A. Intermediaries to comply with judicial orders only on grounds prescribed under Intermediary Guidelines
Case title: WhatsApp LLC v. Union of India [W.P. (Crl.) No. 02 of 2023]
A writ petition under Article 226 of the Constitution of India was filed before the Hon’ble High Court of Tripura by WhatsApp challenging the vires of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”). The petition also challenged an order passed by the Judicial Magistrate First Class directing WhatsApp, under Rule 4(2) of the Intermediary Guidelines, to disclose the originator of a WhatsApp chat containing a fake resignation letter of the Hon’ble Chief Minister of Tripura.
The Intermediary Guidelines require a social media intermediary to comply with a judicial order. WhatsApp contended that the Intermediary Guidelines require the intermediary to comply with the judicial order only on certain grounds, including for the purpose of prevention, detection, investigation, prosecution or punishment of offences relating to sovereignty and integrity of India, security of state, friendly relations with foreign states or public order or of incitement to an offence, etc.
WhatsApp, challenging the order passed by the Judicial Magistrate First Class, contended that no grounds of public order or imminent threat to public order have been made out in the said order.
Union of India’s (“UOI”) submissions before the Hon’ble High Court of Tripura were recorded in one of the orders, where UOI submitted that WhatsApp, being an intermediary, does not have locus standi to object to the disclosure of the first originator of the message.
The Hon’ble High Court of Tripura, vide its order dated 27 September 2023, granted interim relief to WhatsApp and stayed the order of the Judicial Magistrate First Class seeking disclosure of the originator of the WhatsApp chat in question, after holding that the Judicial Magistrate First Class did not deal with the issue of ‘threat to public order’ as contemplated under Rule 4(2) of the Intermediary Guidelines.
B. Constitutional challenge to CERT-In Directions of 2022
Case title: SNT Hostings v. Union of India [W.P. (C) 13997 of 2022]
SNT Hostings filed a writ petition before the Hon’ble Delhi High Court assailing the directions issued by CERT-In dated 28 April 2022 relating to Information Security Practices, Procedure, Prevention, Response and Reporting to Cyber Incidents for Safe and Trusted Internet (“CERT-In Directions”), and more particularly the directions under Paras 4 and 5 thereunder. The directions under Paras 4 and 5 require all service providers, VPN service providers, data centers etc. to mandatorily enable logs of all ICT systems and maintain them securely for a rolling period of 180 days in India, and to register accurate information with respect to details of customers etc., to be maintained for a period of 5 years or longer.
SNT Hostings contended that the directions are ultra vires the powers that stand conferred on CERT-In under Section 70B(4) of the IT Act, and that the directions are also vague in respect of the nature and extent of the compliances which are to be effected. Further, the directions are also assailed on the principles laid down by the Supreme Court in Shreya Singhal vs. Union of India [(2015) 5 SCC 1]. As per the order dated 17.02.2023, the pleadings are complete and the matter is pending before the Hon’ble High Court of Delhi.
C. Intermediaries must mandatorily comply with blocking orders issued by DoT and MeitY
Case title: X Corp. v. Union of India [W.P. No. 13170 of 2022]
X Corp. filed a writ petition under Article 226 of the Constitution of India before the Hon’ble High Court of Karnataka at Bengaluru, challenging MeitY’s power to issue blocking orders, on the ground of procedural and substantial non-compliance with Section 69A of the IT Act. One of the issues formulated by the Hon’ble High Court was whether Section 69A of the IT Act read with the Website Blocking Rules authorizes issuance of a direction to block user accounts in their entirety or whether such power is only tweet-specific; and whether the challenged blocking orders violate the doctrine of proportionality.
Apart from other grounds, X Corp. alleged that the blocking orders passed by MeitY are non-speaking orders, without any reasons for blocking of accounts, links and tweets, apart from being disproportionate and excessive. X Corp. further stated that such orders are in violation of Articles 14, 19 and 21 of the Constitution of India.
The Union of India contended that X Corp. is a foreign company, and the allegation of violation of fundamental rights of a foreign company is not maintainable. Further, Union of India also stated that X Corp., not being a company of Indian soil, cannot invoke Articles 19 and 21 of the Constitution of India. Moreover, the particulars of the account holders are exclusively with X Corp., and therefore, authorities cannot issue any notice to them. Union of India also stated that, given the spontaneity and virality of tweets, the delay in complying with the blocking order amounted to culpable conduct on the part of X Corp.
On the issue of maintainability of X Corp’s petition under Article 226 of the Constitution of India, the Court reaffirmed the settled position that X Corp. has locus standi under the writ jurisdiction of the Court.
While deciding the issue regarding the power of the government under Section 69A of the IT Act, the Hon’ble Court, applying purposive interpretation to effectuate the spirit and larger intent of the Parliament, held that the power under Section 69A(1) of the IT Act read with the Website Blocking Rules is not tweet-specific but extends to the user accounts in their entirety. The Hon’ble Court also found the impugned blocking orders to be proportionate.
With regard to the non-speaking order, the Hon’ble Court held that the orders under challenge are speaking orders and there is a thick nexus between the orders and reasons assigned. Further, these reasons were discussed by MeitY with X Corp. in committee meetings.
For the issue pertaining to notice to be given to the user, the Hon’ble Court held that in terms of the Website Blocking Rules, the absence of notice to the user does not provide a ground to the intermediary for assailing the Blocking Order.
The Hon’ble Court also held that the petition filed by X Corp is hit by delay and laches, and culpable conduct of X Corp. Therefore, no relief can be granted in the equitable jurisdiction under Article 226 of the Constitution of India.
Finally, while giving its findings on the issue of culpable conduct of the petitioner and levy of exemplary costs, the Hon’ble Court took note of the Petitioner’s pleadings etc. running into hundreds of pages and the respondents’ submissions being voluminous. The Hon’ble Court also took note of the subject writ petition “being heard for days together, keeping at bay worthier causes of native litigants who were waiting in a militant silence and in a long queue.”
Then, the Hon’ble Court took note of the fact that for more than a year, the (impugned) Blocking Orders were not implemented by the petitioner and there was no plausible explanation offered therefor. The Hon’ble Court noted that there is willful non-compliance of the Blocking Orders. The Hon’ble Court observed that “cascading adverse effect of noncompliance of such orders, needs no research, nor reiteration.” The Hon’ble Court also noted that the (impugned) Blocking Orders have been “abruptly” implemented “with a clandestine caveat of reserving the right to challenge. This is a classic case of speculative litigation and therefore, petitioner is liable to suffer levy of exemplary costs.”
The Hon’ble Court dismissed X Corp’s petition and, relying on precedent on the imposition of costs, imposed costs of INR 50,00,000 payable to the Karnataka State Legal Services Authority, Bengaluru, within 45 days; delay, if brooked, attracts an additional levy of INR 5,000 (Rupees Five Thousand) only, per day.
D. Payment Merchants are ‘third parties’ – no authorization required from RBI
Case title: Abhijit Mishra v. Reserve Bank of India [2023 SCC OnLine Del 5094]
Public Interest Litigations were filed before the Hon’ble High Court of Delhi for the issuance of appropriate writs, orders or directions directing the respondent, Google Pay India Services (P) Ltd., to cease its operations in India for violation of regulatory and privacy norms.
The petitioners have stated that Google Pay had violated privacy norms by gaining access to and using consumers’ personal data such as Aadhaar details, which was in contravention of Sections 29, 38(g) and 38(i) of the Aadhaar Act, 2016 (“Aadhaar Act”); the Payments and Settlement Systems Act, 2007 (“PSS Act”) and the Banking Regulation Act, 1949. Further, it was stated that operations of Google Pay in India as a payment system provider were unauthorized for want of obtaining necessary permissions and hence Google Pay storing sensitive information of Indian citizens would be tantamount to an offence by a company as per Section 43 of the Aadhaar Act.
It was further submitted that upon a perusal of the terms and conditions of Google Pay, it emerged that Google Pay’s application, which operated on the UPI platform, had been performing the role of a facilitator of transactions. Therefore, Google Pay had been performing the role of a Payments System Provider (“PSP”) without obtaining valid authorisation from the RBI as per Sections 4 and 7 of the PSS Act, and therefore this constituted an offence by a company under Section 26 of the PSS Act.
The Hon’ble Court referred to Sections 2(1)(i), 2(1)(p) and 2(1)(q) of the PSS Act, which define ‘payment system’, ‘system participant’ and ‘system provider’ respectively, and to Section 7 of the PSS Act, which gives power to the RBI to grant authorisation for payment systems. It held that NPCI was the operator of the UPI system for transactions in India and was a “system provider” which was authorized by the RBI under the PSS Act to extend its services for facilitating transactions. On the other hand, the transactions carried out via UPI through Google Pay were only peer-to-peer or peer-to-merchant transactions, and Google Pay was not a system provider under the PSS Act.
The Hon’ble Court further held that the Unified Payment Interface Procedural Guidelines, 2019 (“UPI Guidelines, 2019”) also made it clear that data might be stored under two types, namely, ‘customer data’ and ‘customer payments sensitive data’. While the former might be stored with the app provider in an encrypted format, the latter could only be stored with the payment service providers’ bank systems, and not with the third-party app under the multi model API approach that Google Pay had opted for. Thus, the Hon’ble Court held that it did not find any merit in the petitioner’s contention that Google Pay was actively accessing and collecting sensitive and private user data.
The Hon’ble Court further observed that third-party apps such as Google Pay were designed to provide a large customer base to participating banks. A third-party app such as Google Pay obtained approval from NPCI for operating on the UPI platform and, in the multi bank application system which Google Pay had adopted, the NPCI provided a common library for integration to the Third-Party App Provider (“TPAP”) on behalf of PSP banks. The Hon’ble Court further opined that the Procedural Guidelines, 2019 shed light on the models used in UPI and that, under the model dependent on bank architecture which Google Pay had opted for, all transactions were routed through participating banks which were connected to the NPCI-NET.
Furthermore, the Hon’ble Court noted that the RBI had issued the Certificate of Authorisation to the NPCI to operate various retail payment systems in India including UPI. The Hon’ble Court, after referring to the counter affidavit filed by the RBI, held that Google Pay was a mere third-party app provider for which no authorisation from RBI was required under the provisions of PSS Act. Thus, the Hon’ble Court dismissed the petitions.