Ever since the three-month deadline for social media companies to comply with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 ended on 25 May, there have been increased calls for them to abide by the IT regulations. Minister for Electronics and Information Technology, Ravi Shankar Prasad, has stressed on the need for significant social media intermediaries, platforms that have more than five million users, to appoint a Chief Compliance Officer in accordance with the new rules. While some entities such as Google, Facebook, WhatsApp and Koo have reportedly complied with this requirement, others such as Twitter have sought more time.
Under the IT Rules 2021, the Chief Compliance Officer (CCO) is meant to be a key managerial personnel or a senior employee of a significant social media intermediary who resides in India. She is responsible for ensuring that the company complies with the Information Technology Act 2000 and its rules. The CCO can also be held liable in “any proceedings” related to third-party content on the intermediary, if she fails to ensure due diligence on the latter’s part. The government has justified the need for a CCO by highlighting intermediaries’ lack of accountability due to their failure to introduce mechanisms at the national level to address issues faced by the victims of alleged abuse and misuse of their platforms.
However, the requirement for significant social media intermediaries to appoint a CCO must be viewed in light of the government’s efforts to evolve a stronger regulatory mechanism for such companies. In 2018, the Ministry of Electronics and Information Technology released the Information Technology [Draft Intermediaries Guidelines (Amendment) Rules] 2018, citing the misuse of social media. The draft 2018 rules proposed traceability and proactive monitoring of content, among other measures. After almost two years, the government passed the 2021 Rules without much public consultation, and went beyond the draft 2018 Rules by laying down the additional obligation of appointing a CCO.
Thus, while a CCO could be viewed as the government’s attempt to safeguard the interests of Indian users, the manner in which the 2021 Rules were notified raises fears that the compliance officer may be the primary target of enforcement actions. Intermediaries are apprehensive about the possibility of their CCOs being held criminally liable for any non-compliance. This has possibly contributed to the delay of some companies in complying with the rules.
Digital domain and flaws under IT rules
As some users have disseminated unlawful content at scale on social media platforms, governments worldwide have demanded greater accountability from these intermediaries. In May 2021, the UK released the Draft Online Safety Bill 2021, which pertains to the Office of Communications’ (OFCOM) regulation of certain internet services, including user-to-user services. It states that senior managers can be held criminally liable for certain offences. However, such liability is not universally applicable and is contingent on OFCOM imposing the requirement to identify such a senior manager. The scope of these offences is limited, and does not extend to content determination. The EU’s proposed Digital Services Act requires providers of intermediary services without a physical presence in the EU to designate a legal representative, who can be held liable for non-compliance with the regulation.
While apportioning personal liability is in line with globally accepted practices, its implementation under the new rules leaves much to be desired. To begin with, the rules provide no guidance on what constitutes the minimum standard of compliance that a platform must adhere to. Consequently, it is difficult to determine what amounts to non-compliance. For example, Rule 4(4) mandates significant social media intermediaries to ‘endeavour’ to deploy technology-based measures that will proactively filter problematic content. Let us consider that a social media platform deploys such measures but some problematic content slips through the cracks. In this case, will the CCO be liable for non-compliance? Or will the mere presence of technological measures establish compliance with Rule 4(4)? Further, exposing CCOs to such unqualified personal liability might have a chilling effect on free speech because they might pre-censor even legitimate content to avoid sanctions.
In an earlier explainer, we highlighted the difference between civil and criminal penalties under the law, demonstrating how the latter demand a higher burden of proof of wrongdoing. Due to the high volume of third-party content on social media platforms and the stringent timelines to act against content that violates the rules, CCOs may not always have the malicious intent associated with criminal liability. To ensure that they are not penalised disproportionately, there is a need to establish robust procedural safeguards. The rules state that significant social media intermediaries will be given an opportunity to be heard. However, a mere hearing will not be enough.
It is also important to keep in mind the ways in which the digital domain differs from traditional sectors. Generally, individual liability for non-compliance in other sectors arises due to the acts or omissions of the official concerned, or the entity itself. However, in the case of digital services provided by intermediaries, there is an element of third-party content that is generally absent from other sectors. Further, in traditional sectors with such liability, issues such as freedom of speech are unlikely to crop up.
The way ahead
The concept of fastening individual liability in the interest of better compliance is not new in India. The precedence of such an approach already exists under the Companies Act 2013, which defines ‘officer who is in default’ as whole-time director or key managerial personnel and imposes penal liability on such officers for certain contraventions. However, the implementation of the principle vis-a-vis social media intermediaries may require some fine tuning.
To ensure that the goal of accountability is balanced with principles of fairness and proportionality, a few measures can be considered. First, Standard Operating Procedure (SOPs) to the rules, which principles that will be used to determine whether a CCO must be proceeded against, can be issued. The SOPs could also explain (with illustrative examples) circumstances where a CCO will be held liable, and lay down possible defences available to her, in the interest of clarity and transparency. Since there is a possibility of criminal liability, criminal proceedings against the CCO must be the last resort. Further, the CCO must not be penalised for her genuine efforts to achieve compliance and due diligence, even if these prove unsuccessful. These steps can help in creating a compliance regime that is based on trust, rather than fear.
The authors work at Koan Advisory Group, a technology policy consulting firm. Views are personal.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector. Read all the articles here.