Social Media Intermediary Liability After IT Rules 2021: Where Grievance Redressal Mechanisms Have Succeeded and Failed

Introduction

The regulation of social media intermediaries has been one of the most contentious legal developments in Indian cyberlaw in the present decade. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021) introduced a comprehensive compliance regime for platforms that host user-generated content, imposing obligations ranging from designated officer appointments to content takedown timelines and the establishment of tiered grievance redressal structures. The Rules also extended regulatory reach to digital news media and over-the-top streaming platforms, creating a regime that was simultaneously a content moderation framework and a speech regulatory tool.

The legal controversy generated by the IT Rules 2021 has been extraordinary. Multiple platforms challenged specific provisions before various High Courts. The Ministry of Electronics and Information Technology (MeitY) amended the Rules in 2022 and 2023 in response to both legal challenges and operational concerns. The Bombay High Court delivered a landmark decision in 2024 striking down one of the most contested provisions. These developments, set against the backdrop of high-profile confrontations between the government and Twitter (subsequently rebranded as X), have made intermediary liability one of the most actively litigated areas of Indian cyberlaw.

This article examines the structure of the IT Rules 2021 regime, the legal challenges it has faced, the operation of the Grievance Appellate Committee, and the question of whether the current framework adequately balances free expression, platform accountability, and user rights. The comparison with the EU’s Digital Services Act provides an instructive contrast in regulatory philosophy and design.

Legal Framework

The IT Rules 2021 were enacted under Sections 87(2)(zg) and 87(2)(z) of the IT Act, 2000, which authorise the Central Government to prescribe guidelines for intermediary due diligence and for cybersecurity practices. The constitutional authority for this exercise of delegated legislation was contested, with challengers arguing that the Rules exceeded the scope of the parent Act, particularly in regulating digital news media and OTT platforms, which many argued required specific legislation rather than subordinate rulemaking under the IT Act.

The Rules create a distinction between intermediaries generally and “significant social media intermediaries” (SSMIs), defined as social media intermediaries having more than 50 lakh registered users in India. SSMIs face a more demanding compliance regime than ordinary intermediaries.

The obligations applicable to all intermediaries under Rule 3 include publishing privacy policies and terms of service in Indian languages, informing users of prohibited content categories, disabling access to unlawful content within 36 hours of government or court orders, retaining information about first originators for cybersecurity incidents, and providing assistance to government agencies.

SSMIs face additional obligations under Rule 4. These include the appointment of a Chief Compliance Officer who is a key managerial person and can be held personally liable for compliance failures, a Nodal Contact Person resident in India for coordination with law enforcement, a Resident Grievance Officer resident in India to receive and process user complaints within defined timelines, and publication of monthly compliance reports disclosing the number of complaints received, actions taken, and content removed proactively.

Rule 4(2) requires SSMIs that primarily provide messaging services to enable identification of the “first originator” of a message on the platform if required by judicial or governmental order. This provision, targeting encrypted messaging platforms such as WhatsApp, has been the subject of the most significant and sustained legal challenge in the intermediary liability space.

Judicial Developments

WhatsApp’s challenge to the traceability requirement was filed before the Delhi High Court in May 2021. WhatsApp argued that the first originator identification requirement was incompatible with end-to-end encryption, which is the technical foundation of its privacy proposition, and that breaking encryption to enable traceability would fundamentally compromise the privacy and security of all users, not just those targeted by a specific order. The challenge raised questions of proportionality under Article 19 and 21 of the Constitution, as well as statutory incompatibility with Section 84A of the IT Act.

Twitter (now X) challenged blocking orders issued under Section 69A of the IT Act before the Karnataka High Court in 2022, arguing that the blocking orders lacked procedural fairness (no hearing was provided before blocking content that had significant public interest value) and that the orders were disproportionate. Twitter was ultimately found to have delayed compliance with blocking orders and faced suspension of its liability protection. This confrontation illustrated the considerable coercive power the government possesses in its relationship with platforms that seek to operate in India.

The Bombay High Court’s decision in Kunal Kamra v. Union of India (2024) on the Fact-Check Unit (FCU) was the most significant judicial intervention in the intermediary liability space. The IT Rules 2021 (as amended in April 2023) introduced Rule 3(1)(b)(v), which required intermediaries to take down content that the government-established Fact-Check Unit deemed “fake or false or misleading” regarding “any business of the Central Government.” Kamra, a stand-up comedian who had previously been a target of government criticism, challenged the provision along with several media organisations.

The Bombay High Court, in a split 2:1 decision, delivered an operative majority that struck down Rule 3(1)(b)(v) as unconstitutional. The majority found that designating the Central Government’s own Fact-Check Unit as the arbiter of factual accuracy about government affairs violated the separation of powers and created a chilling effect on free speech that was not proportionate to any legitimate aim. The minority would have upheld the provision with certain safeguards. The decision is under appeal before the Supreme Court, and the legal status of the FCU remains uncertain pending final adjudication.

The Grievance Appellate Committee (GAC), established by IT Rules 2022 amendment, enables users dissatisfied with a platform’s grievance resolution to appeal to a government-constituted committee. Three GACs were established, with governmental and technical members, to hear appeals against platform decisions on content removal or retention. The constitutional validity of the GAC is itself contested: critics argue that empowering a government body to review and reverse private platform editorial decisions on speech constitutes state censorship through an administrative mechanism, potentially violating Articles 19 and 21.

Contemporary Issues and Analysis

The fundamental conceptual tension in the IT Rules 2021 framework is between the legitimate regulatory interest in making platforms accountable for harmful content and the risk that accountability mechanisms become instruments of government speech control. The traceability requirement exemplifies this tension acutely. The government’s stated rationale for traceability is law enforcement: the ability to identify the original source of viral misinformation or incitement to violence. The technical consequence of traceability is the elimination of anonymity for all users of encrypted messaging platforms, since there is no way to build a traceability mechanism that applies only to specific categories of content without breaking the encryption for all.

The 50-lakh user threshold for SSMI status raises definitional questions. The threshold is based on registered users, not active users, but many platforms do not maintain reliable registrations that allow accurate user counts by geography. The threshold also creates an artificial compliance cliff: a platform with 49 lakh users faces substantially lower obligations than one with 51 lakh, creating incentives for regulatory gaming.

The monthly compliance reports published by SSMIs have produced a significant volume of data about platform takedown activity. Meta platforms in India reported processing tens of thousands of content-related orders monthly; Twitter/X reported substantially lower compliance with Indian government requests, a disparity that became publicly contentious. The data from these reports has not been systematically analysed by any regulatory body, and there is no mechanism to independently verify the accuracy of the disclosures.

The Chief Compliance Officer’s personal liability exposure under Rule 4(1)(a) has attracted significant concern from senior executives at major technology companies. The provision effectively makes a senior employee a personal hostage for the platform’s regulatory compliance, creating pressure to over-comply with government content removal requests to avoid personal criminal exposure. This structural feature may explain some of the divergence between platforms’ publicly stated content moderation positions and their actual India-facing compliance behaviour.

Comparative and International Perspective

The EU Digital Services Act (DSA), applicable since February 2024, offers a sophisticated and rights-protective contrast to the IT Rules 2021 framework. The DSA applies graduated obligations based on platform size, with the heaviest obligations falling on Very Large Online Platforms (VLOPs) with over 45 million monthly active users in the EU, and Very Large Online Search Engines (VLOSEs) by analogous criteria. These entities must conduct annual systemic risk assessments covering risks to fundamental rights, public health, and democratic processes, and must implement risk mitigation measures.

The DSA creates a trusted flagger mechanism, under which certified civil society organisations, fact-checkers, and consumer protection bodies can submit notices of illegal content with a priority processing obligation on platforms. This mechanism distributes enforcement away from the government and towards independent expert bodies, reducing the risk of political abuse. The DSA also creates an independent dispute settlement body mechanism, analogous in function to India’s GAC but independent of government, to hear user appeals.

The DSA expressly prohibits “deceptive design” interfaces that impair users’ ability to make free choices (a provision that overlaps with India’s emerging dark pattern regulation), and requires VLOPs to provide researchers and civil society organisations with data access for independent auditing of their algorithmic recommendation systems.

The contrast with India’s framework is illuminating. The DSA’s enforcement is led by an independent regulatory body (the European Commission for VLOPs, national Digital Services Coordinators for others), with appeal to courts, and the entire framework is oriented around protecting users from harm including state-originated harm. India’s IT Rules 2021 framework places enforcement power primarily in government hands, with the GAC also being a government body, and the framework contains no structural protection against government misuse of the compliance tools it creates.

Practical and Policy Implications

For technology platforms operating in India, the compliance demands of the IT Rules 2021 regime are substantial. The requirement for India-resident compliance officers represents a significant commitment for platforms with small India teams, as these officers face personal legal exposure. The 36-hour takedown obligation creates operational pressure that may lead to over-removal of content that would on careful review be permissible. Monthly compliance reporting requires dedicated data infrastructure and legal review.

The legal uncertainty created by ongoing court challenges to multiple provisions of the Rules creates planning difficulties. Platforms must simultaneously comply with provisions that may be struck down (and thus represent resources wasted) and prepare for the possibility that provisions they find burdensome will survive judicial review.

For users, the framework creates a formal but imperfect grievance architecture. The availability of a GAC appeal is meaningful only if the committee operates transparently, decides cases on consistent principles, and has genuine independence in its decision-making. The current GAC structure, with government-appointed members and limited transparency about its deliberations, does not inspire confidence on these dimensions.

Suggestions and Reforms

The most fundamental reform the framework requires is structural independence in the grievance redressal mechanism. The GAC should be reconstituted as a genuinely independent body with members appointed through a process involving civil society representatives, retired judges, and technical experts, with no serving government officials. Its decisions should be published with full reasoning and subject to appeal on points of law to the High Courts.

The traceability requirement should be withdrawn. The technical reality is that message traceability in end-to-end encrypted systems requires either building a backdoor into the encryption (which compromises all users) or maintaining a parallel metadata layer outside the encryption (which is itself a data protection risk). Neither approach is proportionate to the law enforcement benefits claimed. Targeted assistance to law enforcement through existing legal process tools is a better path.

The personal liability exposure of compliance officers should be reframed. Officers should be liable for deliberate non-compliance or wilful obstruction, not for the platform’s overall compliance profile. Vicarious personal liability for institutional failures creates perverse incentives for individual overcompliance that harm users.

Conclusion

The IT Rules 2021 have succeeded in forcing social media platforms to establish formal compliance infrastructure in India, including grievance officers, takedown procedures, and disclosure mechanisms. Whether they have succeeded in improving content moderation outcomes or protecting user rights is far more doubtful. The framework’s structural reliance on government oversight of private speech disputes, the constitutionally contested traceability requirement, and the chilling effect created by personal liability provisions all represent design failures that require legislative correction.

The EU Digital Services Act demonstrates that it is possible to hold large platforms accountable for systemic harms while protecting users from government overreach and maintaining robust procedural protections for speech. India’s framework should be revised with these design principles in mind, before further confrontations between platforms and the government produce outcomes that harm the digital public sphere.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these

✶ Message sent! We'll get back to you shortly.