Rob Sherman, Vice President of Policy and Deputy Chief Privacy Officer at Meta, is no stranger to India’s long road toward enacting a data protection law. “One of the first things I worked on when I joined the company 13 years ago was an earlier iteration of India’s privacy law,” Sherman said in an interview to Moneycontrol on April 10.
Now, with the Digital Personal Data Protection Act (DPDP Act) enacted and the rules soon set to be released, Meta is once again closely tracking the developments—particularly as they intersect with the company’s ambitions around artificial intelligence and emerging technologies.
Supportive, but with caveats
Sherman described the Indian government’s approach to data protection as “thoughtful,” noting that it attempts to strike a balance between empowering users and enabling innovation. “India regulates for scale, and that’s something few countries do effectively. It leads to more pragmatic decisions about what works for a billion-plus people and the technologies they use,” he said.
But he also pointed to areas of ambiguity that Meta believes need further clarity. “There are still open questions—especially around how the law treats personalization and profiling of teens, restrictions on cross-border data transfers, and obligations on significant data fiduciaries,” Sherman said.
Teens and profiling: A double bind
One major area of concern is the provision restricting profiling of minors under the age of 18. Sherman explained that Meta’s services, like Facebook and Instagram, inherently rely on personalisation—both to serve tailored content and to detect harmful or unsafe behavior.
“If there’s an outright ban on analyzing user behavior for those under 18, it could prevent us from offering a core part of our service and, more importantly, from doing harm detection,” he said. “That’s a shared goal with the government—we both want to keep people, especially teens, safe.”
While the DPDP Act allows the government to carve out exceptions for specific cases, Sherman said the current exceptions listed in the annex—especially Exceptions 1 and 4—don’t yet cover the full scope of what’s needed. “We need explicit provisions that allow for personalisation necessary for user safety and experience,” he added.
Age verification: Who decides and how?
On the issue of verifying the age of teen users—and obtaining parental consent where required—Sherman indicated that Meta is watching how the final rules shape up. “There seems to be alignment with the global norm of asking users for their age and then applying protections based on that input,” he said.
Sherman also floated the idea of delegating age verification to smartphone operating systems or app stores. “From a parental point of view, it would be far more efficient to set age restrictions at the device or app store level and have that info cascade across apps,” he said.
“There have been some early positive signals from Apple, but you’d have to ask them where they stand on this.”
Cross-border data: The elephant in the room
The government has maintained that the DPDP Act does not explicitly enforce data localisation. But a recent clause allowing the Centre to “notify countries or territories where personal data may not be transferred” has raised eyebrows in the tech industry.
Sherman acknowledged this provision could have major implications, depending on how it is implemented.
"We're all using services from different countries. We're communicating with people in different parts of the world. We're also doing business, buying things from sellers who may be located in different countries. And all of that requires data sharing and data transfer. So if you were to say no data can pass outside of India, it would effectively prevent people from engaging in that kind of commerce and engaging in that kind of communication and using global Internet services. And so I think and hope that that is not where this goes” he said.
He added that while previous iterations of India’s privacy framework flirted with rigid localisation norms, the current environment appears more pragmatic. “I hope what’s been proposed isn’t meant to block general data transfers but is limited to sensitive sectors like payments or national security.”
Significant data fiduciaries: New responsibilities, old habits
The DPDP Act designates certain entities as “significant data fiduciaries,” a status likely to apply to large platforms like Meta. These fiduciaries face enhanced compliance obligations, such as conducting regular Data Protection Impact Assessments (DPIAs) and ensuring algorithmic fairness.
Sherman said Meta is already familiar with many of these processes. “We’ve had a comprehensive privacy review system in place since 2018. Every time we make a significant change in how we process data, we evaluate risks and document mitigation steps. So the idea of DPIAs is not new to us.”
However, Sherman cautioned against overly broad interpretations of algorithmic accountability. “We spend a lot of time testing our models for safety, security, and bias. But to say we must avoid all harm or monitor every use case of our open-source models—that’s not realistic or scalable,” he said.
Llama, smart glasses, and scraping the open web
Sherman also addressed how the DPDP Act’s consent provisions could impact emerging products like Meta’s AI model Llama 4 and its Ray-Ban smart glasses, both of which process large amounts of real-world data.
“Like every major AI model, Llama is trained on publicly available Internet data,” he said. “The Act allows exceptions for public data, but how those exceptions are interpreted will directly affect our ability to build or deploy these models in India.”
Sherman recounted a story from a workshop earlier that day, where participants tested the accessibility features of Meta’s smart glasses. When asked to read a server’s name tag, the AI refused. “We’ve built in privacy filters that strip personally identifiable information before it gets processed by the AI. So when the glasses ‘see’ a name tag, that info is removed by design,” he said.
Still, Sherman emphasized that Meta will need more clarity from the Indian government to ensure such technologies are compliant going forward.
With Meta investing heavily in AI, smart wearables, and the metaverse, India is a crucial market. But the company is waiting for regulatory clarity to shape its product strategy. “We’re excited about the future here. But we’re also watching closely to make sure we can operate responsibly—and legally—within India’s evolving data ecosystem,” Sherman said.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
