The controversy sparked by recent media exposes on the data harvesting by Cambridge Analytica from Facebook users refuses to die down, with new revelations being made every day. The Indian news media has given this controversy prime time coverage, egged on by the fact that they are becoming acutely aware that their biggest competitors for digital ad revenue are Facebook and Google.The issue has also become a political slugfest between the BJP and Congress and it goes without saying that the controversy is going to have a bearing on the ongoing deliberations of the committee of experts headed by Justice Sri Krishna.The more important question is whether Facebook is legally liable under present Indian law (presuming that Indian citizens were involved in the incident) and whether a future data protection law will make a difference? Facebook’s founder Zuckerberg and COO, Sandberg have extended profuse apologies for violating the trust of users but a violation of trust isn’t the same as violation of the law. In fact, it is possible that Facebook is entirely aware that it bears little to no legal liability in this entire fiasco but is keeping quiet because a public statement on this aspect may perhaps lead to a worse backlash.What happened? To begin with, let us recount the basic facts. Alexander Kogan, a university researcher had developed an application called “thisisyourdigitallife” offering a personality prediction for users. The application was hosted on Facebook and was downloaded by 270,000 people who took the personality test. In the process the application also scooped up the data of not only the 270,000 people who took the tests but also the data of their friends. In all, it appears that the exercise resulted in the data of 50 million people being scooped up by the app. This data was allegedly then sold/licensed by Kogan to Cambridge Analytica and Eunoia Technologies.In the absence of a statutory data protection law in India, the only legal liability that flows out of the law is from the contractual agreements between the various parties.There are three contracts here. The first is between Kogan and the Facebook users. The second is between Facebook and its users. The third is between Facebook and Kogan.It is important to remember that there appears to be no contractual arrangement between Facebook and Cambridge Analytica because Kogan passed on the data directly to Cambridge Analytica and it is unlikely that Facebook can hold the latter liable. This is possibly the reason that we are yet to hear of Facebook initiating any lawsuit or arbitration against the latter.Did Kogan violate his contract with FB users?As per Facebook’s statement, available on its website, Kogan “gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time”. Simply put, Kogan informed users that their information and those of their friends would be collected if they used the application.The statement put out by Facebook, however also states that Kogan violated Facebook’s platform policies by passing on the collected data to Cambridge Analytica and Eunoia Technologies. It is not clear, if Facebook’s policies were legally binding on Kogan. Whether Kogan violated this contractual arrangement with users when he gave this information to third parties, is not clear. If Kogan informed users that there was possibility of this data being transferred into the hands of others then Kogan is simply not liable under the law.Did Facebook violate the terms of its contract with its users and can it be held liable for Kogan’s activities?The next issue is whether Facebook’s failure to curb Kogan’s activities has resulted in Facebook violating the terms of its contract with its own users. It is very likely that the company in 2014 had a clause informing users of the risks involved in using external apps and absolving itself of any liability.To further complicate matters, it is possible that Facebook is simply an intermediary that facilitated transactions between app developers and users. If Facebook is deemed to be a platform facilitating automatic transactions between others it follows that the company cannot be held liable for violations of the law by the people using its platform. This is because Section 79 of the Information Technology Act as amended in 2008 created a safe harbor for all intermediaries by ensuring their immunity for all acts that were a result of users.This immunity from legal liability is not absolute and depends in large part on the level of knowledge that Facebook had with regard to the activities of its users. The law is structured in such a way that the less knowledge Facebook has of its user’s activities, the less it is liable for the activities of its users provided that it fulfills a minimum ‘due diligence’ requirement under Section 79.The rationale for the safe harbor provisions in the early days of the internet was that internet intermediaries needed such immunity in order to grow their fledgling businesses because if they were liable for everything their users did it would make their business very risky and very expensive to run. A good reminder is the bazee.com case where the CEO of the company was arrested because one of the users on his platform tried selling a pornographic CD. The existing safe harbor provision was strengthened thereafter in 2008 to make it even more difficult to sue intermediaries.Given the manner in which Facebook is structured, there is a strong possibility that Facebook will enjoy immunity under Section 79 especially since the Supreme Court judgment in Shreya Singhal requires intermediaries to take down content only after a court order. If this assumption that Facebook is an intermediary is correct, the company cannot be held legally liable if the offending action is committed by a third party.The choice of law problemThere has been some talk that Facebook can perhaps be held liable under Section 43A of the Information Technology Act or that a future data protection law will empower Indian authorities to take action against Facebook.Most of this discussion misses the point that Facebook’s contract with its users are governed by American law and not Indian law. In other words, Facebook is exporting a service from America, to Indians in India, who by clicking on the ‘I agree’ button have agreed to be bound by American law. These kind of service contracts are hardly extraordinary but pose unique problems in the digital world. For the last several years, RSS ideologue Govindhacharya has been litigating a PIL before the Delhi high court seeking directions to Facebook and Google to comply with the Indian IT Act, including archaic requirement of posting on their websites, the names and contact details of grievance redressal officers. This requirement is ignored by virtually all internet companies.Can India via a future data protection law force a foreign entity like Facebook Inc., which has no physical presence on Indian soil, to change the ‘choice of law’ governing the terms of its use with citizens of the said jurisdiction? Parliament can certainly try to do by tying a data protection law to other financial legislation which Facebook and Google cannot avoid but policymakers should be aware that any such unilateral attempt will invite reciprocal action from the US Trade Representative.Ideally, in situations involving contracts spread over multiple jurisdictions, the only credible and workable solution is an international treaty forcing all countries to adopt similar rules based on principles of reciprocity. The other solution is to threaten a blockade of Facebook until it agrees to change the governing law of its contracts to Indian law. That is not an option for the Indian government given the popularity of the platform in India.Prashant Reddy T. is an assistant professor at the National Academy for Legal Studies and Research (NALSAR), Hyderabad and is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP)