Deep dive : How the intermediaries rules are anti-democratic and unconstitutional.

An overview of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the “safeguards” it seeks to establish, how they affect your internet usage experience, and your fundamental rights.


The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “Intermediary Rules”) fundamentally change the way the internet will be experienced in India. We provide you with an overview of its contents, the “safeguards” it seeks to establish, how they affect your internet usage experience, and your fundamental rights. Most notably, the Rules now will bring government control rather than regulation over digital news platforms and OTT video content providers. Several requirements under them suffer from unconstitutionality and undermine the free expression and privacy for millions of internet users in India.

What are the Intermediary Rules?

In our previous post, we discussed the sketchy history of the Intermediary Rules. We also touched upon an analysis of the draft version, and while there have been some changes between the finalised version, the core of the proposals remain. They massively undermine your privacy and free expression as users of the Internet in India. For a quick explainer on what they are, you can also view a video we made yesterday.

Yesterday evening these rules were notified in the official gazette as the “Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021”. For convenience, let’s just call them the Intermediary Rules. The Intermediary Rules have replaced the Information Technology (Intermediaries guidelines) Rules, 2011 (or the 2011 Rules). In this post, we bring a much more in-depth and legal analysis of the Intermediary Rules breaking down the top 5 changes in each chapter that impact your digital rights.

What is the structure of the Intermediary Rules?

While Part I of the Intermediary Rules mainly lays down the definitions of terms, Part II and Part III contain the actual compliances and requirements. Part II deals with the regulation of intermediaries, including social media intermediaries. Social media intermediaries include messaging-related intermediaries, such as WhatsApp, Signal and Telegram, and media-related intermediaries, such as Facebook, Instagram and Twitter. This part is administered by the Ministry of Electronics and Information Technology (MeitY).

Part III deals with the regulation of digital news media (though there is a lack of clarity on exactly which news media these Rules apply to) and OTT platforms, such as Netflix, Amazon Prime and Disney+Hotstar. Part III is administered by the Ministry of Information and Broadcasting.

Below we are doing a deeper dive and an initial analysis of the new compliances with brief comments on possible impacts. We invite you to use the comments feature to let us know your thoughts, views, and yes, we do remain open to any and all corrections. We intend to advance a public discussion on these massive changes to our internet freedom which appear to hurt our privacy and free expression tremendously.

1. Creation of differential obligations: Fresh classes have been created including, “social media intermediary” [Rule 2(w)] and “significant social media intermediary” [Rule 2(v)]. The threshold for social media intermediary to be considered and regulated as a “significant social media intermediary” was notified on February 26, 2021, as fifty lakh (5 million) registered users. These categories bring a high level of government discretion in determining which platforms need to comply with what regulations. Such power is further reinforced by Rule 6, as per which the government may, by order, require *any intermediary* to comply with obligations imposed on a “significant social media intermediary” under Rule 4. To do so, it must satisfy the threshold of “a material risk of harm”. This threshold is vague, and it enables the Central Government to enforce discriminatory compliances.

2. Nanny requirement: Do you hate email spam? Do you hate incomprehensible Terms of Service and Privacy Policies even more? Well, get ready for them being delivered more than once a year. Under the new rules, each intermediary will have to notify you at least each year [Rule 3(c)]. This means practically a whole host of web services will send you periodic emails reminding you not to do anything “illegal”, or they will terminate your account.

3. Grievance redressal mechanism: While in the version in 2011, an intermediary was required to appoint a grievance redressal officer (Rule 11), there are a whole host of compliances now necessary that have been additionally placed. Previously, the Grievance Officer was responsible for receiving complaints from users concerning the Rules and redressing them within a month. Now, the Grievance Officer is responsible for acknowledging complaints within 24 hours and resolving them within a reduced timeline of 15 days [Rule 3(2)(a)(i)]. The Grievance Officer has also been made responsible for the receipt and acknowledgement of any order, notice or direction issued by the appropriate government, any competent authority or a court of competent jurisdiction [Rule 3(2)(a)(ii)]. However, grievance officers for intermediaries other than significant social media intermediaries are not required to furnish reasons for the decision taken regarding complaints received by them. They don’t have to furnish reasons either to the complainant or even to the user whose content may have been removed because of the Intermediary Rules. This is discussed in more detail below.

4. Significant Social Media Intermediaries get a full grievance redressal team: In addition to the obligations imposed on intermediaries, significant social media intermediaries, which is a distinct class, have an additional requirement to appoint three officers with different responsibilities [Rule 4(1)]. The officers are:

  • a Chief Compliance Officer, responsible for ensuring compliance with the Information Technology Act, 2000 (the IT Act) and the rules made thereunder, and liable for proceedings in this regard;
  • a nodal person of contact, for “24x7 coordination” with law enforcement agencies; and
  • a Resident Grievance Officer, with similar responsibilities as the Grievance Officer for intermediaries described above.

A Resident Grievance Officer of a significant social media intermediary is also required to notify a user before removing content posted by such user with reasons, provide them with an opportunity to dispute such action, and give the complainant its reasons for the decision taken in response to their complaint [Rules 4(6)]and 4(8)]. Notably, the grievance officers for other intermediaries do not have such requirements.

All three officers appointed by the significant social media intermediaries, as above, are now legally required to reside in India. Significant social media Intermediaries are also required to have a physical contact address in India [Rule 4(5)]. Officer’s details and the physical contact address must be prominently published on its website or mobile-based Internet application. It is important to note that the Home Ministry has fortnightly meetings with all social media entities in India. We may expect this list to grow now, with designated Chief Compliance Officers required to attend them.

5. Contracted timelines for assistance to law enforcement agencies: The obligation on the intermediaries in the 2011 Rules was to “act within thirty-six hours and where applicable, work with the user or owner of such information” to take it down. Under the new Intermediaries Rules, intermediaries must *complete* the takedown process under Section 79(3) of the IT Act, within 36 hours. Further, the 2011 Rules did not specify a timeline within which intermediaries were required to provide information or assistance to law enforcement agencies. The Intermediary Rules have provided intermediaries with a 72-hour limit for providing such information or assistance [Rule 3(2)(j)]. Additionally, a new takedown requirement has been added, wherein specific scenarios, such as nudity, depiction of sexual conduct or impersonation, the intermediary is required to take down such content, upon request of the concerned user, within 24 hours [Rule 3(2)(b)].  

6. Hello big brother! Expansion of mandatory data retention: The data retention period has been doubled, and intermediaries are now required to preserve information for 180 days (6 months!) for investigative purposes [Rule 3(1)(h)]. The data has to be preserved even after a user has deleted their accounts. It is important to consider this requirement in the absence of a data protection law and any kind of oversight on how surveillance operates in India (side note: IFF is a litigant challenging it in the Supreme Court).

7. “Voluntary” verification of social media users: Significant social media Intermediaries must also allow their users to “voluntarily” verify their accounts, using any appropriate mechanism, including the active Indian mobile number of the user. The significant social media intermediary shall also provide a visible and demonstrable mark identifying such verification [Rule 4(7)]. This could lead to a scenario where the voluntary becomes mandatory, as is the case with many other technologies which were introduced as “voluntary” but eventually made mandatory in an indirect manner. It would then have severe implications for anonymity and privacy (imagine being made to link your Aadhaar to your social media accounts without which government handles may not respond to you!), which are essential for users of social media intermediaries, for example, political dissenters. Also, much more worryingly, without a data protection law, this means that Social Media entities will collect data of our government IDs without any regulatory body, such as a data protection authority, to ensure it is used only for verification.

8. An end to end-to-end encryption: Significant social media intermediaries must enable tracing of the originator of information on their platform if required by a court of competent jurisdiction or a competent authority under Section 69A of the IT Act [Rule 4(2)]. While the Intermediaries Rules clarify that traceability order may only be passed for serious offences, some categories are open-ended. For instance, “public order” grounds are relatively broad in operation and can give rise to many demands. The Intermediaries Rules also clarify that in doing so, the significant social media intermediary shall not be required to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users. However, the Information Technology Decryption Rules contain powers to make demands for the message content. Used together, the government will break any type of end-to-end encryption to gain knowledge of who sent what message and also get to know its contents. Also, this specific requirement will break existing protocols for the deployment of end-to-end encryption that has been built through rigorous cybersecurity testing over the years!

9. AI automated censorship: Significant social media intermediaries are now also required to develop and deploy technology-based measures. These include automated tools or other mechanisms to proactively identify information that depicts any act or simulation in any form depicting rape, child sexual abuse or conduct [Rule 4(4)]. We have highlighted how even the best effort deployment of such filtering technologies (such as Photo DNA) can lead to function creeps. For instance, the Delhi Police has sought for it to be used at least once in a criminal investigations entirely unconnected to rape or child sexual conduct.

10. Penalty provisions: The 2011 Rules did not specify any consequences upon the intermediaries for failing to comply with the provisions of the Rules; the consequence was relatively direct -- they lost immunity! The Intermediaries Rules, 2021 expressly state a loss of immunity and indicate a level of severity of consequences, including potential criminal prosecution under provisions of the IT Act and the Indian Penal Code [Rule 7].

Digital News Media and Video Streaming Platforms

Arguably the most significant development in the Rules is the regulation of OTT platforms and digital news media when they use other intermediary sites/apps such as Twitter or Facebook and when they host news media content on their own website/app. It is worth mentioning that the 2011 Rules did not regulate Digital News Media and OTTs. Before going into the specifics, some comment on the larger framework and its legality.

1. Power to administer conferred upon MI&B: The Rules have been framed under the Information Technology Act, 2000, and as such, MeitY is the nodal ministry to administer these rules. However, as per the Intermediary Rules, Part III will be administered by the Ministry of Information and Broadcasting [Rule 8(1)].

2. Scope of regulation under the IT Act has been expanded: Digital news media and OTT platforms were not previously regulated under the provisions of the IT Act. This was changed with a notification under the Allocation of Business Rules. But this notification only confers administrative clarity on which ministry gets to administer the sector. It does not create the power to exercise it. For this, a clear parliamentary enactment is necessary. However, instead of going to parliament, the Intermediary Rules framed under the IT Act seek to expand the scope of regulation under the purview of the IT Act to include digital news media and OTT platforms. This amounts to the executive amending parliamentary legislation and is not permissible under the Constitution.

3. Excessive delegation of powers: The Rules suffer from an excessive delegation of powers. As an example, the Rules have established a non-judicial adjudicatory process to resolve grievances regarding content published by Digital News Media and OTTs. They have also created an adjudicatory body which is the “oversight committee”. This is even though the IT Act does not specifically empower the Government to do so. This non-judicial adjudicatory process has been discussed in detail below.

Apart from the above, the noteworthy aspects of this part have been discussed below.

1. A broad sweep. Not only large digital news websites: No threshold requirement of users or readership has been contemplated to differentiate between digital news media on the basis of size and scale, as has been done in Part II in the case of social media intermediaries and significant social media intermediaries. The Intermediaries Rules have been made applicable to all publishers of news and current affairs content, as long as they have a physical presence in India or conduct the systematic business activity of making their content available in India [Rule 8(1)]. Since ‘news and current affairs content‘ has been defined as “newly received or noteworthy content, including analysis, especially about recent events primarily of socio-political, economic or cultural nature, made available over the internet or computer networks” [Rule 2(m)], the Intermediaries Rules will arguably seek to regulate a large number of internet users that engage in producing similar content on a very small scale.

2. Regulation of foreign news media: While territorial presence is one of the requirements for digital news media to be regulated under the Intermediaries Rules, it is not a necessary condition [Rule 8(2)]. If a digital news media organisation makes its content available in India in a systematic and continued manner, the provisions of the Intermediaries Rules will apply to them. In the case of significant social media intermediaries, the Intermediaries Rules made it mandatory for them to establish a physical presence in India by appointing officers resident in India and providing an Indian address for correspondence; however, it is unclear how foreign news media organisations are sought to be regulated by Indian authorities.

3. Code of Ethics: Digital News Media and OTTs have to adhere to a Code of Ethics which has been laid down in the Appendix to the Rules. The criteria provided in the Code of Ethics are vague, overbroad and will have a chilling effect on the free speech of publishers, as well as the right to access information for consumers of content.

  • As applicable to Digital News Media: Digital News Media has to comply with Norms of Journalistic Conduct of the Press Council of India and Programme Code, and ensure that content which is prohibited under any law is not published or transmitted  (Paragraph I of Appendix)
  • As applicable to OTTs: This is important because OTTs have now been mandated to classify content based on the type of content as ‘U’, ‘U/A 7+’, ‘U/A 13+’, ‘U/A 16+’ and ‘A’ (Paragraph II(B) of Appendix). The OTTs have to ensure that the content which is classified as U/A13+ or higher has access control measure and content classified as A (restricted to adults) has a reliable age verification mechanism for viewership of such content, in addition to access control measures to restrict minors from accessing such content (Paragraph II(C) and II(D) of Appendix).  Apart from this, the Code of Ethics also mandates OTTs to take into consideration India’s multi-racial and multi-religious context and ‘exercise due caution and discretion’ while featuring activities, beliefs, practices, or views of any racial or religious groups. This is likely to have a chilling effect on speech as it provides formal validity to the concerns which have been raised by certain groups against artistic content.

4. Grievance Redressal Mechanism: To ensure observance of the Code of Ethics, the Intermediary Rules have introduced a three-tier mechanism. The Union Minister of Information and Broadcasting, at the press conference on February 25 2021, unveiling these Rules, touted the three tier mechanism as self-regulation by the publishers with minimal governmental interference. On a closer look, it is apparent that the Rules envisage much more than ‘minimal government interference’.

  • First Tier: At the first level, similar to the requirement for intermediaries under Rule 3, digital news media and OTT platforms must establish a grievance redressal mechanism and appoint a Grievance Officer, resident in India. The Grievance Officer is required to take a decision on every grievance received by it within 15 days.If the complainant does not receive a satisfactory response within 15 days, they may appeal to Level II, i.e. the self-regulating body. (Rules 10 and 11)
  • Second Tier: At the second level, the “self-regulating” body is to be an independent body constituted by publishers or their associations, and headed by a retired judge of the Supreme Court, a High Court, or an independent eminent person from  media, broadcasting, entertainment, child rights, human rights or other relevant fields. This body must be registered with the MI&B, and the MI&B will “satisfy itself” that the self-regulating body has been constituted properly. The self-regulating body is empowered to warn/censure/admonish/reprimand the publisher, require an apology, reclassify ratings, or even censor the content as it deems fit. If the publisher fails to comply with the directions of the self-regulating body, the matter may be referred to the Central Government at the third tier. (Rule 12)
  • Third Tier: Level III is the oversight mechanism for the self-regulation by digital news media and OTT platforms. The oversight mechanism is an “Inter-Departmental Committee”, consisting of representatives from the Ministry of Information and Broadcasting, Ministry of Women and Child Development, Ministry of Law and Justice, Ministry of Home Affairs, Ministry of Electronics and Information Technology, Ministry of External Affairs, Ministry of Defence, and such other Ministries and Organisations (Rule 14). The Chairman of the Inter-Departmental Committee will be a Joint Secretary of the MI&B [Rule 13(2)]. This Committee will hear complaints regarding decisions taken at Levels I and II, and is empowered to delete or modify content for preventing incitement to the commission of a cognisable offence relating to public order. [Rule 14(5)].

5. Encouraging self-censorship: While publishers are expected to self-regulate at the first tier, the provisions of the Rules are too onerous for self-regulation to effectively be complied with. Any person is empowered to make a complaint with the publisher, and the publisher must respond within 15 days, or risk censure. In terms of what this means for the regular internet-user, digital news media will have to edit their coverage to keep in mind the arbitrary manner in which overbroad restrictions are applied, particularly when the news is not favourable to the government. Further, OTT platforms, such as Netflix, Amazon Prime and Disney+Hotstar, will be forced to adhere to similar censorship norms as prevail in offline movies and television content.

6. Excessive governmental control over digital news and OTT content: While level II of the 3-tier mechanism is framed as the second layer of self-regulation, it is in fact the first layer of government control. The Chairman of the self-regulatory body is suggested to be a retired Judge of the High Court or Supreme Court, and even though the body is ostensibly expected to be appointed/elected by the media community, the MI&B retains approval power over the composition of the body.

7. Executive exercise of judicial powers: The oversight mechanism, consisting of the Inter-Departmental Committee comprises entirely of members of the executive, i.e. officers from various ministries, and is chaired by the Joint Secretary, Ministry Information and Broadcasting, who is in turn supervised by the Secretary, MI&B. This Inter-Departmental Committee is responsible for hearing complaints arising out of the three-tier grievance mechanism. In particular, when news or OTT content is sought to be deleted or modified, it is the Secretary, MI&B that is empowered to take such action, on recommendation from the Joint Secretary. So basically, an aggrieved person can escalate a complaint up to the government, or the Government can directly refer a complaint to this Inter-Departmental Committee.

8. Emergency blocking powers: The Intermediary Rules provide emergency powers to the MI&B in cases where “no delay is acceptable”. The Secretary may, if she/he is satisfied that it is necessary or expedient and justifiable issue directions for blocking of online content  to persons, publishers or intermediary in control of hosting such information, without giving them an opportunity of hearing. (Rule 16)

9. Range of punitive measures: The self-regulatory body of tier-II and the Inter-Departmental Committee of level-III have been provided wide-ranging punitive powers over digital news media and OTT platforms, including the power to empowered to warn/censure/admonish/reprimand the publisher, require a warning card or disclaimer, require an apology, reclassify ratings, or even censor the content as it deems fit and recommend action under Section 69A of the IT Act.

10. Registration with the government: While taking questions from the press at the press conference, Union Minister Prakash Javadekar admitted that the government was not aware of who are the digital news media and OTT platforms. To rectify this information gap, the Intermediary Rules require digital news media and OTT platforms to furnish details of their entity and their accounts on intermediaries to the MI&B (Rules 5 and 18).

We are of the view that the Intermediaries Rules have far-reaching consequences on online privacy, freedom of speech and expression, and access to information, in addition to the constitutional issues that the Rules suffer from. We invite you to use the comments feature to let us know your thoughts, views and any and all corrections.

  1. Information Technology (Guidelines For Intermediaries And Digital Media Ethics Code) Rules, 2021 (link).
  2. The Information Technology (Intermediaries guidelines) Rules, 2011 (link)
  3. Latest Draft Intermediary Rules: Fixing big tech, by breaking our digital rights? (link)
  4. Union Ministers Prakash Javadekar and Ravi Shankar Prasad address a press conference (link to YouTube video recording).

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!