The Indian government is making a lot of noise about the Cambridge Analytica fiasco, but Facebook CEO Mark Zuckerberg won’t worry about threats like those of Law & IT Minister Ravi Shankar Prasad(Photo: Ankita Das/The Quint)

India tried to demonstrate the power of a 56-inch chest on Wednesday, 21 March, when Union Minister for Law and IT Ravi Shankar Prasad issued a “stern observation” to Facebook (FB) CEO Mark Zuckerberg over reports that information harvested from the social media site was used to influence elections in India.

Mr Mark Zuckerberg, you better note the observation of the IT minister of India. We welcome the FB profile in India, but if any data theft of Indians is done through the collusion of FB system, it shall not be tolerated. We have got stringent power in the IT Act, we shall use it, including summoning you in India.
Ravi Shankar Prasad, Union Minister for Law and IT

The “warning” was part of the government’s response to news of how Cambridge Analytica, a data-driven election strategy company, got access to data of 50 million Facebook users and allegedly retained this to build their profiling tools despite telling Facebook that they had deleted it. Prasad also alleged that the Congress utilised the services of CA during the Gujarat elections last year.

But is this really a cause of concern for Zuckerberg? If any such data leak of Indian citizens is discovered, will he actually be bound by a summons from India? Or is it all bluster?

Too caught up to read the whole story? Listen to it here:

Can the Indian Government Summon a Foreign National From Outside India?

If someone commits a criminal offence which applies to India, but is based outside the country, the good news is yes, the long arm of the law can still get to them.

Section 105 of the Code of Criminal Procedure deals with how requests can be made to issue summons to suspected criminals in foreign countries, and we also have Mutual Legal Assistance Treaties (MLATs) with 39 countries (including the US) which makes the process much simpler. As the Hon’ble IT Minister of India points out, the Information Technology Act 2000 (IT Act) covers offences committed by a person outside India as well (section 75), provided it involves a computer, computer system or computer network located in India.

The bad news is that the long arm of the law doesn’t so much reach out across the seas and drag them kicking and screaming to India, as gently tap them on the shoulder and invite them over for tea and biscuits.

This is because even in situations where we have a MLAT, a summons issued from India isn’t immediately binding on the foreign national in question. To take the example of Zuckerberg, if India wants to summon him in relation to data theft from Indians, the ministry for home affairs will need to make a request to the US central authority under the India-US MLAT to issue a summons to him. Because of the MLAT, the US Authority is bound to consider the request, but is not bound to accede to it.

And even if it does this, the way the whole process works is very different from what you might expect.

Also Read: What Is the Cambridge Analytica Controversy and Its India Connect?

What Would Happen Once India Sends Such a Summons to the US?

Even if a summons (or a bailable warrant) is sent by India through the right channels, with all the necessary documents, there’s no guarantee that it will even be sent to Zuckerberg. However, requests under an MLAT are generally meant to be complied with, and only refused in limited circumstances like political offences, or where the law of the ‘requested state’ wouldn’t allow compliance.

So let’s be optimistic and say that the request is granted, and the summons is served to him. What happens then? Does he have to promptly book the next flight to India?

Well, not quite. The Indian government reportedly sent a noticeto Cambridge Analytica on Friday, asking whether the data of any Indian citizens was compromised — though this has not been specified to be under any legal provision, and it is unclear what legal provision would even apply to CA. However, this is reflective of the fact that in the event the Indian government does want to look into any data theft, it will need to make inquiries, ask questions and collect evidence.

For all of this, even under our MLATs, there is no need for a foreign national to come to India. Instead, the evidence or testimony required for such things is to be collected by the requested state (ie the US in Zuckerberg’s case).

Article 8 of the India-US MLAT would allow Indian authorities to go to the US to be part of any questioning, but it is important to note that even any evidence or documents collected by the US would not be automatically transferred to India. The US would have to check whether their own law prohibits sending the relevant evidence first, and only then agree to send it across.

Also Read: Facebook Data Breach: Govt Issues Notice to Cambridge Analytica

Continuing our vein optimism, let’s say things are going swimmingly and we’ve got some interesting information we want to follow up on by getting Zuckerberg to India. Can we get him hauled over here and arrested?

The answer is not one that Prasad is going to like.

Yes, we can ask for Zuckerberg to be brought to India, but, according to Article 10 of the India-US MLAT, this would only get the US to “invite” the Facebook CEO to go to India, which he can refuse to do. If he agrees, he cannot be “subjected to service of process, or be detained or subject to any restriction of personal liberty” in relation to whatever India wants to question him about (if he commits some fresh crime on Indian soil, that’s obviously another matter). And we would have to cover at least part of his expenses.

All in all, this makes the IT Minister’s warning not much of a warning, because it means that a summons from India would have very little coercive power over Zuckerberg, who could very well ignore it and not face any major consequences for doing so.

Extradition and Possible Offences

If Prasad really wanted to flex the mighty arm of the Indian state, he would, of course, have the option of trying to get Zuckerberg extradited. Extradition, unlike procedures under an MLAT, would compel Zuckerberg to arrive here.

Unfortunately, India isn’t very good at extradition, with only 33% (or even fewer) extradition requests successful, owing to a combination of bumbling incompetence by Indian authorities, poor jail conditions and concerns over human rights violations. India has also never managed to get any foreign nationals extradited to India from the US.

Even if extradition were an option on the table, what would we be looking to extradite Zuckerberg for? Not every offence is extraditable – they have to at least involve one year’s imprisonment, for instance, and, under the India-US Extradition Treaty, cannot be a political or military offence.

It’s not quite clear what legal provisions we would use to proceed against Zuckerberg. If the data of people in India has been stolen from Facebook, the most obvious provision of the IT Act that relates to this is section 43A. Under this, a company which fails to ensure reasonable security and so fails to protect a person’s “sensitive personal data or information”, has to compensate the person whose data they’ve lost.

Sensitive personal data or information (SPDI) is defined in the IT Rules 2011 refers to (i) passwords, (ii) financial information (such as bank account and payment instrument details), (iii) physical and mental health condition, (iv) sexual orientation, (v) medical records and history, and (vi) biometric information.

Going by the kind of data harvested in the Cambridge Analytica fiasco, it is not clear that any data theft from Facebook would necessarily involve SPDI, and so this provision may not apply in such cases — though it really should, as the profiling potential is just as bad. Even if it did, this is not a criminal offence, so any proceedings against Facebook for this issue would neither provide grounds to summon Zuckerberg under an MLAT nor extradite him.

The only criminal offence which might apply is section 72A of the IT Act, which punishes disclosure of personal information in breach of a lawful contract. If Facebook has shared any personal information (broader than SPDI), either without your consent or contrary to the terms and conditions you agreed to, then this could lead to criminal liability.

Unfortunately, Facebook’s terms and conditions, like everything we happily sign to get access to apps and online services, are labyrinthine and give the company and third party developers all sorts of access and rights to your data. They were improved in 2012 to no longer allow your data to be signed away, per se, by one of your Facebook friends, but as the expose by The Guardian, Channel 4 and the New York Times shows, Facebook’s enforcement of data protection rules leaves a lot to be desired.

Regardless, when we can’t get the Vijay Mallyas and Tiger Hanifs and David Headleys extradited to India, it would be inconceivable that the US would agree to extradite someone like Zuckerberg for some random IT Act offence. If anything, it helps underscore the urgent need for a comprehensive data protection law in India.

As a result, it would seem that even the remote possibility of extradition is off the table, as is the possibility of any criminal punishment for Facebook.

Also Read: BJP Using Cambridge Analytica to Divert Attention: Rahul Gandhi

BJP Needs Facebook Too Much for Other Consequences

The only option left to give any sort of pause to the billionaire is to seize Facebook’s assets in India or block the website. The former will not be possible unless some sort of economic offence or fraud can be shown to have taken place — of which there is no current evidence.

(Photo Altered by The Quint)

Blocking the site would be easier for the government to do under section 69A of the IT Act, for instance, which doesn’t require a criminal offence to have taken place, just that the government or one of its authorised officers be satisfied that this is necessary in certain circumstances.

Potentially, this could be used to make Facebook inaccessible in India, which would obviously be a big blow to the company and Zuckerberg, given that India has the highest number of Facebook users (around 250 million). Now this would be a threat that Zuckerberg might actually care about.

Too bad then, that there’s pretty much no possibility of it happening. Social media has been a key forum used by the ruling BJP to gain and maintain support, as anyone with the faintest online presence can attest.

The party’s strategy also relies heavily on Facebook, with its use specifically encouraged among party lawmakers. The Indian Express reports that at the BJP parliamentary party meeting – which took place two days after Prasad made his “stark observation” – MPs were “reminded of the importance of social media, especially Facebook, in their outreach programmes and poll campaigns.”

Forty-three BJP MPs who did not have Facebook accounts, and 77 whose accounts weren’t verified “were asked to do the needful and use the tool more enthusiastically.” The Printreports that these instructions, from the PM himself, also direct MPs to ensure they have at least 3 lakh followers on social media, or face losing their tickets for elections.

It would appear, therefore, that no matter what Union Minister Ravi Shankar Prasad says, pretty much everything Facebook does is likely to be tolerated. All threats, warnings and “stern observations” have no substance and are meant to deflect attention from other things — perhaps even the fact that Cambridge Analytica and its Indian arm claim that they have worked for the BJP.

It should also be pretty clear by now that the Hon’ble IT Minister’s warning was pure bluster, and that Mark Zuckerberg has nothing to fear personally and will not be getting any sleepless nights.