IT Rules 2021: Promise of Privacy or Unbridled Authority?

The pandemic looming out of unpreparedness steered our lives sharply through the paths of online content and digital media. Personal messages hold great expectations of being in the private sphere of oneself but “misinformation” while collaborating with the vast reach of social media platforms, becomes one of the potential bearers of danger and in some cases, practically so. The attempt to address this has been evident with the implementation of the IT Act 2000 and various allied acts. Recently, we also saw a surge in online web series and digital media views. So, with yet another attempt by the government in the form of IT Rules 2021, would the ambit of OTT platforms be questioned? Would the encryption promised by the messaging apps remain unbreachable or would privacy take a toll? Would a clamp on cybercrimes require privacy to be compromised? These are the questions that this article will endeavour to find out. Cyberspace has always been a grey area of legal jurisdiction because of its nebulous peripheries and for being a recent phenomenon. This wouldn’t have been such a hassle but this is also the place where starting from connecting people to entertaining them and making their careers even have turned out to be the “all-doer” and on such tricky waters the line between good and bad stands blurred.

Why was it passed?

Amidst the backdrop of intense commotion in the form of communal riots ignited by radical views and messages floating on social media, callings for a ban on certain content or profiles on “hurting people’s sentiments” and the subsequent opposing cry for safeguarding the freedom of speech and expression, these rules were introduced. Governments must update their regulatory framework to address new issues given the complexity of the issue, the significance of SMIs in shaping the public discussion, the impact of their administration on the freedom of speech and expression, the volumes of data they house, and the ongoing technological advancements that affect it. The IT Rules were introduced in India in 2021 to replace the country’s ten-year-old SMI legislation and were largely intended to impose requirements on SMIs (Social Media Intermediaries) to maintain an open, safe, and trusted internet. The words from the government convey that these rules “empower the ordinary users of social media” and their engagement had become necessary due to widespread concerns about issues relating to increased abuse of social media and digital platforms.

“The victims of misuse on social media platforms should have a place for redressal of their issues,” the IT Minister stated.[1]

By the Allocation of Business (AoB) Rules, 1961, the Ministry of Electronics and Information Technology (hereinafter referred to as “MeitY”) was given responsibility for overseeing matters about cyber laws as well as the administration of the Information Technology Act, 2000 (IT Act), and other IT-related regulations. (This also covers the oversight of the internet, a more recent type of electronic media.) On the other hand, the Ministry of Information and Broadcasting has consistently overseen conventional media, such as print, radio, and television (I&B Ministry).[2]

Although the I&B Ministry has previously sought to control both online curated content (OCC) and digital news material, the Ministry formally authorized the creation of a committee in 2018 to create guidelines for the oversight of digital news portals and websites. Additionally, the I&B Ministry’s submission for registration of the Press and Periodical Bill 2019, which contains measures for the management of “news on digital media,” was authorised.

In addition, the I&B Ministry suggested introducing digital content like OCC in July 2020. The President happened to later change the AoB rules to bring “Digital/Online Media” under the Information and Broadcasting Ministry. This includes “Films and Audio-Visual Programs Granted Access by Digital Content Providers” and “News and Current Affairs Information on Online Platforms.”

What Do the IT Rules Say?

  • The Ministry of Electronics and Information Technology of the government enacted the IT Rules, which came into force on February 25, 2021. These regulations updated the outdated IT RULES OF 2011 in a ground-breaking way by broadening its purview

to incorporate OTT platforms and online news providers. The ability of the foregoing platforms to govern and present their material was decreased due to the new legislation’s expansion of the intermediate supervision mechanism’s jurisdiction. Sections 87(1), 87(2)(z), and Section 87(2) of its parent Act, the IT ACT 2000, have brought about the implementation of certain rules.

  • A code of ethics would also need to be taken into consideration by the OTT platforms, digital media companies, and online news organisations. OTT platforms will be referred to under the proposed rules as “publishers of online curated content.” Parental locks would have to be put in place for users who are 13 or older, and the material is automatically divided into five categories based on age. Content designated as “Adult” requires age verification processes.
  •  An intermediary must routinely notify its users—at least once a year—that failure to adhere to the conditions and terms, privacy statement, or user agreement for access to or use of the intermediary’s computer system or network may result in the immediate revocation of the consumers’ connectivity or exercisable, the removal of non-conforming data, or both, as acceptable. However, the intermediary may also block access to such data after 36 hours of obtaining a court order or contact from the relevant government authorities if any such content that contravenes the guidelines is kept, stored, or published.
  • The intermediary shall, as soon as practicable but afore 72 hours following the reception of an order, dispense relevant data in the ambit of its regulatory oversight or possession, or aid to the Government entity that has been legally permitted for investigatory or preventative or cyber exercises, to ascertain a person’s identity, or for the avoidance, acknowledgment, investigation, or prosecution of contraventions of any law as it stands in effect, or for cyber security.
  •  It proposes a three-tiered grievance resolution process while claiming to engage a Chief Compliance Officer who will be in charge for guaranteeing conformity with the Act and its rules and be held accountable in any legal proceedings involving any appropriate third-party information, communication or data link readily accessible or hosted by that. This suggests that no culpability under the Act or its rules may be positioned on such significant social media sites without being heard. To verify that the instructions or requisitions issued by law enforcement agencies and personnel by the provisions of the law or rules formed thereunder were obeyed, a Nodal Contact Person would be on the second level and a Resident Grievance Officer at a higher level would be in charge of publishing a periodic compliance report each month with information on complaints received, responses provided to them, the number of specific communication links or explanatory parts that the intermediary had removed or restricted access to as a result of close monitoring conducted using automated systems, as well as any other pertinent information that may be stipulated
  •  A significant social media intermediary that facilitates avenues primarily in the form of messaging is required by the “Information Technology (Procedure and Safeguards for the interception, monitoring, and decryption of information) Rules, 2009” to make it possible to identify the first author of the data in question on its software as may be deemed necessary by a court’s judicial order with jurisdiction or an order issued under Section 69 by the Competent Authority. No order may be made for anything other than protecting “India’s sovereignty and integrity, the security of the State, friendly relations with other countries, public order, or the protection, detection, examination, trial, or punishment of crimes involving rape, sexually explicit material, or child sexual abuse that are punishable by a term of imprisonment of at least 5 years”. Keeping certain information from the source of electronic communication private has been discussed. Additionally, if the first originator of any information on an intermediary’s computer resource is situated outside of Indian territory, the first originator of such information under this clause must be regarded to be located inside India.


When read together, Sections 79(2) and 89(2)(zg) make it obvious that the Central Government’s authority is restricted to prescribing rules about the due diligence that intermediaries must use when carrying out their obligations under the IT Act. The set of requirements included by the 2021 guidelines expanded the range of standards the intermediary must follow. The report from the Committee on Subordinate Legislation dated May 17, 2005, states that “Regulation under such delegated authority is supplementary and cannot, simply by its nature, modify or adjust the parent legislation or set in place clauses corresponding to implied terms,” does appear to be at loggerhead with this.[3] There are cases where subordinate legislation that tried to establish new laws on its own or attempted to repeal or change sections of the fundamental law has been declared to be “ultra vires.”

A judicial order or a governmental order (under Section 69 of the IT Act) requiring a prominent social media intermediary to make it possible to determine the source of the content on their website is an example of this. The only way the message provider could meet this requirement would be to implement an upgradation of technology in their platform that would inhibit end-to-end encryption or provide ancillary metadata to every discussion that would undermine the security and privacy protections that E2E encryption gives. As mentioned earlier, the executive has its role limited to having subsidiary legislation enacted to carry out regulations that are in conformity with the parent act and the declared legislative policy of the central government.[4]

 There is no indication in Section 79 of the IT Act that the legislators intended to give the government the power to compel service providers to change their technical architecture or to jeopardize customer privacy. Despite the development and specification of new intermediary categories in the 2021 Intermediary Guidelines, such as Social Media Intermediaries and Significant Social Media Intermediaries, The IT Act does not mandate that intermediaries be categorized. Significant social media intermediaries are now held to a higher degree of behavior as well as a new set of rules. The IT Act does not support the new set of requirements imposed on social media intermediaries since it does not distinguish between various intermediary kinds. The alterations made by the regulation, in the opinion of experts at the Ministry of Law and Justice, were beyond the scope of the current IT Act, according to papers obtained under the Right to Information Act.

If the content “disturbs the preservation of public order,” the publisher must exercise reasonable prudence, per Chapter 6 Part II(A)(iv) of the act. The phrase “maintenance of public order” has, however, frequently been misused and leaves the content totally up to the interpretation of the government, which is not in favor of the development of wholesome material.[5]

An SMI is now believed to be an SSMI if it has 50 lacs, or 5 million, users which are registered in India. Contrarily, we draw attention to the fact that the government’s warning of this impact is inadequate in terms of how this user threshold would be determined, and whether the user count would be determined based on an active user base or an average number accumulated over time. Thus, there is currently uncertainty around the legal basis for setting user criteria for SSMIs operating in India.[6]

Every piece of content that has been generated by a news publisher, an OCC publisher, or an intermediary is referred to as “Digital Media” by Rule 2(1)(i). This definition also covers news producers, current affairs material publishers, and content that has been altered by intermediaries. With this strategy, the use of general language covers almost every online content a user could have while working with digital objects. According to this viewpoint, the residual clause may apply to “news feeds” maintained by social media websites like Twitter and Facebook.[7]

Along with stand-up comedy, Instagram reels, social commentary videos, the in-depth personal analysis provided via tweets, and private messaging apps like WhatsApp, Telegram, and Signal occasionally (particularly when it comes to messages that become viral), this could also be included.

Intermediaries are required under Rule 3(1)(b) to warn users against posting anything that is, among other things, “racially, ethnically, or otherwise objectionable,” “related to or supporting money laundering or gambling,” “libelous,” “obscene,” or “insulting or harassing based on gender.” These are general words that are not connected with any particular crimes listed in the Indian Penal Code (IPC) or under allied laws. Many of these defences are based not on the stands of the constitution and aren’t found on legal conditions but rather on arbitrary measures of human sensitivity. The Supreme Court emphasized that phrases with too much vagueness might lead to excessive censorship and scare individuals in its ruling in Shreya Singhal v. UOI.

The Secretary of the Ministry of I&B has the authority to ban content in “emergency” situations when “no delay is acceptable,” therefore the subjective nature of the scenario will make it unclear as to how long the delay will last and if it will be acceptable.[8]

Way Forward

A distinguishing principle of identification is based on what experts say, “the hash value of the unencrypted message, where equivalent messages will contribute in a common hash (message digest) regardless of the encryption used by a messaging platform”. This was also brought to light by the concerned ministry when “the first originator” clause was looked into suspicion. The mathematical technique known as hashing allows every piece of data to be transformed into a brief, distinctive string of letters (a sort of “fingerprint”). The relevant SSMI is responsible for determining how such a hash will be generated or stored, and it is up to that SSMI to come up with various technical methods to enforce this restriction. Even though it’s a one-way process, it is widely thought to be computationally unfeasible to retrieve the actual text from its hash.[9]

Additionally, since hashing differs from encryption, maintaining hashes of confidential conversations exposes them to examination by messaging service providers or malevolent actors with access to the service providers’ infrastructure. Additionally, this method is straightforward to use. The end-user device can only view the “hash” of a message and not what it contains, thus the service provider has no way of knowing if it is giving the correct hash. Although the provider advises against self-categorizing material based on audience age, adding parental lock and age verification procedures is an excellent approach to put up a protective barrier and make it accessible to the right audience.

The question of whether content “harming the sovereignty and integrity of the nation” is combined for unlawful purposes has been raised in light of recent and ongoing controversies regarding some OTT and cinematic content being branded “anti-national,” “hurting religious sentiments,” and “libelous,” and actions being taken against them without proper investigation. The Leaflet, The Hindu, Whatsapp, The Quint, and several other intermediaries filed petitions in the SC addressing the aforementioned claims in light of the application of these guidelines. The MeitY calls on intermediaries to preserve “rights provided to users under the Constitution of India” in a new clause that is likely in reaction to the suggested modifications to the IT Rules 2021.

The MeitY asserts that the creation of a new Grievance Appellate Committee will provide people another way to challenge decisions made by mediators and grievance officers. Additionally, this committee will have the authority to overturn any judgment rendered by intermediaries or grievance officers, including the barring or deletion of any user or a user account on social networking sites.

Last but not least, it has suggested a modification to the grievance redressal process, requiring intermediaries to respond to complaints about material removal from platforms within 72 hours. For other complaints, the current 15-day window will remain in effect. Though such changes have been made, it is only through the establishment of robust data protection laws, strengthening individual privacy, and maintaining safeguards against the spread of misinformation would a satisfactory change transpire where the intention would not be deviant of the sacrosanct intention of creating a safe cyberspace.

[1]“MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY, IT(Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY NOTIFICATION (2021), (last visited Dec 11, 2022).”

[2] “Centre for Internet and Society, On The Legality And Constitutionality Of The Information Technology (Intermediary Guidelines And Digital Media Ethics Code) Rules, 2021, Medianama (2021), (last visited Dec 10, 2022).”


[4] “Aman Abhishek, The State Deputizing Citizens to Discipline Digital News Media: The Case of the IT Rules 2021 in India, Taylor and Francis 1 (2022).”

[5] “Anandini Saha, Construction of Hierarchies: A Critical Analysis of the Information Technology Rules, 2021, 5 iplr 282 (2021).”

[6] “PIB Delhi, Amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, Ministry of Electronics & IT Press Release (2022),

 (last visited Dec 11, 2022).”

[7] “Omir Kumar, Explained: Draft amendments to the IT Rules 2021, PRS Blog (2022), (last visited Dec 14, 2022).”

[8] “Aihik Sur, Explained: Why government has proposed amendments to the IT Rules 2021, Money Control (2022), (last visited Dec 12, 2022).”

[9] “The Hindu, Information Technology Rules, 2021(Update), Drishti IAS (2022), (last visited Dec 14, 2022).”

Author: Zoya Farah Hussain

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s