Is the new privacy policy of WhatsApp legal considering the new privacy regime sought to be set up by the Personal Data Protection Bill, 2019? How does the tech giant’s new privacy policy square up against the Supreme Court ruling in Puttaswamy? AKSHAT BHUSHAN examines the legal implications for choice and privacy.
—-
ON 4 January 2021, WhatsApp announced its new privacy policy for India. As a result of this privacy update, WhatsApp will get permission to share with Facebook the metadata of users and their messages with business accounts. WhatsApp could take this step in India and not in the European Union because India does not have a robust data protection regime. However, in 2019, the Ministry of Electronics and Information Technology tabled the Draft Personal Data Protection (PDP) Bill in Parliament. It is currently with a Joint Parliamentary Committee and has not passed into law.
Consent specificity and purpose limitation
Clause 11(2)(c) of the PDP bill says that data principals must give specific consent. Clauses 5 and 6 mandate that the data fiduciary can collect data only for the purpose to which the data principal has consented. However, WhatsApp can easily evade these provisions. It can argue that users have specifically consented to let their metadata be used to facilitate the messaging service and shared with Facebook. Therefore, WhatsApp’s defence might be that it is not concealing anything from the user.
The issue with this privacy update is that it does not leave much choice for the user or the data principal. A user can either reject the terms of service altogether, in which case they would be unable to send messages on WhatsApp. Or a user must consent to their data being used for both purposes.
Clause 11(3)(c) requires the data fiduciary to take consent for processing sensitive personal data separately for each different purpose. This provision could have prevented WhatsApp from taking consent for both purposes together, because the metadata and chats with a business account that WhatsApp would have been able to share with Facebook could reveal sensitive personal data like health information, sexual orientation, etc.
However, to ensure a foolproof mechanism against tech giants like WhatsApp it would be desirable to make the provision more comprehensive by extending the ambit of this provision beyond sensitive personal data to include all personal data. Hence, a provision similar to Article 7(2) and Recital 32 of the European Union’s General Data Protection Regulation (GDPR) must be inserted in the PDP bill. It would require the data fiduciary to take consent for collecting and processing all personal data separately for each unrelated purpose. It would give greater control to the data principal over their data.
A user can either reject WhatsApp’s new terms of service altogether, in which case they would be unable to send messages on WhatsApp. Or a user must consent to their data being used for both purposes.
Clause 11(4) prohibits the data fiduciary from denying goods or services to data principals if they refuse to consent for processing data that is not required to provide those goods and services. Therefore, WhatsApp could not have denied messaging services to its users merely because they refused to consent to the collection and processing of their metadata, something that is not necessary to provide messaging services.
Invasive Sandbox provisions
Clause 40 of the PDP bill is particularly dangerous and could be detrimental to the data rights of the users of WhatsApp. This provision empowers the Data Protection Authority to include certain data fiduciaries in a regulatory sandbox who would be exempt from the obligation of taking the consent of the data principal in processing their data for up to 36 months. The GDPR does not have any provision related to the regulatory sandbox. Such a sandbox might be required to provide relaxations to certain corporations, such as those that deal with Artificial Intelligence so that they can test their technology in a Sandbox environment.
However, it is a commonly accepted practice that in a good regulatory sandbox the users whose data is taken voluntarily participate in the exercise. Such a condition is altogether done away with by this provision. The authority that has to assess the applications for inclusion in a regulatory Sandbox is the Data Protection Authority (DPA). The members of the DPA are to be selected by bureaucrats serving under the Union government. So, it cannot be expected to work independently of government control (Clause 42(2)).
The European Union’s General Data Protection Regulation says that a data fiduciary must seeks consent to collect and process all personal data separately for each unrelated purpose. Such a provision is required in India as well.
The DPA can permit the inclusion of a data fiduciary in the sandbox to promote, among other things, “any emerging technology in public interest”. This makes the provision vague because no guidelines have been laid down for the DPA to determine whether an “emerging technology” is in the “public interest”.
Notably, the Indian government made so-called electoral “reforms” through the Finance Acts of 2016 and 2017, which have allowed corporations, including those based out of India, to make unlimited anonymised donations to Indian political parties.
Considering this, many fear that it is not an unreasonable apprehension that tech giants such as WhatsApp could collude with the government to make donations in elections and as a quid pro quo arrangement use their influence to get approval from the DPA for inclusion in the Sandbox.
Inadequate remedies beyond data protection law
The data protection vacuum does not mean the WhatsApp privacy policy will go unchallenged. The privacy policy update can also be seen as a standard contract since its users do not have the option to negotiate the terms of service: they either have to accept the terms in toto or reject them altogether.
Though the Indian Contract Act, 1872 does not differentiate between a standard form of contract and an ordinary contract, the judiciary has evolved principles that must be respected given the unequal bargaining power between the parties.
When a person “has no choice or rather no meaningful choice” other than signing on the dotted line and accepting the unfair clauses of a contract, then such a contract must be considered unreasonable and unconscionable.
Such contracts completely take away an individual’s right to choose, which the apex court has said, is part of the right to privacy under Article 21 in Justice KS Puttaswamy (Retd.) vs Union of India.
The WhatsApp privacy policy operates in the same way because it does not give any choice to a user to accept the terms with some reservations or disable any features that enable the sharing of metadata. The Supreme Court held in 1995 that it is grossly unfair for a party to have the option to either sign a contract with unreasonable terms or forego the contract altogether and that such a contract should be declared void.
However, determining how reasonable terms of service are is somewhat subjective and leaves a lot of scope to varied judicial interpretation. This is particularly worrisome considering the recent oral observations of the Delhi High Court.
The court implicitly underplayed the privacy concerns of users when it said, “It is not mandatory to download WhatsApp on your mobile and it is voluntary. If you want to choose not to download WhatsApp, you can.”
Therefore, a comprehensive and specific statutory backing to the privacy rights of data principals is required. The PDP bill aims to check the powers of the data fiduciary by strengthening consent specificity and purpose limitation in India’s data protection regime.
Determining how reasonable terms of service are is also up to judicial interpretation. The Delhi High Court implied that users can simply choose not to install WhatsApp on their mobile if they dislike it. This underplays personal data protection and privacy.
But the regulatory sandbox provision strikes at the very root of the requirement of consent in section 11.
It is high time that the necessary changes are made to the PDP Bill and it is passed by Parliament; otherwise, the 2017 Supreme Court ruling that declares the right to privacy a fundamental right would become redundant.
(Akshat Bhushan is a second-year law student at Hidayatullah National Law University. The views are personal.)