WhatsApp privacy policy: The controversy so for alarming the need of data protection law in India

Background

While world economies across the globe are enforcing privacy laws and India is awaiting the Joint Parliamentary Committee’s Report on the Personal Data Protection Bill, 2019 widely used Facebook-owned messaging app WhatsApp which is used by billions around the globe updated its privacy policy.

In February 2014, Facebook acquired WhatsApp for USD 19 billion which was free and encrypted. However, as expected sooner or later to happen, now plans to monetize its model for businesses and ad-targeting purposes which is reflected in its updated privacy policy as well. Highlighting a well known quote from the 1970s which connects with a present scenario: “If you are not paying for it; you're the product.”

This update had received red flags from data regulatory authorities and privacy experts for its extended data collection and sharing practices. Though most of the users on digital platforms agree to privacy and cookie policies without actually reading them, WhatsApp’s updated policy had sparked a mass exodus as users at large are concerned that Facebook would be able to read their private messages.

WhatsApp had however clarified[i] that it won’t be able to read the messages, but at the same time had different privacy policies for each region. This case had altogether alarmed the need for data privacy law in India.

What’s updated in Privacy Policy?

WhatsApp introduced its updated[ii] privacy policy on 4^th January 2021 and notified the users with the only option to accept it. Users were provided deadlines in order to continue using the app. The updated policy made it clear that WhatsApp will collect:

• Profile names
• Profile pictures
• Users’ phone number
• IP address
• phone numbers stored in the address book
• Status information including when a user was last online
• Usage and log information
• Device information
• Location-related information
• Transaction and payment data if enabled

Most importantly, the privacy policy confirmed that WhatsApp will allow Facebook companies and third parties to access messages that users share with businesses on the app.

Key privacy concerns

• Data collected by WhatsApp will be shared with Facebook-owned companies and third parties.
• Will continuously collect the user’s precise location information, IP addresses and other information to estimate their general location and usual travel location. Can use the data for ad-targeting purposes on other platforms.
• Violates the principle of data localisation, by allowing the transfer of personal data outside the jurisdictions.
• Usage of the information beyond the purposes for which the consent was given at the time of collection. Violates the principle of purpose limitation.
• The jurisdiction for disputes is mentioned as the District Court in California.
• Lastly, if users disagree with the updated privacy policy, they will have to quit WhatsApp or reduced functionality. (take it or leave it) No choice for users to opt-out.

Competing apps privacy standards

Amongst WhatsApp, there are two major players i.e. Telegram and Signal and briefly analysing the two competitor’s privacy policies we understand that Telegram comprises two layers of secure encryption. Server-client encryption is used in Cloud Chats (private and group chats), while the platform’s Secret Chats use an additional layer of client-client encryption[iii]. Whereas Signal’s privacy policy[iv] states that they undertake end-to-end encryption and the chat history for the app is stored on the user’s device itself. It is not for profit messaging app. Hence, no plans to monetise.

Government actions

As reported, the Government of India highlighting K S Puttaswamy judgements wrote to WhatsApp head Will Cathcart and asked

• to respect the informational privacy and data security of Indian users
• withdraw the latest terms and privacy policy in India proposed by the messaging service for users
• through questionnaire seeking more details about its data-sharing protocols and business practices
• the details about exact categories of data that WhatsApp collects from Indian users
• about permissions, user consent sought and the utility of each of these with respect to the functioning and specific service provided
• to provide details about the difference between its privacy policies in India and other countries.
• if WhatsApp conducts profiling of Indian users on the basis of their usage of the application and the nature of profiling conducted
• details of the difference between WhatsApp’s privacy policies in India and other countries along with details of its data security, information security, cyber-security, privacy, and encryption policies

(Source: Hindustan Times[v])

The Government of India (GOI) was also called to make submissions in petitions filled with the Hon’ble High Court of Delhi against WhatsApp’s updated privacy policy. The Ministry of Electronics & Information Technology, GOI in its submission to the Court mentioned the privacy concerns such as the types of sensitive personal data being collected, no option to review or amend the information and withdraw consent retrospectively, disclosure to third parties including other Facebook companies, no distinction between personal data or sensitive personal data is collected etc. GOI also highlighted a violation under Rule 6(4) of the Information Technology Act, 2002 which prohibits the disclosure of data received by a third party from a body corporate.

Petitions and the CCI Probe

Until now, there are three petitions filed with the High Court of Delhi against WhatsApp’s updated privacy policy, the parties including the Government of India, WhatsApp and its Parent Facebook were called to file their written replies and rejoinder on the matter for which next hearing is adjourned for later in  August and the decisions are awaited.

CAIT i.e. Confederation of All India Traders also approached the Supreme Court of India. However, the plea being pending before the High Court, the Apex Court rejected the appeal. Most importantly, Apex stated that “You may be a USD 2-3 trillion company, but people's privacy is more valuable for them and it is our duty to protect their privacy” to WhatsApp. (Source: Times of India[vi])

On the other front, the Competition Commission of India (CCI) took suo-moto cognisance and launched an investigation on the controversial privacy policy and terms of service of WhatsApp. The investigation concluded that the policy prima facie violates section 4 of the Competition Act 2002. CCI in its order[vii] observed that the policy enables WhatsApp to share user data with Facebook and its subsidiaries. This privacy policy is mandatory and non-consensual in nature and imposes a “take-it-or-leave-it” condition on the users.

Here, the CCI’s endeavour to explore the antitrust threads in the privacy regime puts it on tier-1 of global antitrust agencies as only a few have explored the conflation of these regimes. The order is challenged by WhatsApp and it remains to be seen what Court remedies in the instant case. It is pertinent to note that moreover, an antitrust remedy has to be congruent with data protection law in such cases, otherwise, they may not have a significant impact. Given that the Personal Data Protection Bill, 2019 is still dormant, an evaluation of whether the remedies comply with data protection and privacy standards may be difficult.

Existing legal regime in India and way ahead

In India, the right to privacy is recognized by judicial precedence from the judgment of K.S Puttaswamy and the only regime around privacy is provided under Section 43A of the Information Technology Act, 2000, the Information Technology (Reasonable Security practices and procedures and sensitive personal data or Information) Rules, 2011 and that too is limited and is non-exhaustive for legal remedy. However, the report for the proposed law on the protection of the personal data of Indians, the Personal Data Protection Bill, 2019 is underway and is expected to soon be placed in both the houses of parliament in the winter session 2021 for outlining the law.

As compared to the existing regime the 2019 Bill has wider scope starting from defining personal data to penalties for non-compliance. The bill provides for rights for the users to access and delete their personal data, clear privacy notice, informed consent mechanism, the limitation for transferring personal data outside India, appointing data protection officer etc. In such a scenario, WhatsApp would have to follow the law of land and citizens would have a legal remedy for such infringement upon their privacy rights.

Most recently after facing the backfire, WhatsApp submitted its statement before a single judge bench where they had appealed against the investigation into the matter by the CCI stating that the impugned Privacy Policy will not be enforced till the enactment of the Data Protection Bill and will be introduced only after observing due compliance with the new law. The matters pending for hearing before the Hon’ble Court are now adjourned since the Court perceived no urgency in the matter after the submissions being made. However, being an early win for Indian citizens, this has ultimately formed the case for the need of data protection law in India.

Lastly, it is evident that WhatsApp has provided separate updated privacy policies for the European, California and Brazilian residents due to the existence of data protection laws in the respective regions. In India, WhatsApp has approx. 4 million users, which are far more as compared to these regions, however, due to lack of the data privacy law, the privacy rights are infringed upon and prolong legal proceedings are initiated. Hence, the Right to Privacy is meaningless in absence of Data Protection Laws.

[i] https://faq.whatsapp.com/general/security-and-privacy/answering-your-questions-about-whatsapps-privacy-policy/?lang=en

[ii] https://www.whatsapp.com/legal/privacy-policy

[iii] https://telegram.org/privacy

[iv] https://signal.org/legal/#privacy-policy

[v] https://www.hindustantimes.com/india-news/government-writes-to-whatsapp-asks-it-to-withdraw-new-privacy-policy-101611046410921.html

[vi] https://timesofindia.indiatimes.com/business/india-business/supreme-court-issues-notice-to-facebook-whatsapp-over-new-privacy-policy/articleshow/80920037.cms

[vii] https://www.cci.gov.in/sites/default/files/SM01of2021_0.pdf

(Devdiscourse's journalists were not involved in the production of this article. The facts and opinions appearing in the article do not reflect the views of Devdiscourse and Devdiscourse does not claim any responsibility for the same.)