Tech

Does the Data Protection Bill Solve the Dilemma Posed by Dominance of ‘Foreign' Apps?

While localisation provisions help bring the data of Indian users under the aegis of Indian laws, the exemption clauses still bring up a host of privacy concerns.

An oft-invoked adage of the digital age is that if something is free, you are the product. 

Global technology giants like Facebook and Google have been under public scrutiny for a few years now for their privacy protections and advertising policies, but are by no means the only purveyors of free online services that engage in these practices.

The Chinese government, for instance, has reportedly leveraged free-to-use apps like WeChat for intelligence gathering and has instituted cybersecurity and data laws that facilitate surveillance.

India’s Personal Data Protection Bill, a revised draft of which was circulated on December 11, presents a deeply flawed alternative, leaving Indian users in the lurch.

Chinese apps are dominating the app economy in India. In 2017, only 18 of the top 100 apps listed on Google Play were Chinese. By 2018, this number had grown to 44. Most of these apps are free: from usual suspects such as Tik Tok, to games like PUBG and Clash of Kings, as well as e-commerce platforms like Club Factory.

App Parent Company  Category Number of Downloads (as on December 5, 2019)
Tik Tok (+TikTok Lite) ByteDance Short videos 13.6 million (+245,874)
PUBG Mobile Tencent Game 22.9 million
Club Factory Club Factory E-commerce 1.3 million 
Clash of Clans Supercell/

Tencent (majority stake)

Game 50.6 million
Likee YY Inc Short video 4.1 million
SHAREit SHAREit Technologies Co.Ltd File sharing 12.7 million
Camera360 PinGuo Inc Photo editing 4.9 million
Helo Bytedance Social 1.1 million
UC Browser Alibaba Group Browser 20.6 million
Xender Beijing Anqi Zhilian Technology Co. Ltd. File sharing 2.2 million
BeautyPlus Meitu Inc. Photo editing 4.2 million
Hago Alibaba Games 3.8 million
WeChat Tencent Messaging 5.7 million
CamScanner INTSIG Information Co. Ltd Scanner 2.2 million
Turbo VPN Innovative Connecting VPN 3.3 million

Table 1: Abridged List of Popular Chinese Apps in India with 1 million+ Downloads

India is thus a major market for Chinese apps and allied services. In addition to marketing apps, Chinese tech companies have invested heavily in Indian technology startups as well: in 2018 alone, Chinese VCs invested $5.6 billion in Indian startups.

Chinese apps have come under the Indian government’s radar a number of times, most notably in the wake of the Doklam incident in 2017 and the 2019 General Elections. In December 2017, the Indian Ministry of Defence directed the armed forces to uninstall 42 Chinese apps that “reliable reports” stated are likely riddled with spyware and/or malware. In April 2019, Bytedance came under fire for hosting falsified information and their inaction on the rampant use of their platforms by child predators. 

From Beijing, with love 

While Chinese social media and video sharing apps have been repeatedly criticised for their lax moderation and resultant misuse, the broader Chinese app ecosystem suffers from a host of accountability and privacy issues. 

In November 2019, there were two major, unprecedented leaks from Beijing detailing the internment and “re-education” of Uyghurs. The documents show that the CCP allegedly used two popular apps – Zapya and WeChat (Weixin in China) – to identify and target Uyghurs. 

Chinese unicorn Megvii made headlines earlier the same year when the US Commerce Department blacklisted the company alleging that their facial recognition technology Face++ was being used by the Chinese government to persecute Uyghurs. Face++ customers include popular photo editing apps like Camera 360 and Meitu’s Beauty Plus.

Also read: Interview | Dilution of Privacy Bill Makes Govt Surveillance a Cakewalk: Justice Srikrishna

Chinese technology giants also score poorly on corporate accountability and transparency. While Tencent (the company behind WeChat) and Baidu have made some improvements on these parameters in response to the Personal Information Security Specification  (2018), the 

‘Specification’ itself gives the Chinese government considerable leeway through exemptions under the categories of “national security and national defense” as well as “public safety, public health, and significant public interests”. Weixin and Zapya both include provisos on these grounds that facilitate disclosure of personal information to government agencies.  

Personal data: Unpeeling the onion

China’s Specification, in conjunction with Multi-Level Protection Scheme (MLPS 2.0), mirrors India’s Personal Data Protection (PDP) Bill in many ways. Both identify obligations of data fiduciaries/personal information controllers; they also both call for the creation of data auditing bodies and restrict certain cross-border data flows. 

What do these guidelines and regulations mean for the plethora of Chinese apps in the Indian market? The newest draft of the PDP Bill has relaxed data localisation requirements [Chapter VII) vis-a-vis previous drafts: “sensitive” personal data must be stored in India, but can be transferred after obtaining user consent; “critical” personal data needs to be processed – but not stored – in India.

Chinese tech giants, such as Alibaba and Tencent, have already opened data centres in India, with other players like Bytedance announcing plans to do the same as well.

Localisation provisions under Chapter VII therefore help bring the data of Indian users under the aegis of Indian laws. However, this is where Indian law has substantial ground to cover. 

While the PDP Bill is robust in terms of the obligations of privately-owned data fiduciaries and has even incorporated the concept of the right to be forgotten, it has been widely criticised for the creation of broad exemptions based on national security and law enforcement, granting government agencies virtual immunity to this legislation. 

In sum, all personal and critical data can be accessed by government agencies under a wide gamut of reasons, including the omnipresent yet vague categories “sovereignty and integrity of India, the security of the State, friendly relations with foreign States, and public order”.

Indian users are thus caught between a rock and a hard place: wherever their data goes, it is afforded little protection from an overbearing state.

In search of alternatives

China’s domination of India’s app economy rides on the aversion of users to pay for online services. This problem is by no means unique to India: surveys in the aftermath of the Cambridge Analytica scandal found that a majority of users would continue to use these apps for free, rather than pay a modest fee. 

Furthermore, the privacy paradox points to the skewed perception of the actual tradeoff between convenience and privacy: users seem to place very little value in the protection of their data.

It is therefore crucial that users be aware of exactly where their data is going, and consider whether the allure of a “free” service is worth the long-term costs of the erosion of privacy and eventual loss of autonomy.

Trisha Ray is a Junior Fellow, Technology and Media Initiative, Observer Research Foundation.