Home Stories

The WhatsApp Privacy Policy Saga: India’s Data Protection Regime And You

India, as a data economy, can no longer afford a lackadaisical approach to dealing with intermediaries that compromise citizens’ data, writes Medhavi Mishra

By Medhavi Mishra
New Update

WhatsApp A user sending a private message on WhatsApp | Photo courtesy: Special arrangement

WhatsApp’s Privacy Policy is yet again in the limelight. On August 25, a division bench of the Delhi High Court dismissed the appeal filed by WhatsApp and Meta against the probe ordered by the Competition Commission of India (CCI) into the messenger’s Privacy Policy. The court upheld the CCI probe and said that the 2021 privacy policy was leaving WhatsApp users in a “take it or leave it” scenario without any ‘opt-out’ option, thereby creating a “mirage” of choice and forcing its users into an agreement. 

Also Read: Can the Government Read my WhatsApp Messages?

But what does it mean for the user? We’ll get into that in a bit, but first, let’s roll back to the beginning of this saga, to 2014. 

Ever since WhatsApp was taken over by its now parent company Facebook (Meta), in 2014, it raised eyebrows and attention from data protection and privacy professionals. There were worldwide concerns that WhatsApp may end up sharing sensitive personal data with Facebook, compromising user privacy. For privacy advocates, heavens were indeed falling but public assurances by WhatsApp led to its successful takeover by Facebook. 

In a data-driven economy today, this was an overwhelming concern which sadly came to be true in 2016. In August 2016, despite assurances, WhatsApp updated its Privacy Policy for sharing user data with Facebook for targeted advertisements, with a dubious ‘opt-out’ option. For users, it meant that they had precisely 30 days to opt-out of the condition that allowed sharing of data with Facebook for targeted ads. However, if the users, in any case, did not exercise that option within these 30 days, the consent for data sharing would become implied. Further, the users joining the platform after August 2016 were not even given a choice to exercise this option. This meant that such users had consented to share their data with Facebook without even being asked if they wanted to.

In 2016, this led to the first round of court battles before the Delhi High Court against WhatsApp’s Privacy Policy in India by Karmanya Singh Sareen, currently a Partner at Kommit Techno Legal LLP. Sareen had approached the court demanding a proper ‘opt-out’ option, which could be exercised beyond the arbitrary 30 days threshold. On 23 September 2016, the Delhi High Court division bench refused to grant the requisite relief to the petitioners. However, the Bench directed the messaging application to delete the collected user data till 25 September 2016.

Shockingly, the judgment allowed sharing of data collected post 25 September with the parent company Facebook under the new Privacy Policy. Aggrieved by the judgment, the petitioners Sareen and Shreya Sethi knocked on the gates of justice at the Supreme Court, challenging the 2016 Privacy Policy of WhatsApp in their Special Leave Petition (SLP). The Internet Freedom Foundation (“IFF”), represented by Senior Advocate K.V Vishwanath, is also one of the intervenors in this case.

Tanmay Singh, Senior Litigation Counsel at the IFF, describes why such a legal challenge is essential. He says, “India today is one of the few major democracies with no government authority or institutional recourse to safeguard user privacy. In the legal challenge to WhatsApp’s Privacy Policy, we strongly felt that the rights of internet users needed a voice in court, as complex issues of net neutrality, online privacy and licensing of online platforms were being considered. Today, citizens and internet users are concerned about their informational privacy and have little recourse to the law. We firmly believe that India needs to protect privacy in law and ensure we have an enforceable data protection regime”.

Privacy A graphic image related to data protection and privacy | Photo courtesy: Special arrangement

In 2017, the celebrated landmark judgment of the Supreme Court in K.S. Puttaswamy v. Union of India recognised the “Right to Privacy” as inherent to the “Right to Life” under Article 21 of the Constitution, thereby making the Right to Privacy a fundamental right. In the aftermath of this judgment, the government set up a committee led by retired Supreme Court judge Justice B.N. Krishna to deliberate on the Data Protection Framework in the country. 

Based on the report, in December 2019, the Ministry of Electronics and Information Technology tabled the Personal Data Protection Bill 2019 in the Rajya Sabha. Between 2019 and 2022, the Personal Data Protection Bill faced numerous challenges, from corporation stakeholders to privacy activists. 

Back to the saga, in January 2021, WhatsApp rolled out its new Privacy Policy and Terms of Service, which again compelled the users to press “I agree” to sharing data with other Meta companies. In the 2016 update, the users had an ‘opt-out’ option with a 30 days threshold, but in the 2021 update, even that was eliminated. On February 15 2021, an application was filed before the Supreme Court in the Karmanya Singh Sareen case stating that the policy discriminated against Indian users as against European Users. The Bench comprising the then Chief Justice issued notices and directed the parties to file replies. The case now awaits a hearing.

In a separate turn of events, in March 2021, the Competition Commission of India found a violation of Section 4 of the Competition Act and ordered a probe into the messaging app’s Privacy Policy. Multi-National Corporations often have an advantage of the vast and important data sea stored in their servers, and they are capable of targeted advertising and have become the giant ‘dominant’ players in every sector. The CCI, in its order, notes that since the policy is unilateral, the data sharing terms in the Privacy Policy demanded an investigation in terms of ‘abuse of dominant position’ by the messaging app. The regulatory authority also states that data analytics is extremely integral and important to the competitive performance of digital ventures. 

Also Read: Fake Loan Apps Thrive As Authorities Fail To Crackdown, Leaving Consumers Vulnerable

The social media giant approached the Delhi High Court in its Letters Patent Appeal to stay the probe ordered by CCI. WhatsApp argued that since the policy was kept in abeyance due to the Personal Data Protection Bill being introduced in Parliament along with pending litigation before the Supreme Court, the CCI probe must stay. However, on 25 August, the Delhi High Court division bench upheld the probe ordered by the Competition Commission of India as a setback to WhatsApp. Although the Delhi High Court dismissed the appeal filed by WhatsApp, the whole saga still awaits its climax at the Apex Court. 

WhatsApp WhatsApp on a users mobile phone | Photo courtesy: Special arrangement

So, what’s WhatsApp up to?

Violation of Section 72 of the Information Technology Act, its 2011 rules and the Right to Privacy 

The Special Leave Petition filed by Sareen argues that the WhatsApp Privacy Policy violates Section 72 of the Information Technology Act. Section 72 is a provision penalising for breach of confidentiality and privacy. The petitioners claim that since WhatsApp has been sharing such information, it is in direct contravention of this section. It is alleged that WhatsApp is also violating the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which mandate full and true disclosures with respect to Privacy Policies. At last, since WhatsApp is sharing personal user information with Meta companies, it is in violation of the Right to Privacy which is now a fundamental right within the ambit of Article 21.

Unilateral terms

Facebook, in its counter affidavit before the Supreme Court, claims that its Privacy Policy and Terms of Service are governed by the Information Technology Act 2000, its rules and the Indian Contract Act, 1872. The claim is simple since the users voluntarily consent to the terms, there is little or no room for the court’s interference. However, it is clear that the WhatsApp Privacy Policy is a take it or leave it deal. The privacy advocates argue that the new Privacy Policy is unilateral and the dodgy way of obtaining consent on the opening screen itself reveals dubious intentions of the platform.

Kanika Seth, cyber lawyer and advocate at the Supreme Court of India says, “Right to Privacy is a fundamental right of every citizen of India and the Constitution of India grants and protects this right. Social media companies that collect data from their users ought to have fair, open and transparent Privacy Policies that respect and safeguard the rights of their users. It must also respect the choice not to disclose or use their personal data in any manner a user does not grant express consent for”.

Meta Meta logo on glass building | Photo courtesy: Special arrangement

Collecting and sharing your data with Meta companies

Although WhatsApp had given public assurances of not sharing data with its parent company, it later came out with its 2016 policy allowing sharing of data with Facebook for targeted advertisements. Data protection professionals insist that it’s not just about the sensitive personal data but having access to the phone numbers itself is a major win for the social media giant. Before acquiring WhatsApp, Facebook had no access to phone numbers unless voluntarily given by its users. Hence, linking Facebook profiles with WhatsApp accounts would undoubtedly help Facebook influence user behaviour. 

The updated policy also mentions collecting IP addresses, and other information like phone numbers and area codes are likely to point to the location of the user even if the location data is explicitly not collected. The biggest worry is that as part of the new policy, WhatsApp may start processing payment/transactional information of its users, and it includes the transaction amount, shipping details, amongst others.

No “Opt-Out” option.

The 2016 update had an opt-out option with a threshold limit of 30 days. However, the 2021 policy is close to a black mirror nightmare with no “opt-out” option. This means the user cannot opt-out of sharing his/her information with Meta companies. It is alleged that the user has no option of protecting sharing of data with interested third parties. 

Not in accordance with the law for minors 

The new policy, according to Sareen’s case, seeks license to the works created by its users and shared through the messaging application. This is not in accordance with the law for minors in the country since they are incapable of granting such consent/license.

Facebook Facebook logo on a glass building | Photo courtesy: Special arrangement

International uproar 

When WhatsApp initially announced its takeover by Facebook in 2014, it had given public assurances not to share data with Facebook. While officially notifying the European Commission, Facebook informed that it would not be able to establish ‘reliable automated matching’ between Facebook users’ accounts and WhatsApp users’ accounts. However, when WhatsApp announced its 2016 privacy policy including the possibility of linking WhatsApp users’ phone numbers with Facebook users’ identities, the European Commission found that Facebook had misrepresented facts in the merger review process. Therefore, the Commission slammed Facebook with a fine of €110 million for providing incorrect or misleading information during the Commission’s investigation under the EU Merger Regulation of Facebook’s acquisition of WhatsApp in 2014. The Commission also found that Facebook staff was already aware of the possibility of matching Facebook and WhatsApp users’ identities.

In 2021, the Hamburg Commissioner for Data Protection and Freedom of Information, which is a German Regulator for data protection, ordered a three-month ban on Facebook for collecting user data from WhatsApp accounts. It further referred the case to a European Union watchdog raising concerns over election integrity. Facebook has received severe backlash and strong sanctions from France, Belgium and other European countries too. 

Currently, the social media giant is struggling with the EU regulators who are at odds trying to block Meta from sending Europeans’ data to the United States. Meta however maintains that blocking such transfer to the US would force it to shut its services down in Europe.

India’s pursuit of data protection law 

Data is the new oil. Therefore, like any other mining drill, it needs a protection framework. India still awaits a comprehensive data protection bill. However, India’s pursuit of data protection dates back to 2008. The Information Technology Act, 2000 was amended to add Section 43A, which puts the liability on companies to protect all sensitive personal data and information that they possess or handle. The companies have an obligation to protect this data with reasonable security measures. Section 43A also imposes a penalty for non-compliance. 

WhatsApp WhatsApp among multiple applications on a mobile phone | Photo courtesy: Special arrangement

Later, in 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 were brought in, laying down the basic standards for the protection of sensitive personal data. This is the law that requires companies in India to formulate Privacy Policies in the first place, requiring them to inform users of what data they collect, and how they collect it and to obtain consent when collecting/transferring sensitive personal data from users. Although the rules exist, they do not address the intricacies of data protection and data flow in today’s world. 

The demand for a more comprehensive framework first arose after the K.S. Puttaswamy 2017 judgment. The Supreme Court linked the value of privacy to individual dignity and held that the State has a positive burden of maintaining and preserving this dignity.

India’s Data Protection Framework has suffered various challenges from corporations to activists. The Personal Data Protection Bill 2019 was referred to the Joint Parliamentary Committee for review. The Joint Parliamentary Committee in its report in 2021 proposed 81 amendments and 12 recommendations to the existing bill. Although the bill was set to be discussed in this Lok Sabha session, Union Minister Ashwini Vaishnav withdrew the bill citing the recommendations made by the JPC. It is predicted that the Indian government is in the process of bringing a more comprehensive code in the future. 

On the issue of India dealing with data breaches by social media giants, Nikhil Naren, Chevening Scholar and Advocate at Scriboard Advocates and Consultants, says that “The obvious fact here is that these breaches and scrutiny are being carried out in the jurisdictions which have a comprehensive framework with respect to data protection and data sharing in place. India cannot force Meta for such measures because we do not have stringent laws that serve this purpose or mandate Meta to comply. On the other hand, Meta’s monopolisation in online communications needs to be relooked at and reassessed. Is the monopolisation making them feel at ease to flout the safeguards put in place?”

He adds, “India needs to put laws in place that call for strong compliance, and also aggressively monitor the collection, usage, and sharing of data. India does have provisions under the IT Act, 2000, read with the SPDI Rules of 2011, that address the concerns in the case of data processing and sharing. However, history speaks that it has not been able to make the ‘right noises!’”

Today, India is one of the world’s largest data economies; hence, it is more than important to have a working framework and a regulator for data protection. India has a lot to learn from the European Union’s exercise of strongarm over large corporations, formulating the strictest policies for compliance. India, as a data economy, can no longer afford a lackadaisical approach to dealing with intermediaries that compromise citizens’ data.