To ban or not to ban: A data protection alternative to the Indian ban of 59 Chinese apps

by Gargi Rohi & Samraat Basu

The Indian Government recently banned 106 mobile applications of Chinese origin (Times of India, 2020). These apps include TikTok, WeChat, CamScanner and Mi Video Call Xiaomi among others (the ‘Banned Apps’). Further, another 250 applications such as PUBG Mobile are reportedly (FE Online, 2020) being reviewed for possible privacy and security concerns similar to the Banned Apps. The Government ordered the ban under section 69A of the Information Technology Act, 2000 (‘IT Act’) read with the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009. These Banned Apps were reportedly taken down from Google’s Play Store and Apple’s App Store (Tech Desk, 2020) and Indian telecom companies were directed to block internet traffic (PTI, 2020) to these Banned Apps.

The basis for the ban, as stated by the Indian government in its press release, revolves primarily around concerns regarding unfettered data collection, mining and profiling which allegedly poses a threat to the sovereignty and integrity of India. In this post, we focus on changes in data protection law that can help bring about the desired outcome of restricting potential foreign governmental incursions into Indians’ personal data within a regulated framework.

From the lens of data protection, the two focal points are (i) whether the personal data collected by such applications is excessive and could be used to track personal information which could pose a threat to the national security of a country, and (ii) how such personal data should be restricted from being transferred to a potentially belligerent foreign country (‘Foreign Country’) and what the scope of such restrictions could be.

While at first glance the function of these Banned Apps seems innocuous enough to make claims of them being a threat to national security seem far-fetched, a closer look at their privacy policies and data collection practices reveals that they collect much more personal data than is strictly necessary to provide the functionality they advertise. TikTok (The Guardian, 2020), for example, states in its privacy policy[1] that it automatically collects IP addresses, geolocation-related data, unique device identifiers, browsing and search history and cookies. It also collects the contact details saved on the user’s device as well as on their social media account, along with the user’s payment details. Together, such data can easily be used to identify the individual using the app, to track their movements and to learn other details of their personal life. In fact, the collection of contact details of unsuspecting individuals from the contact book of a person who has downloaded TikTok is a blatant violation of privacy.

As pointed out in this New York Times article (Thompson & Warzel, 2019), such excessive data collection is not limited to the Banned Apps but permeates the tech industry, and this should be counteracted through effective penalties for the contravention of data protection principles. However, as mentioned above, the blocking order was passed not just because the Banned Apps collect excessive personal data but, rather, due to the suspicion that these apps were profiling persons in India at the behest of Foreign Countries. Since the locations wherein such personal data is processed and stored at any given moment are not readily available, it is possible that the personal data may be processed and stored in a Foreign Country by these apps as well as other private companies.

Given the pervasive nature of data collection by the Banned Apps, their use by militarily or politically sensitive persons could become a source of worry for governments. Researchers in the US, for example, found live GPS data on the internet which revealed the location of troops (Sherman, 2020) on military bases and spies in safe houses through the use of geolocation features in fitness devices used by such personnel. The Government could therefore argue that it has a vested interest in ensuring the confidentiality of certain personal data belonging to militarily or politically sensitive persons. Additionally, in a situation wherein personal data is being transferred to a hostile country, the Indian Government may have a greater interest in preventing the transfer of any and all data to such a country. This is because access to personal data may make it easier for a hostile government to profile and target numerous key personnel across the ecosystem. 

While India does not yet have a comprehensive data protection law which can appropriately address such violations of privacy, a draft Personal Data Protection Bill (the ‘Bill’) has been introduced in the Parliament of India and is currently being reviewed by a joint parliamentary committee. Crucially however, the Bill does not have any provisions that address the threat of Foreign Countries gaining access to Indian personal data. Specifically, while the Bill provides restrictions regarding transfer of sensitive personal data to countries which do not offer adequate protections, there are no minimum protection standards that must be met for the transfer of personal data.

Accordingly, in our opinion, the Bill should be modified to empower the Indian Government to restrict the transfer and disclosure of personal data to countries where (a) an adequate level of protection is not provided; (b) this would compromise the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; or (c) it is necessary for the prevention of incitement to the commission of any cognizable offence relating to the matters described in (b). Additionally, such a provision should mandate the Government to provide credible evidence and adequate reasons as to why it is imperative to impose such restrictions. Further, certain procedural safeguards which are currently missing from section 69A, IT Act should be addressed by the Bill; for example, the list of blacklisted countries should be periodically reviewed and modified to reflect changing realities. Personal data which has been historically stored or processed in a blacklisted country, by any organisation, should be erased from all servers which are located in that country. Additionally, all organisations handling the personal data of individuals present in India should be mandated to provide an undertaking to the data protection authority (to be established under the Bill) certifying that all historical personal data has been erased from servers located in a blacklisted country and that no personal data is henceforth being processed, disclosed or stored therein. Furthermore, as an added transparency measure, organisations should be required to periodically disclose to each individual the locations at which their personal data is being or has been collected, processed and stored, even if done momentarily.

Effectively, this would imply that apps and websites will not be permitted to host, process or transfer personal data belonging to persons present in India to servers located in such blacklisted countries, while at the same time offering the flexibility to transfer, process and store such data in any other part of the world. Section 69A, IT Act empowers the government to block public access to websites and apps, whereas our suggestion will enable the government to achieve its aim of preventing the transfer of personal data to a Foreign Country without depriving the public of access to platforms, products and services, thereby strengthening the fundamental right to freedom of speech and expression as well as the right to carry on any profession, occupation, trade or business. Accordingly, this would be a better alternative to imposing a blanket ban on apps and websites, as they generate employment, have significant economic interests and investments in India and, most importantly, contribute to developing a marketplace of ideas by facilitating creative expression.


[1] Access to this privacy policy on TikTok’s website is no longer available to readers in India, due to the ban.

References

1. FE Online. (2020, July 27). Retrieved from Financial Express: https://www.financialexpress.com/industry/technology/india-bans-47-more-chinese-mobile-apps-250-apps-reportedly-under-scanner-over-privacy-concerns/2036181/

2. The Guardian. (2020, July 6). TikTok may be ‘data collection service disguised as social media’, Liberal senator says. Retrieved from The Guardian: https://www.theguardian.com/technology/2020/jul/06/tiktok-may-be-data-collection-service-disguised-as-social-media-liberal-senator-says?utm_term=Autofeed&CMP=twt_b-gdnnews&utm_medium=Social&utm_source=Twitter#Echobox=1594021583

3. Times of India. (2020, July 27). After ban on 59 Chinese Apps, government blocks 47 more. Retrieved from Times of India: https://timesofindia.indiatimes.com/business/india-business/after-ban-on-59-chinese-apps-government-blocks-47-more/articleshow/77192075.cms

4. Tech Desk. (2020, July 3). 59 Chinese apps India banned deleted from Google Play store, App store. Retrieved from The Indian Express: https://indianexpress.com/article/technology/tech-news-technology/58-chinese-apps-banned-removed-google-play-app-store-6486181/

5. PTI. (2020, June 30). Govt directs internet companies to immediately block Chinese apps. Retrieved from Times of India: https://timesofindia.indiatimes.com/business/india-business/govt-directs-internet-companies-to-immediately-block-chineseapps/articleshow/76717660.cms#:~:text=%22Order%20to%20block%20all%2059,%2C%20Bigo%20Live%2C%20Wechat%20etc

6. Thompson, S. A., & Warzel, C. (2019, December 19). Twelve Million Phones, One Dataset, Zero Privacy. Retrieved from New York Times: https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html

7. Sherman, J. (2020, April 2). Unpacking TikTok, Mobile Apps and National Security Risks. Retrieved from Lawfare: https://www.lawfareblog.com/unpacking-tiktok-mobile-apps-and-national-security-risks

*This article was originally published on the Oxford Business Law Blog.*

About the Author

Gargi Rohi is currently an associate at Linklaters, London.

Samraat Basu is currently pursuing an Advanced LLM in Law and Digital Technologies from Leiden University, The Hague, Netherlands. He has worked with Cyril Amarchand Mangaldas in its TMT / Data Protection Team for close to two years where he advised leading multinational companies on their nuanced queries regarding privacy, gaming, artificial intelligence and machine learning, tele-medicine, Aadhaar, fin-tech and other emergent technology and data protection related issues. 

He was previously a research fellow with Vidhi Centre for Legal Policy where he provided legal advice, research assistance and policy inputs to the Ministry of Electronics and IT, Ministry of Finance and the Srikrishna Committee on the Personal Data Protection Bill. 

He regularly writes for media outlets such as The Economic Times, Hindustan Times-Mint, The Wire and The Indian Express, and has published academic articles in journals published by Sweet & Maxwell and Lexis Nexis.

       

