I’ll be talking about the Salient features of the regulatory framework in

India with reference to data privacy and governance of social media

companies.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code)
Rules 2021 have been framed in exercise of powers under section 87 (2) of the
Information Technology Act, 2000 and in supersession of the earlier Information
Technology (Intermediary Guidelines) Rules 2011.

These are some of the Salient Features of Social Media Governance

(25/02/2021): intermediaries (social media website or app)

 Grievance Redressal Mechanism: it seeks to empower the users by mandating the

intermediaries to establish a grievance redressal mechanism for receiving and
resolving complaints from the users or victims. Intermediaries shall appoint a
Grievance Officer to deal with such complaints who shall acknowledge the complaint
within 24 hours and resolve it within 15 days from its receipt.
 Ensuring Online Safety and Dignity of Users, Especially Women Users: The
social media companies should remove or disable access within 24 hours of
receiving complaints of contents that exposes the private areas of individuals, show
such individuals in full or partial nudity or in a sexual act or impersonation like
morphed images. Such a complaint can be filed either by the individual or by any
other person on his/her behalf.

 Significant social media intermediaries providing services mainly in the nature of

messaging shall enable identification of the first originator of the information
that’s required only for the purposes of prevention, detection, investigation,
prosecution or punishment of an offence related to sovereignty and integrity of India,
the security of the State, friendly relations with foreign States, or an offence in
relation with rape, sexually explicit material or child sexual abuse material will be
punishable with imprisonment for a term of not less than 5 years. The intermediary
shall not be required to disclose the contents of any message or any other
information to the first originator.
 Giving Users an Opportunity to Be Heard: In cases where significant social media
intermediaries remove or disables access to any information on their own accord,
then a prior intimation for the same shall be communicated to the user who has
shared that information with a notice explaining the grounds and reasons for such
action.
 Removal of Unlawful Information: An intermediary upon receiving actual
knowledge in the form of an order by a court /Govt. or its agencies through an
authorized officer should not host or publish any information which is prohibited
under any law in relation to the interest of the sovereignty and integrity of India,
public order, friendly relations with foreign countries etc.
 Voluntary User Verification Mechanism: Users who wish to verify their accounts
voluntarily shall be provided with an appropriate mechanism to do so and provided
with a demonstrable and visible mark of verification.
Coming to the Salient Features of Data Privacy and Protection:

 Data protection in India is currently governed by the Data Protection Rules, 2011
notified under the Information Technology Act, 2000 (“IT Act”).
 The Data Protection Rules impose certain obligations and compliance
requirements on organisations that collect, process, store and transfer sensitive
personal data or information of individuals such as obtaining consent, publishing a
privacy policy, responding to requests from individuals, disclosure and transfer
restrictions.
 The Data Protection Rules further provides for the implementation of certain
reasonable security practises and procedures (“RSPPs”) by organisations
dealing with sensitive personal data or information of individuals. What are the
rules ?  
o Organisations may demonstrate compliance with the RSPP requirement via
implementing security practises and procedures and having a documented
information security programme and information security policies. 
o Codes formed by any self-regulatory organisation must be approved and
notified by the Central Government. .
 
However, it is to be noted that as of yet India does not have its own set of Data Protection
Law. Currently, the ‘Personal Data Protection Bill, 2019’ (PDP Bill), has been granted a
fourth extension for a review. At present, the Indian constitution does not allow judicial
written remedies against purely private bodies given that they do not constitute ‘state’ within
the meaning of Article 12. This means that in every instance where a purely private body
violates a citizen’s right to privacy, there is very limited solution available under Indian law at
present, such as, for instance, under section 43A of the Information Technology Act,
2000 (IT Act).
 
In short, data protection is still in a grey area in India until a law comes into force.

With this we reach the end of our presentation. thankyou