A risk-based and graded approach is needed for classifying intermediaries: Rohit Kumar, founding partner, TQH – Times of India

Rohit Kumar is a founding partner at TQH. Previously, Rohit served as the Head of Policy and Research at the office of Baijayant Jay Panda, MP (Lok Sabha), and worked for a few years with PRS Legislative Research and the Boston Consulting Group (BCG). Rohit is a graduate of the Harvard Kennedy School and IIT Bombay. In an interaction, he shared his views on what an intermediary as per the proposed Digital Act, exemptions and more.
What is the definition of an intermediary as per the proposed Digital Act?
The term ‘Intermediary’ is defined in broad terms by the Information Technology (IT) Act, 2000. Section 2(1)(w) of the IT Act 2000 defines an intermediary as a person who receives, stores or transmits any electronic record and provides any service relating to such record on the behalf of another person. Intermediary includes a wide array of service providers like network service providers, telecom service providers, internet service providers, search engines, web-hosting service providers, online-auction sites, online payment sites, online-marketplaces and cyber cafes. The IT Rules 2021 (issued under the IT Act) create the sub-categories of social media intermediaries and significant social media intermediaries (with over 5 million registered users) within intermediaries.
There is no draft Digital India Bill/Act yet. However, since the Digital India Act will replace the IT Act 2000, it is likely to define intermediaries. The exact details will only be clear when a draft bill is out.

Are there any categories that are exempted and if yes, then why?
The IT Rules 2021 make some exemptions for temporary or transient or intermediate storage of information by an intermediary. Barring these exemptions, all intermediaries are required to comply with similar obligations.
Do you agree with the definition or think it needs a rethink?
Currently, under the IT Act, common obligations are laid down for all kinds of intermediaries despite fundamental differences in the way intermediaries transmit information or interact with users and their content. For example, all intermediaries are given the same 72-hour timeline for removal of offending content, irrespective of their access to information, size or technical capacity. In addition, the current law attracts criminal penalties on the personnel of intermediaries for non-compliance of the rules, which is also a cause for concern.
The current definition also assumes that all intermediaries can always identify and remove unlawful information, which is not true. Many enterprise service providers such as cloud service providers have no visibility or access to the content they host; they often lease infrastructure to customers under contractual obligations that prevent them from accessing client data.
A risk-based and graded approach is needed for classifying intermediaries. The intermediaries which pose the least amount of risk, like enterprise solution providers, could be regulated with a lighter touch. The highest obligations such as a short content removal timeline, appointment of resident officers etc. can be reserved for the biggest intermediaries, where the potential for harm such as viral spread of misinformation is higher.
Additional obligations can impose significant economic costs on businesses, and dent their growth potential. We have also worked on an alternative framework for classifying intermediaries – a graded classification framework for intermediaries that imposes proportionate obligations based on functionalities, reach and potential harm. Further, our report suggests exemption categories for micro and small enterprises, and classifications based on technical use case scenarios. You can access our report here: https://thequantumhub.com/a-framework-for-intermediary-classification-in-india/

How is India’s definition different from that of EU and US?
Intermediaries are broadly defined elsewhere as well – for instance, EU’s Digital Services Act defines intermediaries as including a variety of service providers like conduit, caching and hosting services. However, the EU law imposes limited obligations on conduit and caching services, and creates tiered subcategories in hosting services, with the lowest tier having limited legal obligations, and the highest tier of very large online platforms (VLOPs) having the highest obligations. Micro and small enterprises are also exempt from any major obligations.
India, on the other hand, has a broad definition of an intermediary, and creates only two tiers. This may lead to disproportionate obligations on smaller players and intermediaries.