One of the objectives in regulating the mobile app ecosystem is for the regulators to have a check on the Google and Apple app stores. These stores are “Intermediaries” through which apps get downloaded and hence are liable under ITA 2000/8 for due diligence and for ensuring reasonable security against malicious apps.
At present, Google/Apple check the technical compatibility of the apps submitted for approval and apply US privacy laws to the extent they can verify them. This legal compliance is not based on Indian law and cannot be expected to be perfect. As a result, the permissions granted to apps can be misused. Continuous oversight may be difficult for these tech companies.
To strengthen the mobile app ecosystem, a secondary filter of “compliance to Indian laws” is necessary for the apps available on these stores. This could be expected of Google/Apple as an intermediary's due-diligence responsibility under ITA 2000, but it is unlikely that these organizations could fulfil this responsibility satisfactorily.
It is therefore suggested that the Government of India encourage indigenous organizations to audit mobile apps and provide an assurance of compliance with Indian laws. Such organizations can be independent of the regulator so that the regulator is not directly involved in the assurance. However, the regulator (the Data Protection Board) may set broad criteria for the registration of such organizations (similar to consent manager registration) and accredit them. They can be subject to peer monitoring, where apps assured by one organization can be re-assessed by other organizations and a “Peer Evaluation” published.
Adoption of this system by app developers can be voluntary, leaving it to users to bring consumer pressure on app developers to obtain this assurance. If more Indian app developers adopt this approach of getting “Certified” as compliant with Indian cyber law (the DIA and the DPDP Act), they will carve out a special niche in the mobile app world, which will add value to the app.
Since these apps are also certified by Google and Apple, the technical compatibility requirements would be taken care of by Google/Apple, and only legal compliance is addressed by this second layer of assurance for the app.
To accommodate this scheme, it is recommended that the DIA introduce a category of service providers designated as “Application Certifiers”, which would be another category of intermediaries, and work out a regulatory advisory for their operations.