But what does it mean for the user? We’ll get into that in a bit, but first, let’s roll back to the beginning of this saga, to 2014.
Ever since WhatsApp was taken over by its now-parent company Facebook (Meta) in 2014, it has raised eyebrows and drawn attention from data protection and privacy professionals. There were worldwide concerns that WhatsApp may end up sharing sensitive personal data with Facebook, compromising user privacy. For privacy advocates, the heavens were indeed falling, but public assurances by WhatsApp led to its successful takeover by Facebook.
In 2017, the celebrated landmark judgment of the Supreme Court in K.S. Puttaswamy v. Union of India recognised the “Right to Privacy” as inherent to the “Right to Life” under Article 21 of the Constitution, thereby making the Right to Privacy a fundamental right. In the aftermath of this judgment, the government set up a committee led by retired Supreme Court judge Justice B.N. Krishna to deliberate on the Data Protection Framework in the country.
Based on the report, in December 2019, the Ministry of Electronics and Information Technology tabled the Personal Data Protection Bill 2019 in the Rajya Sabha. Between 2019 and 2022, the Personal Data Protection Bill faced numerous challenges, from corporation stakeholders to privacy activists.
The social media giant approached the Delhi High Court in its Letters Patent Appeal to stay the probe ordered by CCI. WhatsApp argued that since the policy was kept in abeyance due to the Personal Data Protection Bill being introduced in Parliament, along with pending litigation before the Supreme Court, the CCI probe must be stayed. However, on 25 August, in a setback to WhatsApp, the Delhi High Court division bench upheld the probe ordered by the Competition Commission of India. Although the Delhi High Court dismissed the appeal filed by WhatsApp, the whole saga still awaits its climax at the Apex Court.
So, what’s WhatsApp up to?
Violation of Section 72 of the Information Technology Act, its 2011 rules and the Right to Privacy
Kanika Seth, cyber lawyer and advocate at the Supreme Court of India, says, “Right to Privacy is a fundamental right of every citizen of India and the Constitution of India grants and protects this right. Social media companies that collect data from their users ought to have fair, open and transparent Privacy Policies that respect and safeguard the rights of their users. It must also respect the choice not to disclose or use their personal data in any manner a user does not grant express consent for.”
Collecting and sharing your data with Meta companies
Although WhatsApp had given public assurances of not sharing data with its parent company, it later came out with its 2016 policy allowing sharing of data with Facebook for targeted advertisements. Data protection professionals insist that it’s not just about the sensitive personal data: having access to the phone numbers is itself a major win for the social media giant. Before acquiring WhatsApp, Facebook had no access to phone numbers unless voluntarily given by its users. Hence, linking Facebook profiles with WhatsApp accounts would undoubtedly help Facebook influence user behaviour.
The updated policy also mentions collecting IP addresses, and other information such as phone numbers and area codes is likely to point to the location of the user even if location data is not explicitly collected. The biggest worry is that, as part of the new policy, WhatsApp may start processing payment/transactional information of its users, including the transaction amount and shipping details, amongst others.
No “Opt-Out” option.
The 2016 update had an opt-out option with a threshold limit of 30 days. However, the 2021 policy is close to a Black Mirror nightmare with no “opt-out” option. This means the user cannot opt out of sharing his/her information with Meta companies. It is alleged that the user has no option of preventing the sharing of data with interested third parties.
Not in accordance with the law for minors
The new policy, according to Sareen’s case, seeks a license to the works created by its users and shared through the messaging application. This is not in accordance with the law for minors in the country, since they are incapable of granting such consent/license.
In 2021, the Hamburg Commissioner for Data Protection and Freedom of Information, a German regulator for data protection, ordered a three-month ban on Facebook collecting user data from WhatsApp accounts. It further referred the case to a European Union watchdog, raising concerns over election integrity. Facebook has received severe backlash and strong sanctions from France, Belgium and other European countries too.
India’s pursuit of data protection law
Data is the new oil. Therefore, like any other mining drill, it needs a protection framework. India still awaits a comprehensive data protection bill. However, India’s pursuit of data protection dates back to 2008. The Information Technology Act, 2000 was amended to add Section 43A, which puts the liability on companies to protect all sensitive personal data and information that they possess or handle. The companies have an obligation to protect this data with reasonable security measures. Section 43A also imposes a penalty for non-compliance.
Later, in 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 were brought in, laying down the basic standards for the protection of sensitive personal data. This is the law that requires companies in India to formulate Privacy Policies in the first place, requiring them to inform users of what data they collect and how they collect it, and to obtain consent when collecting/transferring sensitive personal data from users. Although the rules exist, they do not address the intricacies of data protection and data flow in today’s world.
India’s Data Protection Framework has suffered various challenges from corporations to activists. The Personal Data Protection Bill 2019 was referred to the Joint Parliamentary Committee for review. The Joint Parliamentary Committee in its report in 2021 proposed 81 amendments and 12 recommendations to the existing bill. Although the bill was set to be discussed in this Lok Sabha session, Union Minister Ashwini Vaishnav withdrew the bill citing the recommendations made by the JPC. It is predicted that the Indian government is in the process of bringing a more comprehensive code in the future.
He adds, “India needs to put laws in place that call for strong compliance, and also aggressively monitor the collection, usage, and sharing of data. India does have provisions under the IT Act, 2000, read with the SPDI Rules of 2011, that address the concerns in the case of data processing and sharing. However, history speaks that it has not been able to make the ‘right noises!’”
- First published: Sep 28, 2022 12:19PM