The Indian Government recently banned 106 mobile applications of Chinese origin. These apps include TikTok, WeChat, CamScanner and Mi Video Call Xiaomi among others (the ‘Banned Apps’). Further, another 250 applications such as PUBG Mobile are reportedly being reviewed for possible privacy and security concerns similar to the Banned Apps. The Government ordered the ban under section 69A of the Information Technology Act, 2000 (IT Act) read with the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009. These Banned Apps were reportedly taken down from Google’s Play Store and Apple’s App Store, and Indian telecom companies were directed to block internet traffic to these Banned Apps.

The basis for the ban, as stated by the Indian government in its press release, revolves primarily around concerns regarding unfettered data collection, mining and profiling which allegedly poses a threat to the sovereignty and integrity of India. In this post, we focus on changes in data protection law that can help bring about the desired outcome of restricting potential foreign governmental incursions into Indians' personal data within a regulated framework.

From the lens of data protection, the two focal points are (i) whether the personal data collected by such applications is excessive and could be used to track personal information which could pose a threat to the national security of a country, and (ii) how such personal data should be restricted from being transferred to a potentially belligerent foreign country (‘Foreign Country’) and what the scope of such restrictions could be.

While at first glance, the function of these Banned Apps seems innocuous enough to make claims of them being a threat to national security seem far-fetched, a closer look at their privacy policies and data collection practices reveals that they collect much more personal data than is strictly necessary for them to provide the functionality they advertise. TikTok, for example, states in its privacy policy that it automatically collects IP addresses, geolocation-related data, unique device identifiers, browsing and search history and cookies. It also collects the contact details saved on the user's device as well as on their social media account, along with the users' payment details. Together, such data can be easily used to identify the individual using the app along with being able to track their movements and other details of their personal lives. In fact, the collection of contact details of unsuspecting individuals from the contact book of a person who has downloaded TikTok is a blatant violation of privacy.

As pointed out in this New York Times article, such excessive data collection is not limited to the Banned Apps but permeates across the tech industry, and this should be counteracted through effective penalties for the contravention of data protection principles. However, as mentioned above, the blocking order was passed not just because the Banned Apps collect excessive personal data but, rather, due to the suspicion that these apps were profiling persons in India at the behest of Foreign Countries. Since the locations wherein such personal data is processed and stored at any given moment are not readily available, it is possible that the personal data may be processed and stored in a Foreign Country by these apps as well as other private companies.

Given the pervasive nature of data collection by the Banned Apps, their use by militarily or politically sensitive persons could become a source of worry for governments. Researchers in the US, for example, found live GPS data on the internet which revealed the location of troops on military bases and spies in safe houses through the use of geolocation features in fitness devices used by such personnel. The Government could therefore argue that it has a vested interest in ensuring the confidentiality of certain personal data belonging to militarily or politically sensitive persons. Additionally, in a situation wherein personal data is being transferred to a hostile country, the Indian Government may have a greater interest in preventing the transfer of any and all data to such a country. This is because access to personal data may make it easier for a hostile government to profile and target numerous key personnel across the ecosystem.

While India does not yet have a comprehensive data protection law which can appropriately address such violations of privacy, a draft Personal Data Protection Bill (the Bill) has been introduced in the Parliament of India and is currently being reviewed by a joint parliamentary committee. Crucially, however, the Bill does not have any provisions that address the threat of Foreign Countries gaining access to Indian personal data. Specifically, while the Bill provides restrictions regarding transfer of sensitive personal data to countries which do not offer adequate protections, there are no minimum protection standards that must be met for the transfer of personal data.

Accordingly, in our opinion, the Bill should be modified to empower the Indian Government to restrict the transfer and disclosure of personal data to countries where (a) an adequate level of protection is not provided; (b) this would compromise the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; or (c) it is necessary for the prevention of incitement to the commission of any cognizable offence relating to the matters described in (b). Additionally, such a provision should mandate the Government to provide credible evidence and adequate reasons as to why it is imperative to impose such restrictions. Further, certain procedural safeguards which are currently missing from section 69A, IT Act should be addressed by the Bill; for example, the list of such blacklisted countries should be periodically reviewed and modified to reflect changing realities. Personal data which has been historically stored or processed in a blacklisted country, by any organisation, should be erased from all servers which are located in that country. Additionally, all organisations handling the personal data of individuals present in India should be mandated to provide an undertaking to the data protection authority (to be established under the Bill) certifying that all historical personal data has been erased from servers located in a blacklisted country and that no personal data is henceforth being processed, disclosed or stored therein. Furthermore, as an added transparency measure, organisations should be required to periodically disclose to each individual the locations at which their personal data is being or has been collected, processed and stored, even if done momentarily.

Effectively, this would imply that apps and websites will not be permitted to host, process or transfer personal data belonging to persons present in India to servers located in such blacklisted countries while at the same time offering the flexibility to transfer, process and store such data in any other part of the world. Section 69A of the IT Act empowers the government to block public access to websites and apps, whereas our suggestion will enable the government to achieve its aim of preventing the transfer of personal data to a Foreign Country without depriving the public of access to platforms, products and services, thereby strengthening the fundamental right to freedom of speech and expression as well as the right to carry on any profession, occupation, trade or business. Accordingly, this would be a better alternative to imposing a blanket ban on apps and websites as they generate employment, have significant economic interests and investments in India, and most importantly, contribute to developing a marketplace of ideas by facilitating creative expression.

Gargi Rohi is a London-based technology, data protection and telecom lawyer.

Samraat Basu is a Bengaluru-based technology and data protection lawyer.