Data Privacy Issues or a Secure Digital Space: The Curious Case of Whatsapp and Intermediary Guidelines, 2021

This article is written by Shruti Gupta and Akshat Shukla, 2nd Year Student, National Law Institute University, Bhopal.


The recent petition filed by WhatsApp before the Delhi High Court has raised a myriad of questions regarding the Intermediary Guidelines, 2021 and the data privacy of individuals. This blog is an attempt to examine the impugned rules and scrutinize the grey areas associated with the issues set forth. There are three major aspects that this blog addresses in this regard: firstly, the assessment and legislative intent of rule 4(2) in the light of existing laws of the country, and secondly, an analysis of the practical drawbacks that this rule can cause because of the loopholes.


With the wave of globalization which converted the whole world into a global village, digital media saw a boom. When this wave hit India in the late 90s, digital marketing, social media, online businesses, e-transactions, etc. saw an upsurge. Applications like Amazon, WhatsApp, Facebook became huge hubs not only for socializing or entertainment but also for canvassing consumers. To regulate the content on these platforms and to recognize and legitimize online transactions, businesses, etc. the Information Technology Act, 2000[i] was enacted. The latest secondary legislation to this Act is the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.[ii]


The digital ethics regulations and guidelines have gained prominence and have become a contemporary legal conundrum because of two major reasons in the past one year – first, the stance of the guidelines to regulate OTT platforms under Ministry of Information and Broadcasting and second, the compliance regulations which have been brought about for social media entities and online news sources. These entities have been classified in the new guidelines as ‘social media intermediaries’ and ‘significant social media intermediaries’ where the classification is based on the threshold of registered users as set forth in clause (v) under sub-rule 1 of rule 2 of the guidelines.

WhatsApp has recently challenged Rule 4(2) of these guidelines before the Delhi High Court, stating that it is an infringement of the privacy of its users. It alleges that the impugned rule requires the intermediary to aid in identification of the first originator of any wrongful information. According to WhatsApp, such identification is wrongful and against the fundamental right to privacy as enshrined in the Constitution. The case is listed before the Delhi High Court.


The challenge by WhatsApp has brought rule 4(2) of the guidelines to the forefront and several interpretations have been deduced, but it is necessary to analyze the law in its entirety so that even the criticism can be holistic and progressive. The complete rule 4 of these guidelines places an onus on the significant social media intermediaries to observe additional due diligence so as to ensure safe and ethical digital spaces. This legislative intent can be observed from the press release that mentions the wrongful use as the reason for the enforcement of guidelines.

Rule 4(2) in particular requires the significant intermediaries with primary services in messaging to help in identification of the originator of any information that purports and qualifies under the first proviso of this sub-rule. This information shall only be provided if a Court of competent jurisdiction passes an order or competent authority as defined in the IT Rules 2009 passes an order under Section 69 of the Information Technology Act, 2000. [iii]

Further, there are four provisos to the impugned rule 4(2) which clearly lay down that the originator shall be tracked only for offences that have an imprisonment term of more than five years and affect sovereignty of the nation, incite offences against women etc. This means that the right to privacy of individuals would not be infringed as the gravity of threshold for revealing information is substantially high and the same would fall under the reasonable restrictions. The second proviso is also indicative of the conscience of the State towards the matter of privacy as it provides for usage of ‘less intrusive’ measures before resorting to use of rule 4(2). The third proviso again stresses on the non-revelation of information relating to other users and even the other electronic messages of the first originator as well. Therefore, the rule 4(2) on the face of it connotes the reasonable restrictions as enlisted in the Article 19(2) of the Constitution of India.[iv]


While it is necessary to regulate the content in circulation, it is imperative to curb the overarching use of power which results in rights infringement. Even though rule 4(2) appears to be under the ambit of reasonable restrictions, there are other aspects that need to be dealt with before this standpoint can be resonated. There is enough void in the legislation to provide a leeway to the authorities to tread upon the privacy rights of an individual.

The word “public order” seems to be carefully manoeuvred into the proviso to the disputed Rule 4 sub-rule 2. After several attempts to interpret the term, no watertight definition has been provided. The closest to an interpretation is its interchangeability with public peace, safety and tranquillity.[v] Such open-ended interpretation and vagueness make it easier to nab innocent critics of the government actions and policies and this, in an extended form, may affect citizens’ right to free speech and expression.[vi]

The second proviso to the sub rule states “other less intrusive means…”, which hints that the legislation is indeed intrusive to an individual’s privacy even when the right to privacy has been declared a fundamental right. The legislation empowers the significant social media intermediaries to back track the original source of an alleged inappropriate message.

The vagueness as to where the line needs to be drawn between more intrusive and less intrusive means gives the government an opportunity to invade the privacy of innocent individuals. On the pretext of any information being a “threat to public order”, the government can misuse its power and even a person aiming for healthy criticism of the authorities might land in trouble. So, even if the original source can be tracked by the “less intrusive” means, the government could rather rely on the legislative mechanism to get a history of similar messages being drafted/circulated by that person, which is again intrusive upon the individual’s privacy. The concern of WhatsApp is genuine as it promises its users a private end-to-end encrypted policy.

Another interesting phrase in rule 2 enables tracking the first originator of the information, upon receiving an order by a “competent authority” under the IT Act, 2000. This competent authority is an agency of the government, working on their orders as under Sec 2(d) of the IT Rules, 2009. Now the rule, on one hand, manages to ensure proper procedure of law by allowing a court of competent jurisdiction to grant an order before invading an individual’s privacy. But the word “or” in the rule empowers the government to take direct action. Rule 2(d) of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information), Rules, 2009 defines the word competent authority and it includes only two governmental positions, i.e. the Secretary in the Ministry of Home Affairs for the Central government and the Secretary In-Charge of the Home Department in case of a State government. These positions come directly under the ambit of government and therefore the veil of unbiased authority in the form of a “court of competent jurisdiction” is bypassed. This loophole further facilitates an intolerant government in nabbing innocent critics.

This is a critique of just one rule of the legislation, when it could be full of such nuances which enable intrusion into an individual’s privacy.


The right to privacy of an individual is inalienable from the right to life and personal liberty. It is necessary to strike a balance between this individual right and the security of the state/public order while framing these laws. Rule 4(2) of the Intermediary Guidelines, 2021 is tenable if seen in its strict legal sense. However, law cannot be interpreted in isolation and the social implications and dynamics need to be considered while legislating.

There are certain ways in which the legislation can be made clearer. The problem could be solved if the ambiguous terms in the legislation such as public order are explicitly explained so as to create an exhaustive list which defines and narrows down the scope of such a general term. This would help in assessing what amounts to disruption of public order, even if for the specific purpose of the legislation. Further, the veils such as inclusion of a government servant under the ambit of “competent authority” can increase the propensity of probable misuse and thus, there is a need to amend and rectify the standpoint so that a fair, unbiased and just process is put in place where the identification under Rule 4(2) is ordered only by a competent court.

[i] The Information Technology Act, No. 21 of 2000, INDIA CODE (2000).

[ii] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (February 25, 2021).

[iii] The Information Technology Act, §69, No. 21 of 2000, INDIA CODE (2000).

[iv] INDIA CONST. art. 19(2).

[v] The Superintendent, Central Prison, Fatehgarh v. Ram Manohar Lohia, 1960 AIR 633.

[vi] Shreya Singhal v. Union of India, (2013) 12 SCC 73, ¶52.
