The Indian government’s ban on 59 Chinese apps under Section 69A of IT Act has called into question the larger issues around data privacy
The government said the move protects the digital data of Indian users from the Chinese government and addresses data localisation concerns
But despite similar well-publicised privacy concerns in the past such as the Facebook-Cambridge Analytica, such bans have never been used in India
The Indian government’s list of 59 Chinese apps to be banned in India, includes a cherry-picking of some of the most popular Chinese apps including TikTok, UC browser, ShareIT, CamScanner and Shein. The decision is said to be driven by the multiple concerns around user data storage policies of these apps.
However, these are not the only apps to have stirred data localisation concerns in the country. The most recent case being US-based video calling app Zoom, which has faced massive criticism around the world for a range of privacy issues, including sharing user data with Facebook, and false claims of having end-to-end encryption.
Recognising the severity of concerns and Zoom’s growing popularity among Indian users, the Supreme Court has also sent a notice to the central government last month, seeking its opinion on banning Zoom. However, the video conferencing platform did not feature on the recent list of banned applications. Similarly, WhatsApp’s Pegasus scandal, Facebook’s Cambridge Analytica row, which impacted over 5.7 Lakh Indian users and Amazon’s Echo eavesdropping on user conversations are all well-known cases of data privacy breaches that have impacted Indians in the past. Yet these platforms continue to operate in the country without adequate scrutiny.
As an independent researcher Srinivas Kodali noted in a recent tweet, “Still waiting for that summons to Mark Zuckerberg and a parliamentary committee report on Cambridge Analytica, Aadhaar data leaks.”
In addition to this, many other Chinese apps with similar data security concerns continue to operate in India. This includes Mafiacity, Turbo VPN, Last Empire, ZakZak pro, UpLive, Togetu, Guns of Glory, and Bytedance-owned Resso, among others.
App Bans Over Diplomacy
Such selective banning of applications raises the question of whether it is actually a move to protect Indian users’ data privacy or a purely geopolitical move. According to technology lawyer and founder of SFLC (Software Freedom Law Center), Mishi Choudhary, this move underscores the fact that the cyber world and the internet are part of the geopolitics and not some distant matter left to the techies.
“We must have a robust cyber peace or war policy that addresses our national security concerns and presents a well thought through rights-respecting policy in sharp contrast to an authoritarian regime like China,” she added. The ban was announced under Section 69A of the IT Act which empowers the government to block any content in the interest of the country’s defence. So clearly, it’s all about defence.
Adding to this, Gurshabad Grover of the Centre for Internet and Society said that the rule 16 of these regulations place a confidentiality obligation on intermediaries (online services) that receive such orders, which makes it difficult to challenge such orders. However, the companies can still challenge the order for being arbitrary. “If lots of apps have been found to creating privacy concerns by surreptitiously passing data, these (Chinese) companies may contest the decision for being arbitrary,” he added.
Grover also noted that orders like these do not replace the need for personal data protection policy in India. There is a need for a data protection framework applicable to all organisations, no matter what their country of origin. “If the WeTransfer instance is any indication, this is opening up a pattern where the government blocks certain apps that it is suspicious of, rather than having a robust legal framework and regulator deal with such issues,” he added.
Data Protection Bill In India
On numerous occasions, Prime Minister Narendra Modi has called data the ‘new oil’ or ‘new gold’ and it looks like that India doesn’t want to give away its new gold. The government has also been working on a draft data protection policy since 2018, which is currently under discussion in a joint parliamentary committee.
The latest version of the bill draft that was circulated among the parliamentary members in Dec 2019, noted that companies will be allowed to transfer and process user data — including sensitive personal data — outside India after taking explicit consent from the user.
However, the bill maintained its stance on data localisation and noted that the sensitive personal data needs to be stored within India as well. Sensitive personal data definition includes financial data, health data, biometric data, sexual orientation, transgender status, genetic data, caste or tribe, religious or political belief, and more.
The only restriction on the processing of data outside India has been applied to critical personal data, a data categorisation that will be defined by the central government. At the moment, there is no definition of what constitutes critical data.