The information in this article is current as of 28 August 2020.

In the midst of on-going border tensions between India and China in eastern Ladakh, the Ministry of Electronics and Information Technology of India (“MEITY”) issued a press release on June 29, 2020, and announced its decision to disallow the usage of 59 applications (“Banned Apps”) since, basis the information available with MEITY, the Banned Apps were involved in activities which were prejudicial to the sovereignty, integrity, defence and security of India.2 This digital strike has been implemented by MEITY by virtue of the broad-based powers vested in it under Section 69A of the Information Technology Act, 2000 (“IT Act”) read with the relevant provisions of the Information Technology (Procedures and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (“IT Rules 2009”). That is, when matters of national security and interest are concerned, the said legal provisions enable and stipulate the manner in which the Central Government, or any officer specially authorised by it in that behalf, can issue directions to any agency of the Government or intermediary for blocking public access to any information generated, transmitted, received, stored or hosted in any computer resource, for reasons to be recorded in writing.

As per MEITY’s press release, the Banned Apps were said to be indulging in stealth and transmission of users’ data in an unauthorised manner to servers which are located outside of India, and were generally violative of Indian data privacy norms. Resultantly, the usage of popular mobile and non-mobile internet enabled services having Chinese origins, including applications like TikTok, CamScanner, Shareit, UC Browser, Club Factory and Xender, has been blocked by MEITY within India. However, in response, Chinese embassy spokesperson, Ji Rong has claimed that the decision to block the Banned Apps by the Indian Government is violative of the World Trade Organisation (“WTO”) norms, calling it arbitrary and selectively discriminatory in nature. In this context, it is noteworthy to mention that last year a similar ban was imposed by the Madras High Court on TikTok for data privacy violations and the presence of inappropriate content on the application, however, the order was later reversed3 stating that ample safeguards were already in place by TikTok and there was sufficient compliance with the statutory guidelines.

Thus, in view of the above, it becomes important to discuss and analyse the legal provisions governing data privacy norms in India and thereby, the maintainability of MEITY’s digital sanctions against China.

Data privacy laws in India

Presently, India does not have a dedicated data privacy legislation and the principles aimed at protecting and minimising the breach of one’s privacy through any sort of intrusion of personal data are set out under certain provisions of the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPD Rules”). The IT Act, through Chapter IX (Penalties, Compensation and Adjudication) and Chapter XI (Offences), lays down penal provisions in the form of imprisonment, fines or both for specified cyber security violations. Here, it is pertinent to note that provisions of the IT Act not only apply to any offence or contravention committed within India but also extend to those committed outside India by any person, irrespective of their nationality, if the act or conduct constituting the offence or contravention involves a computer computer system or computer network located in India.4

Further, the SPD Rules have established guidelines for the protection of not only personal information that is capable of identifying an individual, but also sensitive personal data such as a person’s financial information, medical records and history, biometric information, sexual orientation, etc. The SPD Rules create a general obligation on bodies corporate5 dealing with personal and/or sensitive personal information of data providers to establish, publish and abide by a privacy policy for handling of the same which must inter alia provide for reasonable security practices and procedures6. Further, with respect to the handling of sensitive personal data or information, the SPD Rules require bodies corporate to (i) obtain an express written consent from the data provider for data collection; (ii) use the sensitive personal data only for the purpose it has been collected for; and (iii) seek prior permission from the data provider in case of disclosure to third parties. In this regard, Section 43A of the IT Act stipulates that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Thus, on a strict reading of these provisions and having regard to the manner in which the term body corporate has been defined, it appears that the foregoing data protection obligations are only applicable to private entities and not on government entities.

However, in the current digital age where the internet is riddled with cyber terrorism and yet, due to easy access to technology, more and more individuals upload and store personal information online, the extant data privacy framework has proved to be insufficient to address the nation’s rising need for comprehensive data privacy norms. More so, the IT Act and SPD Rules fail to regulate and control the flow of data from India to any other country, or to protect data relating to specific groups such as children and victims of abuse, or provide for a central authority to govern the implementation of data privacy norms.

Furthermore, concerns regarding the absence of a robust regime for data protection have been raised time and again by Indian courts. In the year 2017, WhatsApp’s user policy was brought into question before the Delhi High Court7 alleging that account users’ information was being unauthorisedly shared with Facebook and, consequently, the court prohibited WhatsApp from sharing user information with Facebook or any of its group companies. Further, in early 2018, the shortcomings in the data privacy legal infrastructure became more palpable when the Cambridge Analytica incident came to light and Facebook admitted to sharing personal user data through a third-party application, demonstrating that the users had no control and knowledge about the processing and sharing of their personal data. More recently,8 apprehensions were raised regarding the confidentiality of sensitive personal data of COVID-19 positive patients in the State of Kerala, since the State Government had surreptitiously entered into an agreement for sharing the same with a third-party data processing agency located in America. Thus, to ensure that “there is no data epidemic after the COVID-19 epidemic”, the Kerala High Court passed a landmark interim order stipulating various checks and balances, and held that besides obtaining express consent from data providers for collection of their sensitive personal information, going forward all data must be anonymised prior to sharing such data with third parties.

In light of these concerns, a committee of experts, under the chairmanship of Mr. Justice B.N. Srikrishna, was constituted by MEITY in July, 2017 to identify key data protection issues in India and recommend methods of addressing them9. Thereafter, the Personal Data Protection Bill, 2019 (“PDP Bill”) was proposed by MEITY.

Although the PDP Bill was introduced in the Lok Sabha on December 11, 201910 by MEITY, it has yet not been passed by the Parliament due to the ongoing COVID-19 pandemic. The PDP Bill seeks to establish a Data Protection Authority to protect the personal data of individuals, in line with the EU General Data Protection Regulation (“GDPR”)11. Once effective, the reach of the PDP Bill would be more extensive than that of the IT Act since the former also proposes to bring within its purview, persons outside India who carry on any business in India, offer goods or services to individuals in India or the profiling of individuals in India. Further, unlike the IT Act, the PDP Bill mandates data protection of both electronic and manual records of individuals, and expressly holds accountable the government entities that collect and process personal data of individuals. It also grants a data principal the ‘right to be forgotten’ once the data has served the purpose for which it was collected, or is no longer required for such purpose. Moreover, the PDP Bill restricts the transfer and processing of sensitive personal data outside India and mandates that critical personal data be processed only in India.

Validity of India’s action against Banned Apps

In the landmark case of Justice K.S. Puttaswamy and Ors. vs Union of Indian and Ors.12, the Supreme Court of India (“Supreme Court”) has recognised ‘right to privacy’ as a fundamental right under Article 21 of the Constitution of India (“Constitution”) and has upheld that privacy is the constitutional core of human dignity and a central value for protecting the life and liberty of an individual. It was held that informational privacy is a facet of right to privacy and thus, being susceptible to dangers from state as well as non-state actors, such fundamental right is subject to the legitimate concerns of the state which includes protecting national security. Recognising that technological changes have given rise to data protection concerns which were not present before, it was admitted that privacy was not an absolute right, however, the restrictions imposed on the same have to be fair, just and reasonable.

It cannot be denied that India accounts for a significant percentage of the audience / users on the Banned Apps13 and, therefore, it is imperative to understand whether restriction from using and accessing the Banned Apps could be deemed as a violation of the fundamental right of freedom of speech and expression under Article 19 of the Constitution. In this regard, it is important to mention that expression through the internet has gained a phenomenal significance in contemporary times and there can be no doubt that it is a major means of information dissemination, amongst the young and old alike. The Supreme Court, in the case of Anuradha Bhasin and Ord. vs Union of India and Ors.14, has rightly said that freedom of speech and expression by means of the internet forms an integral part of exercising the said fundamental right, and therefore the restriction on such a right should be on the basis of threat to the security, integrity, sovereignty and public order of India.15 While the Supreme Court refrained from commenting on whether the right to access the internet constitutes a fundamental right in this case, it did acknowledge that in the current times, modern terrorism relies heavily on the internet. It noted that such terrorism could range from support of fallacious proxy wars by raising money or spreading propaganda and ideologies, to including threat to the invasion of privacy of a citizen. Although the notion of complete blocking/ prohibition of access to internet was rejected, merit was accredited to the fact that threats to the sovereignty and integrity of the country could call for appropriate measures to combat such issues.16 In accepting this, the Supreme Court also upheld the constitutional validity of Section 69A of the IT Act read with IT Rules 2009, that allow the Central Government to block public access to information should the circumstances so require. Thus, since the aim is not to restrict or block access to the internet as a whole, but just access to certain unscrupulous platforms/ websites, MEITY can justify its digital sanctions against China based on the rationale that the Banned Apps posed a threat to India’s security and sovereignty.

However, in the same discourse, it is also important to address if such restrictions, vis-à-vis the Banned Apps, are just and reasonable. Article 14 of the Constitution requires everyone to be treated equally before the eyes of law and that it is a guarantee against arbitrariness.17 Here, it is important to note that the fundamental right under Article 14 is available to citizens and non-citizens as well and thus, in the event of unfair discrimination, such right shall be available to non-citizens such as foreign companies having a presence in India. Therefore, a distinction between two entities has to be just, fair and reasonable in the eyes of law. MEITY’s rationale to block access the Banned Apps is based on violation of data privacy norms which in turn prejudiced the integrity and sovereignty of India. While not openly stated, the Banned Apps, in entirety, seem to have origins in China and this, coupled with the ongoing border tensions between India and China, makes it an arguably shaky ground for distinction. Moreover, there are various other internet platforms such as Facebook, Instagram, Messenger, and so on, which seem to be collecting and handling the personal data of users in a similar manner18 and are still functional in India.

Implications of the digital sanctions at the international level

India’s measure to block access to the Banned Apps may also attract repercussions at the WTO level where both India and China, being members19, are also signatories to the General Agreement on Trade in Services (“GATS”). GATS defines ‘trade of services’ as inter alia the supply of a service from the territory of one member into the territory of any other member.20 Accordingly, member nations are required to accord services/ service supplies to another member nation with at par treatment given by it to the other members (“MFN Treatment”). However, member nations could choose to adopt measures inconsistent with the MFN Treatment in the event it is necessary to maintain public order, privacy of personal data, security and safety. It is to be noted that such measures which are applied by a member nation cannot be arbitrary or an unjustifiable discrimination or a disguised restriction on a member nation.21

Ironically, it has to be noted that China, within its own territory, has banned the usage of applications such as Facebook, WhatsApp, Google, YouTube and so on, citing its reasons as threat to its internal security. Arguably, the same stance could then be made available to India at WTO subject to it justifying that the measures taken were deemed necessary to ensure its integrity and sovereignty and were enforced in a non-discriminatory manner. While it is China’s prerogative to proceed against India for the digital sanctions, India will have the obligation to prove that such actions were deemed necessary in the interest of maintaining data privacy, security and safety and were not arbitrary. It seems difficult to justify such a stance taking into account that India has allowed applications equivalent to Banned Apps, but not of Chinese origins, to remain operational in India.22

Conclusion

Currently, MEITY, through its social media platforms, has suggested a ban of 47 more applications which either have Chinese origins or have investments based out of China, claiming that these applications are operating as clones or substitutes to the Banned Apps. While the specific list of such applications has not yet been made public, applications such as PUBG have been reported to fall under it. Though it remains to be seen what would be China’s next steps, India’s need for an all-encompassing data privacy legislation, having strong deterrents against breach, stands irrefutable as it marches on to become a $1 trillion digital economy.23