New Information Technology Rules 2021 and Right to Privacy


The new world moves in leaps and bounds. Nothing is certain and every day is a jumble of information. With the Covid-19 outbreak, the past year has been unprecedented for every human being. The pandemic halted the world, and everything came to a standstill. Nonetheless, as things started to resume, India woke up on 25th February 2021 to the enactment of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which imposed several surveillance mechanisms on social media and internet intermediaries. This caused widespread uproar, and the courts saw a major influx of cases filed against these rules. Several independent media houses, artists, advocates, humanitarians and even the United Nations Human Rights Commission (UNHRC) have voiced their concerns against the rules. The privacy of an individual on the world wide web is already compromised by the development of technologies beyond our comprehension. The data protection and personal information of every person are at peril. To counter this hazard, high-tech firms come up with privacy protection services, which in turn are an issue for the government in restraining criminal activities.

The meaning and ambit of the word privacy have evolved and developed since its inception. Where once it meant having private autonomy, now, while the essence remains the same, it has come to mean the exercise of control over one’s personal data. With the advent of technology and easy access to internet services, the need to be available to the world twenty-four seven has become a habit and in some cases a compulsion. The range of privacy has expanded and at the same time contracted. Where earlier privacy chiefly included personal space and physical boundaries, now it is confronted with the privacy of personal information. The advance of technology has robbed us all of privacy, and what we have left are mere notions of privacy. The New Information Technology Rules 2021 come at a time when the debate over the right to privacy is more heated than ever. They introduce new mechanisms and also infringe upon the already prevalent rules. In a generation for which living without the internet is not a real option anymore, the rules and regulations guarding our privacy are the only hope of safety. Just as there are rules protecting the privacy of the individual, there are also rules encroaching upon it, violating the fundamental right to privacy.

The onslaught of fake news and fabricated theories on the internet is relentless. To combat these rumors, social media platforms have mechanisms to report such content. The new rules will put a much more in-depth grievance redressal mechanism in place to tackle these, but on the flip side will leave the personal data of millions of users vulnerable. The new IT Rules 2021 aim to lessen the end-to-end encryption provided by digital media platforms, although this is not explicitly mentioned in the guidelines. The new guidelines have bifurcated digital social media into two parts, namely social media intermediaries and significant social media intermediaries. Significant social media intermediaries are defined as those digital platforms having more than fifty lakh users.

The second part of the guidelines also calls for due diligence to be followed by social media platforms towards their users. This includes informing the users about the privacy policies and the user agreement for accessing the computer resource. Rule 3 (1) (d) prohibits hosting, storing, and publishing anything which is against the law. The term “public order”[1] is cited as one of the reasons for something to be unlawful. This term has a very broad reach and can be interpreted as per the demands of a particular situation. Public order includes everything from unlawful assemblies to disputes related to immovable properties. The lack of a clear definition of public order within the domain of the internet and digital media platforms might lead to ambiguity in deciding what maintenance of public order requires. It is inevitable that this uncertainty will create upheaval in the grievance mechanism that is to be followed during a complaint.

The rules also provide for tracing the originator of a message. This will lead to the dissolution of the end-to-end encryption policy which safeguards the personal data of the users. End-to-end encryption is a form of coding where no one other than the recipient and the sender of the message or files can access the information, not even the platform hosting and enabling the chatting mechanism. Encryption is majorly of two kinds: encryption in transit and encryption at rest. Encryption in transit is used to secure information and data from network operators, Wi-Fi service providers, and other operators along the way. For example, if we connect to a particular web page and type something, it connects us to the various websites hosting data similar to our requirement; the web search engine then collects these and displays them to us, all the while storing some pockets of cache. If the whole process is not encrypted, there is a chance of middlemen tampering with the information. This risk has been reduced by the end-to-end encryption services provided by many social media platforms, whereby only the receiver and the sender have the decryption keys to the information. By introducing the traceability clause in the new guidelines, these intermediaries will have to weaken their encryption and consequently leave the data of millions at risk of predators.

Interestingly, a similar Bill was introduced in the United States of America in March 2020, named the “Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, 2020”[2]. This Bill was initially brought before the judiciary committee on 11th March 2020. Coincidentally, it has provisions similar to those of the New Information Technology Rules. Although the EARN IT Act of the US is generally focused on the welfare of child abuse victims and on locating child abusers, it still targets end-to-end encryption facilities for this purpose. Quite similarly, this law would empower the government of the US to demand private information about users from the tech companies. This struggle between the privacy of individuals on the internet and the elimination of end-to-end encryption has long been going on around the world. The Five Eyes Alliance, which includes the United States of America, New Zealand, Australia, Canada, and the United Kingdom (UK), is an intelligence alliance between these countries for the surveillance of the internet and the rooting out of any threat. Recipients of much criticism from civil liberty advocates and human rights activists, they had in a joint statement requested tech companies like Facebook to provide government authorities with the information in encrypted messages in order to annihilate threats to the security of the states and criminal conspiracies. However, these countries were quick to point out the importance of end-to-end encryption for the protection of “personal data”[3], “journalists, human rights activists, and other vulnerable communities”.

This is a pertinent human rights issue all over the world. Countries like China and Saudi Arabia have already eliminated end-to-end encryption. Human rights advocates, however, believe that such cancellation of encryption is done more for curbing dissent than for tracking serious criminals. Criminals generally find other methods to transmit information. The brunt of an encryption-less platform is borne by the law-abiding ordinary citizen. The privacy of citizens at large is at stake when end-to-end encryption is not there. The Five Eyes Alliance, through a virtual meeting in June 2020, is now looking forward to including India, South Korea, and Japan. So it can be well understood that there are larger stakes at play when the question of ending encryption arises. India and Japan have joined the Five Eyes Alliance in their demand for encryption backdoors from tech companies for “encrypted instant messaging applications, device encryption, custom encrypted applications, and encryption across integrated platforms”[4].

Following this new rule, WhatsApp, the prominent messaging platform, has filed a lawsuit before the Delhi High Court against the law to trace information. Although it can be contended that the new rules only require those who have transgressed to be detected, they would also jeopardize the data of millions of others. WhatsApp has also argued that giving away the names of the originators of messages would endanger the privacy of the users and violate their fundamental right to privacy. This new rule would mean the cessation of the privacy of the users. Another key factor is that end-to-end encryption is a crucial feature of this application. This enables the application to lessen the bandwidth requirement and makes it functional on any device due to its low data storage need. It has garnered a huge user base, and letting go of the encryption facility would eventually lead to it giving up a certain number of users. It is also pertinent to consider that WhatsApp is facing a similar lawsuit in the Supreme Court of Brazil, where it declines to forfeit the security of its users. Non-compliance with the Brazilian legislation will lead to WhatsApp paying fines after the data protection laws in Brazil are implemented in August 2021. The Brazilian National Congress is bringing out a new law which will demand that companies like WhatsApp trace the messages of their users. This would mean an end to the privacy of personal information, as the new legislation will compel the companies to give away the names of the users who sent a message and even of those who commented on it.

It is critical to discern that the question of the right to privacy of an individual has been brought before the esteemed courts time and again. Most prominently, in the case of Justice K.S Puttaswamy v. Union of India, the court upheld the right to privacy as an essential component of Part III of the Indian Constitution. This judgement subsequently overruled several other decisions, namely Kharak Singh v. State of UP and M.P Sharma v. Satish Chandra, and held that the right to privacy is protected by the constitution. However, there has always been a duel between the individual’s right to privacy and the need of the lawmakers to bring about new policies. Even if the policies are righteous, they still infringe upon the privacy of the citizens. It always comes down to how much privacy we are willing to give up. The right to privacy of an individual in this era of technology is constantly under threat.

The right to privacy has always been a tender topic for the world, with the United Nations framing policies and guidelines for the protection of privacy and its recognition as the basic right from which all other fundamental rights emanate. The right to privacy as a basic right garnered the world’s attention during the 2013 case of Edward Snowden, who brought to light the mass surveillance methods used by the American Intelligence Authorities which compromised the data of thousands of citizens. Since then, there have been a lot of discussions and debates around the privacy of an individual in the coming times. While countries like Iceland, Estonia, and Canada have been ranked as countries that have very little control over internet users and only monitored surveillance, others like Ethiopia, Cuba, and China have strict laws and huge control over the data of internet users. Such tight control over users’ data in these countries has made people dubious about the privacy one has on social platforms over the internet.

The right to privacy of an individual is a most prized possession in this time and era; to infringe upon it means to violate the person’s most basic human right. The right to privacy and the freedom of speech and expression are interdependent and are two sides of the same coin. People are generally not comfortable with having their private details read or monitored; personal lives are a matter of concern for everyone. What might be freedom of speech and expression for one could be counted as infringement of privacy for another.

The new rules also require social media intermediaries to remove content within thirty-six hours of receiving a court order or a notification from a Government Agency. In a country where the freedom of speech and expression is a fundamental right guaranteed under Article 19, this could become a tender spot. Freedom of speech and expression, which ensures an individual’s right to have their own opinions and convictions about a certain matter, has been a bone of contention many a time. Having a perspective of one’s own is what distinguishes us from each other. We are after all solitary creatures with highly developed brains, capable of having separate thoughts. To curb a person’s thought is to directly inhibit their humanness and undermine their intelligence. Admittedly not all thoughts and opinions result in benefit to humanity; some are a threat to it as well. But to distinguish one from another is a demanding task, ergo the need for a well-defined judicial system. The courts of the country have persistently upheld the importance of speech and expression in several judgements, explicitly stating that democracy stands on the pillars of free conversation and criticism. Hence came the petition filed by TM Krishna, a Carnatic musician and Ramon Magsaysay award winner, against the violation of his freedom of speech and expression by the imposition of the new rules. In his petition he states the thirty-six hour time limit to be incongruous with Sec 69A of the IT Act 2000 and the IT Blocking Rules 2009. These laws already contain detailed provisions for removing or blocking online content. Accordingly, these new rules might lead to hampering the freedom of speech and expression.
Through this petition, it has been contended that the Supreme Court had struck down Section 66A and stated it to be vague, arbitrary, and violative of Article 19(1)(a); similarly, these rules should also be curbed as being violative of the freedom of speech and expression of an individual. Subsequently, the past months have seen an influx of petitions and pleas being filed by various independent media houses and newspapers. The rules have been challenged before the Delhi High Court by the Foundation for Independent Journalism. The main area of conflict that has arisen is the fact that these rules seek to censor digital media when the main IT Act 2000 does not entail the same. In the case of Romesh Thapar v. State of Madras, Patanjali Shastri J said that a freedom of such vast magnitude might involve some risks but was of the same opinion as that of James Madison, chief author of the Bill of Rights in America, “that it is better to have a few noxious branches than to cut away the proper fruits”[5]. The authenticity of this statement is reflected in the current scenario, where the rules unreservedly violate more than one fundamental right of the citizens. Opinions and beliefs are personal to every individual; they form the basis of every democracy.

Under Section 3(1)(j), intermediaries are supposed to provide information and assistance to the authorized Governmental agency within seventy-two hours of receiving such orders. This is a very broad provision and does not specify what it entails under information and assistance. Where it aims to root out unlawful activities, it could also be potentially violative of the fundamental right to privacy, that is, Article 21 of the Constitution. Under the grievance redressal mechanism laid down, there is a three-tier system for addressing the issues of a complainant. Firstly, there is the Self-Regulating Mechanism, whereby the publishers of the intermediary need to appoint a grievance redressal officer based in India, take decisions on the grievances received within fifteen days, and inform the complainant about the same. At the next level, there could be one or more independent self-regulating bodies comprising publishers and their associations. Such a body would be headed by a retired Supreme Court Judge or an eminent person from society, and needs to register itself with the Ministry of Electronics and Information Technology. Then, at the third level, there is the Oversight Mechanism. Through this the Ministry will coordinate adherence of the publishers and self-regulating bodies to the Code of Ethics.

Chiefly, it has laid down a grievance redressal mechanism under Sections 10 and 11. The complaint of the aggrieved must be acknowledged within twenty-four hours and the decision on the grievance must be provided within fifteen days. This mechanism is definitely straightforward, and the anguished individual has a better and swifter chance at justice. Yet it is certain that at least some portion of such complaints will be contrived and formulated. Anyone anywhere can lodge a complaint against anything that does not conform to their beliefs. The ambit of grievance is not defined, so there is always a chance of disorderly conduct by miscreants. Moreover, for many independent publishing platforms it is cumbersome to maintain such grievance redressal mechanisms at their own cost. It is difficult for these small-scale publishing houses to stay afloat; to include another department for grievances will put a dent in their already dwindling assets.

Section 14 of the Rules sets up an Interdepartmental Committee, which comprises members from “Ministry of Information and Broadcasting, Ministry of Women and Child Development, Ministry of Law and Justice, Ministry of Home Affairs, Ministry of Electronics and Information Technology, Ministry of External Affairs, Ministry of Defense and other such Ministries and Domains, including Domain experts can be included in the Committee”[6]. These members would then address the issues arising due to non-compliance with the rules. Essentially these are the functions of the judicial system of the country, and other committees are generally not designated such tasks. With the dawn of the new era changes are unavoidable, but where the Ministries are already burdened with their respective responsibilities, to further increase their work might stall their purpose. The Committee is allowed to recommend censuring of content to the Ministry if it is contrary to the rules.

The Ministry is also empowered to appoint an “Authorized Officer”[7], who must not be below the rank of Joint Secretary to the Government of India, to issue orders under Rules 15 and 16. This officer will be entitled to issue directions for “deleting, modifying or blocking”[8] content which is deemed to be against the rules. This is very similar to Section 69A of the Information Technology Act 2000, which is concerned with cyber-crime in India. To bring about similar rules when there is already one present is unnecessary. The new rules may be simpler and easier than the existing ones, but it is smoother to modify the previous rules than to go through the whole process of creating and editing, which eventually becomes a cumbersome process. Where Section 69A includes all the prerequisites and identical provisions of the new rules, the new rules will only work to complicate the redressal systems. Rule 16 of the new guidelines allows the blocking of content in cases of emergency, if the content in question falls within the sweep of anything mentioned in sub-section 1 of section 69A of the Information Technology Act 2000. This is completely arbitrary. The online content being monitored, and every step of the users being followed, will open up new threats to privacy.

These new rules pose a new point of debate: while they will allow users to report content which they find disturbing, they will also take over the privacy of individuals by locating the originator of the information, which means removing the end-to-end encryption facilities of the social media intermediaries. There is bound to be a clash of different opinions and perspectives in a widely diverse society. Not every person who reports will be truly troubled by the published content; some will merely have a different viewpoint than the curator of the content. The dilemma over handing over the privacy of the users of internet services has always been a point of conflict for both the tech firms and the users. Although the government seeks to contain criminal activities and threats to national security through open access to information about individuals, and staunchly asserts that only information of paramount importance is to be accessed, it is still a human rights error to open up the personal information of millions of users.

There is a very thin line of ethics between privacy and security, which at times is laborious to maintain. Privacy has always remained an integral part of the liberty of the citizens of the nation. Privacy, albeit not explicitly mentioned in the constitution, has time and again been upheld by the courts of justice of the country to be an implied and fundamental right. The privacy of every individual is dependent on laws to guard it. Yet there are also laws which breach privacy. This is a chaos and enigma that does not at present have a viable solution. The status of every person around the world, in a complex web of an increasingly partisan and technological atmosphere, is glaringly obvious. The moral and ethical demands of the current scenario are urgent, or else individual privacy stands at the menace of being proclaimed an allegory.

[1] Information Technology (Intermediary Guidelines and Digital Media Ethics Code), 2021.

[2] Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT), 2020, s. 1.

[3] Walking the Tight-rope in the Crusade Against End-to-End Encryption, India, available at: Statecraft | Walking the Tightrope in the Crusade Against End-to-End Encryption (last visited on June 18, 2021).

[4] India joins Five Eyes, Japan in demanding backdoor into WhatsApp end-to-end encrypted chats, India, available at: India joins Five Eyes, Japan in demanding backdoor into WhatsApp end-to-end encrypted chats – Technology News (last visited on June 18, 2021).

[5] The First Amendment Encyclopaedia, available at: James Madison | The First Amendment Encyclopedia (last visited on June 18, 2021).

[6] Information Technology Rules 2021, India, available at: 250221 IR and DMEC Rules_Ver 1.12_25.02.2021_Clean version (last visited on June 18, 2021).

[7] The Information Technology Act, 2021.

[8] Ibid.

Author: Madhuparna Sarkar, IFIM Law School, Bengaluru

Editor: Kanishka Vaish, Senior Editor, LexLife India.
