Banning of the ‘Chinese Apps’
Banning of the ‘Chinese Apps’
1. CONTEXT OF THE NEWS
Amid the rising tension and escalations between India and China on the LAC (Line of Actual Control), the Government of India announced an interim ban on 59 apps originating in China on 29 June.
This editorial analyses the move in its entirety.
2. BANNING THE CHINESE APPS
2.1 Why the ban?
- The Union Government announced the ban on these apps with Chinese links citing “emergent threats” to India's sovereignty and national security.
- The list of banned apps includes some very popular mobile apps, which have a combined user base running in several hundred million.
- Some apps also have a significance presence in India in terms of revenue, employees, and payrolls.
- The Ministry of Information and Technology revealed that it had received numerous complaints from various sources including the misuse of some of these apps to steal and surreptitiously transmitting users’ data to servers located outside India in an unauthorized manner.
- Such actions ultimately impinge upon the national sovereignty and integrity of India, which is a grave concern and requires emergency measures.
2.2 Effect of the Ban
- Some of these apps are very popular in India and have a wide user base.
- These apps are the only source of income for Indian creators on some of these platforms.
- The income of these creators and the offices and employees shut due to banning these apps could put a few thousand jobs at stake.
2.3 Legal Basis for the Ban
- The Union Government has enforced the ban under the powers available to it under Section 69A of the Information Technology Act, 2000.
3. INFORMATION TECHNOLOGY ACT, 2000
- The Information Technology (IT) Act, 2000 gives the legislative base and legal framework and sanctity to all electronic records and other e-commerce transactions (transactions occurring through electronic communication).
3.1 Some Highlights of the Act
1. Legal sanction to electronic documents.
2. Legal sanction to use of Digital Signature to authenticate an electronic record.
3. Details entailing Electronic Governance
4. Regulation of certifying authorities
5. Offenses and contraventions
6. Justice dispensation systems for cybercrimes - talks of an Adjudicating Officer with the powers of a Civil Court.
7. Establishment of a Cyber Regulations Appellate Tribunal - to hear appeals against the orders passed by the Adjudicating Officers
8. Establishment of a Cyber Regulations Advisory Committee to advice the government on any rules and purpose concerned with the act
3.2 Information Technology (Amendment) Act 2008 –
- The IT Act 2000 was amended in 2008 to add the following important provisions:
1. Data Protection -There were no specific provisions regarding Data protection in the IT Act 2000. The IT Act 2008 introduces two sections to address this concern.
- Section 43A (Compensation for failure to protect data)
- Section 72A (Punishment for disclosure of information in breach of lawful contract.
2. Information Preservation - Section 67C provides for the Preservation and retention of information by intermediaries. It provides that:
- Intermediary shall preserve and retain such information as may be pecified for such duration and in such manner and format as the Central Government may prescribe.
- Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.
3. Blocking, monitoring and collection of information
- Section 69A grants power to issue directions for blocking for public access of any information through any computer resource.
- Section 69B authorizes to monitor and collect traffic data or information through any computer resource for Cyber security.
3.3 Section 69A in the Information Technology Act, 2000
69A Power to issue directions for blocking for public access of any information through any computer resource.
(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do, in the interest of sovereignty and integrity of India, defence of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-section (2) for reasons to be recorded in writing, by order, direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out, shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.
4. WAY AHEAD
4.1 Implementation of the Ban
- The notification by the government will be followed by more specific and detailed instructions to Internet service providers (ISPs) to block these apps.
- Users will see a message regarding the banning of the app on request of the government.
4.2 Government to seek more details
- The two social media apps TikTok&Helo among the list of banned apps are operated by Bytedance (India) Technology Pvt Ltd and taken together to have more than 170 million active users in India.
- Bytedance India is not owned by a Chinese entity, its parent entity Bytedance Ltd is registered in the Cayman Islands. The parent company has five subsidiaries, TikTok Ltd being one of them and also registered in the Cayman Islands.
- Singapore-based entity TikTok Pte Ltd (registered under TikTok Ltd) handles operations in India and Southeast Asia.
- A Chinese law requires the companies of Chinese origin to share data with the other country’s intelligence agencies, irrespective of wherever in the world they are operating and the Indian IT Ministry is soon expected to seek details from the companies running these data-sharing apps in India under this law.
5. DATA PROTECTION LAWS
5.1 Data protection laws in the world
- Today most social and economic interactions are moving online and therefore the importance of privacy and data protection cannot be stressed enough.
- Collection, use and sharing of personal information to third parties without the prior consent or even acknowledgment to the consumer is also a rising concern.
- Today 132 out of 194 countries have legislations securing the protection of data and privacy.
- In Africa and Asia, 55% of nations have enacted such legislation including 23 least developed countries.
5.2 Global Status of Data Protection Legislation
- 66% Countries with Legislation
- 10% Countries with Draft Legislation
- 19% Countries with No Legislation
- 5% Countries with No Data
5.3 General Data Protection Regulation (GDPR)
- European Union General Data Protection Regulation (GDPR) is a watershed moment in data protection regimes in the last two decades.
- The GDPR is designed to protect the personal data of E.U. residents.
- Personal data refers to the data that relates to an identifiable living individual and includes names, email IDs, ID card numbers, physical and IP addresses.
- The GDPR entails a fundamental shift in the understanding of the relationship between individuals and their personal data.
- GDPR grants the citizen substantial rights in their interaction with data controllers and data processors.
- Data controllers are entities who determine the reason and manner of collection of data such as a government or several websites.
- Data processors are entities who process the data on behalf of controllers. When an E.U. firm outsources its data to an Indian firm for data analysis, the Indian firm here is a data processor.
- The GDPR provides that a data controller will have to provide clearly distinguishable consent terms. It means that the consent terms cannot be hidden in a fine print incomprehensible to the layperson.
- GDPR also requires data controllers to provide information on the ‘who collects the data’ and ‘how the data is collected’.
- It also provides individuals with the right to have their personal data deleted under certain conditions.
- GDPR also makes reporting obligations and enforcement stronger.
6. THE PERSONAL DATA PROTECTION (PDP) BILL
India introduced The Personal Data Protection (PDP) Bill, 2019, in the lower house, Lok Sabha and is presently referred to a joint select committee.
The Bill defines three types of personal data (data from which a particular individual can be identified)
1. Sensitive Personal Data - it relates to financial data, biometric data, genetic data, sexual orientation, religious or caste data, biometric data and genetic data.
2. Critical Personal data - A data can be deemed as critical data by the government at any time and it includes data such as military or national security data.
3. General Data- All non-sensitive and non-critical data.
The draft version of the bill was prepared by the Justice B N Srikrishna Committee. The bill has three important aspects that were not a part of the draft.
1. Storing and processing personal data
- The draft required all fiduciaries to store a copy of all personal data in India. This provision was criticised by foreign technology companies who store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash.
- The bill removes this impediment requiring only individual consent for data transfer abroad.
- The Bill requires sensitive personal data to be stored only in India and can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA)
- However, Critical personal data must be stored and processed only in India.
1. The Bill mandates fiduciaries to give the government any non-personal data when demanded. Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
3. The Bill requires all those social media companies, which are deemed as significant data fiduciaries to develop their own user verification mechanism.
- A social media company is deemed significant data fiduciary on factors such as volume and sensitivity of data and their turnover.
Other Key provisions of the Bill:
- The Bill provides for an independent regulator Data Protection Agency (DPA) which will oversee assessments and audits and definition making.
- The bill requires each company to have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
- The bill grants the right to data portability along with the right to access and transfer one’s own data to the individuals.
- The bill also provides for an individual to remove consent for data collection and disclosure (Right to be forgotten).
- Last year on the order of the Madras High Court, TikTok was banned in India for a few days, but later the court vacated the ban.
- The nature of the ban this time however is very different. It affects more number of apps and the reasons for restriction are strategic and in the context of India's national security.
- This ban could be a warning to other big Chinese business in India and in the broader context to China itself.
- The step shows clear intent from the government and a decisive break from the past.