WhatsApp’s Privacy Policy is yet again in the limelight. On August 25, a division bench of the Delhi High Court dismissed the appeal filed by WhatsApp and Meta against the probe ordered by the Competition Commission of India (CCI) into the messenger’s Privacy Policy. The court upheld the CCI probe and said that the 2021 privacy policy was leaving WhatsApp users in a “take it or leave it” scenario without any ‘opt-out’ option, thereby creating a “mirage” of choice and forcing its users into an agreement.
Also Read: Can the Government Read my WhatsApp Messages?
But what does it mean for the user? We’ll get into that in a bit, but first, let’s roll back to the beginning of this saga, to 2014.
Ever since WhatsApp was taken over by its now parent company Facebook (Meta), in 2014, it raised eyebrows and attention from data protection and privacy professionals. There were worldwide concerns that WhatsApp may end up sharing sensitive personal data with Facebook, compromising user privacy. For privacy advocates, heavens were indeed falling but public assurances by WhatsApp led to its successful takeover by Facebook.
In 2016, this led to the first round of court battles before the Delhi High Court against WhatsApp’s Privacy Policy in India by Karmanya Singh Sareen, currently a Partner at Kommit Techno Legal LLP. Sareen had approached the court demanding a proper ‘opt-out’ option, which could be exercised beyond the arbitrary 30 days threshold. On 23 September 2016, the Delhi High Court division bench refused to grant the requisite relief to the petitioners. However, the Bench directed the messaging application to delete the collected user data till 25 September 2016.
Shockingly, the judgment allowed sharing of data collected post 25 September with the parent company Facebook under the new Privacy Policy. Aggrieved by the judgment, the petitioners Sareen and Shreya Sethi knocked on the gates of justice at the Supreme Court, challenging the 2016 Privacy Policy of WhatsApp in their Special Leave Petition (SLP). The Internet Freedom Foundation (“IFF”), represented by Senior Advocate K.V Vishwanath, is also one of the intervenors in this case.
In 2017, the celebrated landmark judgment of the Supreme Court in K.S. Puttaswamy v. Union of India recognised the “Right to Privacy” as inherent to the “Right to Life” under Article 21 of the Constitution, thereby making the Right to Privacy a fundamental right. In the aftermath of this judgment, the government set up a committee led by retired Supreme Court judge Justice B.N. Krishna to deliberate on the Data Protection Framework in the country.
Based on the report, in December 2019, the Ministry of Electronics and Information Technology tabled the Personal Data Protection Bill 2019 in the Rajya Sabha. Between 2019 and 2022, the Personal Data Protection Bill faced numerous challenges, from corporation stakeholders to privacy activists.
In a separate turn of events, in March 2021, the Competition Commission of India found a violation of Section 4 of the Competition Act and ordered a probe into the messaging app’s Privacy Policy. Multi-National Corporations often have an advantage of the vast and important data sea stored in their servers, and they are capable of targeted advertising and have become the giant ‘dominant’ players in every sector. The CCI, in its order, notes that since the policy is unilateral, the data sharing terms in the Privacy Policy demanded an investigation in terms of ‘abuse of dominant position’ by the messaging app. The regulatory authority also states that data analytics is extremely integral and important to the competitive performance of digital ventures.
Also Read: Fake Loan Apps Thrive As Authorities Fail To Crackdown, Leaving Consumers Vulnerable
The social media giant approached the Delhi High Court in its Letters Patent Appeal to stay the probe ordered by CCI. WhatsApp argued that since the policy was kept in abeyance due to the Personal Data Protection Bill being introduced in Parliament along with pending litigation before the Supreme Court, the CCI probe must stay. However, on 25 August, the Delhi High Court division bench upheld the probe ordered by the Competition Commission of India as a setback to WhatsApp. Although the Delhi High Court dismissed the appeal filed by WhatsApp, the whole saga still awaits its climax at the Apex Court.
So, what’s WhatsApp up to?
Violation of Section 72 of the Information Technology Act, its 2011 rules and the Right to Privacy
The Special Leave Petition filed by Sareen argues that the WhatsApp Privacy Policy violates Section 72 of the Information Technology Act. Section 72 is a provision penalising for breach of confidentiality and privacy. The petitioners claim that since WhatsApp has been sharing such information, it is in direct contravention of this section. It is alleged that WhatsApp is also violating the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which mandate full and true disclosures with respect to Privacy Policies. At last, since WhatsApp is sharing personal user information with Meta companies, it is in violation of the Right to Privacy which is now a fundamental right within the ambit of Article 21.
Unilateral terms
Kanika Seth, cyber lawyer and advocate at the Supreme Court of India says, “Right to Privacy is a fundamental right of every citizen of India and the Constitution of India grants and protects this right. Social media companies that collect data from their users ought to have fair, open and transparent Privacy Policies that respect and safeguard the rights of their users. It must also respect the choice not to disclose or use their personal data in any manner a user does not grant express consent for”.
Collecting and sharing your data with Meta companies
Although WhatsApp had given public assurances of not sharing data with its parent company, it later came out with its 2016 policy allowing sharing of data with Facebook for targeted advertisements. Data protection professionals insist that it’s not just about the sensitive personal data but having access to the phone numbers itself is a major win for the social media giant. Before acquiring WhatsApp, Facebook had no access to phone numbers unless voluntarily given by its users. Hence, linking Facebook profiles with WhatsApp accounts would undoubtedly help Facebook influence user behaviour.
The updated policy also mentions collecting IP addresses, and other information like phone numbers and area codes are likely to point to the location of the user even if the location data is explicitly not collected. The biggest worry is that as part of the new policy, WhatsApp may start processing payment/transactional information of its users, and it includes the transaction amount, shipping details, amongst others.
No “Opt-Out” option.
The 2016 update had an opt-out option with a threshold limit of 30 days. However, the 2021 policy is close to a black mirror nightmare with no “opt-out” option. This means the user cannot opt-out of sharing his/her information with Meta companies. It is alleged that the user has no option of protecting sharing of data with interested third parties.
Not in accordance with the law for minors
The new policy, according to Sareen’s case, seeks license to the works created by its users and shared through the messaging application. This is not in accordance with the law for minors in the country since they are incapable of granting such consent/license.
International uproar
In 2021, the Hamburg Commissioner for Data Protection and Freedom of Information, which is a German Regulator for data protection, ordered a three-month ban on Facebook for collecting user data from WhatsApp accounts. It further referred the case to a European Union watchdog raising concerns over election integrity. Facebook has received severe backlash and strong sanctions from France, Belgium and other European countries too.
India’s pursuit of data protection law
Data is the new oil. Therefore, like any other mining drill, it needs a protection framework. India still awaits a comprehensive data protection bill. However, India’s pursuit of data protection dates back to 2008. The Information Technology Act, 2000 was amended to add Section 43A, which puts the liability on companies to protect all sensitive personal data and information that they possess or handle. The companies have an obligation to protect this data with reasonable security measures. Section 43A also imposes a penalty for non-compliance.
Later, in 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 were brought in, laying down the basic standards for the protection of sensitive personal data. This is the law that requires companies in India to formulate Privacy Policies in the first place, requiring them to inform users of what data they collect, and how they collect it and to obtain consent when collecting/transferring sensitive personal data from users. Although the rules exist, they do not address the intricacies of data protection and data flow in today’s world.
India’s Data Protection Framework has suffered various challenges from corporations to activists. The Personal Data Protection Bill 2019 was referred to the Joint Parliamentary Committee for review. The Joint Parliamentary Committee in its report in 2021 proposed 81 amendments and 12 recommendations to the existing bill. Although the bill was set to be discussed in this Lok Sabha session, Union Minister Ashwini Vaishnav withdrew the bill citing the recommendations made by the JPC. It is predicted that the Indian government is in the process of bringing a more comprehensive code in the future.
He adds, “India needs to put laws in place that call for strong compliance, and also aggressively monitor the collection, usage, and sharing of data. India does have provisions under the IT Act, 2000, read with the SPDI Rules of 2011, that address the concerns in the case of data processing and sharing. However, history speaks that it has not been able to make the ‘right noises!’”