Data localisation is not the only approach towards protecting data privacy
This integration of three large consumption products is a means to monetise their everyday use by consumers and considering the fact that Facebook’s revenue model uses data on its platform to allow advertisers to target ads towards users, the algorithms would benefit from the WhatsApp data as well. Such data transfer from WhatsApp to Facebook is not possible in regions such as the EU, where data protection laws have stringent restrictions on storage and transfer of user data. This regionally differential treatment has attracted the attention of the Ministry of Electronics and IT, which has sent WhatsApp a series of queries, including on why Indian users would be sharing information with Facebook, unlike in Europe. The onus is also on the Indian government to quickly take up the legislation for robust data protection, that aligns with the recommendations of the Srikrishna Committee, which tried to address concerns about online data privacy in line with the 2018 Puttaswamy judgment. The draft Bill proposed by the government in 2019 diluted some of the provisos, for example, by limiting data localisation in proposing that only sensitive personal data needed to be mirrored in the country, and not all personal data as mandated by the committee. But data localisation as proposed by the committee may not necessarily lead to better data privacy, as it carries the possibility of domestic surveillance over Indian citizens. Privacy is better addressed by stronger contractual conditions on data sharing and better security tools being adopted by the applications that secure user data. The proposed Bill has some of these features, similar to Europe’s General Data Protection Regulation, but it also requires stronger checks on state surveillance before it is passed.