By – Sharanya G Ranga & Meghna Punjabi
In a dramatic move following the recent border skirmish with China, the Indian Government temporarily banned 59 Chinese mobile applications. The list ranges from the very popular TikTok to SheIn, ClubFactory, WeChat, Weibo, UC browser, CamScanner and other less-known apps. The banned apps have since been taken down from both the Google Playstore and the Apple App store.
The trade ties between India and China run deep with China becoming India’s second largest trading partner in 2019-2020 right behind the United States and the largest exporter to India, especially in pharma, electronics and IT hardware. Indian tech startups, telecom infrastructure and manufacturing businesses have attracted significant Chinese investment over the past few years. The Bytedance owned TikTok has been on a roll in India, one of its top markets with over a 100 million active users and the company forecasting advertising revenue of $1 billion this year. Besides leaving the app users/influencers high and dry, the ban may see business closures and significant job losses.
What is India’s law on blocking apps?
The ban has been imposed under Section 69A of the Information Technology Act, 2000 (“IT Act”) that empowers the government to impose such a ban in the interest of sovereignty and integrity of India, defence of India, security of the state, friendly relations with foreign states; public order; or to prevent incitement for the commission of a cognisable offence relating to any of the above.
The Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009 lays down the procedure to be followed when issuing an order under Section 69A blocking any website or app in India. This includes serving a show-cause notice, giving an opportunity of hearing to the aggrieved party followed by a detailed legal order. A plain reading of the section makes it clear that the Government has the power to take interim measures without notice in the case of emergencies, which is what has been resorted to in this case.
While upholding the constitutional validity of the Government’s blocking powers (in Shreya Singhal vs Union of India), the Supreme Court of India pertinently stated that blocking can be resorted to, where and if necessary, so long as due process is followed and the reasons recorded in writing. In another recent case examining the scope of the internet shutdown in Jammu and Kashmir since August 2019, the Supreme Court directed the need for public disclosure prior to restricting internet access.
Media reports indicate that the blocking order was placed before the designated committee comprising officials from various ministries such as home, information & broadcasting, law and justice and CERT-In, India’s nodal agency for computer security within 48 hours and that the committee ratified the invocation of such emergency powers and confirmed the ban. It has also been reported that formal notices will be issued to the concerned companies to give them an opportunity to present their case.
Grounds for the ban
The press release banning the apps refers to complaints of apps ‘stealing and surreptitiously transmitting user data’ in an unauthorised manner to servers located outside India and that the compilation of these data, its mining and profiling ‘by elements hostile to the national security and defence of India’ ultimately impinges upon the sovereignty and integrity of India.
Data mining refers to the process of generating fact-based patterns from large sets of data that are insightful to businesses (remember the Cambridge Analytica scandal). Data harvesting is similar to data mining but goes much beyond that to extract/scrape all (or specific parts) data hosted on websites/apps through automated bots or Application Programming Interfaces (APIs). Presently, both data harvesting and data mining are legally permissible under India’s archaic data protection law. Given the lack of a robust legal framework addressing the requirements of the technological advances, can they be reasonable grounds to invoke emergency measures blocking such apps?
The law on blocking is designed to address specific violations by each app, and not general violations by a collection of apps. The ban will thus require an individual, evidence-based evaluation of the alleged breaches in data security by each of the 59 apps. The Government will thus have to substantiate what content and how exactly such content on these apps violates security and sovereignty of the state, among other things.
Can the ban be challenged?
It is possible to challenge the blocking order by way of a writ petition before the High Courts or the Supreme Court of India on the grounds that it is arbitrary and violates the principle of proportionality. For instance, an arguable case could well be made based on the very nature of the banned apps. For instance, Tiktok being a video-sharing social networking app with users creating dance, lip-sync, comedy and talent videos, Shein and Club Factory being fashion/lifestyle portals and UC Brower being one of the preferred web browsers for low budget smartphones. And if these apps were transferring user data outside India like most other apps do, without violating the laws of the land, how strong is the case that such apps were posing a threat to the security and sovereignty and integrity of India or defence of India necessitating a complete ban, as against, say, blocking some sensitive or confidential content on their apps? Also, content creators/influencers on some of these apps are well within their rights to challenge the ‘arbitrary’ nature of the ban on the grounds that their fundamental right to life and livelihood and freedom of speech and expression has been impacted.
Impact on doing digital business in India
A robust data protection framework is at the very core of building a digital economy. Sadly, we have the IT Act outlining some data protection requirements rather than a comprehensive data protection law that has been work in progress for a few years now. The current framework does not restrict or even adequately deal with third party transfers and cross border movement of personal data by laying out safeguards or protocols. The proposed Personal Data Protection Bill, 2019 goes up a few notches as it categorises personal data into personal data, sensitive personal data and critical personal data and provides specific compliances for each category. So businesses may be restricted from cross-border transfer of critical personal data but be allowed to transfer sensitive personal data after complying with specific conditions.
User privacy has to be at the centre of any privacy and data protection regulation and the app ban has given short shrift to the users/ content creators/ influencers on platforms like Tiktok. It is a pressing requirement for us to bring in legislation akin to the European Union’s General Data Protection Regulation (GDPR) or the recently enacted California Consumer Privacy Act to protect user privacy as well as set out clear obligations and accountability measures for businesses when dealing with personal data.