THE ROLE OF STANDARD SETTING BODIES IN DEFINING INTERMEDIARY RESPONSIBILITIES

Author: Swetha M, Jain University

ABSTRACT

The emergence of digital intermediaries, including internet service providers, social media platforms, search engines, and cloud service providers, has fundamentally transformed the structure of global communications and commerce. Their dual role as both passive conduits and active curators of content has led to ongoing uncertainty about the extent and limitations of their legal responsibility. Standard-setting bodies (SSBs), such as the International Telecommunication Union (ITU), the Internet Engineering Task Force (IETF), the Organisation for Economic Co-operation and Development (OECD), the Internet Governance Forum (IGF), and national sectoral regulators, have gradually become the architects of conduct norms for intermediaries. Nevertheless, a doctrinal deficiency endures: current legal scholarship primarily emphasizes ex post liability frameworks, while the formative function of SSBs in delineating future intermediary obligations remains insufficiently scrutinized. This paper contends that SSBs wield both soft and hard regulatory authority via technical specifications, policy recommendations, and governance frameworks that pre-emptively delineate intermediary responsibilities prior to legislative action. The paper employs a doctrinal and comparative methodology to examine the interaction between SSB outputs and national legal frameworks in India, the European Union, and the United States. It evaluates whether the existing standard-setting architecture effectively reconciles intermediary accountability with freedom of expression and innovation.

Keywords: Standards Setting Bodies, Internet Intermediaries, Cyber Governance, Intermediary Liability, Safe Harbour, Digital Regulation, OECD, ITU, and IETF

INTRODUCTION

The internet was built without a central regulatory body because it was thought that technical interoperability, not legal coercion, would control behaviour. This basic choice spreads regulatory power across several levels: technical bodies set rules, private actors build infrastructure, and states make rules that only apply in their own areas. At the crossroads of these layers are internet intermediaries, which are companies that send, host, index, or otherwise make it easier for people to access content and services from other people.

The issue of the extent of an intermediary's liability for user conduct has generated some of the most contentious litigation and legislation of the digital age. The Communications Decency Act 1996 (United States), the EU E-Commerce Directive 2000, and India's Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, have all tried to draw a line between passive conduits and active participants. Nevertheless, none of these legislative responses arose in isolation. The normative outputs of standard-setting bodies shaped, informed, and sometimes predicted them.

This paper delineates a doctrinal deficiency in current scholarship: the function of SSBs as pre-legislative norm entrepreneurs in the domain of intermediary responsibility has not been rigorously analysed. Most studies regard SSB outputs as ancillary material rather than as autonomous sources of legal obligation or quasi-regulatory authority. This paper fills that gap by asking: How much do standard-setting bodies define the substantive content of intermediary responsibilities, and how do their results work with binding domestic legal frameworks?

The paper is divided into five parts. After this introduction, Part II looks at what has already been written about intermediary liability and how digital platforms are run. Part III explains how the research was done. Part IV is the main analysis. It looks at the normative structure of important SSBs and how they relate to frameworks for intermediary duty. Part V shows what the paper found, and Part VI ends with suggestions.

LITERATURE REVIEW

The academic discourse on intermediary liability has evolved through two principal avenues: the doctrinal examination of safe harbour provisions and the governance-theoretic investigation of platform power.

The doctrinal tradition, as demonstrated by the research of Grimmel Mann (2009) and Sylvain (2016), delineates the parameters of secondary liability standards—contributory, vicarious, and inducement-based—across various jurisdictions. Lemley's seminal work on intermediary liability (2007) elucidated the conflict between innovation-fostering immunity and responsibility for harmful content, a conflict that persists unresolved. This literature primarily examines legislative frameworks without exploring the epistemic processes involved in the formation of legislative standards.

A second group of scholars looks at platform governance and how private middlemen use content moderation and terms of service to act like the government. Balkin's (2018) notion of the 'information fiduciary' and Zittrain's (2008) examination of 'generative platforms' both imply an increased duty of care, yet fail to systematically associate these duties with SSB frameworks.

Drezner (2004) and Mueller (2010) are two examples of governance literature that look at how legitimate and useful multi-stakeholder internet governance institutions like ICANN, the IGF, and the IETF are. This work recognizes that SSBs create normative frameworks but focuses on institutional design rather than substantive legal impact.

In the context of India, for instance, while Prasad (2021) and the Preamble to the IT Rules 2021 suggest that SSB recommendations such as the OECD Guidelines and ITU frameworks are relevant to the domestic regulatory framework for intermediaries, no such analysis of the impact of SSB outputs on the duty content of intermediary liability in India exists.

The gap in the comparison between India, the EU, and the US—i.e., the lack of a study comparing the impact of SSB outputs on intermediary liability standards in these jurisdictions—is the gap this paper aims to fill.

RESEARCH METHODOLOGY

The research methodology used for this paper is primarily doctrinal, involving analysis of the content of primary sources, including legislation, court decisions, regulatory instruments, and technical and policy outputs of SSBs. This research methodology is appropriate because the research question is essentially legal and concerns the legal importance and/or normativity of SSB outputs in relation to intermediary liability.

The research methodology used is comparative, with three jurisdictions being chosen for comparison on the basis of their representativeness of the range of regulation of intermediary liability: the US represents the most deferential model of regulation (Section 230), the EU represents an evolving duty of care model of regulation (Digital Services Act 2022), and India represents an emerging model of conditional safe harbour with active due diligence requirements (IT Rules 2021).

The primary sources include the OECD's Principles for Internet Policy Making (2011, updated 2022), IETF Request for Comments (RFCs) relevant to content filtering and data handling, ITU-T Recommendations on cybersecurity and network management, UNESCO's Recommendations on the Ethics of AI, and the results of the IGF's Dynamic Coalition on Platform Responsibility.

The paper does not use quantitative methods. The paper does not attempt to determine the level of compliance or assess the enforcement level, as this requires empirical data collection, which is beyond the scope of the research.

The temporal range of the paper will be 2000–2024, the main period during which SSB was involved in intermediary governance, taking into account some important developments related to the EU's Digital Service Act (DSA) 2022, which provides some current references.

ANALYSIS AND DISCUSSION

A. Standard Setting Bodies: Taxonomy and Normative Authority

SSBs within the internet governance landscape may be broadly categorized into three types. First, technical standards organizations, such as the IETF, the WWW Consortium, and the IEEE, develop specifications on protocol behaviours, encryption, and data processing. These are technically voluntary but assume regulatory authority by virtue of network effects: an intermediary deviating from IETF standards risks interoperability failure.

Second, intergovernmental policy institutions, including the OECD, ITU, UNESCO, and the Council of Europe, develop policy recommendations, principles, and best practice models, which are not legally enforceable on their member states but may be used as interpretive aids by national legislatures and courts. For example, the OECD's 2011 'Principles for Internet Policy-Making' considered, among other matters, intermediary liabilities for user-generated content and transparency, which were ultimately codified in the EU's E-Commerce Directive review.

Third, multi-stakeholder institutions, dominated by the IGF and ICANN's policy development processes, are best characterized by their production of consensus policy statements and best practice guidelines, which, although lacking legal authority, derive their authority from the broad representation of stakeholders within them.

The authority of SSBs over intermediaries is thus ranged from technically mandatory, by virtue of technical requirements, to persuasively influential, by virtue of their representation of legislative intent. The distinction is significant for legal analysis, as SSB authority has been invoked by courts and regulators as evidence of industry practice, standards of care, and global policy consensus.

B. OECD, ITU, and the Construction of Intermediary Duty

The OECD Recommendation of the Council on the Governance of Critical Risks (2014), and the OECD Recommendation Concerning the Use of Artificial Intelligence (2019), include intermediary-related provisions that require the exercise of due diligence in relation to harmful content and the establishment of risk management frameworks. The recommendations anticipate the 'very large platform' obligation under the EU's Digital Services Act, which entered into force in 2023. Thus, there is a direct normative lineage between OECD recommendations and EU legislation.

The ITU-T's X-series of recommendations, which include the recommendations on 'Cybersecurity' under Recommendation X.1205, and 'Emergency Communications' under Recommendation X.1303, require intermediaries in the network domain to comply with national cybersecurity legislation. In India, the National Cyber Security Policy 2013, and the proposed National Cybersecurity Strategy 2020, rely on the ITU-T frameworks, which creates a feedback loop between global technical standards and intermediary regulations.

The IETF's 'RFC 8280—Research into Human Rights Protocol Considerations' and 'RFC 7258—Pervasive Monitoring as an Attack' illustrate the direct engagement of SSBs with the rights-related behaviour of intermediaries. RFC 7258, which was issued in the context of the Snowden revelations, defines the conduct of intermediaries as the 'threat model' of mass surveillance, which must be mitigated, effectively creating a 'technical norm' of non-cooperation with state surveillance programmes, which is at odds with data access laws in India and other jurisdictions.

C. The Indian Framework: Safe Harbour, Due Diligence, and SSB Inputs

India has a conditional safe harbour provision under its IT Act 2000 and the Rules of 2021, which are dependent on the intermediaries' compliance with due diligence requirements such as content takedown, verification of users (for significant social media intermediaries), and appointment of resident grievance officers. In 2023, the Rules were amended to include government fact-checking authority over content hosted by intermediaries, a provision that has been challenged at the Bombay High Court.

The relationship of the framework to the outputs of the SSB is not well explored. However, the consultation papers of the Ministry of Electronics and Information Technology (MeitY) leading to the formulation of the IT Rules 2021 had cited the OECD Principles and the Manilla Principles on Intermediary Liability (2015), which is a civil society framework developed partly through the IGF process. This suggests the impact of the multi-stakeholder process of the SSB on the scope of the due diligence standard, though not directly referenced.

The comparative analysis reveals a lacuna in the Indian framework in not formally acknowledging the role of the SSB in the formulation of the IT Rules 2021, as is the case with the DSA 2022, which formally refers to the risk assessment framework of the EU. This creates ambiguity in the assessment of the scope of the role of the SSB best practices in the assessment of the due diligence obligation by the courts.

D. The EU Digital Services Act and the Interface of the SSB and Legislation

The DSA 2022 is the most advanced attempt by a leading jurisdiction to implement the norms of the SSB in the form of legislation. The risk assessment and audit requirement for very large online platforms is directly based on the ISO 31000 risk management and NIST risk assessment framework. The transparency and algorithmic accountability provisions of the DSA 2022 can be traced to the UNESCO 2021 Recommendation on the Ethics of AI.

The DSA 2022 also creates a co-regulatory framework by enabling the European Commission to prepare Codes of Conduct for intermediaries in collaboration with the SSB and civil society, effectively enshrining the authority of the SSB in the regulatory framework of the European Union. This demonstrates the potential for the soft law of the SSB to be translated into the hard law of the EU, which can be emulated by other jurisdictions, such as India.

FINDINGS AND OBSERVATIONS

Five findings emerge from the analysis: First, SSBs are not merely commentaries on the regulation of the intermediary; they are constitutive of it – they shape the substantive content of such regulation through their technical specifications that have de facto legal effect and policy recommendations that are adopted in domestic law.

Second, there is a marked asymmetry in how different jurisdictions receive SSBs' outputs: The EU has institutionalized the engagement with SSBs through the DSA's co-regulatory mechanisms and has thereby ensured transparency around the normative pedigree of intermediary regulation; The USA has a strong say in the output of SSBs because of the multi-stakeholder heritage of ICANN and IETF but has a minimalist approach to domestic regulation; India is a middle case – SSBs' outputs are considered in the legislative process but are not adopted in law.

Third, a normative conflict obtains between SSBs and domestic law with respect to state access to intermediary data: IETF's output is against mass surveillance; domestic law – including the IT Act of India's Section 69 – makes it incumbent on the intermediary to comply with lawful interception orders.

Lastly, the question of the accountability of SSBs is also a problem: SSBs that have a significant impact on the regulation of the intermediary have done so without any of the hallmarks of legitimate state regulation – such as a democratic mandate or a transparency requirement – and the legitimacy of SSBs' regulation of the intermediary has not been adequately addressed in the governance literature or domestic law.

Fifth, the move to duty of care-based approaches for intermediaries, as evidenced by the EU's DSA and the IT Rules 2021 in India, also points to a growing need for substantive norms of reasonable care. In this context, the SSBs have the potential to provide such norms, although in a manner that requires more formal recognition of the role of the SSB in the legislative process and the need for democratic accountability within the SSB.

CONCLUSION

The present paper has sought to demonstrate the role of standard setting bodies as not merely bystanders to the development of intermediary norms, but rather as active participants in the development of a normative structure in which intermediaries must perform in advance of, or in place of, legislative action. The OECD, ITU, IETF, and various multi-stakeholder fora such as the IGF have all developed norms and frameworks that have influenced the legislative norms applied to intermediaries in the context of the laws in India, the EU, and the United States. However, the nature of such influence is opaque and not well theorized in the literature.

The developing notion of duty of care-based approaches to intermediary regulation, as evidenced by the DSA in the EU and the IT Rules 2021 in India, also points to the need for substantive norms of reasonable care, which only the SSBs have the expertise to provide. However, the challenge for legislators, courts, and scholars is to place the influence of the SSB within a framework of democratic accountability and legal transparency.

Domestically, India would be well-advised to learn from the DSA's co-regulatory model and formally integrate SSB outputs into the development of intermediary guidelines, giving due weight and clarity to the due diligence standard under the IT Rules. Internationally, the IGF and OECD should seek to clarify their protocols for the adoption of their normative recommendations in national law, such as through the inclusion of model interpretive provisions to enable courts to consider SSB best practices as indicative of the standard of care to be followed by internet intermediaries.

The picture of the governance of internet intermediaries will not be complete without the recognition of the role of SSBs in the determination of their responsibilities. The recognition of the role of SSBs in the determination of the responsibilities of internet intermediaries is both necessary for the development of the law and essential for democracy.