How safe is your data? $5 billion fine on Facebook raises privacy concerns in India


Three weeks have passed since the Federal Trade Commission, an independent consumer protection agency of the United States government, fined Facebook $5 billion for privacy violation, but the landmark verdict has hardly raised any privacy concerns in far-off India, Facebook's biggest market.

This despite an expose in May this year that Facebook employed over 260 contract workers in Hyderabad to gather users' data from millions of photos and status updates. The revelation had sent shockwaves across the cyber world.

"Most Indians are not aware of online privacy policies. India does not have strong privacy laws. Companies such as Facebook take advantage of the situation," technology expert Labby George told Onmanorama.

"Facebook's Privacy Law is a long document. It has 50 different settings, 170 options and runs to 5,830 words. This would confuse those who are not aware of the privacy issues," she said.

She alleged that Facebook has been violating privacy norms by insisting users to provide real names, location and gender. "Cambridge Analytica scandal in the United States has brought forth what digital activists have been saying for long," she said.

Cambridge Analytica scandal

The Federal Trade Commission found that Facebook violated three privacy norms.

Facebook Data Policy
A screengrab of the detailed data policy on Facebook. Source:

One, it is alleged that Cambridge Analytica, a data Analytica firm, harvested personal data of 87 million users through an online personality quiz conducted by Facebook in 2014 to psycho-analyse the US population during its presidential election.

Though only 305,000 people registered for the quiz, Facebook accessed data 280 times the number of registered players by accessing information of the user's friends' circle.

Two, Facebook's data policy disclosure was not fool-proof when it came to face-recognition.

Three, at no point of its two-factor authentication step does it reveal that the user's number would be given to a third party or used for advertising.

Concerns in India

Privacy advocates alleged that Facebook tried to collect data from India in the past too.

They said Facebook's Free Basics – a plan to provide free internet to inaccessible areas - was a ploy to access unencrypted data of thousands of users. All traffic from Free Basics users would have to run through Facebook server and this personal data would have been available with its server for 90 days. The plan was shelved after mass protests.

"Facebook could have accessed unencrypted data of thousands of users via its server had the plan been launched," Hrishikesh Bhaskaran, a privacy advocate and software engineer, said.

India is one of the fast-growing digital country in the world. According to a report by market research firm Kantar IMRB, the number of internet users in India is expected to touch 627 million in 2019. Going by statistics by New York-based firm, Jefferies, at least half of them are Facebook users.

But India has not formulated a law to protect privacy yet.

In a landmark judgement in 2017, the Supreme Court said the right to privacy is a fundamental right under Articles 14, 19 and 21 of the Indian Constitution, but it does not address the alleged violations of top technology companies. The Information Technology Act, 2000 is limited to deal with cyber crime and e-commerce.


The country kickstarted to formulate a law on data protection recenlty. In 2018, an expert committee, headed by retired Supreme Court judge BN Srikrishna, submitted its suggestions on data protection to the Union Ministry of Electronics and Information Technology.

The report mandates that critical personal data shall be processed only in a server located in India. It recommends to set up a Data Protection Authority to look into the effective implementation and enforcement of the law. It also recommended penalty for data breach. "In the event of data violation, companies should be fined between 2 to 5 per cent of their global turnover, or between Rs 5 crore to Rs 15 crore." It further said that all firms and agencies will have to appoint data protection officers who will act as the point of contact for individuals raising grievances.

Big question

Facebook and Google account for 68 per cent of the digital ad expenditure in India. So the big question is how do you protect your data?

Labby George's answer spells a sense of despair. "As a technologist, I have been careful in Facebook handling my data. But then Facebook, bought Whatsapp Instagram etc and built the network, it has been extremely hard to keep it clean. These are all interlinked and the algorithm picks up the slightest connections. It is like walking on a landmine. There are only two options now, either do not upload data or just be aware there will be a data breach,"she said.

Facebook India has not responded to Onmanorama's queries on the steps taken to protect users' privacy. This story willl be updated as and when the company responds.