India's Data Protection Bill Worries Facebook Parent Meta

India's new data protection bill, likely to be passed this year, worries Facebook's parent company Meta, it indicated in its annual report to the US Securities and Exchange Commission (SEC).

"Some countries, such as India, are considering or have passed legislation implementing data protection requirements or requiring local storage and processing of data or similar requirements that could increase the cost and complexity of delivering our services," it said.

Meta, in its report, also said it has been managing investigations and lawsuits in Europe, India, and other jurisdictions regarding the August 2016 and 2021 updates to WhatsApp's terms of service and privacy policy and its sharing of certain data with other Meta products and services.

Google’s parent Alphabet Inc had also expressed similar concerns in its regulatory filings, but hadn't mentioned any country in particular.

European data regulations prevent companies from sending data generated in Europe to servers based in the United States (US). Meta, which makes around 98 percent of its revenue from advertising, says this will limit its ability to target ads.

The company on Monday said that it had no plans to pull its services from Europe, after suggesting the possibility in its annual report to the Securities and Exchange Commission (SEC), citing data regulations.

"If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads," the report said.

The Personal Data Protection Bill, 2019, was referred to a Joint Parliamentary Committee (JPC) which submitted its report in December 2021 with a new draft bill to Parliament.

Here are the points of note:

• The new bill allows for conditional cross-border transfer of ‘sensitive personal data’, while ‘critical personal data’ (yet to be defined) cannot leave the country except in very limited circumstances.

• The JPC recommended that the central government formulate a comprehensive data localisation policy and ensure that a mirror copy of the sensitive and critical personal data stored abroad is brought back to India.

• It also asked the government to play a consultative role with the proposed Data Protection Authority (DPA) in approving the cross-border transfer of sensitive personal data through a contract or an intra-group scheme.

• The JPC recommended stringent measures for limiting data collection from people below 18. Companies might be barred from profiling, tracking, behaviourally monitoring children and their data.

• According to the committee, social media platforms should be accountable for the content they host from unverified accounts.

• It has also recommended that non-personal data be within the scope of the new bill. However, there are a lot of unanswered questions here, since such a move is unprecedented.