Facebook: Facing privacy headwinds

There is a bit of irony about Facebook’s poor record of protecting the data of its users. Facebook is not founder Mark Zuckerberg’s first social networking experiment. In 2003, while he was studying psychology and computer science at Harvard University, he developed FaceMash, which paired pictures of students and let visitors to the website rate their attractiveness. FaceMash was shut down over charges of breach of security and violating individual privacy by taking photos of students from the school’s intranet without permission. The charges were dropped, and Zuckerberg was let off. A lot has changed between 2004, when Facebook was incorporated, and now. Facebook is not FaceMash, which, in CEO and chairman Zuckerberg’s own words, was a “prank website”. Facebook is now a listed company with a market cap of more than $400 billion. With about 1.49 billion people using it every day, Facebook has the world’s greatest receptacle of personal data with a proper social graph—a map of social connections of each user. In this day and age, data is power. If it fails to protect that, it has to face the music.

So far, it’s been a tough year for Facebook. First it was the furore set off by the Cambridge Analytica scandal which involved the data analytics firm harvesting personal information of more than 80 million Facebook users. Towards the end of September, Facebook announced that another data breach had occurred in which hackers stole data of 50 million people. This figure was later revised to 30 million. A few days later the Irish Data Protection Council announced a probe, which will determine whether the company complied with the General Data Protection Regulation (GDPR) enforced in the European Union in May. It will also see whether news of the breach was notified within 72 hours of the incident. Facebook could face a fine of 4% of its annual global turnover—more than $1.6 billion. The latest rap on its knuckles for its failure to protect data came from the information commissioner’s office in the U.K. It upheld a decision to fine Facebook £500,000 over the Cambridge Analytica scandal.

What about the impact of the September data breach on India, Facebook’s biggest market with more than 270 million users? As of now, in the absence of a comprehensive data privacy law, the government does not have adequate legal backing to clamp down on the social media giant. However, Facebook could find itself in the line of fire as the government readies to tackle data breaches more effectively armed with a new law, which will come into effect soon. “The Indian context is not as clear as GDPR,” says Zain Pandit, principal associate at law firm J. Sagar Associates.

560,000: the number of Facebook users affected in India by the data breach which involves Cambridge Analytica

The regulations in India specify that if there is a breach, the data controller, or the intermediary, needs to notify the CERT (computer emergency response team) in a ‘reasonable’ amount of time. And there’s the rub: There’s no clarity on what that is. “Unfortunately, it becomes very difficult to ascertain what reasonable is. That language has given intermediaries, social networks and people who operate marketplaces, or cyber establishments, a fair bit of flexibility on how and when they should report the details of the incident,” Pandit says.

Prime Minister Narendra Modi meets with Facebook’s Chief Executive Officer Mark Zuckerberg.

But the new Bill on data privacy submitted by a committee of experts under Justice B.N. Srikrishna in July is expected to address such problems as the government prepares to clamp down on big tech firms and take measures to protect citizens’ data. The Personal Data Protection Bill, 2018, is expected to be tabled in the winter session of Parliament.

The existing regulations in India on data privacy are governed by the Information Technology (IT) Act, 2000. The Act, in its original form, did not explicitly protect data. There were subsequent amendments but not enough to give users control over their personal data. For instance, one of the amendments makes companies or other organisations possessing, dealing or handling any sensitive personal data or information liable to pay damages if they haven’t maintained reasonable security practices. Another amendment introduces imprisonment of up to three years or a fine of up to ₹5 lakh or both for disclosure of personal information in breach of lawful contract.

The new draft Bill mandates that the incident must be reported within the time specified by the authority, which will be set up when the Bill is passed. That time frame is likely to be fixed when the rules and regulations under the law are passed by the government. Siddharth Vishwanath, partner, cyber advisory leader at PwC, explains that the consequences mentioned in the draft Bill are fairly strong, and “black and white”. It determines the quantum of fine based on the severity of non-compliance. If there is grave non-compliance, the fine can be up to 4% of the revenues or ₹15 crore, whichever is higher.

The debate on data localisation has been on for a while now. One of the aspects of the debate is that if the norms are formalised for everyone, Internet, IT and software companies besides digital payments companies would have to store data on Indian citizens on Indian shores. Local players like Paytm have vociferously advocated it as their servers are in India. But for companies with servers in other locations, localisation means massive costs. “The tech issue is more of a smokescreen: the real reason is that with data localisation, these companies are worried that the monetisation potential through the data generated reduces drastically and they also become more accountable in our country,” says a Paytm spokesperson.

The Bill also sets out the details that companies need to provide and takes a GDPR-like approach to incidents of breach of data privacy. “The data privacy Bill has adopted several international best practices—the right to be forgotten, anonymisation, the right to withdraw consent... all of those are now built into the Bill. It has also brought the state in as a stakeholder,” says Pandit. It also delineates the responsibilities of the data fiduciary and the data processor. A data fiduciary is the person—including the state or a company—who decides how data should be processed. A data processor is a person, or company, who processes personal data on behalf of the fiduciary, but isn’t, or doesn’t include, an employee of the fiduciary. In the case of the Cambridge Analytica scandal, Facebook is the data fiduciary and Cambridge Analytica, the data processor.

Facebook users outside the U.S. and Canada are protected by provisions in the EU, because this user base is managed by Facebook Ireland, reports say. Anticipating the huge liability that GDPR, which gives greater autonomy to users over their personal data and has stricter consequences for slip-ups, would entail, Facebook was planning to tweak its terms of service so that only EU users would be covered by the new law when it took effect, according to a Reuters report. It quoted an expert as saying that the 1.5 billion users outside the U.S. and Canada (239 million users) and EU (370 million) would be “governed by more lenient U.S. privacy laws”.

Harriet Green, chairman and CEO of IBM Asia Pacific.

Facebook, which declined to participate in this story, was prompt in responding when India sought to know how many users in the country were affected by the data breach in September. An emerging market like India is too important for the Menlo Park, California-based company to ignore. A report by the Boston Consulting Group, ‘Digital Consumers, Emerging Markets, and the $4 Trillion Future’, says that falling smartphone prices—down by an average of 40% in emerging markets from 2011 to 2016—have put these devices in the hands of hundreds of millions in these countries who previously could not afford them. High-speed data networks are now almost ubiquitous in emerging markets as in developed ones such as the U.K. and the U.S. “Together, these factors have enabled emerging markets to achieve spectacular advances in their levels of Internet connectivity. Half the population in emerging markets worldwide is now connected to the Internet, compared with less than a quarter in 2010,” the report says, implying that the market potential in India for Internet businesses is huge.

In India, Facebook’s woes go beyond data privacy issues. Earlier in the year, WhatsApp, which it acquired in 2014, got into trouble when there was a spike in cases of lynching in parts of the country set off by rumours and fake news spread through the messaging app. It has since put restrictions on forwards after the government warned it of legal consequences.

Its foray into the Indian digital payments market, which began earlier this year, too hit a roadblock. The digital payments service was in beta mode till August, but it could not be launched as the government wanted it to set up an office first and recruit a team in India. Additionally, the Reserve Bank of India (RBI) issued norms which would require payments companies to store data locally. Close to the October 15 deadline to comply with the RBI norms, WhatsApp announced that it had built a system to store payments-related data in India.

The government doesn’t seem to think so and might ask others also to localise data. Experts say storing data of Indian citizens in India makes it easy for legal purposes. Pandit believes it provides comfort from a public and a regulatory perspective because of accessibility: “It’s one hurdle less. Even if you want to access somebody’s server because of a court-mandated order, or for a criminal investigation, where do you go to serve that warrant if the entity does not have an India establishment?”

Having servers outside the country also means that there will be international laws to comply with or the regulations in the country where the servers are housed. “With a lot of overseas companies feeling the need to have an Indian subsidiary, that makes it a little simpler, but obviously it would be more accessible if those servers are in India itself,” Pandit adds.

He is among those who believe what is happening with Facebook and other tech companies and regulations is a matter of course. “It is a classic case of regulation playing catch-up with innovation… It’s a question of reactive regulation; we unjustly blame regulators and Facebook in that situation, it’s always been the case of regulation playing catch-up with innovation,” says Pandit.

Industry sources say that forcing companies to store their data in India is not really a good idea. Companies decide on the location to store data depending on factors like where their clients are based, cost, and availability of an ecosystem that offers solutions in terms of data processing, analytics and other additional services. Companies like Mastercard and Visa have been lobbying for some relaxation of rules.

In a recent interview with Fortune India, Harriet Green, IBM Asia Pacific chief, said, “We totally share the need for data security and are prepared to help with our cyber resiliency capabilities, but we believe it is possible for India to continue to have a pragmatic, light-touch view that you can secure data even when it is moving around and stored in different hubs.” Supratim Chakraborty, associate partner at legal firm Khaitan & Co, agrees. “We need to have a balanced approach, we can’t kill innovation; so law, the way it should be, should provide the framework for sure. But within the framework there should be enough flexibility for the players to do what they want to do. I think that is where the middle path is,” he says.

Facebook’s motto till 2014 was ‘move fast and break things’—in other words, grow at all costs and fix mistakes later. The company then changed it to ‘move fast with stable infrastructure’. But Facebook is still breaking things. It takes responsibility, as it did at the U.S. Congressional hearings in the wake of the Cambridge Analytica scandal that looked at the data security practices at the company. Zuckerberg owned up to the failings of his company, which also included Russian agents posting political ads on its platform to sway voters in the 2016 U.S. presidential elections. At the Congressional hearings, the Facebook CEO said, “It’s clear now that we didn’t do enough to prevent these tools from being used for harm as well. That goes for fake news, foreign interference in elections, and hate speech, as well as developers and data privacy. We didn’t take a broad enough view of our responsibility, and that was a big mistake. It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.”

Facebook is trying to fix things. In view of the general elections in India expected by March 2019, it is setting up a task force to prevent the abuse of the platform to influence voters. Also, WhatsApp is taking steps to reduce forwarding of messages, ban automated accounts, and block spammers, its vice president, Chris Daniels, said in a newspaper interview. “In order to better understand the most effective ways to tackle the societal issues of misinformation, we will be awarding grants to 20 researchers around the world including three in India,” he said. Facebook also picked Hotstar CEO Ajit Mohan as its MD and vice president of India operations. There was no India chief for almost a year after Umang Bedi left to join news aggregator Dailyhunt. Also, Facebook is looking to introduce a transparency feature in India by March that will help users identify political ads easily. Since the row over fake news began, Facebook has been deprioritising profiles and pages that spread fake news. It recently partnered with fact-checking website BOOM Live to help weed out fake news. Facebook knows it cannot carry on breaking things, because the law is catching up.

(This story was originally published in the November 2018 issue of the magazine)
