Facebook exposé signals the need for India to update its social media regulations

tl;dr

In light of the recent Facebook disclosures, we wrote to the Ministry of Electronics and Information Technology about any forthcoming updates to the Information Technology Act, 2000. We pointed out several inadequacies and lacunae in the Act, and asked the Ministry to publish a full consultation timeline over any proposed amendments.

Background

The Information Technology Act, 2000 (IT Act) is the cornerstone of India’s policy framework for regulating the internet. However, in the two decades since the IT Act was originally enacted, significant technological, policy, and legal developments have taken place that subsequent amendments have not been able to completely account for. Digitisation has grown tremendously and, today, integrates strongly with a wide range of individual and social behaviours across demographics in India. For context, only 0.5% of the population (around 55 lakh people at that time) actually used the internet in 2000. BSNL was also incorporated 4 months after the passing of the Act.

As a result, amending the IT Act is an issue that has come up multiple times over the last couple of years. In January this year, multiple media reports (see here and here) emerged stating that the Ministry of Electronics and Information Technology (MEITY) had begun a ‘revamp’ of the IT Act. These reports described discussions over updating the Act to better deal with modern technologies and challenges. These changes would also involve harmonising the Act with the provisions of the Personal Data Protection Bill, 2019.

On February 3rd, 2021, an answer to a Lok Sabha question stated that “MeitY has initiated work on amendment to the Information Technology Act, 2000 which, inter alia, includes strengthening the provisions for intermediaries for making them more responsive and accountable to Indian users.” Furthermore, an RTI request we had filed received an answer on February 4th, 2021 that revealed that the Ministry had begun to interact with stakeholder ministries over potential amendments to the Act. In response to all these developments, we had written to MEITY, pointing out the issues and lacunae with the IT Act and asking the Ministry to hold a full public consultation with regard to the proposed amendments.

Then, in July this year, before the Monsoon session of Parliament, we wrote to the Standing Committee on Information Technology, explaining how the IT Act’s original purpose was to govern e-commerce in India and how there was a need to update the Act in line with technological, policy, and legal developments. Recent media reports have once again indicated that MEITY is working on amendments. These reports suggest that MEITY is looking to introduce a more stringent intermediary liability regime that would subsume the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules) and give the government more control over social media platforms. Some reports even indicate that a new Act may be introduced to deal specifically with intermediary liability. The reports also indicate that terms such as ‘online bullying and harassment’ may be defined under the IT Act, while technologies such as blockchain and bitcoin may also be regulated under the Act.

Intermediary liability and the Facebook disclosures

Given the important role of social media platforms in modern life, intermediary liability is one of the key issues that needs to be addressed. While we understand the need for robust regulations and acknowledge the existence of certain progressive provisions, on the whole, the IT Rules are anti-democratic and unconstitutional. This is not to say social media is perfect. On the contrary, it is broken, and there is ample evidence of its brokenness. The recent disclosures from a whistleblower about the activities of Facebook and the company’s role in misinformation campaigns, hate speech moderation, and dubious fact checking are only the latest example.

Previously, in July this year, the Supreme Court in its judgement in Ajit Mohan & Ors. vs Legislative Assembly National Capital Territory of Delhi & Ors. had noted that Facebook had “become a platform for disruptive messages, voices and ideologies”. Facebook’s role as an intermediary was at the heart of the issue, as stated by the Supreme Court:

“[I]t is difficult to accept the simplistic approach adopted by Facebook - that it is merely a platform posting third party information and has no role in generating, controlling or modulating that information”.

The Supreme Court’s observations were further confirmed by the whistleblower disclosures. In September 2021, the Wall Street Journal published a series of ten reports titled, “The Facebook Files: A Wall Street Journal Investigation” based on a review of internal Facebook documents, through which they came to the conclusion that Facebook knows that its platforms are harmful to its users. The whistleblower also submitted eight complaints alleging that Facebook is knowingly withholding information and research about its shortcomings from the public and its investors.

The leaked reports also contain information that is of extreme relevance to India. One of these documents explicitly states that anti-Muslim and Islamophobic content is rampant on Facebook:

“Anti-Muslim narratives targeted pro-Hindu populations with [violent and incendiary] intent… There were a number of dehumanizing posts comparing Muslims to ‘pigs’ and ‘dogs’ and misinformation claiming the Quran calls for men to rape their female family members”.

The same report also notes several instances of fear-mongering by members of the Rashtriya Swayamsevak Sangh. The report also states that Facebook lacks the technical capacity to deal with hate speech in local languages such as Hindi and Bengali. Furthermore, one of the reasons Facebook has been unable to develop said capacity is the existence of ‘political sensitivities’, which critics imply means that Facebook has pursued profit over harm reduction.

Additionally, one of the whistleblowers has claimed that Facebook halted their efforts to take down a network of fake accounts in the lead-up to the Delhi legislative elections of 2020 when it discovered that the network was run by a BJP politician:

While two Congress, one Aadmi Party and one Bharatiya Janata Party-linked IT cell-style networks were actioned, one was spared despite being repeatedly flagged…. in case of the BJP MP, it was obvious that the network was being operated from his house, and was being personally done.

The Facebook whistleblowers’ claims are quite worrisome, and merit a thorough review of the regulatory paradigm for social media. However, in the rush to curb the powers of internet companies, the government must not override constitutionally guaranteed fundamental rights. Instead, in collaboration with multiple and diverse stakeholders, the government must work towards building a statutory framework that safeguards ordinary Indians who use social media with increased frequency in every aspect of their lives.

Other issues with the IT Act

One key development since the passing of the IT Act is the emergence of progressive data protection paradigms. On 24th August, 2017, the Supreme Court affirmed that the Constitution of India guarantees to each individual the fundamental right to privacy in its judgement in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. Additionally, in its judgement in Shreya Singhal v. Union of India, the Supreme Court struck down section 66A as unconstitutional and draconian, stating that the provision was vaguely drafted and significantly violated the right to free speech guaranteed under articles 19 and 21 of the Indian Constitution.

However, the efficacy of these progressive judgements has been significantly hindered. For example, as acknowledged by the hon’ble Supreme Court itself, section 66A (or similar provisions) continues to be used within the Indian legal system. Additionally, provisions of the Act that relate to privacy, such as section 69, require revision to accommodate the proportionality standards laid down in the aforementioned judgement. Provisions that relate to data protection, such as sections 43A and 67C, may also need to be brought in line with modern data protection practices and the Personal Data Protection Bill, 2019 (which has its own issues).

Another significant concern is the increasing number of data breaches that have plagued the country. The average data breach in India in 2021 cost Rs 16.5 crore, an increase of 17.85% from 2020. The average time to detect a breach went up from 230 days to 239 days, while the average time taken to contain a breach reduced slightly from 83 to 81 days. This indicates a significant amount of information and data loss for users.

Existing mechanisms under the IT Act may be inadequate. For example, section 43A of the Act only provides compensation to users for negligent handling of sensitive personal data (and so not in the case of a breach of personal data). The use of such a narrow metric precludes any compensation for the vast amounts of data (such as a home address, passport details, etc.) that have been leaked. Furthermore, no proactive measures for ensuring the security of data have been specified.

Our recommendations

Given all these issues, we once again request that MEITY furnish the public with a full consultation timeline over any potential amendments. This would help bring the drafting process in line with the Pre-Legislative Consultation Policy adopted on February 5th, 2014 while also respecting several healthy precedents for public consultations set in the past.

Furthermore, we ask that extensive dialogues be conducted with academics, civil society, digital rights experts and organisations, and technologists, as such groups would provide a unique citizen-centred perspective that would complement the more business- or administration-friendly inputs of other stakeholders. Such a timeline must also include details about the composition of the committee to be formed for drafting these amendments and the set of stakeholders that are to be invited. We also request MEITY to publish a white paper on the amendments that sets out the policy direction the Ministry wishes to take.

Important documents

  1. IFF's representation to MEITY Re: "Facebook whistleblower disclosures require a public process for legislative protections including proposed amendments to the Information Technology Act, 2000" (link)
  2. Previous blogpost: Update the IT Act 2000: India needs a reboot! (link)
  3. Previous blogpost: The Times Are A-Changing: Ensuring IT Act amendments are progressive (link)
  4. Previous blogpost: Examining Facebook’s Human Rights Policy (link)
  5. Previous blogpost: Explained: Supreme Court upholds Delhi Assemblies summons to Facebook (link)