How India’s Data Protection Regime Must Learn from the WhatsApp Privacy Policy Fiasco 

WhatsApp’s new privacy policy has made headlines the entire month of January. The 400 million users of the app in India have all kinds of questions ranging from the nature and implications of the changes in the policy to whether the law currently protects their sensitive data. PARVATHI SAJIV and SHAGUN BHARGAVA explain how the privacy policy has changed, the current data protection regime, and lacunas in it.


ON 5 January, WhatsApp notified its users in India and other countries of changes to its privacy policy and terms and conditions which would come into effect on 8 February. Though many users consent to changes in policies and terms and conditions without applying their mind, these alterations (now on hold) created a stir. Petitions have been filed against the policy at the Delhi High Court and Supreme Court.

There is an uproar against the new policy because when Facebook acquired WhatsApp in 2014 it had categorically said it would not share any information with Facebook.

However, in sharp contrast to this promise, in 2016 WhatsApp announced it would share information such as phone numbers, its users’ “last seen”, information on their pattern of interaction, mobile device details and service-related information with Facebook groups.

The sole redeeming factor was that pre-existing users had the option of opting out of sharing their information with Facebook.

In the latest policy, the majority of changes relate to WhatsApp business users. WhatsApp wants to share data about how its users engage with businesses on its app. It wants to give businesses on its platform the option to use Facebook’s hosting infrastructure to manage chats and deal with inquiries.

The debate over the WhatsApp privacy policy stresses the lack of choice given to Indian users to opt-out. Their only choice is to delete the app if they disagree. This is not how WhatsApp has dealt with users in the European Union. A possible reason is the strong data protection regulations in the EU. 

A possible consequence of this is that businesses hosted on WhatsApp, Facebook and other group companies will capitalise on information about their customers by providing targeted advertisements.

WhatsApp notes, “We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. The changes are related to optional business features on WhatsApp”. While users breathed a sigh of relief at this, the change in policy is still of huge concern to WhatsApp business enterprises.

Also Read: Kazi Syed Karimuddin: Relevance of Constituent Assembly Debates on Right to Privacy in Modern India

The new policy clarifies what WhatsApp shares with Facebook (and the Facebook group of companies). Metadata— data about data—will be shared between WhatsApp and its parent company. Metadata includes information such as the frequency and duration of users’ activity on the platform, their battery status, group names and so on.

Hence, while the contents of a user’s messages are not to be shared with Facebook and its group companies, other relevant information regarding a user’s activity will be.

It is important to note that this information was already being shared between WhatsApp and Facebook since 2016. The 2016 policy said, “Facebook…may use information from us to improve your experiences… However, your WhatsApp messages will not be shared onto Facebook for others to see. In fact, Facebook will not use your WhatsApp messages for any purpose other than to assist us in operating and providing our Services.”

In other words, WhatsApp’s policy since 2016 is that Facebook will use your messages to assist it.

Therefore, the only difference made by the changes in 2021 is that WhatsApp users no longer have the choice to opt out of sharing their information. After a severe backlash, WhatsApp has postponed its changes to May 15, hoping to bring users up to speed on the new policy.


Data is a powerful tool. In the wrong hands, it has the potential to even turn elections. This is why we need a strong legal system around data use and how authorities can regulate it. In 2017, a nine-judge Supreme Court bench in KS Puttaswamy vs Union of India (or the right to privacy case) affirmed privacy as a fundamental right.

Over eighty countries including India have also recognised the growing importance of data protection and have pushed for legislations. In the Budget Session of Parliament next month, a Joint Parliamentary Committee is expected to table its report on the Personal Data Protection (PDP) Bill, 2019.

A Joint Parliamentary Committee is expected to table its report on the Personal Data Protection (PDP) Bill, 2019 during the Budget Session next month. 

India’s proposed legislation defines “personal data” as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling…”

Our every transaction on the internet, from a social media post to an article we read, continually generates data. Companies use this data to make online consumption “easier” for us. They analyse billions of data points to curate content which their algorithms are programmed to believe are well-suited to us.

Using personal data, companies and the government can identify the people whom it is about, as happened in Delhi last year. Union Home Minister Amit Shah had said in Lok Sabha after the riots in Delhi that the police have identified 1,110 people through “facial recognition technology”. In fact, CCTV footage was matched against the voter database of the Election Commission of India and the vehicle registration database, e-Vahan, to identify these people.

Also Read: India’s New Normal: Privacy in a Post-Pandemic World

The High Court of Kerala, in Balu Gopalakrishnan v. State of Kerala passed an interim order regarding the export of COVID-19-related data from the government of Kerala to a US-based entity, Sprinklr, for data analytics. The High Court held that the government must anonymise this data, obtain the consent of citizens and ensure their data returns.

The debate over the WhatsApp privacy policy stresses the lack of choice given to Indian users to opt-out of what it plans to do with their data. The only choice they have is to delete the app if they disagree with the privacy policy but is not how WhatsApp has dealt with the same issue in its privacy policy for users in the European Union.

Data is a powerful tool. In the wrong hands, it has the potential to even turn electionsThis is why we need a strong legal system around data use and how authorities can regulate it. 

The possible reason is that the EU is better protected by its data privacy laws than many other regions, which is why WhatsApp has created two very different policies for India and the EU.


Protecting the identity of the data principal: India’s data protection bill defines data principals as the people to whom the data belongs. In line with the General Data Protection Regulation, the primary law governing how companies handle personal data in the EU law, the PDP Bill has a provision to correct or erase data, which is known as the “right to be forgotten”.

The bill also establishes the need to obtain the consent of users. Accordingly, digital firms will need permission from the users before collecting their data.

The legislation also provides for people whose data is being collected to request information on it from “data fiduciaries”. A data fiduciary is any individual, state or company that determines the purposes and means of processing personal data. The data principal will have the right to view their data in a clear, portable, readable, and structured format.

The bill defines critical and sensitive data and requires certain kinds of data to be stored only in India. This is in line with pre-existing protections such as the Reserve Bank of India’s requirement for local storage of payment-related data.  The localization mandate came into effect in 2018, but companies such as Google and Whatsapp have taken more than a year to comply with the mandate.

What we purchase, which businesses we interact with, or who we interact with can reveal our gender, preferences, orientations, and beliefs.

Sensitive data relates to health, religious beliefs, politics, biometrics, sexual orientation, finances and so on. The bill suggests the government must have access to this data in the interest of security. This has caused concern, for it could raise the potential for surveillance by the state and what is considered a national security issue can generate much debate and little consensus.

With the changes the new WhatsApp policy seeks to introduce, the biggest cause of concern—even if the bill becomes law—is the lack of protection of “non-personal data”.

Non-personal data in the bill is all data that is not personal or does not have personally identifiable information. Section 91(2) says the government can direct data-collectors to hand over anonymised personal information or other “non-personal data”.

Also Read: Surveillance, Data Imperialism and Transition to a Post Human World

A major issue here is that anonymised data can often be reidentified. For example, companies can use data from e-commerce platforms to draw inferences about their identities, such as sexuality or religious beliefs.

To cite another instance, the metadata that WhatsApp stores (and now intends to share with Facebook) can be qualified as “non-personal” data. Most of our online purchase history and other information that WhatsApp wants to share with Facebook can also be used to build a user profile which could potentially be “personal” data. What we purchase, which businesses we interact with, or who we interact with can reveal our gender, preferences, orientations, and beliefs.

Furthermore, there is currently no framework to regulate the use or processing of non-personal data. In September 2019, the Ministry of Electronics and Information Technology constituted a committee to deliberate non-personal data and suggest ways to regulate its use and collection.

Also Read: The Personal Data Protection Bill 2019:  Do you have the Right to be Forgotten from the Internet?

In July 2020, the committee released its report for public consultation. The recommendations, which range from creating a threshold of “Data Business” to establishing a non-personal data authority, could be beneficial, especially in light of WhatsApp’s new policy.

The Personal Data Protection Bill, 2019, has far-reaching implications for India’s data governance structures and will affect how business is conducted in the country. Each type of data and how it affects the State and companies are crucial to citizens. As we spend more time online, we end up sharing more of our data too. There need to be checks and balances around data collection and processing so that big tech companies and the state can be held accountable and responsible for citizens’ privacy.

(Parvati Sajiv is a journalism student and Shagun Bhargava is a law student and are interns at The Leaflet. Views are personal.)