Move fast and fix things: on safeguarding users' privacy

Individual users’ privacy cannot be safeguarded on platforms such as Facebook without institutional reform

Updated - December 04, 2021 10:39 pm IST

Published - December 22, 2018 12:02 am IST

Facebook’s motto was to “move fast and break things”. By now we have all heard various variations of it to mock the social networking platform which is identified globally for privacy breaches and misinformation campaigns — even interfering in the election processes of major democracies. The latest in this torrent of disclosures is the investigation by The New York Times documenting a range of private deals struck by Facebook for reciprocal sharing of user data with the knowledge of top management. Some deals permitted access even to private chats. But rather than merely documenting a violation of user trust by Facebook, which has received extensive commentary, let us focus on walking towards solutions.

Here, it is important to consider how the underlying cause for our deficient national response is a lack of institutional capacity to respond to such challenges. It is instructive to take just data protection and privacy and go instance-by-instance to see how the government response is best summed up as, ‘move slow and calm things’.

Scandals unnoticed

Even prior to the disclosures by Cambridge Analytica, Indian civil society activists had fought against Facebook very publicly on net neutrality. The company had proposed to offer users without Internet on their phones a platform called “Free Basics”, with a bouquet of essential websites. In December 2015 it argued that by facilitating access to websites beyond Facebook, its intent was purely altruistic. This deal was opposed on grounds of net neutrality by those who recognised that Facebook would become a gatekeeper to the Internet. The opposition to “Free Basics” won, with a ban on it being imposed by the telecom regulator. However, one subsidiary argument which largely went unnoticed was that Facebook was not clearly stating how it would use the personal data of users on the Free Basics platform. While three years ago, when the net neutrality campaign was on, this may have seemed to be a distant fear, today there is a clear realisation that this would have been a reasonable inference to make. Then, as now, there is no data protection authority or an office of a privacy commissioner to investigate and independently audit platforms such as Free Basics.


Undaunted, Facebook continued its corporate blitzkrieg, building a digital conglomerate. These were primarily through acquisitions but also data sharing practices, in which any application which got access to Facebook data had to share it back with Facebook. This practice of data hoarding became clear when after acquiring WhatsApp, it changed its privacy policy with effect from September 2016. It allowed sharing a user’s metadata between WhatsApp and Facebook, without clearly explaining what was being shared and how it was being used. Changes to these terms of service were challenged in a public interest petition in the Delhi High Court, which dismissed this legal challenge, noting among other things that at the time the status of the fundamental right to privacy was disputed, based on an objection by the Central government.

This was appealed against in the Supreme Court. The apex court sensed the seriousness in this plea and announced that a Constitution Bench would be constituted. When in August 2017 the right to privacy judgment came, there was hope that it would lead to greater accountability with the horizontal application to private platforms such as WhatsApp and Facebook. Instead, as documented in an order in September 2017, the Union government submitted it had constituted a data protection committee headed by retired Supreme Court judge, Justice B.N. Srikrishna, on the same issue. In a sense, this amounts to pushing for a deferral of the hearing. The WhatsApp-Facebook case is still pending in the Supreme Court.

Cambridge Analytica alarm

By March 2018 the Cambridge Analytica exposé gathered steam. Blockbuster reports by The New York Times and The Observer documented the compromising of personal data of Facebook users to micro-target them with subtle forms of political campaigning without their knowledge. This was reportedly aimed at influencing their voting preferences and the outcome of elections.

This immediately acquired a cynical hue in India, with a whodunnit approach in which petty and personal allegations flew in television debates. Suspicion pointed to the Indian National Congress as per the statement of Christopher Wylie, the Cambridge Analytica whistleblower. Meanwhile, the government, through the Ministry of Electronics and Information Technology, responded in two principal ways. First, it wrote to Facebook, with the complete text and responses not made public. Second, there were strongly worded press interactions, which included ministerial statements to summon Facebook’s Mark Zuckerberg to India.

Concurrently the Parliamentary Standing Committee on IT in April 2018 also started examining this issue. While it did invite public comments, its proceedings have not been disclosed. Subsequently, the matter at the ministerial level was referred to the Central Bureau of Investigation, which launched a preliminary investigation in September 2018. Till date, there is little public information on movement in this investigation. We know little on how Indians were impacted beyond the unexamined statistic that 562,000 Indians were impacted by Cambridge Analytica. High on emotion and rhetoric, there is little to show in terms of results.

Public welfare, institutions

Let us remember that many of these problems go much beyond Facebook, to the entire wave of digitisation from the big building blocks down to a fine grain of Indian society. Who will guarantee that such changes serve public welfare? Not Facebook. This task must fall to public institutions. This seems unlikely at present.

Movement on a privacy law has become gridlocked in recent months. A draft law to safeguard it is beset with controversy in a closed drafting process without much transparency. It has no clear path to enactment, and is not listed for the ongoing winter session of Parliament. On the other hand, the government has prioritised more data collection and privacy-impairing legislation. These include the DNA Technology (Use and Application) Regulation Bill, which is listed for discussion and voting. Another instance is the political firestorm after Ministry of Home Affairs issued a notification authorising digital surveillance by 10 Central government agencies.

Let us suppose that by a stroke of luck, we get a data protection law. What form it takes and the fine detail will be crucial. Will it protect us? Take, for instance, the transitory provisions (contained under Section 97 of the draft Data Protection Bill) which permit the government to delay notification for three years. Imagine a law passed by Parliament today completely coming into force only by the end of December 2021! It would be delaying the administration of a remedy despite a clear diagnosis.

The government must act with urgency. While we should continue focussing scrutiny on large platforms such as Facebook, it cannot be done just by the smarts and technical negotiations of everyday users. We also must not forget that Facebook, despite its unethical conduct, is of enduring value to millions of Indians. To properly harness digitisation, we now have the challenge of developing and prioritising institutions of governance to protect users. This must start immediately with a strong, rights-protecting, comprehensive privacy law. At present, despite having the second highest number of Internet users in the world, India has little to show as a country in investigatory outcomes, measured regulatory responses or parliamentary processes which safeguard users. Regretfully, unless things change dramatically even the most outrageous revelations will at best lead to statements of empty bombast and bluster. Now is the time to ‘move fast and fix things’.

Apar Gupta, Executive Director of the Internet Freedom Foundation, is a Delhi-based lawyer

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.