COMPARATIVE GRID Response to the DIT regarding the Due Diligence of Intermediaries: |
||||||||||||
Due Diligence by Intermediaries (Regulations) | Confederation of Indian Industry (Comments) | Dr. Subho Ray, IAMAI | DSCI | MAIT | IAMAI | E2E Networks | USIBC | Yahoo! | APAR GUPTA | CIS | Final Rules Information Technology (Intermediaries Guidelines) 2011 | |
Clause 1 1. Short title and commencement.― (1) These rules may be called the Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011 |
No Suggestions | No Suggestions | No Suggestions | No Suggestions | Have suggested to removeing the phrase “Due Diligence of Intermediaries” from the title and renamed it as “Information Technology (Intermediaries Guidelines) Rules 2011 | No Suggestions | No Suggestions | No Suggestions | No Suggestions | Has sought clarification on the sort of due diligence which should be followed by an intermediary. Has sought the frame work and timelines for providing the actual notice and the intermediaries’ compliance. |
No Suggestions | Has renamed the title of the Rule to Information Technology (Intermediaries Guidelines) 2011. Has accepted Google's recommendation. |
Clause 2 Definitions.― In these rules, unless the context otherwise requires,--.. |
Has suggested intermediaries introducing “community guidelines”instead of the present provisions under the rules. |
No Suggestions | Has suggested that the terms Blog and Bloggers in 2(b) and (c) is very restrictive. New terminologies will evolve with new technology hence should be changed to “user”. It is also recommended to remove 2(b) and (c). Has suggested that 2(k) be updated to “User means any person who uses any computer resource for the purpose of sharing information, view or otherwise and includes other persons jointly participating in using such computer resource of an intermediary” |
No Suggestions | Have suggested that the terms ‘Blog’ and ‘Blogger’ from 2(b)(c) and (k) be removed as they are not technology neutral and might cause confusion. | 2(c) Has suggested in replacing the word “originates” instead of “keep”. The suggested amendment is: “Blogger means a person who originates and updates a record”. The word “originates” signifies a person creating a blog. The word “keep” maybe interpreted as an intermediary providing a platform for blogging. Or 2(c) Blogger means a person who or an entity on whose behalf keeps and updates a blog; Has suggested changing the term “Website” as a blog is not an entire website but a part of it. Has suggested including clause (dd) to define "Communication Link" as "Hyperlink" as the same is used in section 79 of the IT Act and (dd) for defining "Content" to mean "Information" or "Data" or a "Hyperlink" after 2 (d) to bring it in parity with section 79. Has suggested replacing the word “information” with “content” after the words “storage of” in sub rule 2(e) 2(e) Has also suggested replacing the words “data information” with “the same”. 2(k) Has suggested replacing the word “information” with “content” This is done in order to make it consistent with the intent of section 79 |
No Suggestions | No Suggestions | Has suggested in changing the definition of "Blog" as the definition seems to be copied from wikipedia. | 2(b), 2 (c) Has suggested to remove the terms “blog” and “blogger”. 2(k) Has suggested removing the term “user” as it is different from the term “originator” under Section 2(za) of the IT Act. They contain the same concept and the word “originator” should be used to reduce ambiguity. |
Rule 2 (b) ,c, (k): Has suggested the terms "Blog", "Blogger" and "User" are technologically non- neutral as it leaves out other internet users. | Draft Rules Sub Rule 2(b and c): Has removed the definitions of Blog and Blogger from the Definiton. Has accepted the recommenations of Apaar Gupta IAMAI, Google, CIS. Final Rules: 2(b) "Communication Link". Has introduced the defintion of Communication Link accepting IAMAI's recommendation Final Rules: 2(j) "User'. Has changed the definition of "User" accepting DSCI's recommendation. |
Sub Rule 3(1) The intermediary shall publish the terms and conditions of use of its website, user agreement, privacy policy etc.. |
No Suggestion | No Suggestions | No Suggestions | No Suggestions | Has suggested that the intermediaries should have their own terms of service and develop community guidelines. | No Suggestion | As per section 2(f) of the proposed rules an intermediary is defined under clause (w) of sub-section (1) of section (2) of the IT Act (Amendment) as"Hosting Providers" | No Suggestions | No Suggestions | Suggested amendment to the rule: “Terms and conditions, user agreements and other forms of legal agreements which provide an originator with notice as to the terms of the access” |
Has suggested that a standard set of rules cannot apply to all intermediaries equally. | Rule 3(1): Has changed the sub rule to "The intermediary shall publish the rules and regulations, privacy policy and user agreements for access or usage of the intermediary's computer resource by any person". |
3(2) The intermediary shall notify users of computer resource not to use, display, upload, modify, publish, transmit, update, share or store any information that : — a-j |
Has suggested that the intermediary should be able to enforce their own community guidelines on the users. This grants flexibility to the intermediaries to adopt their own standards and maintain information not in violation with any law in force. | Has suggested to omit points “a-d” and “f-i” of 3(2) and include them as an illustrative list as point “e” covers all existing penal codes. | Has suggested to rewrite 3(2) as “ The intermediary shall notify user of computer resources not to use, display, upload, modify, publish, transact, update, download, extract or store any information that…” Has also suggested to change the wordings of point 3(2) (j) to “ Threatens the unity, integrity, defense, security pr sovereignty of the India or friendly relations with foreign states or public order or causes incitement to the commission of any cognizable offence or prevents investigation of any offence” . This is to align the language to that in section 6 |
Have suggested that intermediary should not be held liable for third party content as they are mere conduits, hence provisions must be made accordingly. | Have suggested that the list provided in sub rule 3(2) is very prescriptive and should not be listed in a subordinate regulation. The sub rule should be redrafted as follows: “ The intermediaries shall notify the users of local domains of a computer resource not to use, display, upload, modify, publish, transmit, update, share or store any information that violates any law for the time being in force” |
Has suggested in replacing the word “information” with “content”. 2(a) Has suggested in adding the phrase “and to which the user does not have any right to” after “person” 2(b) Has suggested adding the phrase “ Is prohibited by the terms and conditions of use of the intermediary where such content” before “ is harmful” 2(g) Has suggested in adding the phrase “is prohibitive by the terms and conditions of use of the intermediary where such content” before “causes annoyance” Has suggested in replacing the word “Information” with “Content” |
Has sought clarification on each sub clause as it is determined that the Hosting Providers are not legally competent to determine whether they are infringing any term of this sub clause | Has expressed concerns over the language under 3(2)(b) being too broad. Has requested clarification on certain words being used in the sub rule: Harmful, Threatening, Abusive, Harassing, Blasphemous, Objectionable, Defamatory, Vulgar, Obscene, Libelous, Invasive of another's privacy, Hateful, Racially, Ethnically or otherwise objectionable, Causes annoyance.., Threatens unity, integrity... Requests definitions on all these words and phrases. | No Suggestions | 3(2)(a)(d): Has suggested that the clause does not match the scheme of Section 79. Has asked the sub rules to be deleted and a separate set of rules to be made under the Copywrite Act 1957 and Trademark Act 2002 to protect infringement of intellectual property. 3(2)(b)(g): Has suggested omitting these and make it as a reference in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (hereinafter the Blocking of Information Rules, 2009) |
Has suggested removing sub rule 3(2) except clause "e" from the rules as: 1. Granting intermediaries power to remove information would lead to stifiling of the constitutionaly guranteeted speech online. 2. It will be impratical to apply Indian rules on intermediaries based outside India. | Rule 3(2): Has changed the wordings of the rule to " Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, trasmit, update or share any information that-" partly agreeing to DSCI. Rule 3(2)(a): Has accpeted IAMAI's suggestion in toto. Rule 3(2)(b): Has added the word "grossly" after "is". Rule 3(2)(f): "Discloses sensitive personal information..." has been deleted from the final rules. Rule 3(2)(g): The sub rule has been deleted from the final rules. |
3(3) The intermediary shall not itself host or publish or edit or store any information or shall not initiate the transmission, select the receiver of… | Has suggested a need to establish an institutionalized system where complaints received by the intermediaries can be authenticated. |
Has suggested that sub rule 3(3) begin with “The following actions by an intermediary shall not amount to hosting…” | No Suggestions | Has suggested that the word “Itself” be substituting by “Knowingly” |
Has suggested that the current language of the sub rule violates the provisons in the IT Act and strips away 'safe harbour" protection. Has suggested the following amendment to the sub rule " for the purposes of Section 79(2)(b), an intermediary shall not be assumed to have selected or modified the information contained in the transmission if the activities in question constitute automated activities that do not involve any direct recurring human editorial control or discretion on the part of the intermediary" | Has suggested adding two clauses to the sub rule in order to clarify the nature of technology, role of intermediary and intermediary’s action thereafter. 3(a)The new provisio is to exclude liability of intermediaries for "Automatic, Intermediate, Temporary, Transient or Incidental Storage" 3(b) Removal of access as per 3(a) if such information comes to the knowledge of the person authorised by the intermediary as per the provisions of the Act | No Suggestions | No Suggestions | Has suggested inserting the word "Knowingly" between "Itself" and "Host" so as to connect with sub rule 4 | No Suggestions | Has suggested removing sub rule 3(3) from the draft rules as they are in violation of section 79 of the IT ACT. | Rule 3(3) Has changed the sub rule to include two more sub rules relating to 1) Intermediate and transient information. 2) Removal to access of data after such information comes to the knowledge of the intermediary accepting IAMAI's suggestion. Have also accepted MAIT's suggestion to subsitute the word "Itsef" with "Knowingly". |
3(4) The intermediary upon obtaining actual knowledge by itself or been brought to actual knowledge by an authority mandated under the law for the time being in force in writing or through email signed with electronic signature… | Has suggested to remove sub rule 3(4) as it is ultra vires of the IT Act section 79(3) | Has suggested to appoint a Designated Officer under 69(A) of the IT Act for communicating with the Intermediaries. |
Has asked to define the word “expeditiously” properly Suggested to remove the sentence “Further the intermediary shall inform the police about such information” from the sub rule is it creates unnecessary burden on the intermediary Suggested that the words “… is claimed to be infringing” be replaced by “.. is claimed to be in violation of sub rule (2) of Rule 3” |
Has removed the words “obtaining actual knowledge” from the sub rule and has sought that the sub rule be limited to what constitutes actual knowledge for the purposes of section 79 (3) (b). Have also suggested that the last sentence of sub rule pertains to section 67C. Have rephrased the sub rule accordingly “ An intermediary shall be taken to have actual knowledge if it receives written notice of the determination by a court of law or other legally empowered public authority of specific information, data or communication link residing in or connected to a computer resource controlled by the intermediary as being used to commit unlawful acts. This notice shall be provided in the form of a duly sworn legal notice or order under the law. |
Has suggested adding the words “and where applicable” after “act expeditiously”, “said authority” after “inform the” and “as the case may be” after “police”. Additions have been made in order to clarify the obligation of the intermediary to the authority. Has sought a definition on the term “Expeditiously” This sub rule is in violation of sub rule (2) as it puts the onus on the service provider. 90 days from what needs to be specified. |
No Suggestions | Has suggested changing the word "authority" to words closely implying rights - owners representative. Has also suggested that the sub rule should construe "implied knowledge" with "actual knowledge". Recommends the "maintenance of record for the rights - owners representative" Recommends to allow intermediaries to block websites infringing copywrite. | Has sought clarification for the term "Expeditiously" . Has suggested in replacing the word "Infringing" with "Contraventions of sub rule 2". Has also sought clarification on which police station should be informed? | Recommends to redraft rule with regards to concerns of infringement of freedom of speech and expression. | Has suggested to modify the sub rule from the draft rules as 1. This sub rule is ultra vires of the provisions provided in section 69 of the IT Act and the Constitution of India. 2. Has recommended that an intermediary is obliged to remove content from the website only when the order is backed by a court order, the direction is issued following the procedure prescribed by the ruled framed under section 69 (A) of the IT Act as the "User" is neither notifed nor udpated that the content posted has been removed. | Rule 3(4): Has change the sub rule to "The intermediary on whose computer system the information is stored or hosted or published, uopn obtaining actual knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes". thereby accepting the concerns of Google, IAMAI, Yahoo and USIBC | |
3(5) The Intermediary shall inform its users that in case of non-compliance with terms of use of the services and privacy policy provided by the Intermediary.. | No Suggestions | No Suggestions | Has suggested to add the phrase “ ..and remove non compliant content “ at the end of the sub rule. | No Suggestions | No Suggestions | No Suggestions | Has felt that the language of the sub rule is ambigious and requires futher clarification. Recommends to add words like website blocking, bandwidth throttling etc to the list of dettrent measures that the intermediaries are allowed to exercise. | No Suggestions | No Suggestion | Has suggested that sub rule 3(5) has no relation with intermediary laibility and non laibility under section 79(2) and rightfully is a part of section 43(A) | Rule 3(5): Has changed the sub rule and added MAIT's recommendation to the sub rule : " The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage lights of the users to the computer resource of Intermediary and remove non-compliant information.." | |
3(6) The intermediary shall follow provisions of the Act or any other laws for the time being in force. |
No Suggestions | No Suggestions | No Suggestions | Has suggested to insert the word “applicable” between the words “other laws”. | No Suggestions | No Suggestions | No Suggestions | No Suggestions | No Suggestions | No Suggestions | No Suggestions | Rule 3(6): No change to the sub rule. |
3(7) The intermediary shall not disclose sensitive personal information. | Has suggested to revoke this sub rule as it is covered under section 43(A) of the IT Act and within the ambit of Rule 3(6) | Has suggested to omit this section as it is covered well under section 69 | No Suggestions | No Suggestions | Suggested to delete this sub rule, already covered under 43(A). | Pertains to Sections 43A and 70B of the IT Act. | No Suggestions | No Suggestions | Has suggested that disclosure of information be allowed for legally valid reasons. | No Suggestions | Has suggested that sub rule 3(7) has no relation with intermediary laibility and non laibility under section 79(2) and rightfully is a part of section 43(A) | Rule 3(7) Has changed the sub rule to " When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance". Accepting Yahoo! 's recommendation on disclosure of information for legally valid reasons. |
3(8) Disclosure of information by intermediary to any third party shall require prior permission or consent from the provider of such information, who has…. | Has suggested to revoke this sub rule as it is covered under section 43(A) of the IT Act and within the ambit of Rule 3(6) | No Suggestions | No Suggestions | Suggested to delete this sub rule, already covered under 43(A). | Pertains to Sections 43A and 70B of the IT Act. | Hs suggested in deleting the word “prior” as implied consent may not be prior. Has suggested in replacing the words “such information” with “the same” Has suggested adding the phrase “except under sub rule (7)” after the words “third party”. |
No Suggestions | Recommends to delete the words " Disclosure of information by intermediary to any third party shall require prior permission or consent from the provider of such information"as it creates unncessary third party notification system, which will be a hindrance to business. Has also suggested to allow private parties to include liability and data protection provisions ij any legal contracts drawn. | No Suggestions | No Suggestions | Has suggested that sub rule 3(8) has no relation with intermediary laibility and non laibility under section 79(2) and rightfully is a part of section 43(A) | Rule 3(8): Has changed the sub rule and referred to the "Reasonable Security Practices and Procedures and Sensitive Personal Information Rules 2011". Thereby rejecting the recommendations of CIS, CII, MAIT, Google. "The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011." |
3(9) Intermediary shall provide information to government agencies who are lawfully authorized for investigative, protective, cyber security or intelligence activity. | Has suggested to revoke this sub rule as it is covered under section 43(A) of the IT Act and within the ambit of Rule 3(6) | Has suggested that 3(9) be a part of section 70 and not part of section 79 due diligence. | No Suggestions | Has been pointed out that the term “Intelligence Activity” has not been defined properly and hence should be deleted. Has been suggested that the word “Information” occurring two times in the sub rule should be substituted by “or any such assistance” |
Pertains to Sections 43A and 70B of the IT Act. | Has suggested removing the term “Intelligence Activity” from the sub rule as it can be a big risk to privacy of the individuals, hence should be replaced with “Lawful Purposes”. | No Suggestions | Has expressed concern that the language used in the sub rule does not include disclosure to duly appointed rights owners representatives. | Has Suggested removing the term "Intelligence Activity" as section 91 CrPc provides enough details. | Recommends removing sub rule 3(9), as it broader than the well defined set of rules provided in Section 69 of the IT Act. | Has recommended to delete sub rule 3(9) from the draft rules as it vilolates provisions provided in section 69 and 69B of the IT Act | Rule 3(9): DIT has revoked this sub rule accepting CIS, Apar Gupta and CII’s recommendation. Sub Rule 3(12) in the draft intermediary rules is sub rule 3(9) under the final intermediary rules. |
3(10) The information collected by the intermediary shall be used for the purpose for which it has been collected. | Has suggested to revoke this sub rule as it is covered under section 43(A) of the IT Act and within the ambit of Rule 3(6) | No Suggestions | No Suggestions | No Suggestions | Pertains to Sections 43A and 70B of the IT Act. | No Suggestions | No Suggestions | No Suggestions | No Suggestions | No Suggestions | Has suggested that sub rule 3(10) has no relation with intermediary laibility and non laibility under section 79(2) and rightfully is a part of section 43(A | Rule 3(10): The DIT has revoked this sub rule accepting CIS and CII’s recommendation. Sub rule 3(10) now includes the conditions under which an intermediary shall knowingly deploy or modify or install the technical configuration of a computer resource. Sub rule 3(10) was sub rule 3(13) of the draft intermediary rules. |
3(11) The intermediary shall take all measures to secure its computer resource and integrity of information received, stored, transmitted or hosted shall be ensured. | Has introduced the word “reasonable” after the word all. “The intermediary shall take all reasonable measures to secure its computer resource…” This was done to link it with the provisions of 43A of the IT Act. | Has suggested that the process of securing the computer process whether automated or physical should be clearly explained. Should have a redressal mechanism in place | Has suggested to modify the language of the sub-rule to “ The Intermediary shall take all measure to secure its computer resources and integrity of information received, stored, transmitted or hosted, shall be ensured as per the provisions of the act” | Seeking clarification on how the user would be compensated when an intruder files, modifies or manipulates user data. | No Suggestions | Has suggested in adding the word “reasonable” after “take all”. The word ‘reasonable’ has been added in order to indicate the extent of the activities carried out by the intermediaries. Has suggested to be brought in line with the rules of sensitive information. |
No Suggestions | No Suggestions | Has recommended that the government should list reasonable security policies and procedures that intermediaries should follow. | No Suggestions | No Suggestions | Rule 3(11): The new sub rule decribes the role of the Grevaince Officer. "The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint" |
3(12) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team. |
Sub rule 3(12) pertains to the subject matter of section 70A or 70B and not in the realm of section 79(2). Hence it should be deleted. | No Suggestions | No Suggestions | No Suggestions | Pertains to Sections 43A and 70B of the IT Act. | No Suggestions | No Suggestions | No Suggestions | No Suggestions | No Suggestions | Has suggested to delete sub rule 3(12) from the draft rules as the subject matter listed in the sub rule is under section 70 (B)(5)(3) of he IT Act. | Rule 3(12): Sub rule 3(12) of the draft intermediary rules is sub rule 3(9) under the final intermediary rules |
3(13) The intermediary shall not deploy or install or modify the technological measures or become party to any such act which may change or has the potential to exchange the normal course of operation of the computer resource than what it is supposed | Has suggested that the word “Technological Measures” be deleted from the sub rule as it does not appear anywhere in the Act. It is critical to use well defined words to afford clarity. | No Suggestions | No Suggestions | No Suggestions | Has sought clarification on the term “ technological measures” as the word does not appear anywhere in the IT Act and needs to be defined. | Has suggested reconsidering the sub rule as it is not in sync with the rules. | No Suggestions | No Suggestions | Has suggested removing this sub rule. | No Suggestions | No Suggestions | Rule 3(13): Sub rule 3(13)is sub rule 3(10) of the final intermediary rules. |
3(14) The intermediary shall publish on its website the designated agent to receive notification of claimed infringements. | Has sought clarification on the term “Designated Agent”. Have sought clarity whether the “Designated Agent” has the post of a listener or as a coordination office with law enforcement agencies. Has sought clarification on the term “ technological measures” as the word does not appear anywhere in the IT Act and needs to be defined. | No Suggestions | No Suggestions | Seeking clarification on whether the name of the “Designated Agent” should be mentioned on the website and if there needs to be a link of the “Designated Agent” on the website. Seeking clarification on the time frame within which acknowledgement/response has to be sent to the notifier. |
Has suggested that a complaint redressal system exist instead. Suggestion to amend the sub rule to: “The intermediaries shall publish or make available on its website a mechanism by which it can be notified regarding complaints against content, services or other matters pertaining to the computer resources made available by it" |
Has suggested to list clear rules with regard to infringements, nature of declaration and undertaking to be furnished by the parties, the rights and liabilities of the intermediaries and the parties at disputes claiming infringements, content involved etc. | No Suggestions | No Suggestions | Has sought clarification on the term "Designated Agent" and recommends removing the term "Infringements" | Has suggested re drafting the sub rule to include complete contact details of a person or an agent designated as the compliance officer for the purposes of the rule. Further suggests to maintain an online register of these compliance officers by the Ministry of Information and Technology | Has suggested deleting the sub rule and modifing the sub rule to publish on the intermediary's website a method of providing judicial notice. | Rule 3(14): The new sub rule decribes the role of the Grevaince Officer. "The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint" Accepting Google. MAIT, CII, Apar Gupta and Yahoo!'s recommendation. |