In a judgment that protects the online privacy of women, the Delhi High Court on April 26, 2023, issued extensive directions to search engines, the Delhi Police and the Ministry of Electronics and Information Technology (“MeitY”) to ensure that victims in cases of Non-Consensual Intimate Images (“NCII”) are not repeatedly harassed and don't have to constantly approach authorities for removal of their explicit images/content. The Delhi High Court ordered that the Cybercrime Reporting Portal must display a status tracker for such grievances, and that Delhi Police must promptly register a complaint and commence investigation.
Why should you care?
Mrs. X v. Union of India highlights how the infringement of privacy lies at the core of gender-based violence and how a lack of privacy protection built into digital technology can perpetuate such violence. In this regard, by directing intermediaries to undertake privacy-respecting measures to prevent Technology-Facilitated Sexual Violence (TFSV), the Delhi HC has potentially paved the way for making the internet a safer playground for its users.
In Mrs. X v. Union of India, the Petitioner was facing repeated harassment at the hands of the accused who kept uploading intimate images of the Petitioner that had been captured without her consent and under coercion. Despite approaching the Grievance Cells of various intermediaries such as Google LLC, Microsoft, etc., her grievances remained unaddressed. This led to her filing a writ petition before the Delhi High Court praying for the offending content to be taken down and for action to be taken against the accused.
During the course of the hearing, the HC directed Google LLC and Microsoft to disable access to the URLs displaying NCII content pertaining to the Petitioner. However, it was seen that even after disabling the links to such NCII content, it would simply be reproduced elsewhere.
The HC decided to expand the scope of the writ petition and suggested to the intermediaries to institute a proactive approach towards disabling access to links of NCII. However, intermediaries contended that such an approach was beyond the due diligence requirements under the IT Act and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”). It was further submitted by the intermediaries that they did not possess the appropriate technology for such proactive monitoring of NCII content and that such monitoring would lead to the violation of the fundamental right to speech and expression under Article 19 of the Constitution of India.
Right to Informational Privacy Affirmed
After hearing intermediaries such as Google and Microsoft, as well as the counsel for MeitY, and also Mr. Saurabh Kipral, amicus curiae, in this matter, the Delhi High Court issued several directions and guidelines to be followed in matters involving NCII.
One of the main considerations of the Delhi HC was to ensure that the victim did not have to incessantly scour the internet for their NCII content. Once it had been reported by the victim or a takedown order had been issued by the Court order or by the appropriate Government authority, then it ought to be incumbent upon the intermediaries to prevent resurfacing of such content.
The Delhi HC observed that right to privacy was a sacrosanct aspect of Article 21 of the Constitution as held by a 9-Judge Bench of the Supreme Court in K.S. Puttaswamy v. Union of India, and that this right includes the right to informational privacy and the right to exercise control over personal data. Further, it referred to Section 66E of the IT Act, which provides for punishment for publishing NCII content, to state that individuals inhabited a reasonable expectation to privacy.
Further, the Delhi HC referred to Kerala HC’s decision in Vysakh K.G. v. Union of India, the Delhi HC observed that intermediaries must take “reasonable efforts” to ensure that its users do not publish content that is prohibited under Rule 3(1)(b). Further, it was noted that search engines can help protect user privacy from illegal content being hosted on third-party websites as de-indexing a URL can have an incremental impact on protecting one’s right to be forgotten, in these cases, as it makes it impossible for someone to access such material if they are not aware of the exact URL.
The Delhi HC noted that tools existed with the offending entities for the detection and removal of matched content that had previously been removed. Though such technology exists for the purpose of removing CSAM, the Court went a step further to recognise that entities such as Meta have been using such tools for curtailing the spread of NCII content. The Court held that the amended Rules increased the burden on intermediaries to prevent illegal content. The Court found that the right to free speech is subject to reasonable restrictions, so the fundamental right is not violated.
What were the directions given by the Court?
The Court directed the Petitioner to file an affidavit in a sealed cover identifying the NCII content that is to be removed. The definition of NCII must be liberally interpreted to include explicit content that is obtained or disseminated without the consent of an individual.
The Government’s Online Cybercrime Reporting Portal must display a status tracker and redressal mechanisms for victims. The contact details/address of each District Cyber Police Station will also be displayed, with an assigned Officer for coordinating with the Delhi Police.
The Delhi Police was directed to promptly register a complaint and start an investigation upon receiving information about NCII. Additionally, a round-the-clock helpline must be set up for reporting such content.
Search engines were directed to deploy already existing mechanisms with the relevant hash-matching technology. Thus, when a victim obtains a takedown order, the user/victim may be assigned a unique token upon initial takedown of NCII content. If the content resurfaces, then the search engines must ensure that access to such content immediately ceases. They are further required to strictly follow the timeframe stipulated under Rule 3 of the Rules.
The Court proposed a long-term solution for removing reported NCII content, which involves assigning cryptographic hashes/identifiers to the reported NCII content for its automatic identification and removal. This process would require collaboration between intermediaries and MietY and would ensure secure and automatic removal of the content. The Court emphasized the importance of transparency and accountability due to the sensitive nature of the data involved.
Internet Freedom Foundation was not involved in these proceedings on behalf of any of the parties or itself. We are reporting on this case, as an update of an important case in India that increases online privacy.
- Order of the Delhi High Court dated 26.04.2023 in Mrs. X v. Union of India (link)