The Jio-Facebook deal and our need for a privacy law

Facebook’s acquisition of a 9.99% stake in Jio Platforms has led to the integration of WhatsApp with JioMart, Reliance’s grocery platform. The collaboration’s scope and implementation remain unclear, but concerns arise regarding the impact on privacy - especially in the absence of a data protection law in India.

This article was first published in The Mint. You can read the original at this link.

The news that Facebook was going to acquire a 9.99% stake in Jio Platforms set the cat among the pigeons. In his video announcing the investment, Reliance Industries Ltd chairman Mukesh Ambani said that one of the benefits of the deal was going to be the integration of WhatsApp with JioMart—Reliance’s newly launched grocery platform. In the days following the announcement, this new WhatsApp-powered service has rolled out a limited pilot in some parts of Mumbai, even in the midst of the nationwide lockdown.

It is not entirely clear at this stage what the eventual shape of this collaboration will be. Ambani’s vision for the platform seemed to include extending it to farmers, teachers, healthcare workers and small- and medium- scale enterprises. In sheer scope, this is as bold as one has come to expect of Reliance. Unfortunately, we do not yet have any details on how it will be implemented. One would imagine that JioMart will want to leverage WhatsApp’s reach as the nation’s communication network of choice to connect all those it intends to bring onto the platform with potential customers. Facebook, for its part, will probably look to Jio’s vast on-ground communications network to deepen its reach in parts of India that it has struggled to access.

Whatever path they take, there will be concerns about the impact this will have on their respective consumer bases, as well as on the market in general. But that is an issue for the Competition Commission of India to examine, and it will doubtless have its hands full trying to get to the bottom of it.

So, what is it that worries me? It’s the impact that this deal might have on privacy.

Both Facebook and Jio have access to an extraordinary amount of personal data. Until the Personal Data Protection Bill is enacted into law, their use of this data and, more importantly, how they share it, will be largely governed by their respective privacy policies.

If you study Facebook’s [[privacy policy]], it describes a few different types of data sharing arrangements. Facebook Products, such as Instagram and Messenger, share data extensively among themselves. On the other hand, Facebook Companies (which include WhatsApp) are kept a little more distant—Facebook only shares infrastructure, systems and technology with them to provide users a consistent experience across the ecosystem. Finally, there are also data sharing arrangements with third-party partners, though limited to clearly specified purposes.

So how will Jio Platforms fit into this framework? Having paid $5.7 billion to acquire its nearly 10% stake, it seems unlikely that Facebook will consider Jio just another third-party partner. On the other hand, it seems equally improbable that it will be integrated as deeply into the Facebook ecosystem as Instagram was. This means that Jio Platforms could either be treated like a Facebook Company (like WhatsApp), or be awarded some other yet-to-be-defined status, perhaps with a bespoke data sharing arrangement.

Jio’s privacy policy is comparatively straightforward. It makes it clear that Jio can share personal information of customers with affiliates when necessary, among other things, to perform its own services and to provide advertising as well as promotional services.

This suggests that even as it currently stands, all it will take from a data protection standpoint is for Facebook and Jio to appropriately classify their relationship with each other in a manner that allows them to share data extensively. This would mean that with relatively little effort, JioMart users could start getting suggestions of what they should shop for based on how Facebook has categorized and profiled them. Similarly, it may not take much for Facebook’s algorithms, which rely heavily on user data to refine themselves, to drink from the firehose of data that Jio can provide.

But I doubt that this is the path they will take. It is far more likely that Facebook and Jio will implement whatever commercial arrangement is at the heart of this deal and then simply amend their respective privacy policies to implement it. When WhatsApp was acquired by Facebook, it simply included an “Affiliated Companies" section to its privacy policy, stating that it had become an affiliate company of Facebook, and then went on to describe exactly how it would share data with its new owner. I see no reason why Facebook and Jio will not go down a similar path.

Which brings me to the real reason why this deal worries me. As regular readers of this column have heard me say time and again, we do not yet have a data protection law in this country. This means that we do not yet have a data protection regulator. In the absence of an authority tasked with ensuring compliance, there is nothing—beyond the good conscience of Facebook and Reliance—that stops them from doing what they want when it comes to the sharing of data. Sure, they will be answerable in the court of public opinion, and, as a global company, Facebook has to operate with the high standards that global regulators expect of it, but in the absence of regulatory oversight in India, much could fall between the cracks.

More than anything else, this is why we need a law. As the data stakes rise, we will see more deals between big data-rich companies. And just like we have a competition regulator to minimize the adverse effects on competition, we need a data regulator to safeguard our privacy.