India’s Ministry of Electronics and Information and Technology has issued an interim ban affecting 59 Chinese Apps including well known products such as WeChat, TikTok and CamScanner. The ban has been introduced to protect the sovereignty of Indian cyberspace and safeguard the interests of Indian citizens. We discuss the ban and its basis.

The ban

The interim order was issued by India’s Ministry of Electronics and Information and Technology (“MeIT”) on 29 June 2020 and was announced by the Government through a press release. It has been imposed on a wide category of Apps including WeChat, TikTok, Shareit, UC Browser, Club Factory, Shein and CamScanner. While the Government press release does not expressly mention China, all the Apps listed appear to be wholly owned by Chinese companies.

To implement the ban, the Department of Telecommunications has issued directions to internet service providers and telecom companies requiring them to block access to these Apps immediately.

The order coincides with a rise in border tensions between India and China, and India’s Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad, has called the ban a “digital strike” against China. In April this year, the Indian Government also imposed a condition that investments into Indian companies from countries which share a “land border with India” are made with only with Government approval. This directive was also primarily targeted at investments from China and to prevent opportunistic takeovers in the context of COVID. Please see here for a detailed article analysing this law.

Press reports, however, suggest wider concerns at MeIT about the level of access Chinese firms have to Indian users’ data through the Apps, which have become very popular in India over the past few years. These concerns have been heightened by provisions of the National Intelligence Law of the People’s Republic of China which became effective in 2017, pursuant to which the Chinese government could require Chinese companies to collaborate with intelligence services and law enforcement and provide data available to them.

Regulatory basis

The ban has been issued under Section 69A of the Information Technology Act, 2000 and the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009. These allow the Government to ban public access to any information generated, transmitted, received or stored through any computer resource where it is “satisfied” that it is “necessary or expedient” to do so in the interest of, inter alia, the sovereignty and integrity of India, defence of India and or security of India.

MeIT’s order is not publicly available but the accompanying press release states the order was issued to ensure “safety and sovereignty of Indian cyberspace” and to “safeguard the interest of crores of Indian mobile and interest users”. It identifies the following specific reasons for the ban:

• these Apps are engaged in activities which are prejudicial to the sovereignty, integrity, defence, security and public order of India;
• there have been complaints from various sources about these Apps “stealing and surreptitiously transmitting users’ data in an unauthorised manner to servers which have locations outside India”;
• the compiling of the data of individuals followed by mining and profiling by elements hostile to the national security and defence of India impinges upon the sovereignty and integrity of India and “is a matter of deep and immediate concern which requires emergency measures”;
• the Indian Cyber Crime Coordination Centre, Ministry of Home Affairs has sent an exhaustive recommendation for blocking “these malicious apps” and the Computer Emergency Response Team (CERT-IN) has also received representations from citizens regarding security of data and the breach of privacy impacting public order; and
• there are raging concerns on aspects relating to data security and safeguarding the privacy of Indian citizens which pose a threat to the sovereignty and security of the country.

Given the functionality of most of these Apps, it is not obvious how they can be said to be engaged in activities which are prejudicial to the sovereignty, integrity, defence, security and public order of India.

While the overarching concern identified by the Government is the breach of confidentiality and privacy of users, which is viewed as impinging on the sovereignty and integrity of India, India does not have a comprehensive law on data protection law and instead has only a series of sectoral laws (see summary here).

For example, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 apply narrowly and are inadequate to address the complex data protection related issues that Apps such as these have thrown up. There is therefore a gap in the law when it comes to the collection and processing of data by these Apps and it is not clear which specific Indian privacy laws these Apps have failed to comply with.

Even assuming there was a breach of privacy laws, the key question is the point at which that breach can be construed as engaging in activities which are prejudicial to the sovereignty, integrity and security of India in order to justify such an action. The issue will be observed closely by others in the Indian market because of the potential wider impact on business and especially the matters and evidence that the Government has relied on to issue this order.

The Government has also expressed concerns about users’ data being stored on servers outside India. However, other than in respect of certain types of information and businesses (e.g. payment service providers in respect of payments data and telecom companies with respect to user data), there is no general obligation on businesses operating in India to maintain data only in India. The Personal Data Protection Bill, 2019 only proposes that critical personal data (which will be notified by the Government) should be stored in India. It will be interesting to understand the specific allegations in respect of storing data outside India and the categories of data in respect of which the concern has been raised. Storing data outside India is quite common and the Government’s decision could impact other businesses.

What’s Next?

The ban has been issued on an interim basis and a final order would have to be issued under the IT Act and the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules, 2009. In accordance with the requirements of the above laws, the Government has also set up an inter-ministerial committee to inquire into the data-sharing practices of Chinese companies and the hearings are expected to begin soon.

Press reports suggest that, in accordance with legal requirements, the firms behind the banned Apps will have the opportunity to present their case to the committee, including with respect to compliance with privacy and security laws. TikTok has formally denied media reports that it will launch a legal challenge and instead has said it will cooperate with the Government’s inquiry. There are no indications of any other App proposing to challenge the order either.

China has strongly condemned the ban on the grounds that it selectively and discriminatorily targets certain Chinese apps on ambiguous and far-fetched grounds. It alleges the order runs against fair and transparent procedure requirements, abuses national security exceptions and is a potential violation of WTO rules. In contrast, the United States supports India’s move with the US Secretary of State stating that India’s “clean app approach” will boost India’s sovereignty, integrity and national security.  At the time of publishing this report, there has been no specific retaliation from China but time will tell if there will be a further heightening of tension in Indian or Chinese cyberspace.

Update (September 2020): The Indian Government has extended the ban to 118 more apps. A list of those apps is available here.

By Deepa Christopher, Partner at Talwar Thakore & Associates

Linklaters has a best-friends relationship with Talwar Thakore & Associates (TT&A), a leading Indian law firm.