Despite its comeback, the recent suspension of the Mitron Application, hailed as a Swadeshi alternative for TikTok, has brought to light the inadequacy of data protection laws in the country. This short video platform had garnered over 5 million downloads on the Google Play Store. Prior to the app’s removal, there were media reports of its weak privacy policy and the lack of software security. Moreover, the so-called “Indian” alternative was actually bought from a foreign-based coding company and no further changes were made to the app. This major security vulnerability could have left the users susceptible to hackers and various threat actors. This article analyses how the existence of this app and its removal has highlighted the need for establishing an encompassing privacy protection legislation in India. It’s an appraisal of the already existing data protection laws and the Personal Data Protection Bill 2019 with regard to the suspension of this app.
In the “Privacy Judgement” of Justice K.S. Puttaswamy & Anr. v. Union of India, the Supreme Court recognized the right to privacy as a fundamental right under Article 21 of the Constitution. Furthermore, it also recognized “informational privacy” as a facet of that right that needs to be protected.
This fundamental right is ensured by a privacy policy, which is the basis of trust for the users of any app. A privacy policy is a statement or a legal document that governs an organization’s handling of personal information. It instructs employees about the usage and collection of data or any other rights that the data subjects might have. Other nations have recognized this by providing adequate legislation to make privacy policies a legal requirement for apps. There are various federal and state laws in America that recognize provisions on data privacy, such as the California Online Privacy Protection Act, The Computer Security Act of 1997, and more. Legislation in Canada requires companies to have an app privacy policy and addresses various extra measures to protect consumer data. Similar laws also exist in the European Union and Australia. In India, the current data protection legislation reveals a lacuna that needs to be addressed by the government. The Bill introduced in the Rajya Sabha in 2019 was a step in this direction. It was India’s first law on personal data protection. This Bill seeks to repeal section 43A of the Information Technology Act, which is one of the only two sections that deal with the subject.
Once Mitron’s lack of a privacy policy made headlines, it was removed from the Google Play store. Unfortunately, no other action was taken against the individual developer for putting users’ data at risk of being misused. This is because the IT Act has a limited scope of application with regard to individual app developers. Section 43A of the IT Act deals with compensation for failure to protect data and states:
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
It can be observed that the section only mentions the term “body corporate,” which is limited to “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.” A bare reading of the section shows that individual app developers are not explicitly mentioned under this. The bill addresses the problem of holding an individual developer accountable under Section 2 of the bill which states that “if passed, the bill would apply to ‘any Indian citizen or any person or body of persons incorporated or created under Indian law.’” Making matters worse, under the current IT Act, a penalty is to be levied only if there is a wrongful loss to such a user. The Act thus fails to take any kind of pre-emptive measures.
Another shortcoming of the app was that users were denied their right to be forgotten. Once an account was made, there was no possible way to delete it from the app. The user could either log out of the app or uninstall it. The right addresses the power to have personal data erased in certain circumstances, for example, when the data subject withdraws consent. This right is recognized by various data protection laws, such as the one applicable in the European Union. Unfortunately, it is not applicable in India. There are precedents that have recognized this right with regard to the anonymity of victims in relation to sexual offenses against women. The Gujarat High Court has taken a different view: it dismissed a plea to restrain public exhibition of judgment on public resources. The bill, however, introduces an express right to be forgotten in accordance with which the data subjects may reserve their option in continuing the disclosure of their personal data.
While handling sensitive information such as access to the user’s phone camera, microphone, and location, apps need to have more transparency in their privacy policies. Further, according to security experts, if the source code was sold by the foreign-based company to another app developer, such an app developer would have been able to tap into the database of Mitron users.
The infamous Cambridge Analytica scandal serves as a reminder of how data can be misused without the permission of the users. The firm was instrumental in bringing Trump into power in the 2016 US elections. This was achieved by creating personality profiles based on the data collected without Facebook users’ consent. This data breach went undetected for three years. Another example of such a scenario is when a researcher discovered data breaches twice in Just Dial in April 2019. It was revealed that personal information of its users was easily accessible, including that of those who had only called its number once or those who had left reviews. Data breaches can only be minimized with mandatory compliance with adequate IT laws.
The developer policy center of Google Play reveals that it is mandatory for apps that handle sensitive information to have a privacy policy which discloses how the app uses, stores, and shares user data. In addition, one of the terms of its policy does not allow two apps that provide the same functionality to be in the Google Play store. However, Mitron was allowed to stay on the Play Store until criticism of the app made headlines. This emphasizes how unsuccessful Google Play has been in maintaining proper checks and balances, as was the case with the Mitron app, and shows the Play Store’s lackadaisical approach in listing its applications.
Apple, on the other hand, demands that its users have a transparent privacy policy before allowing an app to be listed in its application store. Google clearly needs to emulate such a plan and strengthen its precautionary measures. Pulling down apps subsequent to their release can still put their users at risk. The security measures of the Play Store will become a farce if apps like Mitron are allowed to flourish.
Although privacy has been recognized as a fundamental right of every person, the legal system of India has failed to provide adequate protection to its citizens. As a consequence, it has become increasingly difficult for users to know how and what information is being stored, recorded, and shared. There is a need to ensure strict compliance with data protection laws to prevent further breaches. History serves as a reminder of how data can be misused easily. What firms fail to consider is that a data breach proves costly not only for the users but also for the firm in the form of lawsuits, falling stock prices, etc. There is a need for the government to hold the firms responsible for failing to maintain the data privacy of its users and clients. Under the current IT Act, a user shall only be compensated in case of wrongful use of such data that has been stored, recorded, and shared by the company. However, as observed in the Cambridge Analytica case, it might take years to detect such use. There is a need for transparency by such companies about how the data is being processed.
The removal of the Mitron app has nudged us into recognizing the need for the PDP Bill. However, the bill needs to be equipped to deal with upcoming challenges and problems. The bill, currently undergoing changes under the committee review, must be durable enough to meet future challenges such as artificial intelligence and robotic process automation.
The bill serves as radical legislation following the landmark “Privacy Judgement.” Thus, it shoulders the responsibility of providing a holistic bill, which will be able to deal with all the emerging evolutions in the world of data protection and privacy.
Naina Bora is a third-year B.B.A. LL.B. (Hons.) student at Gujarat National Law University, Gandhinagar, India.
Devika Bansal is a third-year B.A. LL.B. (Hons.) student at Gujarat National Law University, Gandhinagar, India.
Suggested citation: Naina Bora and Devika Bansal, India’s Data Privacy Laws and the Removal of the Mitron App, JURIST – Student Commentary, July 16, 2020, https://www.jurist.org/commentary/2020/07/bora-bansal-mitron-app/.
This article was prepared for publication by Tim Zubizarreta, JURIST’s Managing Editor. Please direct any questions or comments to him at commentary@jurist.org