India bans 59 Chinese apps under section 69A; what does the law mean, why the order lacks transparency

The government’s much-publicised ban this Monday of 59 Chinese apps is most significant (for the cyber lawyer) for the use made of Section 69A of the Information Technology Act, 2000 – first, as a tool for geopolitical strategy (widely viewed as such given the Chinese focus despite several American and other apps facing several allegations, the unusual announcement via a press release and the growing anti-Chinese sentiment in the country). While not much prevents the government from using any tool at its disposal with an underlying geopolitical motive, compliance with the law is essential, and here issues arise with the use of S.69A.

S.69A and the related procedural safeguards laid down do not deal with data privacy concerns (unless it arises specifically in relation to the content being examined). Image: Pixabay

S.69A is a content regulation tool

The second significant new use of S.69A here is its use as a tool for achieving data protection compliance. Meity’s press release banning the apps lists broad concerns including national security and sovereignty concerns, arising from data security and privacy concerns, in particular from complaints of apps ‘stealing and surreptitiously transmitting users’ data in an unauthorised manner to servers which have locations outside India.’

Illegal data harvesting is a concern for any app, Chinese or otherwise. S.69A, however, is not designed to deal with data harvesting, privacy, or even (technical) security concerns. It is essentially a content regulation tool, designed to deal with offending content via blocking access to it. The related Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 reveal as much― a request to block information, for instance, must be accompanied with ‘printed sample content of the alleged offending information’. Complaint formats therein prescribe a screenshot/printout of the offending content, and it is this sample content that must be evaluated for whether it violates security, sovereignty, and other reasons listed under S.69A. S.69A and the related procedural safeguards laid down do not deal with data privacy concerns (unless it arises specifically in relation to the content being examined).

Range of apps banned

S.69A is thus basically a law in exercise of the State’s power under Article 19(2), to restrict free speech which violates the sovereignty, integrity, etc., of the country. The press release lists several national security concerns and related complaints, but does not list if any content-related issues specifically were found with these apps. Among the few publicly known cases are the content related issues against TikTok which led to its brief ban by the Madras High Court last year.

The range of apps that have been banned, further, make it harder to assess their content specific implications. For instance, apart from social networks, games, camera apps, image editors, etc. that are banned, the press release also bans mapping applications, video calling apps, document scanners and battery savers. It is primarily data harvesting and privacy concerns with these apps that is clear.

Even looking at the ban from a geopolitcal lens, the selection of the apps appears random. For instance, it bans Chinese games Clash if Kings and Mobile Legends, but not PUBG, despite PUBG’s tremendous popularity.  Nor are the apps company-specific, for instance with Tencent―WeChat, QQ Music, QQ Mail, etc. are banned, but not Tencent Cloud, Call of Duty or again, PUBG.  The implication would be that specific complaints were made against these 59 apps specifically.

Addressing the lack of transparency

The listed reasons for the ban and the selection of apps thus make for a press release that is difficult to understand. A reading of the actual order would make it easier to understand the legality of the order, in particular regarding whether actual content-specific issues arose in relation to the apps. A separate issue with the press release that has been highlighted is that S.69A is a law designed to address specific violations by individual apps, and not general violations by a collection of apps. Together, the ban of these 59 apps thus requires a separate, evidence-based evaluation of the alleged content violations by each of the 59 apps.

Under the rules, however, the government is under no obligation to disclose the order. To the contrary, such orders are expressly protected, requiring the maintaining of confidentiality w.r.t to the requests and complaints received, and the action taken.

Assuming that the purpose of the confidentiality clause is essentially to protect the identities of the persons making the complaints, the government should consider revealing more on the reasons behind the ban in the interest of transparency. Governmental actions, are after all, subject to the rule of law, and the press release makes it prima facie unclear as to how the ban is compliant with law.

Bringing in a data protection law

Setting aside the geopolitical angle to the ban, what stands out most is the sheer inadequacy of Indian laws to address data protection concerns. Section 43A of the IT Act, India’s primary data protection law, is very limited in its redressal― it protects only a breach of sensitive personal data by a body corporate, which leads to wrongful loss on account of a lack of reasonable security practices. The government needs to bring in the Personal Data Protection Bill soon.

The author is a lawyer specialising in tech, privacy and cyber laws. Views are personal.

from Firstpost Tech Latest News https://ift.tt/3dUKDmo