WhatsApp Privacy Policy applies only to India due to weak data regulations

In light of the recent hearing before the Delhi High Court of the petition challenging the controversial update in the privacy policy of the popular communication app WhatsApp, and the expiry of the May 15 deadline set by it for users to accept the updated policy, VINEET BHALLA and PRIYANKA DAVE summarise everything one needs to know about the policy update, the concerns surrounding it, and the judicial challenges made to it before various courts in India. 

AFTER receiving a lot of backlash from the media and general public, WhatsApp had earlier this year decided to push back its updated privacy policy from kicking in from the originally scheduled date of February 8, 2021, to May 15, 2021. Now, even as it defends its policy before the Delhi High Court against accusations of violating Indian laws from the Ministry of Electronics and Information Technology (Union IT Ministry), Whatsapp has seemingly doubled down on the implementation of its controversial new privacy policy.

The issue of contention

The problem with the up-gradation of the app’s existing privacy policy is the condition that if a user wants to continue using the app, they must agree to their metadata being used by WhatsApp, its parent company Facebook, and any third parties they are dealing with, regardless of whether the user has an account on or uses these other platforms. Earlier, users of the app could choose to opt-out of such data sharing, but the updated privacy policy makes it mandatory.

Facebook and Whatsapp were widely panned for this move when it was announced in January this year.

To be clear, Whatsapp messages are end-to-end encrypted, which means that the company cannot read, let alone provide access to third parties for, messages sent across the platform. However, Whatsapp collects several strands of metadata of its users: their usage data, their phone’s unique identifier, their location when the location service is enabled, among several other types.

In simple words, metadata refers to data about one’s data. So, for instance, the contents of your messages are not metadata, but everything except that is, such as who you messaged, how long or often do you message particular users, what time the messages were sent, and the location of the sender and the receiver.

In silos, such data might seem innocuous enough, but when one zooms out and sees that this data is being collected for every single message a user sends or receives, and for all users on the app, one can only begin to comprehend how much such data might reveal about the users’ personal lives. 

An analysis of telephonic metadata by researchers at Standford University in 2016 revealed that people’s metadata can be used to identify their personal information, such as their health details. Such information is a treasure trove for carrying out covert surveillance, either by public authorities or private parties.

No wonder, then, that Stewart Baker, a former general counsel of the US’s National Security Agency, once said: “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content.”

Also read: How India’s Data Protection Regime Must Learn from the WhatsApp Privacy Policy Fiasco 

Threat to Right to Privacy

A right to Privacy is not directly and expressly mentioned in the Constitution of India. However, in its landmark judgment in the case of Justice K. S. Puttaswamy (Retd.) v. Union of India (AIR 2017 SC 4161), a constitutional bench of the Supreme Court recognised a fundamental right to privacy of every individual guaranteed by the Constitution, within Article 21 in particular and Part III of the Constitution on the whole.

Today, our country does not have any established laws governing privacy of data as such, with the Personal Data Protection Bill, 2019 on hold for well over a year now, seemingly stuck in the process of being reviewed by a Joint Parliamentary Committee.  Already in place are the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, promulgated under the Information Technology Act, 2000 (IT Act), which specifically deal with the protection of “sensitive personal data or information of a person”.

Also read: WhatsApp Privacy Controversy and India’s Data Protection Bill

Current status of the privacy policy update

In March this year, the Competition Commission of India ordered a probe by its Director-General into Whatsapp’s updated privacy policy, on the basis of its finding that WhatsApp had abused its dominant market position to coerce its 350 million users in India to accept its new policy with no scope of opting out.

It observed that “The conduct of WhatsApp in sharing of users’ personal data with other Facebook companies, in a manner that is neither fully transparent nor based on voluntary and specific user consent, appears prima facie unfair to users.” This order was challenged by Facebook and Whatsapp before the Delhi High Court, but a single-judge bench of the High Court dismissed their petition last month.

Earlier this month, Whatsapp filed an appeal against this order before a division bench of the High Court.

Separate pleas were filed before the Supreme Court and the Delhi High Court challenging this privacy policy earlier this year as well. In both cases, the respective courts issued notice to Whatsapp and Facebook. Currently, the matter is being heard by the Delhi High Court, where Whatsapp has claimed that its updated policy doesn’t violate any Indian laws, provides more transparency on its data practices, and is even better than industry standards.

Whatsapp had, in a media statement earlier this month, stated that it had decided to defer its May 15 deadline for users to accept the updated policy, and that it won’t delete the accounts of users who don’t accept the policy, as was feared by many users.

Instead, it will “follow up with reminders to people [who have not accepted the updated policy] over the next several weeks”. There is no time frame mentioned for these reminders or how persistent they would be.

However, earlier this week, Facebook and Whatsapp’s counsel contradicted this statement before the High Court, by stating that the policy has not been deferred and that while users that have not accepted the policy will not be immediately deleted after May 15, they will eventually be discontinued as users if they don’t consent to it.

Again, no timeline has been provided for when the removal of such users shall begin.

Also read: What Happens if You Don’t Accept Whatsapp’s New Privacy Policy?

In response, the union government has averred that the policy update violates Indian IT laws, and sought a detailed affidavit from the company confirming the policy’s conformity with the IT Act and rules made thereunder.

The High Court has listed the matter to be heard next on June 3.

A day after the hearing, the Union IT Ministry sent a communication to Whatsapp directing it to withdraw its new privacy policy, and giving it seven days to respond to the notice. In this communication, the IT ministry states that the changes to WhatsApp’s privacy policy and the manner of introducing the said changes undermine the sacrosanct values of informational privacy, data security and user choice and harms the rights and interests of Indian citizens. It reiterated that the policy violates several provisions of existing Indian laws and rules.

Specific targeting of India

An interesting aspect of this privacy policy update is that it applies only to India. On the other hand, European Whatsapp users won’t have to worry about their metadata being shared with Facebook and other third parties. This is because of the strong data regulation laws in Europe, and the multiple penalties faced by Facebook in Europe in the past few years due to data privacy violations.

This underlines yet again the need for India to adopt a strong data protection law, and for Indian users to consider shifting to other messaging platforms like Signal or Telegram that seem to respect users’ data privacy far more than Whatsapp.

(Vineet Bhalla is a Delhi-based lawyer and part of The Leaflet’s staff. Priyanka Dave is a student at Kirit P. Mehta School of Law, NMIMS, Mumbai, and an intern with The Leaflet. The views expressed are personal.)