New IT rules likely to impact ease of business in India, says report

IAMAI study raises fears over mandates potentially creating entry barriers

A majority of intermediaries and other key stakeholders fear that the new IT rules drafted last year may create entry barriers affecting ease of doing business in India, said a report on Monday.

The report titled “IT Rules, 2021: A Regulatory Impact As­sessment Study” assessed mandates prescribed under the In­formation Technology (Inter­mediary Guidelines and Digital Media Ethics Codes) Rules, 2021. It was released by the Internet and Mobile Association of India (IAMAI) and The Dialogue, a public policy think tank.

The IAMAI said it is the first impact study on the rules; it found that the originator traceability provision was “technically infeasible” as implementing it on end-to-end encrypted platforms would break the encryption technology itself.

The report came days after the Ministry of Electronics and Information Technology (MEITY) held an open house discussion on the proposed changes to the IT rules and asked for inputs on proposed amendments by July 6.

The report, based on responses from 70 stakeholders, has recommended clear and implementable standard operating procedures (SOPs) with expert inputs for checks and balances on the access to data by law enforcement agencies.

The IT rules require significant social media intermediaries (SSMIs) to trace the first ori­ginator of a message. Instead, the law enforcement ecosystem needs to enhance its meta-data analysis capabilities, the report said.

The majority of stakeholders expressed a need for resetting the threshold for designating the SSMIs. According to the current norms, intermediaries having 5 million users are considered as SSMIs — the report observed that the figure is too minuscule for a country with a population of 1.3 billion.

Stakeholders including int­er­mediaries and legal experts raised concerns over the provisions related to content takedown and data retention. The intermediaries said the timelines for the content takedown and information assistance rules were creating burdens.

The singular timeline for the takedown of all grades of harmful content was an overwhelming and impacted investment, the report added. The study has recommended the creation of a risk-based content gradation mechanism to provide specific timelines for different grades of harmful content.

Several legal and technical experts highlighted the inconsistency of the data retention mandate. They have suggested a 90+90 days approach, where the intermediaries might store data for the original 90 days and would retain it after that only if needed.

Amar Patnaik, Member of Parliament (Rajya Sabha), said at the time of releasing the report: “Takedowns must be graded, and one cannot compare differing forms of harm and put them in the same (regulatory) basket.”

The study has recommended the removal of the personal liability mandate, saying it was legally infeasible and caused a compliance burden.

According to the study, the IT rules were intended to create a regime for tackling modern-day challenges such as proliferation of disinformation, child sexual abuse material, and seditious and terrorism-related content. However, it said, the legal and technical legitimacy and the viability of many of their provisions are problematic.

What Stakeholders Want

• Creation of gradation mechanism for removal of harmful content
• Reset threshold for SSMIs, as current level of 5 million could be burdensome
• Removal of originator traceability provision, as it was “infeasible” on encrypted platforms
• Clear SOPs for data access by law enforcement agencies
• 90+90 days approach for data retention, considering privacy concerns