Consent specificity and purpose limitation
Clause 11(2)(c) of the PDP bill says that data principals must give specific consent. Clauses 5 and 6 mandate that the data fiduciary can collect data only for the purpose to which the data principal has consented. However, WhatsApp can easily evade these provisions. It can argue that users have specifically consented to let their metadata be used to facilitate the messaging service and shared with Facebook. Therefore, WhatsApp’s defence might be that it is not concealing anything from the user.
The issue with this privacy update is that it does not leave much choice for the user or the data principal. A user can either reject the terms of service altogether, in which case they would be unable to send messages on WhatsApp, or consent to their data being used for both purposes.
Clause 11(3)(c) requires the data fiduciary to take consent for processing sensitive personal data separately for each different purpose. This provision could have prevented WhatsApp from taking consent for both purposes together, because the metadata and chats with a business account that WhatsApp would have been able to share with Facebook could reveal sensitive personal data like health information, sexual orientation, etc.
However, to ensure a foolproof mechanism against tech giants like WhatsApp, it would be desirable to make this provision more comprehensive by extending its ambit beyond sensitive personal data to include all personal data. Hence, a provision similar to Article 7(2) and Recital 32 of the European Union’s General Data Protection Regulation (GDPR) must be inserted in the PDP bill. It would require the data fiduciary to take consent for collecting and processing all personal data separately for each unrelated purpose. It would give greater control to the data principal over their data.
Clause 11(4) prohibits the data fiduciary from denying goods or services to data principals if they refuse to consent for processing data that is not required to provide those goods and services. Therefore, WhatsApp could not have denied messaging services to its users merely because they refused to consent to the collection and processing of their metadata, something that is not necessary to provide messaging services.
Invasive Sandbox provisions
Clause 40 of the PDP bill is particularly dangerous and could be detrimental to the data rights of the users of WhatsApp. This provision empowers the Data Protection Authority to include certain data fiduciaries in a regulatory sandbox, exempting them from the obligation of taking the consent of the data principal in processing their data for up to 36 months. The GDPR does not have any provision related to the regulatory sandbox. Such a sandbox might be required to provide relaxations to certain corporations, such as those that deal with Artificial Intelligence, so that they can test their technology in a sandbox environment.
However, it is a commonly accepted practice that in a good regulatory sandbox the users whose data is taken participate voluntarily in the exercise. Such a condition is altogether done away with by this provision. The authority that has to assess the applications for inclusion in a regulatory sandbox is the Data Protection Authority (DPA). The members of the DPA are to be selected by bureaucrats serving under the Union government (Clause 42(2)). So, it cannot be expected to work independently of government control.
The DPA can permit the inclusion of a data fiduciary in the sandbox to promote, among other things, “any emerging technology in public interest”. This makes the provision vague because no guidelines have been laid down for the DPA to determine whether an “emerging technology” is in the “public interest”.
Notably, the Indian government made so-called electoral “reforms” through the Finance Acts of 2016 and 2017, which have allowed corporations, including those based out of India, to make unlimited anonymised donations to Indian political parties.
Considering this, many fear, not unreasonably, that tech giants such as WhatsApp could collude with the government by making donations in elections and, as a quid pro quo arrangement, use their influence to get approval from the DPA for inclusion in the sandbox.
Inadequate remedies beyond data protection law
Though the Indian Contract Act, 1872 does not differentiate between a standard form of contract and an ordinary contract, the judiciary has evolved principles that must be respected given the unequal bargaining power between the parties.
However, determining how reasonable terms of service are is somewhat subjective and leaves a lot of scope to varied judicial interpretation. This is particularly worrisome considering the recent oral observations of the Delhi High Court.
The court implicitly underplayed the privacy concerns of users when it said, “It is not mandatory to download WhatsApp on your mobile and it is voluntary. If you want to choose not to download WhatsApp, you can.”
Therefore, a comprehensive and specific statutory backing to the privacy rights of data principals is required. The PDP bill aims to check the powers of the data fiduciary by strengthening consent specificity and purpose limitation in India’s data protection regime.
But the regulatory sandbox provision strikes at the very root of the requirement of consent in section 11.
It is high time that the necessary changes are made to the PDP Bill and it is passed by Parliament; otherwise, the 2017 Supreme Court ruling that declares the right to privacy a fundamental right would become redundant.
(Akshat Bhushan is a second-year law student at Hidayatullah National Law University. The views are personal.)