Facebook’s parent has threatened to call it quits in India as it fears the data privacy law could force it to modify or cease existing business practices.
On 2 February, Meta Platform expressed concerns in a filing to the US Securities and Exchange Commission (SEC) that India’s data privacy bill “requiring local storage and processing of data … could increase cost and complexity of delivering our services”.
Deeksha Manchanda, a New Delhi-based partner at Chandhiok & Mahajan, said data localisation might be a sore point of contention. “It is bound to raise costs and does not seem to be directly linked to data protection,” she said.
Although the joint parliamentary committee made 92 recommendations when submitting its report last December on the Personal Data Protection Bill, 2019, the two key contentious issues significantly expected to impact businesses – data localisation and restrictions on cross-border transfer – have not been omitted in the latest draft.
This draft allows for conditional cross-border transfer of sensitive personal data, but denies “critical personal data”, which has yet to be defined, to be transferred overseas with very limited exceptions.
The additional requirements on cross-border data transfer are another cause of worry, said Manchanda. The bill says that cross-border data transfer would not be permitted if it is against public policy, but she pointed out that public policy has a very wide subjective connotation and can vary.
Jyotsna Jayaram, a Bengaluru-based partner in the telecoms, media and technology (TMT) practice at Trilegal, told India Business Law Journal that while the bill explained what would be considered against public policy, the explanation was very broad and subjective. “The additional requirement of all cross-border transfer mechanisms being subject to consultation with the central government is likely to further impact the ability to freely transfer data across borders, and introduce additional steps in the process,” said Jayaram.
In its SEC filing, Meta Platform said: “If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services, or our ability to target ads.”
Google’s parent, Alphabet, has reportedly expressed similar concerns, without citing any specific country, in its regulatory filings.
Many organisations including the US-India Business Council and various Indian businesses have highlighted that parts of India’s data privacy bill are not “business friendly”. While many may engage with the government to express concerns and see if some changes for the better can take place, Jayaram does not see the bill undergoing “significant modifications at this stage”.
Discussed at length
The original 2019 draft had been through extensive public consultation, with several members of the industry and legal fraternity deposing before the committee, she said. “Most of the key provisions that seemed to impact businesses significantly, including data localisation and restrictions on cross-border transfer, have already been discussed at length.”
Banks and financial institutions operating in India have had to abide by the Reserve Bank of India’s (RBI) data localisation laws, and action has already been taken by the central bank against MasterCard and American Express, Manchanda pointed out.
Jayaram said there could be some changes in the practical implementation of some of these requirements, based on stakeholder feedback. She said the extent of compliance, as well as specific exceptions that may be introduced, would be subject to codes of practice and regulations issued by the Data Protection Authority, which is required to consult with stakeholders on various aspects.
The draft bill invites greater scrutiny of social media platforms, especially for shared content. But both Manchanda and Bagmisikha Puhan, a New Delhi-based associate partner at TMT Law Practice, said it was unclear why this should be within the ambit of a data protection act.
While the premise may be that social media platforms have been processing a lot of personal data, and have become all-pervasive, Puhan said it was not very clear how and why this category of entities was being brought under the bill’s auspice.
She said she feared that the deliberate addition of a definition for “social media platforms” could have more severe implications than may meet the eye. Citing an amendment to the IT Intermediary Rules, 2021, which scoped every aspect of the digital ecosystem, Puhan did not rule out a similar approach being adopted under the data privacy law “to bring in stricter compliance requirements” for certain of these platforms.
Manchanda said there was equally a lack of clarity on the obligations of these social media intermediaries, which primarily enabled commercial or business-oriented transactions such as search engines and e-mail service providers.
Fear of fines and disruption
Jayaram said social media platforms had always been within the scope of the proposed legislation. The bill has specifically listed social media platforms within the classification of “significant social media intermediaries”, subject to them crossing the user threshold and being determined as a platform that is likely to have an impact on sovereignty, security and public order.
This likely explains why Facebook fears that it could face fines, orders restricting or blocking its services, or other government-imposed remedies as a result of content hosted on its platform.
In the face of these challenges, the US social media giant cannot afford to be lackadaisical. India is among the top three countries where it experienced growth in 2021, in terms of daily and monthly active users. Facebook witnessed a 4% increase in India in the number of active users on 31 December 2021 compared to 31 December 2020.
The Briefing is written by Freny Patel