• The Law Gazette

Ban on Chinese Apps: Privacy Concerns & Legal Validity

Smartphone has become one of the basic necessities along with cloth, shelter and food. With the wave of digitization, the usage of mobile phones has increased in every sector of economy. Payments, bookings, shopping, academic excellence and even suit proceeding are made effective, by sitting in one place. But, loopholes are associated with every good system. On average there are a minimum of 30 applications installed on a mobile phone. Every time an app is installed, it asks for access to a person’s data including contacts, gallery, camera, navigation etc. Recently, due to tension along the Indo-China border, Indian government banned 59 apps of Chinese origin, owing to breach of privacy and issue of National security. Further, it would be elaborated about confidentiality of personal information shared with apps and law associated with it. In addition to it, specific emphasis would be put on necessity and move of central government banning the apps.


Whenever an app is installed through Play Store or Apple Store, subconsciously we click on term ‘I Agree/Accept’. This term is associated with the legal agreement between the mobile application and the user. It consist of the terms and condition, that user have to be agreed upon to enjoy the service. All the terms and condition specified therein is rarely read by us. This causes trepidation regarding personal data security.


By accepting the terms and conditions, we agree to share our contact details, bank card details, message details, access to gallery, location, address and even individual taste. The most scrolled object would appear again and again on the screen of the user, reflecting access to browsing history. More dreaded picture occurs when, digital frauds come off the veil. For example. the Paytm fraud case is skyrocketing and details are still vague.


PRIVACY NORMS FOR APPS

Every application has to fulfill certain requirements so that app application does not get rejected. These requirements are different for iOS, MacOS and Android. The common requirement among both is of data privacy. In iOS and macOS, from October 3, 2018, a new guideline has been issued. The app store connect requires adoption to the privacy policy for all the new apps and updates for the old apps before they can be presented for the distribution on app store [i].


The privacy guideline is specified in Article 5.1.1 of the Apple app store review guideline. It states that:

A) Identify the data that app collects and how and where that data is used

B) If an app shares the data with third party, then it had to ensure compliance with the apps privacy guideline and protect the personal data.

C) Explain its data deletion policy and procedure by which the consent of user can be revoked.


Following are the basic requirement that every app’s privacy policy should have:

i) Description about app owner.

ii) The data that has been collected and mode by which that data is collected.

iii) The legal basis for collection of data.

iv) The purpose for which data is collected.

v) Which third party will have information about personal data?

vi) The right of the users

vii) Notification regarding change in the privacy policy, if any.


For android app, Google play has made certain norms by which users will have access to privacy-related provisions. Google mentions in Developer Policy Centre’s User Data Guideline that user’s data usage must be transparent. It includes use of data, sharing of data and disclosing the collection. If app handles the sensitive data of individuals, then certain additional norms have to be followed. The policy also makes it mandatory to comply with the Google Play’s minimum privacy requirement and additional requirements if required by the applicable statute[ii]. The basic element for app’s privacy policy for android is same as that of iOS. The non-compliance to privacy norms may lead to the huge and hefty amount of fine and leave open to litigation.


INDIAN LEGISLATURE: INFORMATION TECHNOLOGY ACT, 2000

India is not associated as a convention party to any protocol in respect to data protection directives. Also, there is no special legislation in India for data protection. Although Information Technology Act, 2000 is amended in order to secure the personal information. There is addition of section 43-A & section 72-A, which provide damages on disclosure of personal data. There is Information Technology (Reasonable Security Practices and Procedure and Sensitive Personal Data or Information), issued by central government of India under 43-A of IT act. These rules provide the business and commercial entities to meet basic elements of privacy policy and prevent disclosure of sensitive information which are in consonance with General Data Protection Regulation and Data Protection Directives.


The personal data is also protected by precedent set up court under common law principle, principle of natural justice and principle of justice, equity and good conscience. The Privacy Judgment was deciphered, in landmark case of Justice Puttaswamy and Anr. v Union of India and ors.[iii]. In the case, SC asserted that informational privacy is the part of right of privacy under Article 21 of the constitution of India. The information about the person and right to access the information also needed to be protected under the right to privacy. Every person has right to restrict the use of his personal information and disseminate it. It was the first time that SC has recognized the right in respect to personal data.


To ensure that this right is available against private entities, government of India has constituted a committee to draft the statue in respect of same. Committee has framed ‘Personal Data Protection Bill 2019’. It will be recognized as India’s first statue on personal data. The PDP bill proposes that personal data must have complied with seven principles:

I. the processing of personal data should be fair and reasonable.

II. It should be for a special purpose

III. The necessary personal data should be only collected.

IV. Lawful

V. Adequate notice of data processing should be given to individual

VI. The personal data processed should be complete and not misleading

VII. The data can be stored so long as it is necessary.


BANNING OF 59 CHINESE APPS: LEGAL ASPECT

Government of India on 29th June 2020, banned functioning of 59 China-based mobile applications. The action was intake due to rising border tension among India and China.


Under what provision the action was taken?

The Ministry of electronics and Information & Technology invoked its power under section 69A of IT Act 2000 r/w IT Rules 2009. Section 69A[iv] of act states that:


1) Where the Central Government or any of its officer specially authorised by it in this behalf is satisfied that it is necessary or expedient so to do, in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-section (2) for reasons to be recorded in writing, by order, direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource.


(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out, shall be such as may be prescribed.


(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.


Constitutional Validity of 69A:

Supreme Court of India in the case of Shreya Singhal v Union of India[v] has upheld the constitutional validity of section 69A of IT Act, 2000. Section 69A permits the government to block application or any content for accessibility of public in lieu of happening of certain conditions. SC ruled that the proper procedure must be followed if such conditions are met. The originator of content must be given opportunity of representation. It also involves multiple level of decision making and review. All the safeguards must be followed.


Reasoning:

Ministry contended that these China-based apps were transmitting the personal information of users, thus causing threat to national security. The transmissions was unauthorized and were recorded by ministry outside Indian territory.


Due to Indo- China war type situation, the emergent threats are high. Therefore, the action undertaken by government was to restrict the flow of personal information. This action would prevent mala-fide use of data of users in India and preserve country’s sovereignty and national security. This action is interim in nature. The apps are removed from Apple and Android store. It is soon going to end on stores of Internet Service Providers, as per the notification of government.


The firms behind these were given 48 hours to provide clarification concerning data sharing norms under Chinese law. The Chinese law requires every firm to share its data with the country’s intelligence agency irrespective of the country in which they are functioning. Following the rules of natural justice i.e. fair opportunity of being heard, there is formation of Joint secretary Panel. The panel consist of officials from ministry of law, telecom, IT and Home Affairs. This panel will hear the clarifications from the representative of company. The panel is honoured with all power to ask for documents and issue show-cause notice. The final decision to permanently ban the apps or not is of the secretary level panel.


So, on the grounds of national security and sovereignty of India, action taken by government is sound as well as lawful. In my opinion, compilation of data and its categorisation by firms, in a way that is harmful to nation’s security, defence and impede upon sovereignty and integrity of country, is matter of immediate concern and thus urgent measures undertaken is need of hour. The privacy of 130 crore Indians is at stake, in some aspect or other.


IS THERE ANY EMERGENCY SITUATION IN COUNTRY?

China continuously resisted the efforts to clarify the Line of Actual Control (LAC). The armies of both the countries are locked in standoff at multiple hotspots in eastern Ladakh for the last seven weeks. The tension gain acceleration when 20 Indian soldiers were killed in the Galwan Valley on June 15th. Since 2013, China has adopted aggressive foreign policy against India. There have also been five major altercations among countries on the issue of LAC. Although New Delhi and Beijing has entered into several agreements in order to maintain peace along the border. But resistance from China to clarify, made it impossible to permanently settle the dispute.


Recently India has emerged has new digital market with huge technological advancement undertaken in country. With increase in digital environment there is rapid concern of security of data of 130 crore Indians. It also posses threat to country’s sovereignty and security. According to cyber intelligence firm Cyfirma, India is made central target for cyber attack by hacking groups that belong to Gothic Panda and Stone Panda, which have direct link with Chinese Government (People’s Liberation Army). A recent chatter was found on dark web forum by the Indian Cyber Intelligence.


The dark web forum are part of the internet server but are not indexed by search engine. Various Indian firms, media house, telecom agency, pharma and government agency, found their names listed on this forum. Some of them were, MRF Tyre, BSNL, Jio, Cipla, Republic TV etc. These two hackers have black history of conducting various cyber attacks. The attacks are basically made on government agency and competitive companies. Gothic Panda is also recognized for its major cyber crime in USA and Hong Kong. With increase in digitalization, cyber attacks are used as common tool to fight against competition, instead of engaging in physical war. Recently, Australia was also targeted by the same hackers group as a mode of retaliation against the Australian Government who decided to investigate the origin of Covid-19.


CONCLUSION

On receiving various credible reports and recommendation that such apps cause security issue and threat to sovereignty, Government of India decided to discontinue the service of those 59 China based apps. This decision is taken to ensure the safety, security and sovereignty of Indian cyberspace.


This situation seriously reflects danger to country’s economic, political and social environment. Currently, India is in middle of border war with china, bio weapon war initiated through corona virus and economy being in critical condition. All these factors lead to emergent situation in county. Thus, action taken by government to prevent the transmission of data is appropriate. There were various reports submitted by citizens, Indian Cyber Crime Coordination Centre and Ministry of Home Affairs have submitted many representation regarding security of personal information and breach of privacy to Ministry of Information & Technology.


ENDNOTES

[i] Privacy Policy for iOS and macOS Apps, URL: https://www.iubenda.com/en/help/401-privacy-policy-for-ios-and-macos-apps, accessed on 2nd July, 2020

[ii] Privacy Policy for Android Apps, URL: https://www.iubenda.com/en/help/11552-privacy-policy-for-android-apps, accessed on 2nd July, 2020

[iii] Justice Puttaswamy (Retd.) and Anr. v Union of India and Ors., available at (https://www.supremecourtofindia.nic.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf

[iv] Information Technology Act, 2000, URL: https://indiankanoon.org/doc/10190353/, accessed on 3rd July, 2020

[v] WRIT PETITION (CRIMINAL) NO.167 OF 2012


ABOUT THE AUTHOR

This blog has been authored by Ayushi Goyal who is a 3rd Year B.A., LL.B. (Hons.) student at Rajiv Gandhi National University of Law, Patiala.


[PUBLICATION NO. TLG_BLOG_20_2304]

​​​​© 2020 | The Law Gazette | All Rights Reserved | Terms & Conditions

  • LinkedIn
  • Instagram
  • whatsapp
  • YouTube
  • Facebook