To trace or not to trace, that is the Shakespearean question we are confronted with. The implementation of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 framed under the IT Act of 2000 has sparked a stormy debate. Battle lines are apparently drawn and hardening day-by-day between those who advocate data privacy and those who give primacy to national sovereignty and public order. Stepping away from the heat of the ‘here and now’ of the argument in court, as also the minutiae of these rules, it would be useful to examine the foundational and public-policy questions involved while navigating between this binary of privacy and public order.
At their heart, the intermediary rules seek to have significant messaging intermediaries (SMIs) in the private messaging space accept certain tracing obligations, in particular on the identification of a ‘first originator’ of information. Ideological advocates of the state point to the need to protect society from public harm, in terms of terrorism and radicalization, misinformation, fake news, sexual misconduct and cyber-crime, to justify the imposition of this obligation on SMIs. The privacy challenge is foregrounded in the principle that such rules are violative of the fundamental right to privacy of SMI users, as they compel SMIs to overhaul their data encryption mechanisms, which ensure that messages are only accessible to their senders and receivers.
There are three public-policy arguments that help understand how to steer between privacy and public order. First, Supreme Court judgements like the 2017 Puttaswamy judgment on privacy. It held that the right to privacy is an intrinsic part of the right to life and personal liberty, and, thus, is protected under Article 21. Like all fundamental rights under the Constitution, the right to privacy could be subject to reasonable restrictions. However, any invasion of privacy requires that an enabling law must be based on a legitimate state aim, should not suffer from arbitrariness and adopt means that are proportionate to the object and needs it seeks to fulfil. This test of reasonableness was also adopted in the Supreme Court’s Aadhaar judgement. Consequently, there is a legitimate way forward for public-order tracing under the IT Rules which would satisfy such a three-fold test. This allows for public-order tracing but only in a manner that constitutes a reasonably formulated infringement of privacy, meeting the touchstones of legitimacy, lack of arbitrariness and proportionality. Framing the legitimate state interest that necessitates tracing must be precise, so as to obviate any concern of arbitrary application.
Second, in striking such a balance between privacy and public order under the intermediary rules, India would be in line with global practices. There exists an analogy in the context of bank secrecy. Switzerland has for long been the most ardent advocate of bank secrecy. However, global efforts at financial transparency have resulted in the country having to accept that its bank customers’ right of privacy on bank information now has to be balanced with legitimate processes of procuring information needed to combat money laundering, terrorism and crime, which have been codified in Switzerland’s bilateral agreements. Jurisdictions like Singapore and Germany have moved to regulate social media platforms in the interest of law and order, as an initial step towards regulating major technology companies. India could draw upon some of these international best practices. In Singapore, for instance, the Protection from Online Falsehoods and Manipulation Act, 2019, provides for the issuance of ‘correction notices’, rather than removals—which is an outcome-based approach. India, with its ideals of free speech, could consider a similar device, rather than mandating removals or tracing.
Finally, attempts to use criminal law for leverage over companies in ensuring that they accept the intermediary rules need to be carefully considered. Seeking enforcement of the law by private companies need not mean undertaking actions akin to those used in criminal proceedings for civil obligations. This may not be favoured by the courts. The use of criminal proceedings for the dishonour of cheques against corporate debtors during insolvency proceedings was disparagingly referred to as “civil sheep in criminal wolf’s clothing” by the Supreme Court in P. Moharanj & Ors. vs Shah Brothers in 2021. The use of police complaints (first information reports) to ensure compliance with the intermediary rules could also be inconsistent with efforts to decriminalize what are essentially civil matters, as reflected, for example, in the proposed Companies (Amendment) Bill, 2020. Also, as a matter of process, a transition period, as was allowed in Germany before the introduction of its NetzDG laws (the penalties for which are fines), should be granted.
Legitimate public order interests will have to be balanced with the reasonableness of rules to encourage the development of trust-based compliance between SMIs and the government, and should take due account of privacy concerns based on end-to-end encryption. The matter will ultimately be decided by the judiciary, not law enforcement agencies. Striking an appropriate balance will burnish India’s credentials as a global leader as we move to take up the mantle of the G20 presidency in 2023.
Varun Mehta, senior associate, Cyril Amarchand Mangaldas, contributed to this column. These are the authors’ personal views.
Arjun Goswami and Richa Roy are, respectively, director, public policy; and partner, Cyril Amarchand Mangaldas
Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.