Indian data-protection legislation worries Facebook, other Internet giants

US tech giants such as Facebook are growing increasingly concerned about elements of India’s proposed data-protection law, complaining that it would trigger privacy issues for non-Indians and unreasonably restrict unfettered Internet access to teenagers approaching age 18.

In public statements and regulatory filings, tech giants and industry groups such as the Internet Association have complained that India’s proposed law would cause the world’s biggest democracy to diverge from global standards on privacy. The legislation, they say, would vest too much power in a national data-protection authority, would impede the international flow of data and would improperly restrict access to the Internet for older teenagers approaching adulthood.

India’s proposal would trigger enhanced privacy rules for people under age 18, requiring firms to verify a child’s age and obtain parental consent before processing any personal data. How the verification and consent would work in practice has been left to regulations that are yet to be formulated.

The European Union’s General Data Protection Regulation sets the default age at 16 for tighter privacy rules for children and teens hinged to parental consent, but individual states can choose to set the threshold as low as 13. In the US, the Children’s Online Privacy Protection Act includes tighter rules for children under 13.

The Internet Association — whose members include Amazon, Google, Microsoft, Twitter, Pinterest, LinkedIn, Facebook and other big online platforms — last year also classified the Indian proposal for children as “divergent” from global privacy standards in filing to the US Trade Representative. But officials with individual companies now are speaking out as well.

“Our view is that 18 is really too high an age for consent,” said Melinda Claybaugh, Facebook’s privacy policy director for legislation. “Children closer to 18 should be able to freely explore the Internet without parental consent.”

There is actually increased danger to giving parents the power to control or block access to the online world as teenagers approach the cusp of adulthood, Claybaugh said at a recent online privacy conference* organized in Washington.

For an Internet industry already unhappy about the growing fuzziness of the border between 13 and 16 for privacy rules for children because the GDPR allows EU-member nations to decide, the threat that India will further widen that span of uncertainty to age 18 is an unwelcome development.

Localization

Another concern involves the bill’s inclusion of a “Right to Be Forgotten” similar to Europe’s, but one that would vest the decision to extend that right with the data protection authority rather than a search engine or a court.

India’s proposal to require many forms of personal data about Indians to be stored on servers physically located in-country is one of the most unpopular aspects of the legislation with US companies.

The bill says that while sensitive personal data can be transferred outside India, a copy must be stored in India. “Sensitive data” includes financial and health data, as well as religious and political beliefs, along with any other categories the government, in consultation with the data protection authority, chooses to add.

An even more tightly regulated class of data — “critical personal data,” which hasn’t been defined — can only be transferred outside India in very limited circumstances.

Claybaugh said Facebook is concerned that “sensitive” content from Indians could be entangled with data pertaining to non-Indian users on a Facebook thread, possibly representing a privacy threat to non-Indians if their data is forced to be stored in India because of its proposed localization rules.

“What would happen is it would require storing data way beyond what is ‘sensitive’ data in-country,” because a platform such as Facebook can’t separate sensitive data off from non-sensitive data,” she said. Within Facebook databases, “it is very hard to disentangle sensitive data from other data.”

A number of software and Internet industry groups have assailed the data-localization elements of the Indian legislation.

Restricting the cross-border flow of sensitive personal data could slow down economic growth and hurt key industries, said BSA | The Software Alliance, a group that, like the Internet Association, advocates for the global software industry.

“Ultimately, forced data localization will decrease foreign direct investment, harm India’s ‘ease of doing business’ goals, make it more difficult for local startups to access state-of-the-art technologies and global markets, and hurt Indian consumers seeking to access information and innovative products online,” IA said in the filing to the USTR.

Process

The bill was referred by the information technology minister, Ravi Shankar Prasad, to a 30-member parliamentary committee shortly after it was introduced in December. The committee opened a consultation seeking views from any interested groups or individuals, many of which were later published online.

The parliamentary committee is due to report its suggestions back to Parliament in the Monsoon session at the end of July, although that date has already been delayed once and could be delayed again amid the crisis in India caused by Covid-19.

It is possible the bill will be reintroduced into parliament during the Winter session that runs November to December. There is generally a consensus that the bill that re-emerges into parliament will not look the same as the current draft, which has already undergone significant amendments.

A number of issues have already come up before the committee. In India, many people, already worried about the government’s extensive surveillance powers, were concerned about the broad exemptions the bill carves out for public agencies. They were also concerned that the bill gave the government far too much influence over the new data-protection regulator.

Echoing another concern of Facebook and other US companies, Observer Research Foundation, a Delhi-based think-tank, said a provision that would compel business to share any non-personal data with the government was problematic because the definition of non-personal data was likely to include trade secrets and intellectual property.

The localization requirements have been “considerably relaxed” in the current version of the bill as compared to its previous draft, Arjun Jayakumar, an associate fellow at the Observer Research Foundation, told MLex.

He said he's hopeful the final form of the law will take all stakeholder interests into account.

“We do not believe data localization is a one-size-fits-all policy that will allow governments to meaningfully exercise sovereign control over their data and data flows,” Jayakumar said. “India should also explore other mechanisms like bilateral/multilateral agreements on data sharing amongst governments …This will avoid placing unnecessary compliance burdens on corporations while preserving national interests at the same time.”

*Privacy + Security Academy Spring Forum, May 7-8, 2020, Washington, DC.