Is Meta trying to dodge requirements of India’s Personal Data Protection law?

The Act offers detailed, granular protections, and a ‘right to forget’ provision. (Hindustan Times)
The Act offers detailed, granular protections, and a ‘right to forget’ provision. (Hindustan Times)


  • Probably not, but there appears to be a genuine case for India to want to speed things up

India’s Digital Personal Data Protection Act, which was passed by Parliament in August 2023, outlines protections for personal data and the rights and duties of Data Principals (owners of data), Data Fiduciaries (who collect and hold data), Data Processors (say, a software company contractually processing data collected by a fiduciary), and Consent Managers (entities that act as intermediaries between Data Principals and Data Fiduciaries). The Act offers detailed, granular protections, and a ‘right to forget’ provision.

There are also stringent compliance standards for ‘Significant data fiduciaries’, entities that collect more than a certain threshold volume of data (yet unspecified), or collect data that could impact electoral democracy or India’s sovereignty and security. Significant data fiduciaries have to appoint ‘Data Protection Officers’ based in India to be points of contact. They must also appoint independent auditors to carry out data audits.

Everybody, including powerful social media companies, agrees that the Act is necessary and good.

What has created somewhat of a schism between them and the government is the timeline within which these measures need to be implemented. The government is happy to give time to MSMEs, startups, and hospitals, but its views are different for large, global organisations. “Companies that alread follow similar rules like that of the GDPR (EU’s General Data Protection Regulation) shouldn’t ask for a very long time to follow these new rules," Rajeev Chandrasekar, Minister of State for Skill Development & Entrepreneurship, and Electronics & IT, said at a Digital India Forum recently.

Social media companies, which are clearly significant data fiduciaries, argue that things are not that simple. Nick Clegg, who is president, Global Affairs for Meta, recently claimed “operational difficulties" in complying with the Act and asked for time. India is Meta’s biggest market, with the largest number of users on WhatsApp, Instagram and Facebook. Other data fiduciaries have reportedly informally made similar representations for reasonable time to comply. Could it be that these data fiduciaries are making excuses to seek exemptions from provisions they must comply with under Indian law?

Not really. They will need to rework their processes and systems to ensure compliance with the new Act. This takes time. They will have to hire people, and may need to move Indian data onto servers located in new places to avoid conflicts between the Indian Act and the European Union’s GDPR (General Data Protection Regulation), which is far more demanding than the Indian law and even the US’s Data Protection laws. This cannot be accomplished overnight.

To understand why data fiduciaries may want time, let’s look at the new law and its provisions.

Personal data protection standards are based on either the US or the EU model. The US model has little control on fiduciaries. The EU’s GDPR, in contrast, has detailed, granular protections for personal data, including a “right to forget" and even protection against government demands for personal data of citizens, except for very specific purposes. The “right to forget" provision enables a data principal to ask that data be deleted once a stated purpose is served. A loan defaulter, for instance, may make a Right-to-Forget request to wipe out the record once the loan is repaid – this was the original case that established the principle.

GDPR’s granular protections involve asking for new permissions if it is proposed that data collected for a stated purpose be reused for another purpose. For example, financial data collected to assess a mortgage may be reused to offer a vehicle loan but only with a second set of permissions. The GDPR requires even governments to carefully specify the grounds for asking for personal data, and it imposes the “right to forget" provision on governments.

At the other extreme, India’s Act gives the government and its ‘instrumentalities’ the right to collect data for broad, vaguely defined purposes. But it imposes controls on private data fiduciaries and offers the right to forget.

So there are significant differences between these laws, and global data fiduciaries need time to ensure that their data collection and processing systems don’t conflict.

The entire system, including appeals, ruling, and penalties, will be managed by a proposed regulatory body called the Data Protection Board (DPB). The Centre shall appoint all the members and the chairperson of this board. There will also be an appellate tribunal to take up cases on appeal.

Also, any significant data fiduciaries will need to hire officers based in India. Even if it doesn’t host Indian data on servers within India (this is not required), it will have to rework software and processes to set up granular permissions, and to process right-to-forget requests. The fiduciary will also have to ensure that it avoids conflicts between the Indian Act and the GDPR. For example, if it hosts Indian data on servers in the EU, a request by the Indian government for data of an Indian may conflict with the GDPR’s stricter provisions for government access.

It’s normal for a reasonable period to be allowed for fiduciaries to comply with new laws. The EU gave data fiduciaries 24 months to comply with the GDPR. India’s Ministry of Electronics and Information Technology (Meity) is still in the process of formulating rules, setting volume thresholds, appointing the DPB, the Tribunal, etc. And while it hasn’t yet set a time period for compliance, unconfirmed reports say the Ministry may not give fiduciaries more than three months.

Such tight deadlines may be required to prevent data misuse that could impact electoral democracy, especially in the context of the several upcoming elections in India. Facebook’s personal data was notoriously misused to influence voters in the Brexit Referendum and in the 2016 and 2020 US Presidential elections. If India’s Act isn’t notified by the government before the forthcoming Assembly elections and the General Election due in April-May 2024, the possibility of social media being misused again cannot be ruled out.

It is understandable that given the election schedules, Meity may not be keen to give the sort of generous timelines the EU offered for GDPR compliance. However, it must resist slapping unrealistic timelines on fiduciaries unless it wants to risk hurting India’s attractiveness as an investment destination to global business.

At the same time, it is incumbent upon global, digital savvy organisations like Meta, too, to try and speed things up, leveraging their experience of such initiatives in other markets.

Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.