On 29th June 2020, the Ministry of Information Technology (“MEITY”) issued a press release through the Press Information Bureau, stating that it has block access to 59 apps/websites. However, the order imposing the ‘ban’ is not publicly available as on 15th July 2020. As we await the order, this article raises a few questions based on the information publicly available as on date. This article looks to analyse this ‘ban’ on a purely legal basis, keeping aside the very real and imminent geopolitical threats faced by our country, as well as the sentiments these threats harbour.
On a reading of the press release banning the 59 apps and the public statement by TikTok available here, the order blocking access to these apps is purportedly an interim order under Rule 9 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009 (“Blocking Rules”) read with Sec. 69A of the Information Technology Act, 2000 (“IT Act”). Rule 9 provides that in situations of an “emergency nature, for which no delay is acceptable”, information available on or through computer resources can be blocked by the Secretary, Department of Information Technology directly as an interim measure. We’ve analysed the relevant procedural safeguards in the Blocking Rules a little later, but first let’s look at the section itself.
Sec. 69A(1) of the IT Act permits the Central Government to direct any agency of the Government or an “intermediary” to block access to “any information generated, transmitted, received, stored or hosted on any computer resource”, in situations where it is “necessary or expedient so to do, in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above”.
WHAT’S BEING BANNED/BLOCKED?
Sec. 69A is meant to block access to information that is “generated, transmitted, received, stored or hosted” in a computer resource. “Information” is a defined in Sec. 2(1)(v) the IT Act. “Computer resource”, as defined in Sec. 2(1)(k) of the IT Act, includes websites and apps within its scope. What these definitions appear to indicate is that this ban has blocked access to the computer resources (i.e. the apps/websites) altogether, instead of blocking information available by means of these computer resources. At the very least, given how scarce the jurisprudence on Sec. 69A is, the scope of these definitions in context of Sec. 69A is definitely something that requires judicial scrutiny.
WHY THE BANNING/BLOCKING?
This ban seems to be more on account of alleged privacy issues as opposed to the grounds set out in Sec. 69A(1). The press release simply mentions these privacy concerns in the same sentence as the grounds mentioned in Sec. 69A(1) without providing any specifics or explanations. Let’s have a look at the relevant portion of the press release is reproduced below –
“At the same time, there have been raging concerns on aspects relating to data security and safeguarding the privacy of 130 crore Indians. It has been noted recently that such concerns also pose a threat to sovereignty and security of our country. The Ministry of Information Technology has received many complaints from various sources including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India. The compilation of these data, its mining and profiling by elements hostile to national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India, is a matter of very deep and immediate concern which requires emergency measures.
The Indian Cyber Crime Coordination Centre, Ministry of Home Affairs has also sent an exhaustive recommendation for blocking these malicious apps. This Ministry has also received many representations raising concerns from citizens regarding security of data and risk to privacy relating to operation of certain apps. The Computer Emergency Response Team (CERT-IN) has also received many representations from citizens regarding security of data and breach of privacy impacting upon public order issues. Likewise, there have been similar bipartisan concerns, flagged by various public representatives, both outside and inside the Parliament of India. There has been a strong chorus in the public space to take strict action against Apps that harm India’s sovereignty as well as the privacy of our citizens.”
On the basis of these and upon receiving of recent credible inputs that such Apps pose threat to sovereignty and integrity of India, the Government of India has decided to disallow the usage of certain Apps, used in both mobile and non-mobile Internet enabled devices…”
I’m mindful that this is merely a press release and probably mustn’t be analysed excessively. However, the unavailability of the actual order leaves one with few options. I’m hoping that the order blocking these apps/websites (once published) will provide clarity with regard to the causal link between the privacy issues and how they meet the parameters for invoking these powers, which are exhaustively set out in Sec. 69A(1).
ARE SECTION 69A AND THE BLOCKING RULES THE RIGHT WAY TO GO?
Without undermining the gravity of the threats allegedly posed by these apps/websites, in my view the purpose of Sec. 69A is to block public access i.e. internet users from accessing information that is made available i.e. “generated, transmitted, received, stored or hosted” by a computer resource, for the sake of the ‘interests’ the prescribed in Sec. 69A(1). But the press release suggests that the grievance with these 59 apps/websites is that they are mining /collecting/ processing the information of users in an unauthorised and illegal manner. Thus, the question that I wish to raise here is this – is the collection of such data/information truly the mischief that Sec. 69A(1) empowers the State to deal with? In my reading, Sec. 69A(1) appears to focus more on dissemination of information rather than its unauthorised/illegal collection. While I don’t condone any illegal or unauthorised information collection/mining/processing, this question appears to be one worth considering.
THE INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR BLOCKING OF ACCESS OF INFORMATION BY PUBLIC) RULES, 2009 (“BLOCKING RULES”)
Sec. 69A(2) states that the blocking of information under Sec. 69A(1) shall be subject to the procedure and safeguards that may be prescribed. This led to the imposition of the Blocking Rules by the Central Government in 2009. The Blocking Rules are thus the prescribed procedural safeguards that must be observed by the Central Govt. before imposing such blocking measures, since these measures naturally restrict fundamental rights. Under these Rules, any ‘organisation’ [Rule 2(g)] (which includes ministries or departments of the Central Govt., State Governments etc.) may ‘request’ [Rule 2(h)] the Central Govt. to block access to information on certain computer resources. Such blocking is carried out subject to the prescribed procedure. This procedure includes issuing prior notice and providing hearings to the “person or intermediary who has hosted the information” (under Rule 8), as well as obtaining the recommendations of an examination committee established under Rule 7. This recommendation and the underlying ‘request’ will then be considered by the Secretary in the Department of Information Technology under the Ministry of Communications and Information Technology, who has the final say regarding whether a blocking order is necessary. Under Rule 14, a separate Review Committee must meet at least once every 2 months to record its findings in regard to all the orders passed under the Blocking Rules and they have the power to set aside the orders/directions.
Rule 9 empowers the Secretary, Department of Information Technology to pass interim directions without providing any prior hearings. In situations of an “emergency nature, for which no delay is acceptable”, information on computer resources can be blocked by the Secretary directly (circumventing the default procedure set out above), as an interim measure. Rule 9(2) requires the Secretary to record the reasons warranting such an interim order. Rule 9(3) requires that the underlying ‘request’ shall be placed before an examination committee for their recommendation within 48 hours of the interim directions being passed, who will then carry out the notice-and-hearing requirements under Rule 8. Based on the recommendations of the examination committee, the Secretary shall pass a final order. To put it simply, in emergency situations, Rule 9 permits the State to pass interim directions first and hear the concerned intermediaries and persons later. Thus, the procedural requirements I’m more concerned with are the ones linked to Rule 9. The aforementioned public statement issued by TikTok states that the companies have been invited to meet with concerned government stakeholders for an opportunity to respond and submit clarifications. Whether this process complies with the requirements laid out in the Blocking Rules is yet to be seen – to that end, this news article suggests that so far, this process has involved the companies being asked to answer a questionnaire.
Non-availability of orders
As stated earlier, the actual interim order that imposes this ban remains unavailable. In this regard, it would be untoward to conclude without analysing Rule 16 of the Blocking Rules and its implementation. Rule 16 requires that “strict confidentiality shall be maintained regarding all the requests and complaints received and actions taken thereof“.
In the Shreya Singhal judgment [AIR 2015 SC 1523], the Hon’ble Supreme Court analysed the Sec. 69A and the Blocking Rules and stated that “reasons have to be recorded in writing in such blocking order so that they may be assailed in a writ petition under Article 226 of the Constitution.” In Anuradha Bhasin vs. UoI [2020 SCC OnLine SC 25], they took it a step further by stating that “an order, particularly one that affects lives, liberty and property of people, must be made available“. This judgment reiterated the cardinal principle that any Executive action imposing ‘reasonable restrictions’ upon fundamental rights must always be subject to judicial review, for which publication of the orders becomes imperative. Thus, to lend some sanctity to the Executive action necessitated by threats that these apps/websites pose, I believe that order banning/blocking them must be published.
However, RTI applications (as available here and here,) reveal that MEITY has on several occasions, rejected requests asking for copies of the blocking orders and the related records citing Rule 16 or confidentiality provisions of the RTI Act, 2005 – even to the very ‘originator’ of the blocked information! In my view such a stance is squarely in the teeth of the aforementioned findings in the Shreya Singhal judgment, which came in response to a challenge to Rule 16 specifically – at the very least, this is unsustainable qua the originators and the intermediaries concerned, be it for this particular ‘ban’ or otherwise. Even though the judgment does not explicitly say that Rule 16 can’t be cited against the originators or intermediaries of the offending information (or discuss Rule 16 in much detail), I believe that any meaningful interpretation thereof necessarily implies that Rule 16 or even the provisions of the RTI Act, cannot be used to deny the concerned originators and intermediaries from obtaining the blocking orders.
Now comes the issue of the publication of the order under 69A i.e. making the order publicly available to parties aside from the originator and intermediary hosting the blocked information. It’s quite evident that the fundamental rights under Art. 19(1)(a) (which includes the right to information) and Art. 19(1)(g) of many stand curbed by the ban/blocking order. If one were to look at the findings in the Anuradha Bhasin and Shreya Singhal judgments together, it is arguable that the blocking order should be published as well, to enable the erstwhile users of these 59 apps/websites to have the restriction of their fundamental rights judicially reviewed. This question points to a possible gap in the Blocking Rules that may need to be plugged. At the very least, a clarification from the judiciary regarding the true meaning and proper implementation of Rule 16 is warranted, given the manner in which the powers under Sec. 69A are being used. One hopes that the order will be published soon – it would be a good start for the State in its endeavours to demonstrates that it’s restricting our fundamental rights in a lawful manner.
To conclude, I hope that the State, as it goes about protecting our interests and ensuring our safety, does so in consonance with applicable law, in order to allay any criticism towards its actions and to lend credibility to it.