an online game;
(xi) violates any law for the time being in force.
- Rule 3(1)(n) mandates that intermediaries must respect the constitutional rights guaranteed to citizens, including but not limited to the fundamental rights guaranteed under the Constitution.
- Rule 3(1)(m) requires intermediaries to take all measures to ensure accessibility of their services to users along with reasonable expectation of due diligence, privacy, and transparency without further elaboration.
- Take down of Prohibited Content:
- The Rules prescribe the following take-down procedure:
- Upon receipt of actual knowledge in the form of a court order or upon being notified by the appropriate government or its agency, the intermediary should not host, store or publish any Prohibited Content. The intermediaries must remove or disable access to such content within 36 hours from the receipt of such order or direction and may also voluntarily take down any prohibited information. Compliance with take down requests or voluntary removal of information will not dilute the Safe Harbour Protection.
- On receipt of any complaint from an individual, or from a person on their behalf, regarding content which is prima facie in the nature of any material depicting nudity or any sexual act, or the impersonation of any person (including artificially morphed images, revenge porn, etc.), the intermediary must take all reasonable measures to remove or disable access to such content within 24 hours of receipt of the complaint.
- This will not apply to information that is temporarily or transiently stored by the intermediary in an automatic manner, and which does not involve any human, automated or algorithmic editorial control.
- In existing practice, take-down orders from law enforcement or appropriate Government authorities usually contain:
(a) the platform specific identified URL(s);
(b) the law that is being administered by the appropriate Government/ authorised agency and the specific clause of the law which is being violated;
(c) justification and evidence; and
(d) any other information (e.g., time stamp in case of audio/ video, etc.) as may be relevant.
- Grievance redressal mechanism:
- Intermediaries are required to (i) appoint a grievance officer, and (ii) publish the officer's name and contact details. The Rules require an intermediary to constitute a grievance redressal mechanism, to acknowledge receipt of user complaints within 24 hours and to resolve disputes within 15 days.
- The grievance officer is also required to receive and acknowledge any order, notice or direction issued by the appropriate government, competent authority or a court.
- It is expected that the platform would provide a grievance registration process in easy-to-understand terms for the benefit of its users.
- Retention of records:5
- Intermediaries must retain information and user registration records for a period of 180 days from (i) date of removal or disabling access to any unlawful information pursuant to receipt of actual knowledge or on voluntary basis or upon receipt of any grievances received by it, and (ii) additionally in case of any cancellation of registration or withdrawal of a user.
- The Rules require the intermediaries to store or retain data that have been collected from the user at the time of registration (mainly the location, time and date stamp of the user to understand when and where the account was created) if the user has withdrawn from the platform or in case of cancellation of account by the intermediary.
- Regarding the information that has been collected after registration and before withdrawal, it will vary from platform to platform. Quantum of information that a platform should store would be addressed through the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and notifications under Section 67C of the IT Act.
- Assistance to the Government Agencies:
- The Rules require intermediaries to provide information under their control or possession, or assistance, to a Government agency lawfully authorised for investigative, protective or cyber security activities within 72 hours from the receipt of the order.
- Therefore, all actions required by intermediaries may be summarised as follows:
| Action from Intermediary | Timeline |
| --- | --- |
| Grievance acknowledgement | 24 hours |
| Response to grievance | 15 days |
| Removal/disabling of content which exposes the private area of an individual, shows the individual in full or partial nudity, shows or depicts the individual in any sexual act or conduct, or is in the nature of impersonation in an electronic form, including artificially morphed images of the individual | Within 24 hours |
| Content removal on receipt of a court order or notice from the appropriate Government or its agency | Within 36 hours |
| Provision of information under its control or possession, or assistance, to a Government agency lawfully authorised for investigative, protective or cyber security activities | Within 72 hours of receipt of the order |
| Preservation of information and associated records relating to removal/disabling of access to such information | 180 days, or longer as may be required |
| Retention of a user's registration information after cancellation or withdrawal of registration | 180 days |
- Non-compliance by an intermediary
- The intermediary shall lose its exemptions from liability as provided under Section 79 of the IT Act and Rule 7 of these Rules may become applicable with respect to the extant law violated. Intermediary will be liable to the various liabilities provided under the IT Act and penal laws of India.
- Note that users will not face any penalties under the Rules; however, they need to ensure that the content they share on intermediary platforms does not violate the IT Act, else they may be penalised under the penal laws of India, the Copyright Act and other applicable law.
- Grievance Appellate Committee
- The Rules empower the Central Government to establish one or more Grievance Appellate Committees (GAC).
- The appeal process, which is intended to hold intermediaries accountable for how they redress grievances, enables any person aggrieved by a decision made by an intermediary’s Grievance Officer (GO) to appeal such a decision before the GAC within 30 days of receipt of the GO’s communication.
- The GAC must then resolve the appeal within 30 days of its receipt. The entire appeal process (from filing to decision) will be conducted through an online dispute resolution mechanism. An intermediary is expected to comply with the GAC’s order and upload a compliance report on its website.
- The Central Government has established three GACs. Relevant details of the GACs can be found at:
- Advisory by MEITY
In addition to the above, MEITY periodically issues advisories on various subjects. Some relevant advisories are summarised below:
- Advisory dated 03.09.2024
- In the Advisory dated 03.09.2024, MEITY noted that intermediaries, while complying with their due diligence obligations, are in some cases not taking prompt action to remove prohibited content from their platforms, which could lead to irreparable loss and/or harm to individuals in instances such as cyber financial frauds and scams.
- It highlighted that the Hon'ble High Court of Bombay, in National Stock Exchange of India Ltd. vs. Meta Platforms, Inc. & Ors., took note of this and, while emphasising the duty of intermediaries under the Rules, directed them to take prompt action on complaints of entities like the National Stock Exchange of India about unauthorised use of their trademark on dubious webpages, profiles, accounts, content, social media groups and/or channels. The Court directed the concerned intermediaries to delete or disable fake information, such as morphed videos and profiles relating to the plaintiff circulating on their platforms, promptly within ten hours of receiving such a complaint.
- The advisory further notes that intermediaries should take prompt action to remove any prohibited information at the earliest possible opportunity. They should do so proactively and at the earliest possible opportunity and not wait for the expiry of the time limits as prescribed in the Rules which is only an outside limit.
- Advisory dated 15.03.2024
- In this advisory, MEITY highlights the use of AI, LLMs, Generative AI, software or algorithms ("Technology") by intermediaries and notes that such Technology should not permit its users to host, display, upload, modify, publish, transmit, store, update or share any unlawful content. Further, such Technology should not create bias or discrimination or threaten the integrity of the electoral process.
- All under-tested or unreliable AI foundational models should be made available to users in India only after appropriately labelling their possible inherent unreliability. A consent pop-up or equivalent mechanism should be used to explicitly inform users of the possible fallibility/unreliability of the output generated.
- Intermediaries should inform users, through their terms of service and user agreements, of the consequences of dealing with unlawful information, including disabling of access to and removal of such information, suspension or termination of the user's access or usage rights, and punishment under applicable law.
- If the intermediary, through its resources, permits the synthetic creation, generation or modification of text, audio, visual or audio-visual information which may potentially be used as misinformation or a deepfake, it is advised that such information created, generated or modified through its software be labelled or embedded with permanent unique metadata or an identifier, such that the label, metadata or identifier can be used to establish that the information was created, generated or modified using the computer resource of the intermediary. Further, in case of any changes made by a user, the metadata should be configured to enable identification of the user or computer resource that effected such change.
- Advisory dated 26.12.2023
This advisory contains a list of instructions, most of which overlap with the Rules:
- The content not permitted under the Rules should be clearly listed. The same should be expressly communicated to the user at the time of first registration and through regular reminders, at every instance of login and while uploading/sharing information onto the platform.
- The user should be made aware of the various penal provisions of the Indian Penal Code6, the IT Act and other laws which may be attracted. Further, the terms of service and user agreements must clearly highlight that intermediaries/platforms are under an obligation to report legal violations to law enforcement agencies under relevant Indian law.
- Intermediaries should identify and remove misinformation, or information which is patently false, untrue or misleading, or which impersonates another person, including content created using deepfakes.
- Intermediaries should allow users, victims or any person on their behalf to report violations of the Rules in a simple and easily accessible manner, including through in-app user reporting on the platform. Upon receipt of a complaint, the grievance officer must acknowledge and redress it within the stipulated timelines.
- For each grievance, a ticket number may be generated, recording details of the grievance, including the time at which the grievance was made, the information to which the grievance relates, details of the user/victim who filed the grievance, and details of the users who uploaded or transmitted such information.
- Intermediaries must comply with the orders of GAC within timelines mentioned in the order and publish a report in relation to the same on its website.
- Intermediaries should take additional measures to not permit any advertisement of illegal loans and betting apps which have potential to scam and mislead users, the consequences of which will be the sole responsibility of the intermediaries.
- It reiterates that failure on the part of an intermediary to observe due diligence or to comply with the grievance redressal provisions of the Rules would result in the concerned intermediary automatically losing the exemption from liability provided under Section 79(1) of the Act, in accordance with Section 79(2)(c) of the Act.
- CERT-In
- The Government of India established “Indian Computer Emergency Response Team (CERT-In)” vide notification dated 27th October 2009. CERT-In serves as the national agency for performing the following functions in the area of cyber security:
- collection, analysis and dissemination of information on cyber incidents;
- forecast and alerts of cyber security incidents;
- emergency measures for handling cyber security incidents;
- coordination of cyber incidents response activities;
- issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
- such other functions relating to cyber security as may be prescribed.
- The composition and functioning of CERT-In is regulated by the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ("CERT-In Rules"). CERT-In is empowered and competent to call for information from, and give directions to, service providers, intermediaries, data centres, body corporates, etc. ("Entities").
- On 28 April 2022, CERT-In issued new directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (“2022 Directions”) which impose certain requirements in relation to cyber security incidents, storing of logs etc.
- Reporting Requirements
- Certain cyber incidents, as specified in Annexure 2 herein, are required to be reported to CERT-In within 6 hours of noticing such incidents or of being notified of such incidents. The reporting should be in the prescribed format (as available on the CERT-In website).
- If all information regarding the cyber incident is not available, Entities may provide information to the extent available within 6 hours and provide additional information to CERT-In within reasonable time.
- Further, if multiple parties are affected by a cyber security incident, any party that notices such incident is required to report it to CERT-In. Note that the reporting obligation to CERT-In is mandatory and overrides any confidentiality related obligations under contract.
- Further under Rule 14 of the CERT-In Rules, CERT-In can seek information from regulated entities in specified formats and time frames for responding to cyber incidents.
- ICT clock synchronization
- The 2022 Directions require all entities to synchronise ICT system clocks to the Network Time Protocol (NTP) of the National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with other NTP servers traceable to those maintained by NIC or NPL.
- While global entities are permitted to use a different time source that is in sync with NTP, they need to ensure that their time source does not deviate from NPL and NIC.
- Maintenance of logs
- Entities are required to maintain logs of Information and Communication Technology (ICT) systems for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction.
- Further the FAQ issued in relation to the 2022 Directions note that these logs can be stored outside India as long as a copy is retained within India. Any service provider offering services to the users in the country needs to enable and maintain logs and records of financial transactions in Indian jurisdiction.
- Relevant logs need to be provided to CERT-In when cyber incidents are reported or when so ordered by CERT-In. The logs that need to be maintained will depend on the sector in which an Entity is operating and may include – firewall logs, event logs of critical systems, application logs, VPN logs, etc.
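A practical way to check the 180-day rolling-window requirement (and the related expectation that log timestamps come from a synchronised clock) is to run a coverage check over an inventory of log sources. The following is an added example written for this note, not code from CERT-In or any regulator; the source names, dates and the "stored in India" flag are constructed, and the check assumes each source is summarised by its earliest and latest timestamp in ISO 8601 form with an explicit UTC offset.

```python
"""Retention-coverage check for a rolling 180-day ICT log window.

Added example (not from the original note). Each log source is summarised as
(name, first_ts, last_ts, copy_in_india). Timestamps are ISO 8601; a source
whose timestamps carry no UTC offset is flagged, because records from a
clock synchronised to a traceable NTP server should be unambiguous in time.
"""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180  # rolling period stated in the 2022 Directions

# Constructed sample inventory: hypothetical source names and dates.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "2024-01-01T00:00:00+05:30", "2024-06-30T23:59:59+05:30", True),
    ("vpn-gw-01",  "2024-03-15T00:00:00+05:30", "2024-06-30T23:59:59+05:30", True),
    ("app-api",    "2024-01-01T00:00:00Z",      "2024-06-30T23:59:59Z",      False),
    ("db-audit",   "2024-01-01 00:00:00",       "2024-06-30 23:59:59",       True),
]
# Fixed "now" so the sample findings are reproducible (constructed).
SAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 timestamp to UTC; return None if it has no offset."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        return None
    return ts.astimezone(timezone.utc)


def check_retention(inventory, now, retention_days=RETENTION_DAYS):
    """Return {source: [issues]} against the window ending at `now`.

    An empty issue list means the source covers the whole rolling window,
    is still producing records, and has a copy within Indian jurisdiction.
    """
    window_start = now - timedelta(days=retention_days)
    findings = {}
    for name, first, last, copy_in_india in inventory:
        issues = []
        first_ts, last_ts = parse_ts(first), parse_ts(last)
        if first_ts is None or last_ts is None:
            issues.append("timestamps lack an explicit UTC offset")
        else:
            if first_ts > window_start:
                short_by = (first_ts - window_start).days
                issues.append(f"covers only part of the window (short by {short_by} days)")
            if last_ts < now - timedelta(days=1):
                issues.append("no records in the last 24 hours")
        if not copy_in_india:
            issues.append("no copy retained within Indian jurisdiction")
        findings[name] = issues
    return findings


def compliant_sources(findings):
    """Names of sources with no findings."""
    return sorted(name for name, issues in findings.items() if not issues)


if __name__ == "__main__":
    for source, issues in check_retention(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(source, "OK" if not issues else "; ".join(issues))
```

In practice the inventory would be built by reading the first and last line of each collected log file (or querying the SIEM's index), and the check would run daily so a source that silently stops shipping, or a file rotation that drops history, is caught before CERT-In asks for the logs.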
- Point of Contact
- The service providers, intermediaries, data centres, body corporate and government organisations shall designate a Point of Contact to interface with CERT-In.
- The Information relating to a Point of Contact shall be sent to CERT-In in the format specified at Annexure 3 herein and shall be updated from time to time.
- All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact.
- Subscriber Data Collection and Retention of Financial Transaction
- Data centres, Virtual Private Server (VPS) providers, cloud service providers (CSPs) and Virtual Private Network (VPN) providers are required to record certain information accurately in relation to their subscribers, similar to the Know Your Customer (KYC) requirement imposed by other sectoral regulators. This information needs to be maintained for at least 5 years after cancellation/withdrawal of the user registration, or for a longer period where mandated by law.
- The information required to be maintained is:
a. Validated names of subscribers/customers hiring the services
b. Period of hire including dates
c. IPs allotted to / being used by the members
d. Email address and IP address and time stamp used at the time of registration / on-boarding
e. Purpose for hiring services
f. Validated address and contact numbers
g. Ownership pattern of the subscribers / customers hiring services
- CERT-In is empowered to call for this information in case of any ‘cyber incidents’ or ‘cyber security incidents’.
- Further, the 2022 Directions require all ‘virtual asset service providers, virtual asset exchange providers and custodian wallet providers’ to maintain KYC and financial transaction records.
- The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by Ministry of Finance from time to time) must mandatorily maintain all information obtained as part of KYC and records of financial transactions for a period of 5 years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
- For transaction records, the intent is to maintain accurate information in such manner that individual transaction can be reconstructed/identified.
- The transaction records to be maintained include but are not limited to, information relating to the (i) identification of the relevant parties including IP addresses, (ii) timestamps and time zones, (iii) transaction ID, (iv) public keys (or equivalent identifiers), (v) addresses or accounts involved (or equivalent identifiers), (vi) the nature and date of the transaction, and (vii) amount transferred.
- Please note that above is an inclusive list only and the intent is that individual transactions can be reconstructed from transaction records.
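The reconstruction requirement is easiest to meet if each transaction is written once, with every listed element present, to an append-only record that can be searched by transaction ID or by party. The block below is an added example written for this note, not a format prescribed by CERT-In or the Ministry of Finance; the field names, the in-memory JSON Lines store and the sample records are all constructed, and the five-year retention window is approximated as 5 × 365 days.

```python
"""Append-only transaction record store supporting reconstruction of a
single transaction. Added example (not from the original note); field
names and sample values are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# The seven elements listed in the 2022 Directions, mapped to record fields.
REQUIRED_FIELDS = {
    "tx_id": str,        # (iii) transaction ID
    "timestamp": str,    # (ii) ISO 8601 with explicit offset / time zone
    "parties": list,     # (i) each {"role", "customer_id", "ip"}
    "public_keys": list, # (iv) public keys or equivalent identifiers
    "addresses": list,   # (v) addresses or accounts involved
    "nature": str,       # (vi) nature of the transaction (date is in timestamp)
    "amount": str,       # (vii) amount, kept as a decimal string
    "asset": str,        # assumed extra field: which virtual asset
}
RETENTION = timedelta(days=5 * 365)  # approximation of the 5-year period


class RecordError(ValueError):
    pass


def validate_record(rec):
    """Raise RecordError unless every required element is present and typed."""
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        raise RecordError(f"missing fields: {missing}")
    for field, typ in REQUIRED_FIELDS.items():
        if not isinstance(rec[field], typ):
            raise RecordError(f"field {field!r} must be {typ.__name__}")
    ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise RecordError("timestamp must carry an explicit UTC offset")
    for party in rec["parties"]:
        for key in ("role", "customer_id", "ip"):
            if key not in party:
                raise RecordError(f"party missing {key!r}")
    return ts.astimezone(timezone.utc)


def is_valid(rec):
    try:
        validate_record(rec)
        return True
    except (RecordError, ValueError):
        return False


class TransactionLedger:
    """Append-only JSON Lines store held in memory (a file in practice)."""

    def __init__(self):
        self._lines = []

    def append(self, rec):
        validate_record(rec)                       # never store an incomplete record
        self._lines.append(json.dumps(rec, sort_keys=True))

    def reconstruct(self, tx_id):
        """Return the full record for one transaction ID, or None."""
        for line in self._lines:
            rec = json.loads(line)
            if rec["tx_id"] == tx_id:
                return rec
        return None

    def find_by_address(self, address):
        """Transaction IDs in which an address or account took part."""
        return [json.loads(l)["tx_id"] for l in self._lines
                if address in json.loads(l)["addresses"]]

    def expired(self, now):
        """Transaction IDs older than the retention period as of `now`."""
        return [json.loads(l)["tx_id"] for l in self._lines
                if validate_record(json.loads(l)) + RETENTION <= now]


def build_sample_ledger():
    """Two constructed records (hypothetical IDs, keys and addresses)."""
    ledger = TransactionLedger()
    ledger.append({
        "tx_id": "tx-0001", "timestamp": "2019-06-01T10:00:00+05:30",
        "parties": [{"role": "sender", "customer_id": "c-42", "ip": "203.0.113.7"},
                    {"role": "receiver", "customer_id": "c-77", "ip": "198.51.100.9"}],
        "public_keys": ["pk-constructed-1"], "addresses": ["addr-A", "addr-B"],
        "nature": "transfer", "amount": "0.250", "asset": "EXAMPLECOIN"})
    ledger.append({
        "tx_id": "tx-0002", "timestamp": "2024-06-01T10:00:00Z",
        "parties": [{"role": "sender", "customer_id": "c-42", "ip": "203.0.113.7"}],
        "public_keys": ["pk-constructed-1"], "addresses": ["addr-A", "addr-C"],
        "nature": "withdrawal", "amount": "1.000", "asset": "EXAMPLECOIN"})
    return ledger
```

Storing the amount as a string and the timestamp with its offset avoids the two most common reasons a reconstructed transaction does not match the original: floating-point rounding and ambiguous local time. Deletion after the retention period should itself be logged, since the provider must be able to show why a record is absent.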
- Non-compliance with 2022 Directions
- Non-compliance with the 2022 Directions shall lead to punitive action under the IT Act, which can extend to imprisonment for up to a year and/or a fine of up to INR 100,000.
- Other penal laws of the country, where applicable, may also be invoked in cases of non-compliance.
Annexure 1: Relevant section of the IT Act
Section 79. Exemption from liability of intermediary in certain cases.—
(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.
(2) The provisions of sub-section (1) shall apply if—
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or
(b) the intermediary does not—
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.
(3) The provisions of sub-section (1) shall not apply if—
(a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act;
(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
Explanation.—For the purposes of this section, the expression “third party information” means any information dealt with by an intermediary in his capacity as an intermediary.
Annexure 2: Types of cyber security incidents mandatorily to be reported by service providers, intermediaries, data centres, body corporate and Government organisations to CERT-In:
i. Targeted scanning/probing of critical networks/systems
ii. Compromise of critical systems/information
iii. Unauthorised access of IT systems/data
iv. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
v. Malicious code attacks such as spreading of virus/worm/Trojan/Bots/ Spyware/Ransomware/Cryptominers
vi. Attack on servers such as Database, Mail and DNS and network devices such as Routers
vii. Identity Theft, spoofing and phishing attacks
viii. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
ix. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
x. Attacks on Application such as E-Governance, E-Commerce etc.
xi. Data Breach
xii. Data Leak
xiii. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
xiv. Attacks or incidents affecting Digital Payment systems
xv. Attacks through malicious mobile Apps
xvi. Fake mobile Apps
xvii. Unauthorised access to social media accounts
xviii. Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
xix. Attacks or malicious/suspicious activities affecting systems/ servers/networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
xx. Attacks or malicious/ suspicious activities affecting systems/servers/software/ applications related to Artificial Intelligence and Machine Learning
Annexure 3: Format for providing Point of Contact information
The Information relating to the Point of Contact shall be sent to CERT-In via email (info@cert-in.org.in) in the format specified below and shall be updated from time to time:
| Field | Entry |
| --- | --- |
| Name | |
| Designation | |
| Organisation Name | |
| Office Address | |
| Email ID | |
| Mobile No. | |
| Office Phone | |
| Office Fax | |