After suggesting in its annual report that it might have to pull Instagram and Facebook from Europe due to stringent data regulations, Meta on Monday said that it had no plans to do so.
Europe is preventing companies from sending data generated there to servers based in the United States. Meta, which makes around 98 percent of its revenue from advertising, says this will limit its ability to target ads.
India will likely pass its own data protection bill in Parliament this year, and some think there are lessons to be learnt from the tiff between Meta and European data regulators.
Meta Vs EU: What's Going on?
In 2016, the European Union (EU) and the US had agreed to a transfer framework for data transferred from the EU to the US, called the Privacy Shield.
This was invalidated in July 2020 by the Court of Justice of the European Union (CJEU), which said that the Privacy Shield provided US authorities the right to collect personal data about EU residents without adequate safeguards and effective means of redressal.
The judgment, called Schrems II, affects every American company, including Google, Microsoft, and Amazon, whose cloud services have become a crucial part of modern internet usage.
"If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads," Meta said.
The company is hopeful for a new transatlantic data transfer framework. But if that doesn't materialise, it will "likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe."
India's Proposed Data Protection Laws
The Personal Data Protection Bill, 2019, was referred to a Joint Parliamentary Committee (JPC) which submitted its report in December 2021 with a new draft bill to Parliament.
Here are the points of note:
The new bill allows for conditional cross-border transfer of ‘sensitive personal data’, while ‘critical personal data’ (yet to be defined) cannot leave the country except in very limited circumstances.
The JPC recommended that the central government formulate a comprehensive data localisation policy and ensure that a mirror copy of the sensitive and critical personal data stored abroad is brought back to India.
It also asked the government to play a consultative role with the proposed Data Protection Authority (DPA) in approving the cross-border transfer of sensitive personal data through a contract or an intra-group scheme.
The JPC recommended stringent measures for limiting data collection for people below 18. Companies might be barred from profiling, tracking, behaviourally monitoring children and their data.
According to the committee, social media platforms should be accountable for the content they host from unverified accounts.
It has also recommended that non-personal data be within the scope of the new bill. However, there are a lot of unanswered questions here, since such a move is unprecedented.
India's Takeaways
The new data protection bill and the JPC recommendations could pose significant challenges to foreign companies and Indian startups alike, similar to the troubles that Meta currently faces.
Kazim Rizvi, director of The Dialogue, thinks the committee suggestions about the central government's involvement are "barriers for entering bilateral or multilateral arrangements for cross-border data flow" and will "hamper ease of doing business."
He quoted a study that showed that strict cross-border data flow restrictions may limit the ability of Indian startups to access cost-effective technology and storage solutions, like cloud services provided by foreign players.
"It is also likely that our laws would prove to be held inadequate by the EU while evaluating India as a jurisdiction for free flow of data," he says.
"It is imperative that the bill, rather than solely focusing on localisation mandates, focus on ensuring that data that is within India borders remains adequately protected and is in line with the basic principles of data protection."Kazim Rizvi, Director of The Dialogue
The concerns about the protection of data are echoed by Udhbhav Tiwary, who handles tech policy at Mozilla.
"While a much-needed law, India's data protection bill needs radical improvements when it comes to independence of the data protection authority, enabling the free flow of data, and protections against government surveillance," he says.
"Lawmakers should utilise this opportunity to ensure that India's law meets global standards and enhances India's role in the technology sector," he adds.
Some, however, believe that India should follow the EU's example when it comes to data localisation.
"The bill should have clear definition of data, personal and sensitive and have criteria set for sharing of the same with other countries," says Santosh Sarraf, Director, wevouch, "All data should follow the Personal data protection Act and stored locally and explicit permissions have to be taken from the user before the same can be shared."
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)