DATA PROTECTION 2020

CASE STUDY OF DATA PROTECTION TIKTOK AND PUBG AND

NATIONAL SECURITY AND DATA PROTECTION
IMPLICATIONS

Law & Information Technology

Assignment

Submitted by
Name: Yasir Ahmad
Student ID: 20166136

B.A. LL.B. (IX Semester) (Self-

Finance) Faculty of Law,
Jamia Millia Islamia

Submitted to: Dr. Ghulam Yazdani, Associate Professor (Faculty

of Law, Jamia Millia Islamia, New Delhi)

(Date of Submission: 04.11.2020)

LAW & INFORMATION TECHNOLOGY Page 1

 DATA PROTECTION 2020

TABLE OF CONTENTS
ABSTRACT .............................................................................................................. 3
KEYWORDS ............................................................................................................ 3
INTRODUCTION..................................................................................................... 4
BAN ON PUBG AND TIK TOK .............................................................................. 6
MERITS OF THIS BAN ........................................................................................... 6
ASSOCIATED ISSUES ............................................................................................ 6
WAY FORWARD: STRENGTHENING DATA SECURITY ARCHITECTURE ..... 7
REASONS BEHIND BANNING OF THE CHINESE APPS IN INDIA ................... 9
AFFECT ON THE CHINESE APP PROVIDERS ....................................................10
IMPACT ON INDIAN USERS ................................................................................11
DATA PROTECTION IMPLICATIONS .................................................................14
INDIA’S DRAFT DATA PROTECTION LAW.......................................................15
CONCLUSION ........................................................................................................17
BIBLIOGRAPHY: ...................................................................................................18

LAW & INFORMATION TECHNOLOGY Page 2

 DATA PROTECTION 2020

ABSTRACT
This assignments deal with the data protection laws in India with respect to the recent
ban on various Chinese apps for data theft. Also it deals with the data protection
implications and the stand of Government of India with respect to the Indian user’s
privacy. In the modern times data has become new gold, where every economy is
running to collect the maximum data possible to boost their economy by decoding the
behavior of people of various regions of the world. Such acts why various
governments through mobile applications and games take place and to track down the
defaulter there need to be strict laws and advance technology. The Government of
India sees it as a matter of priority and national security. Indian law has long
acknowledged a constitutional right to privacy within its grand promise of a right to
life and personal liberty and the right to freedom of speech and expression. The
Supreme Court has crafted a positive obligation on the government to enact
legislation that adequately protects the right to privacy. Various High Courts are
dealing with data protection issues (export of data, transfer of data between group
companies, and adequacy of consent) from a post-Puttaswamy perspective. While a
clear judicial trend cannot be identified, it is evident that data collection and
processing efforts in India must evaluate and anticipate the impact of Puttaswamy on
Indian data laws. While the EU has recognized a right to the protection of personal
data for a while now (under the Treaty on the Functioning of the European Union),
India still does not have a cross-sectoral law on data protection. The Information
Technology Act of 2000 primarily governs issues such as cyber crime and the liability
of internet intermediaries, such as social media platforms, though it does possess
some requirements regarding the protection of personal data.

Keywords

1. Data protection

2. Privacy
3. Chinese
4. Information-technology
5. General Data Protection Regulation

LAW & INFORMATION TECHNOLOGY Page 3

 DATA PROTECTION 2020

INTRODUCTION

Indian law has long acknowledged a constitutional right to privacy within its grand
promise of a right to life and personal liberty and the right to freedom of speech and
expression. The nature and extent of this right has been historically the subject of
extensive judicial debate. In August 2017, in Justice K S Puttaswamy and Anr. v.
Union of India and Ors. [Writ Petition (Civil) No. 494 of 2012], ('Puttaswamy') a
nine-judge bench of the Supreme Court of India ('the Supreme Court') unanimously
held that the right to privacy was an intrinsic element of the promise of the right to
life and personal liberty protected under Article 21 of the Constitution of India ('the
Constitution'), and that it included, at its core, a negative obligation to not violate the
right to privacy and a positive right to take all actions necessary to protect the right to
privacy. Puttaswamy changed the contours of Indian privacy law, the interpretation of
the existing privacy rules, and raised the spectre of a robust common law tort of
violation of privacy, independent of statutory rules. The Supreme Court went on to
clarify that any law that encroached upon the right to privacy would be subject to
constitutional scrutiny, and would have to meet the three-fold requirement for:

 legality;
 necessity; and
 proportionality.

Furthermore, the Supreme Court has crafted a positive obligation on the government
to enact legislation that adequately protects the right to privacy. Various High Courts
are dealing with data protection issues (export of data, transfer of data between group
companies, and adequacy of consent) from a post-Puttaswamy perspective. While a
clear judicial trend cannot be identified, it is evident that data collection and
processing efforts in India must evaluate and anticipate the impact of Puttaswamy on
Indian data law

In 2011, the Government of India issued the Information Technology (Reasonable

Security Practices and Procedures and Sensitive Personal Data or Information) Rules,
2011 ('SPDI Rules'). The SPDI Rules require companies to have a privacy policy,

LAW & INFORMATION TECHNOLOGY Page 4

 DATA PROTECTION 2020
obtain consent when collecting or transferring sensitive personal data or information,
and inform the data subject of recipients of such collected data.

The Information Technology Act, 2000 ('IT Act') mandates that bodies corporate,
such as companies, firms, sole proprietorships, and other associations of individuals
engaged in commercial or professional activities, that handle sensitive personal data
or information, are liable to pay damages for any loss caused by their negligence in
implementing and maintaining reasonable security practices and procedures. While
the IT Act is silent on what constitutes 'reasonable security practices and procedures,'
the SPDI Rules offer examples of these standards without providing a clear-cut
definition. The IT Act also prescribes criminal penalties, that include both,
imprisonment of up to three years and a fine for persons, including intermediaries,
who disclose personal information without the consent of the person to whom the data
relates, in breach of a relevant contract, or to cause wrongful loss or gain.

LAW & INFORMATION TECHNOLOGY Page 5

 DATA PROTECTION 2020
BAN ON PUBG AND TIK TOK

Recently, the Indian government announced it would block 59 widely used

apps (such as Tik Tok, ShareIt, Cam scanner etc.), most linked to Chinese companies.
The Ministry of Electronics and Information Technology (MeitY),
invoked Information Technology (IT) Act, 2000 to cite the concerns regarding both
data security and national sovereignty associated with these apps.

Though the government has proposed this ban from the perspective of data security
and privacy, the action seems to form a part of the retaliatory strategy against Chinese
incursions in Ladakh.

Given that India’s digital economy is one of the largest markets in the world, such a
ban will certainly have an impact on the valuations of Chinese companies. However,
such a move is likely to have an impact on the India-China border dispute.

Merits of this Ban

 No Longer Reliance on Passive Diplomacy: The decision to ban these

apps, which comes amid continuing tensions between India and China, is the
clear message from India that it will no longer be a victim of China’s Nibble
and Negotiate policy and will review the norms of engagement.

 Hurting Chinese Ambition: The ban may affect one of China’s most
ambitious goals, namely to become the digital superpower of the 21st century.

 Recognising Importance of Data: India’s app ban, and consideration of

related restrictions on telecom hardware and mobile handsets, is based on the
recognition that data streams and digital technology are a new currency of global
power.

Associated Issues
 Data Privacy Issue Not Limited to Chinese Apps: MeitY banned apps on
reports of stealing and transmitting users data in an unauthorised manner to
servers which have locations outside India.

LAW & INFORMATION TECHNOLOGY Page 6

 DATA PROTECTION 2020
o However, data privacy and data security concerns are not limited
only to Chinese apps.

 Damage Done Already: The apps that were banned were very popular in
India and the move to block them comes after these apps had already amassed
hundreds of millions of users in India.

 India’s Economic Dependencies on China: The ban on Chinese mobile

apps is a relatively soft target, as India remains reliant on Chinese products in
several critical and strategically sensitive sectors.

o From semiconductors and active pharmaceutical ingredients to the

telecom sector, Chinese vendors are involved not only in India’s 4G
network but in on-going 5G trials as well.

o Also, Chinese finance is presently essential to sustaining India’s

start-up economy. As many Indian Unicorns such as Paytm, Zomato,
Byju’s are having Chinese shareholders.

Way Forward: Strengthening Data Security Architecture

 Weeding Out Obsolete Legislations: India’s digital applications are

governed by obsolete laws, which is unsuitable in the context of today’s digital
scenario.

o Information Technology Act, 2000 (20-year-old law) was designed

for the business process outsourcing ecosystem, not for modern digital
applications or platforms.

o Similarly, the Copyright Act, which provides incentives and

protections for most of the content that sits at the heart of the digital
economy, was last amended in 2012.

o Thus, there is a strong case to revise the key legislations and

syncing them to change the digital environment.

LAW & INFORMATION TECHNOLOGY Page 7

 DATA PROTECTION 2020
 Need For A Data Protection Law: Data privacy and security remains to be
major challenges emanating from the ongoing digital revolution. Thus, a data
protection law is long overdue.

o In this context, the Indian parliament must expedite the enacting of

the Personal Data Protection (PDP) Bill, 2019.

 Need For Developing Alternatives: The ban initiated by the Indian

government for securing citizen’s data is nothing new.

o Similar moves have been taken by China, as mobile apps like

Whatsapp, Facebook have been banned in China for years. However, the
Chinese government was quick to provide the local alternative to its
billions of users.

o Even today, these equivalent Chinese services like WeChat, Weibo

pose a decent competition to established global digital players.

o Thus, the recent ban is a good opportunity for Indian entrepreneurs

to quickly rise to fill market gaps.

World today recognises that the next source of economic growth lies in the digital
economy and given its raw material being data, thereby whoever decides standards
and builds the electronic backbone will have enormous advantages over everyone
else.

Thus, India must speed up indigenisation, research and development and frame-up a
regulatory architecture to claim data sovereignty.

India and China were maintaining good relationships with each other in several ways
economically, politically, culturally etc. Both are members of several international
cooperation bodies like the United Nation system organizations, BRICS etc. Chinese
troops attacked Galwan Valley at Ladakh and in this face off 20 Indian army
personnel's were killed. Also, several news came regarding compromise with privacy
of data of the Indian users who were using Chinese applications.

LAW & INFORMATION TECHNOLOGY Page 8

 DATA PROTECTION 2020
So in light of these burning issues and the losses that Indian citizens suffered,
government of India after thinking pros and cons and all the aspects legally,
financially and economically banned 59 Chinese apps to safeguard the, sovereignty
and integrity of India invoking powers under 69A of the Information Technology act
read with relevant provisions of the Information Technology Procedure and
Safeguards for blocking of access of information by Public Rules, 2009).

Why these apps are banned, what was the need and what are its effects, all are
discussed below:

Reasons behind banning of the Chinese apps in India

China violated the peace treaty between the countries. Galwan Valley clash and
killing of 20 Indian army personnel on the border area and then the news of threat to
the privacy of data of Indian users added fuel to the situation and worsened the ties
between the two countries.

The PIB notification characterises these apps as ‘malicious', citing several complaints
against these Apps for reportedly enabling unauthorised transmission of user data to
servers situated outside India.

The reasons stated in the notification are that these apps are engaged in activities
which are prejudicial to user privacy and the sovereignty of India. Addressing the Jan
Samvad series of virtual rally, Union Minister for Communication and IT Ravi
Shankar Prasad called banning of chinese apps as Digital Strike.

The government said these apps are banned under section 69A of the IT Amendment
Act,2008 because they are engaged in activities which are prejudicial to sovereignty
and integrity of India, defence of India, security of state and public order. As this
amendment in act gives the Central government the power to block public access to
any information online- Whether on websites or mobile apps.

LAW & INFORMATION TECHNOLOGY Page 9

 DATA PROTECTION 2020
India banned dozens of Chinese apps in the wake of deadly clashes at the border
stand-off. The list of banned apps include Tik Tok, Shareit, Cam scanner, Helo etc.

Affect on the Chinese App providers and China's Response on that

The Chinese government is accusing Indian Governments' step of banning Chinese

apps in India as a discriminatory measure and termed the act in violation of WTO
Rules. Ji Rong, the spokesperson of the chinese embassy in India, has already called
this move, Discriminatory and says it abuses National security exceptions of the WTO
Rules. Surprisingly, they have also banned foreign sites such as facebook, youtube,
twitter and whatsapp.They justify it by framing the ideas of internet governance as a
sovereignty issue. Arguably, India could also argue that its move is a retaliatory move
against Chinese filtering.

Several app companies who were making humongous profits from the Indian Users
have suffered a high loss. ByteDanceLimited is a Chinese multinational internet
technology company headquartered in Beijing. It is a developer of several apps
including news recommendation engine Toutia, the video sharing social networking
service, Vigo, Helo, Tik Tok which was known as Musically earlier. This is the worst
hit company after the ban.

The potential loss of advertising revenue impacts app-makers. Tik Tok's parent Byte
Dance Ltd.

recorded a doubling global revenue to $17 billion in 2019, over the previous year,
with $3 billion in profit. It's India business may have yielded only $5.8 million in
revenue for the year ended in March 2019, but with quicker user adoption more
recently, the stakes seem to be getting higher. When Tik Tok was banned briefly in
India last year on the grounds that it reportedly promoted pornography, the company
had told a local court that it was losing roughly $15 million a month due to the ban,
according to a Reuters report. The app had subsequently been permitted to operate.

LAW & INFORMATION TECHNOLOGY Page 10

 DATA PROTECTION 2020

Impact on Indian Users

Generally these restrictions are imposed by the Central government by an interim

order through a ‘geo-block', i.e, a technological measure which restricts access to
content based on the user's IP address. Though those people who are already having
these apps in their mobile phone could access it but cannot use its latest features and
the new users cannot download it as it is temporarily suspended from the Google play
store and Apple store.

As Chinese apps were very popular among Indian users due to its easy accessibility
and the way it has helped the people in different ways in their work was appreciable.
UC Browser, Cam Scanner were very popular apps and its download rate and review
on google play store shows how users were contended from them.

Then comes Tik Tok, a short video maker which has made a very large user base in
the country due to its easily accessible and attractive features which helped the people
living in different parts of the country whether in big cities or small villages to show
their talent and become famous by shooting small videos.

But then one cannot ignore the repercussion of these apps as its usage was addictive
in nature and has made people fall for it without thinking about its consequences and
then its ban by the Government of India had almost hit the mental health of those
people.
As of June 2019, it was estimated that there were 120 million monthly Tik Tok users
in India.

How this move of the government proved to be an opportunity for the Indian app
developers?
Google temporarily blocks access to banned apps in India. This blocking and banning
of Chinese apps has created an immense opportunity for the Indian app developers as
it has opened a wide way for them.

LAW & INFORMATION TECHNOLOGY Page 11

 DATA PROTECTION 2020
Substitutes of certain popular Chinese apps's Indian Version is certainly gaining
popularity in the Indian Subcontinent like Chingari is an app developed in India is a
substitute of Tik Tok and has seen an amazing rise in its download after the ban of
Tik Tok as the users of the latter app badly wanted substitute of that and in its absence
they certainly get attracted towards it.

Its download increased from 1 million to 100 million within a week, showing a
positive sign for the Indian economy and a motivation for Indian app developers and
companies. Similarly, other chinese apps have got their substitute like Jio Meet app is
the substitute of zoom meeting app which became very popular in the recent days due
to lockdown in wake of pandemic. Zoom app was widely used for online classes by
schools, colleges and was also used for webinars at large scale so its user base has
shifted to the India based Jio Meet app.

Zoho doc scanner which offers users the option to import all files on mass from Cam
Scanner has replaced the Cam scanner app. It is not clear yet how say a pdf, or
portable document format, created by a user via cam scanner a couple of years ago
and backed up in google drive could be transferred to another app such as Adobe Scan
or MS Office Lens, unless individually downloaded or re-uploaded.

In this way the Indian companies will be benefited at large. And above all the central
government's Aatmanirbhar Bharat app challenge is a humongous opportunity for the
people involved in the software development and IT sector and also for the students of
the different age groups has got an opening to showcase their skills through this
central government's initiative.
The move of the government has brought hope in the hearts of the citizens that the
government will not sit quietly if the other country does not respect India and will
give a befitting reply to it in need and the present step of banning the apps is the proof
of it. It is a kind of revenge taken by the government of India from Chinese
government for mishandling the Indian user's data and their unnecessary steps taken
on the border area to raise disputes.

LAW & INFORMATION TECHNOLOGY Page 12

 DATA PROTECTION 2020

This step of Indian government is supported by the other countries like France and the
USA. Though this move is widely appreciated on the world level but it is not free
from cons as China will not sit quietly on this but overall if we focus on this it has
more positive sides than the negative side like, this move gave Indians a chance to
shine and show their talent in app development and help the country to bring up the
economy which has slowed down due to pandemic and encourages the Aatmanirbhar
Bharat initiative of the central government whose motive is to motivate the Indians to
work on their skill and not to depend on anyone for any kind of support.
So from all these initiatives we can hope for the better future of our country, a country
which will be free from foreign interventions in the economic spheres and will
become more a self reliant country.

LAW & INFORMATION TECHNOLOGY Page 13

 DATA PROTECTION 2020

DATA PROTECTION IMPLICATIONS

The European Union’s (EU’s) General Data Protection Regulation (GDPR) took
effect in May 2018, harmonizing data protection and privacy requirements across the
EU. Many other countries have either implemented data protection requirements or
are in the process of considering them. In the United States, for example, Senator
Elizabeth Warren has proposed a bill to expand criminal liability for the executives of
companies that suffer data breaches.
India, too, is taking steps to enact a data protection framework modeled along the
lines of the GDPR. In July 2017, the government of India appointed a Committee of
Experts on a Data Protection Framework for India, or Data Protection Committee
(DPC), under the chairmanship of Justice B.N. Srikrishna, to study issues related to
data protection in India. Though the committee submitted its report—and proposed a
comprehensive law on data protection—on July 27, 2018, it failed to weigh the
economic costs and benefits of implementing a GDPR-style law in India.
Emerging economies—like India—that are considering such proposals need to
carefully evaluate the direct and indirect costs of such laws vis-à-vis the benefits from
a data protection framework. A survey of the existing literature that estimates these
costs and benefits highlights the need for further research on data protection laws.

The proposed law, called the Personal Data Protection Bill (hereafter, the bill),
incorporates many elements of the EU’s GDPR. These include requirements for
notice and prior consent for the use of individual data, limitations on the purposes for
which data can be processed by companies, and restrictions to ensure that only data
necessary for providing a service to the individual in question is collected. In addition,
it includes data localization requirements and the appointment of data protection
officers within firms. If enacted, the bill will provide a comprehensive, cross-sectoral
privacy and data protection framework for India.
Existing literature on the GDPR suggests significant economic consequences for the
EU, with a potential to impact small and medium-sized enterprises (SMEs), labor
markets, cross-border trade, and overall economic growth. A detailed analysis of the
literature assessing the impact of the GDPR highlights both the potential negative
consequences of a GDPR-like data protection law for India and the necessity of
undertaking similar studies in India prior to the bill’s implementation. As a legislative

LAW & INFORMATION TECHNOLOGY Page 14

 DATA PROTECTION 2020
proposal that will have a significant impact on critical sectors of India’s economy, it is
vital that the DPC’s proposed bill be carefully and critically evaluated.

INDIA’S DRAFT DATA PROTECTION LAW

While the EU has recognized a right to the protection of personal data for a while now
(under the Treaty on the Functioning of the European Union), India still does not have
a cross-sectoral law on data protection. The Information Technology Act of 2000
primarily governs issues such as cyber crime and the liability of internet
intermediaries, such as social media platforms, though it does possess some
requirements regarding the protection of personal data. For example, section 43A of
the act provides compensation for damages caused by a failure to maintain reasonable
security practices to protect sensitive personal data. Data protection and
confidentiality requirements, however, are regulated only by a patchwork of sector-
specific regulatory requirements.
In August 2017, the Indian Supreme Court declared the right to privacy to be a part of
the fundamental right to life under Article 21 of the Indian Constitution. It held
informational privacy to be a subset of this right to privacy, and noted that privacy
includes the right to protect individual identity. This essentially implied that the
patchwork approach to privacy embodied in existing laws was insufficient, and that a
more comprehensive approach to informational privacy would be required. The
judgment noted that the Indian government had already constituted the DPC and, in
effect, gave its own sanction to the committee’s workings. However, though the DPC
evaluated different legal frameworks for protecting privacy in different countries, it
chose to propose a bill modeled largely after the GDPR.
These similarities extend to several concepts and legal requirements, including:

 Data processing (the collection and analysis of personal data)

and data principals (persons or entities that provide data that is then
used by firms for data processing).
 Notice and consent requirements for the processing of personal
data.

LAW & INFORMATION TECHNOLOGY Page 15

 DATA PROTECTION 2020
 Limitations on the processing of personal data, including
minimization requirements—only collecting data that is necessary to
provide the services the data processor has agreed to provide to the
user.
 Compliance requirements for data processors, such as
incorporating privacy by design, and the appointment of data
protection officers to conduct periodic data protection impact
assessments and data audits.
 Providing positive rights to users, such as the right to data
portability (to migrate data from one service provider to another) and
the right to be forgotten.
 The requirement of data localization—critical personal data is to
be stored on servers within India, and there are constraints on the
transfer of other personal data outside India.
 Regulation and supervision by a proposed Data Protection
Authority.
 Penalties, including the prohibition of processing, and financial
consequences for noncompliance.
The bill does, however, differ from the GDPR in some respects—the most significant
being the provision of criminal penalties for harms arising from violations of the
bill, and the proposal to treat the relationship between a data processor and its
consumer as a “fiduciary” relationship.
Nevertheless, these provisions in the bill would increase data protection obligations
significantly. The bill would enforce economy-wide changes to the data collection,
storage, and management practices of Indian businesses, as well as foreign firms that
provide services within India. While the EU had a preexisting privacy framework (the
1995 Data Protection Directive), the bill would be a novel data protection framework
for India. The cost of compliance and data protection obligations would, therefore, be
much higher for India. In addition, no systematic economic analysis of the proposed
bill has been conducted yet to provide an accurate analysis of its overall impact within
India.

LAW & INFORMATION TECHNOLOGY Page 16

 DATA PROTECTION 2020

CONCLUSION
Privacy is a basic human right and computer systems contain large amounts of data
that may be sensitive. Chapters IX and XI of the Information Technology Act define
liabilities for violation of data confidentiality and privacy related to unauthorized
access to computer, computer system, computer network or resources, unauthorized
alteration, deletion, addition, modification, destruction, duplication or transmission of
data, computer database, etc. The data protection may include financial details, health
information, business proposals, intellectual property and sensitive data. However,
today one can access any information related to anyone from anywhere at any time
but this poses a new threat to private and confidential information. Globalization has
given acceptance to technology in the whole world. As per growing requirement
different countries have introduced different legal framework like DPA (Data
Protection Act) 1998 UK, ECPA (Electronic Communications Privacy Act of 1986)
USA etc. from time to time. In the USA some special privacy laws exist for protecting
student education records, children’s online privacy, individual’s medical records and
private financial information. In both countries self-regulatory efforts are facilitating
to define improved privacy surroundings. The right to privacy is recognized in the
Constitution but its growth and development is entirely left to the mercy of the
judiciary. In today’s connected world it is very difficult to prevent information to
escape into the pubic domain if someone is determined to put it out without using
extremely repressive methods. Data protection and privacy has been dealt within the
Information Technology (Amendment) Act, 2008 but not in an exhaustive manner.
The IT Act needs to establish setting of specific standards relating to the methods and
purpose of assimilation of right to privacy and personal data. To conclude it would
suffice by saying that the IT Act is facing the problem of protection of data and a
separate legislation is much needed for data protection striking an effective balance
between personal liberties and privacy.

LAW & INFORMATION TECHNOLOGY Page 17

 DATA PROTECTION 2020

BIBLIOGRAPHY:

 Information Technology Act, 2000 and Information Technology (Reasonable

Security Practices and Procedures and Sensitive Personal Data or Information)
Rules, 2011
 White Paper on Data Protection Framework for India

 Regulation of the European Parliament and the Council (EU) 2016/679 of 27

April 2016 on the protection of individuals

 Treaty on the Functioning of the European Union, official journal of 2012

 Public consultation on White Paper – Data Protection Framework for India

LAW & INFORMATION TECHNOLOGY Page 18