The New IT Rules, 2021 and the Threat to Right to Privacy

This article is written by Aviral & Aditya Tiwary, students of ICFAI University, Dehradun.


The Digital India program has empowered the citizens of the country with technology and the internet. Subsequently, this has enabled many social media platforms to connect people across the country. This has also aided the social media platforms to gain innumerable users. According to the data released by the Ministry of Information and Technology (MeitY), the user base of major social media platforms stands as:

  • WhatsApp users: 53 Crore
  • Facebook users: 41 Crore
  • Instagram users: 21 Crore
  • Twitter users: 1.75 Crore

The proliferation of social media platforms, on the one hand, allows numerous benefits to the people while, on the other hand, gives rise to serious concerns relating to the abuse of these platforms. In 2018, it was observed by the Supreme Court that the Indian Government might frame necessary guidelines to eradicate child pornography, rape and gang rape images, videos from such sites, platforms and other applications. In 2020, an Ad-hoc committee of the Rajya Sabha submitted its report on social media pornography and its effects on children and society as a whole. The report recommended tracing the originator of such messages. The Ministry of Information and Technology, on February 26, 2021, introduced the new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The new rules replace the earlier Information Technology (Intermediary Guidelines) Rules, 2011. It requires significant social media intermediaries, i.e., social media platforms having more than 50- lakh-user base, to comply with a host of new rules. Under these latest rules, the intermediaries are required to appoint a grievance officer, a chief compliance officer, and a nodal contact person who must be residents of India. They are also required to publish a monthly compliance report of actions taken regarding grievances received by the officers. Furthermore, these intermediaries need to have a physical contact point in India mandatorily published on their website.

The Breach of End-to-End Encryption and Privacy 

These new rules will assist the users in having a safe online environment. However, the stumbling block of these new rules is the drastic inroads into the fundamental right to privacy. The new rules require the breach of end-to-end encryption for compliance in some instances. End-to-end encryption means that only the sender and receiver can access the messages, images, documents, and calls being exchanged between them. A third person cannot access the conversation. These messaging platforms store minimal user data to facilitate the messaging services.  The right to privacy was upheld to be a fundamental right protected under Articles 14, 19, and 21 of the Constitution of India in the case of Justice K.S. Puttaswamy (Retd.) vs Union of India. In 2017, the nine-judge bench of the Supreme Court of India unanimously gave a judgment that citizens of India have a fundamental right to privacy even though it is not expressly mentioned. It should be interpreted from the text and the thought process under which the constitution-makers would have drafted the constitution for the country. The loopholes in the new IT rules, 2021 (mis), using which the fundamental right to privacy can be potentially breached, are as follows.   

  1. Identification of the first originator- 

The new IT Rules, 2021 have, under sub-rule (2) of Rule 4, made it mandatory for a significant social media intermediary providing messaging services such as WhatsApp, Signal, Telegram and others to enable the identification of the first originator of a message flagged by either court of law or an authorised government agency. These platforms use end-to-end encryption for protecting the user’s privacy. The rules require WhatsApp to unmask only such people who are credibly accused of wrongdoing. The company says it cannot do that alone in practice as messages are end-to-end encrypted. They further state that they would have to break encryption for receivers as well as originators of messages. While challenging the new IT rules, a WhatsApp spokesperson said that requiring messaging apps to trace chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermine people’s right to privacy”. Identifying the first originator will consequently mean accessing all users’ messages and the consequential breach of the end-to-end encryption. This is a grave threat to the right of privacy of the users on such platforms. BN Srikrishna, retired Judge of the Supreme Court in The Economic Times, stated that requirements such as traceability could open up unregulated access to people’s private messages, if implemented without necessary safeguards. The circumstances under which the information regarding the first originator will be asked have not been mentioned. This expands the scope of misuse. The matter of tracing the first originator gets even more complicated if the originator is outside India. In such a case, the first originator of that information within the territory of India shall be deemed to be the first originator of the information. Without preventive measures like a feasible data privacy policy, tracing the first originator of a message will lead to encroachment of the fundamental right to privacy.

2. Claiming Intermediary Safe Harbor-

Under sub-section (1) of Section 79 of the IT Act, 2001, an intermediary will not be liable for third party content that they carry.  Further sub-section (2) mentions that the protection given under sub-section (1) will apply only if the intermediaries observe due diligence while discharging duties and follow necessary guidelines laid down by the government.  This points towards the need to disclose the information asked by the government. The obligation to provide immunity to intermediaries from actions of third parties came into focus following a case in 2004. In November 2004, an IIT student uploaded obscene video footage for sale on, an auction website.
Along with the student, Avnish Bajaj, the then CEO of the website, was also arrested by the Crime Branch of Delhi Police. In 2005, the Delhi High Court held him liable under section 85 of the IT act. However, in 2012 this decision was overturned by the Supreme Court. Making it compulsory for the intermediaries to disclose the first originator by breaking down the end-to-end encryption is disparaging the intermediary safe harbour while also influencing the fundamental right to privacy.

Questions and concerns of the People

Centre for Internet and Society has raised concerns with the draft rules and has asked for total deletion of Draft Rules 4(2), 4(4), 4(5), and 4(9). Senior policy officer at the Centre for Internet and Society, Gurshabad Grover, said, “There are some parts of the rules which may infringe on user privacy and go against the data minimisation principle of the data protection law”. Divij Joshi, a Tech Policy member at Mozilla, also recommends that draft Rule 4(5) be deleted, stating that the “requirement to identify and remove access to all ‘unlawful content proactively’ is vague and overbroad.”  In a joint letter written by a group of experts from the realms of research, academia, and media, including Faisal Farooqui, Karma Paljor, Nikhil Pahwa, Shamnad Basheer and professors from IIM Bangalore and IIT Bombay, Free Software Foundation Tamil Nadu, Free Software Movement of India, Free Software Movement Karnataka and Software Freedom Law Centre, India, to MeitY, the various issues that the rules could cause, such as the traceability requirements interfering with the privacy rights of citizens, were pointed out. The 2021 Rules have been challenged in three high courts across the country. The first one was brought to the Delhi High Court in March this year by the Foundation for Independent Journalism, a non-profit organisation running the news portal, The Wire. The Delhi High Court issued notice on this petition on the 9th of March. The next day, the Kerala High Court issued notice on another petition filed by the legal news portal Livelaw challenging the concerned rules. The court has also restrained the Centre from taking any coercive action against LiveLaw under the new regulations. Quint Digital Media Ltd., which runs the digital news website “The Quint”, has also filed a petition in the Delhi High Court. The Truth Pro Foundation India (TPFI) has also filed a petition in the Karnataka High Court. Praveen Arimbrathodiyil has filed another batch of petitions on the issue, a free-and-open-source (FOSS) programmer in the Kerala High Court and Advocate Sanjay Kumar Singh in the Delhi High Court.


The sanctity of privacy in a country like India, which is the largest democracy and has the 2nd largest population globally, must be respected. Freedom of speech and expression is the basic fundamental right of any democracy. The new rules regarding identifying the first originator could breach end-to-end encryption, and therefore, infringe the right to privacy. Other workarounds can be used instead to mitigate the spreading of fake news and any offence relating to the sovereignty and integrity of India. Dr Manoj Prabhakaran, a Professor at IIT Bombay, specialising in cryptography, submitted in his report that it is not clear if traceability serves as much of deterrence, given the prevalence of fake news spread openly through platforms like Twitter, Facebook, websites and even mass media.
Moreover, a message can be sent as a new message without forwarding it, thus creating multiple first originators. A feature could be introduced by the intermediaries letting the user tag a message as “not for sharing” or “for limited sharing”, thereby limiting the length of the chain in which the message can be shared or forwarded. Alternatively, viral messages could be marked and made available publicly so that fact-checkers could add comments to them. Subsequently, the WhatsApp client can display these comments alongside the message. Once the required technology is available, an offline or online spam filter can be designed to mark inappropriate and unreliable messages. This will discourage users from sharing such messages. Finally, the only long-term measure to counter the spread of fake news is education and information literacy. Such efforts will help to regulate the online world and make it a safe space for everyone.

1 reply »

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s