Tiktok, Getty images
by Parth Tyagi and Aman Kumar Yadav 11 July 2020
On June 29th, the Ministry of Electronics & Information Technology (‘MeiTY’) through a press release, imposed a ban on 59 Chinese apps by invoking its powers under Section 69A of the Information Technology Act, 2000(‘the Act’) read with Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009(‘the Rules’). Though the ban was imposed with the ulterior motive to curb data delocalization, the method in which it was achieved raises serious concerns.
Lack of Procedural formality with the Ban
Power to issue directions for blocking for public access of any information under section 69A of the Act can be exercised where the central government or its authorized officers consider it “necessary or expedient”…“in the interest of sovereignty and integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognisable offence relating to above”.
The blocking of such information can take place in two ways: a normal course (Rule 6 of ‘the Rules’) and in cases of emergency (Rule 9 of ‘the Rules’) and going by the language of the press release which mentions ‘the emergent nature of threats’, ‘a matter of very deep and immediate concern which requires emergency measures’, it seems that the government has resorted to the latter course.
Due to the lack of transparency and vagueness of the press release, it is still unclear as to the procedural compliances of the said rule.
Rule 9 of ‘the Rules’ provides that in state of an emergency where “no delay is acceptable”, the Designated Officer may directly refer the request to the Secretary, Department of Information Technology who, upon her satisfaction of the justifiability of the request, may issue interim directions to block access without providing a hearing. Within 48 hours of such a direction, the request has to be placed before the Committee (referred in rule 7 of ‘the Rules’) for its determination.
Given that the government has utilized the rule 9 route, it appears that this press release is only an interim measure and the ratification from the committee is still awaited. The press release does mention serious concerns raised by various sources but it is still not clear if the designated officer made the requests.
Through a plain reading of the relevant section and the rule, it can be seen that the provision does not extend to directions for blocking smartphone applications but individual pieces of information and content. Also, the apex court in its lengthy discussion in the Shreya Singhal case didn’t make any such mention of blocking mobile applications.
Considering the individualized nature of section 69A, the blanket ban imposed on these apps raises several questions. What remains to be seen is how the MeitY justifies the use of this section when it sends a well-reasoned blocking order to each app as per the requirements under the law.
The ban and WTO regulations
In a hypothetical case at World Trade Organization (‘WTO’), China will most likely contend that countries at WTO, have stressed the importance of the General Agreement on Trade in Services (‘GATS’) supporting mobile applications for a better trade in services. However, China might have a difficult time establishing its case, if India proves the need for the ban. Especially when in the past the appellate body at WTO has held that internet-based services of other countries may be banned, on clear state interests, if the state imposing the ban establishes the need for it.
The case at WTO might be no cakewalk for India as well. India will make its case under Article XIVbis of GATS, which states that the security of the state is an exception for compliance with the provisions of GATS. Going by the past decision of WTO in the case United States — Continued Dumping and Subsidy Offset Act of 2000, even while invoking the security exception, a state must comply with the good faith principle and give a chance to the other side to present its case before taking any actions, something which was lacking on India’s side. Additionally, India will have to prove the high threshold required for invoking the exception, by demonstrating how the data which it seeks to protect, qualifies as its ‘essential security interest’, at the same time justifying why the apps from other countries, which store data in a similar manner do not possess a similar threat.
Future of Data Localization in India
India as of now doesn’t have an effective law that prevents mobile applications from sending data to servers outside India. The only rule that’s similar to data localization norm is the RBI notification of April 6, 2018, which is limited to payment systems data.
An effective way to ensure data localization is contained in Draft National e-commerce Policy concerning the ‘Digital Economy’ which seeks to regulate the ‘e-commerce’ sector in India. It proposes localization of several categories of data generated by users in India from sources such as e-commerce platforms, social media, search engines, etc., and all community data collected by Internet of Things devices in public spaces are to be stored exclusively in India and sharing of such data within the country is proposed to be regulated.
Lastly, data localization requirements under the Personal Data Protection Bill, 2019 (‘the Bill’), are only on sensitive and critical personal data (stored in India with conditions for transfer overseas). Section 33(2) of the Bill mandates that the Critical Personal Data(‘CPD’) may only be processed in India and Sensitive Personal Data (‘SPD’) may be transferred outside India based on explicit consent and under certain conditions provided in Section 34. The term CPD is not explicitly defined and shall mean any such personal data as may be notified by the central government. Moreover, the transfer of CPD outside India may only be allowed for health or other emergency services or where the central government approves transfers to a country, entity, or international organization.