WhatsApp, the popular messaging platform owned by Facebook, recently announced a new privacy policy that has stirred a massive debate. According to the new policy, users’ data shall be shared with its parent company, i.e. Facebook. WhatsApp has clarified that the sharing will be limited to the data exchanged between business accounts and individuals. The private conversations of the users would not be shared. The sharing is meant to facilitate better services provided by Facebook. The company claims that the new policy also ensures “more transparency and accountability in sharing the users’ data.”[1]

It is also important to note that, other than the data related to business chats, the app will also share with Facebook the profile photo, status, groups that the individual has participated in and information on payments made through the app.


The policy has been criticized by the public for mainly two significant reasons:

  • Consent of users is not being taken for sharing their personal data; and
  • Sharing of metadata.

Before the new policy, WhatsApp already shared users’ data with Facebook, on the basis that WhatsApp is one of the companies owned by Facebook and any information received by the app would therefore be shared with the parent company. However, the users had the option of opting out. The data could not be shared without the consent of the user. Under the updated policy, the biggest issue is that the users do not have a say in their information being shared. They have the option of either consenting to the terms of the policy or deleting their WhatsApp account. This “all or nothing approach” has led to an uproar among the masses. When Facebook acquired WhatsApp in 2014, it vowed to protect the privacy of its users and claimed that in no case would it be compromised. Each time Facebook was involved in a data protection controversy, it promised that the users would be given more control over their personal data.[2] Upholding that vow, WhatsApp had always asked for the consent of the users before sharing their personal information with Facebook. The new policy has led to a belief among the users that Facebook has failed to adhere to its data protection commitment. They believe that consent is being forced: in order to disagree, they would have to delete an account which they have been using for years. Fearing the aftermath of the policy implementation, a large number of WhatsApp users have opted for other instant messaging platforms that assure sufficient protection of their data. Signal and Telegram, the two competitors of WhatsApp, have seen a growth of 17.8 and 15.7 million downloads respectively, a week after WhatsApp announced its new policy.[3]

The new policy will allow WhatsApp to conduct two data mining exercises:

  • interactions between the business accounts and the individuals; and
  • collecting the metadata.

The latter part has made the policy a lot more controversial. Metadata has the potential to reveal highly sensitive information about individuals. Firstly, it is important to understand what metadata is. In simple terms, it means “data about data.”[4] The metadata collected by WhatsApp includes contact information, location of the user, financial details etc. This metadata is then used to form a complete profile of that individual. The profile would further be used by Facebook to target the users with business advertisements that match it. In the new policy, the users have not been given the freedom to consent to such metadata sharing.


India has taken a strong stand against the updated privacy policy of WhatsApp. The Indian government has asked WhatsApp not to apply its policy in the Indian market, given that it has the largest number of WhatsApp users. WhatsApp is the most popular instant messaging platform in India. With 340 million users, India is the biggest market for WhatsApp.[5] The government has asked WhatsApp to review its policy as it will affect the privacy of a lot of Indian users.

India is also against the differential and discriminatory treatment by which WhatsApp does not apply its privacy policy to the European countries. The stringent privacy rules of Europe, called the General Data Protection Guidelines (GDPR), govern data protection in the European Economic Area and the European Union. They prevent data sharing between the applications and also provide that consent must be taken from the application users, and that it should be free and unambiguous.[6] The existence of GDPR has prevented WhatsApp from implementing its new policy in the European region. India is against this differential treatment and has shown displeasure over the application of the policy to such a large base of users.


GDPR was created to protect the data of Europeans from any mishandling by businesses and other companies. The purpose of the guidelines was fulfilled when WhatsApp could not implement its new policy in the European region. India could have avoided such a situation had there been a data protection law in force in the country. Sharing the metadata of a large base of users with Facebook without statutory supervision has put Indians in a vulnerable spot. The boycotting of WhatsApp has shown how much the users value the privacy of their data. A user can only trust an online platform when they are assured that the protection of their data is kept at a high priority. Although it is an obligation of the applications to ensure data safety, there are several instances when they fail to do so. To fill this lacuna, India needs a strict law that can protect individuals from breaches of their data privacy. Given the rapid proliferation of data, there needs to be a regulatory watch over such tech giants. The ongoing COVID-19 pandemic has further led to an increased dependence on digital platforms, which further enhances the necessity of data protection laws in countries worldwide. With changing times, Indian law has failed to cater to a huge problem posed by these networking apps. There is no law in India that specifically deals with the protection of data. Hackers or social media giants can easily gain access to the data of Indians as there are no strict laws against them.

Presently, India does have a draft of data protection legislation which has been pending for over two years now. The Parliament had introduced The Personal Data Protection Bill in 2019. The bill mainly aims to protect the right to privacy of the citizens relating to their personal data and its usage. Right to privacy was recognized as a fundamental right in the landmark judgment of KS Puttaswamy v. Union of India.[7] It is that fundamental right which stems from right to life and liberty under Article 21 of the Constitution of India. The need was felt to form strict laws with respect to the right to privacy in the technological sector.


As discussed above, the aim of the bill is “to provide protection to the individuals with respect to the collection, usage and flow of their personal data and to establish a trust between the entities processing data and the individuals. It also provides norms for the cross border transfer of data, accountability of the entities and the remedies possessed by the persons.”[8] It is applicable to the government of India, companies operating in India and the foreign companies that deal with the personal data of Indians. The provisions laid down by the bill are in line with the rules made under General Data Protection Guidelines (GDPR). The bill defines personal data as the data belonging to a natural individual that identifies the characteristics, attributes or any other trait of that individual, either offline or online. For example, the personal data collected by WhatsApp includes mobile phone number, messages, profile photo, media shared between the individuals etc. Such personal data is capable of identifying or building the profile of any individual. The bill also names the entity that decides the purpose and means of data collection as a ‘data fiduciary’. The ‘data principal’ is the individual whose data is being collected and processed.

The salient features of the proposed legislation are:

1. Kinds of Personal Data: The PDP Bill, 2019 categorizes personal data into three parts: personal data, critical personal data and sensitive personal data. As mentioned above, personal data is defined as the data relating to the traits and characteristics which can be used for identification of an individual. Under the bill, sensitive personal data is that data which may refer to or disclose the medical and financial information, ethnicity of the person, sexual orientation and political beliefs and associations. Provision for protection of sensitive personal data is also provided under the Information Technology Act, 2000, but the Act limits the scope of sensitive personal data. There is no specific definition for critical personal data; it is just defined as the data which may be considered critical by the Central Government.

2. Consent: The PDP Bill provides that data cannot be processed without the consent of the individual. Prior consent is treated as an important measure for the protection of data. It also extends to collecting, transferring and erasing the data. The consent has to be free in accordance with Section 14 of the Indian Contract Act, 1872. The bill also provides that the data should only be used for the purpose for which the consent was given by the person. The data principal also has the right to withdraw his consent at any time before or after the collection of data.

If the PDP Bill had been in force, the controversial policy of WhatsApp could not have been applied in India. WhatsApp would not have been able to share the data with Facebook without the prior consent of the Indian users. The present policy of WhatsApp gives individuals the choice of either agreeing to the policy or deleting the account. That could not have been considered ‘free consent’ under the PDP Bill, 2019.

3. Obligations of Data Fiduciary: A data fiduciary is the person or entity that decides the purpose and means of collection of data. The bill places certain obligations on the data fiduciary to ensure the protection of data. Other than the responsibility of taking the consent of the data principal, the data fiduciary also has to send a notice to that person which shall include:

  • the purpose for which data is collected;
  • the nature of the data collected;
  • right of the person to withdraw his consent;
  • the period for which the personal data shall be kept in use;
  • procedure for grievance redressal;
  • information regarding transfer of such data; and
  • any other such information.

The data fiduciary has to ensure that the personal data is being collected and processed for a lawful cause. It shall also take sufficient measures to ensure transparency and accountability in the entire procedure of data utilization. The bill also specifically provides for data protection measures with respect to the sensitive personal data of children. In such cases, prior consent of the parents or the guardian is a must. The bill also lays down the punishment for violations of data protection. Any processing of personal data contrary to the provisions of the law would attract a penalty of 15 crore or 4% of the annual turnover of the data fiduciary.

4. Social media intermediaries: The bill also includes provisions relating to social media intermediaries. It states that those social media intermediaries that have more users than the prescribed threshold will be considered ‘significant data fiduciaries’. Intermediary is defined “as any person or entity that stores, transmits or receives a particular electronic message.”[9] Significant data fiduciaries can be classified as the data fiduciaries that store a large volume of data, collect sensitive personal data, pose greater harm as a result of a breach of data and use new technologies as the means of data collection. Such significant social media intermediaries have higher obligations to perform. It can be observed that large social media platforms such as WhatsApp, Facebook, Instagram, etc. would fall under the category of significant social media intermediaries after the enactment of the PDP Bill. More restrictions would be placed on these platforms and they would be accountable for any breach or unlawful activity performed by them.

5. Right to be forgotten: The right to be forgotten is the remedy provided by Section 20 of the Bill through which an individual has the right to disallow the data fiduciaries or the data processors from further storing his data. The remedy can be availed of in three cases:

  • when the data has served the purpose for which it was collected;
  • when the consent is withdrawn by the data principal; and
  • when such collection of data is contrary to the provisions of the bill or any other law in force.

The right to be forgotten differs from the right of erasure in the sense that it merely discontinues the disclosure of data. The right of erasure allows the individual to completely remove his data from the system of the data processors. The right to be forgotten can only be exercised with prior permission from the Adjudicating Officer.

6. Data Protection Authority: To ensure proper compliance with the provisions of the law, the bill proposes to set up a Data Protection Authority. The Authority comprises members that have expertise in the fields of information technology, data protection, data science, public administration and law. The Chairperson and the rest of the members of the Authority shall be appointed by a Selection Committee formed by the Central Government. If a person is not satisfied with the decision of the grievance committee of the data fiduciary, he can file a complaint with the Data Protection Authority. The decision of the Authority can be appealed before the Appellate Tribunal. Appeals from the Tribunal will then go to the Supreme Court.

These are the chief features of the proposed legislation on data protection in India. Other than these provisions, the bill also lays down certain other requirements. It mandates the data fiduciaries to prepare a ‘privacy by design policy’ containing their obligations, their business practices, the technical system being used for data protection, the interests of the data principal and transparency in processing the personal data.


The bill has been on hold in the Parliament for 2 years now. The main reason for this is that it has faced numerous criticisms from the opposition and the public. The biggest criticism faced by the PDP Bill is that although the legislation was framed to protect the fundamental right of privacy of the citizens, it indirectly encroaches upon this right. The bill gives the Central Government the power to exempt any government agency from application of the act. The Central Government can direct that the act would not apply to a government agency if it is satisfied that this is necessary for the sovereignty, security and order of the country. This gives enormous power to the government to extract the personal data and sensitive personal data of the citizens. It can do so without taking consent from the citizens and without being transparent in its manner. The opponents of the bill are of the opinion that the terms ‘national interests, public order and national security’ are vague and have a wide scope. In any case of public disorder, the government would have the power to process the sensitive personal data of the citizens on grounds of national security and public order. There is no check on the powers that the Central Government can exercise with respect to the data of individuals. If the government decides that the provisions of the Act would not apply to a government agency, that agency can also be exempted from penalty in case of unlawful activity or personal data breach. The opponents also feel that the Data Protection Authority has been given lesser powers than the Central Government in terms of protection of data.


At present, the collection and usage of personal data and sensitive personal data is governed by the Information Technology Rules, 2011, which were made under the IT Act 2000. However, it was felt that technology has advanced since the time the rules were made. There were many shortcomings in the Act, which could not provide sufficient assurance for protection of data. The Personal Data Bill, 2019 was framed with the intention that it would provide wide protection in the usage and transfer of data. The bill lacks certain safeguards with respect to data protection and weakens the control of the individual over his data. From the current uproar against the new privacy policy of WhatsApp it can be seen that individuals are not in favour of sharing personal data without their consent.

The ongoing controversy also shows how important it is, now more than ever, to come up with data protection legislation in India. In the times of the ongoing pandemic, when every interaction is getting digitalized, enormous amounts of personal data of individuals are being collected and processed. Indian consumers of electronic platforms are currently vulnerable to any data breach, there being no statutory protection. Other than the regulatory framework, there is a need for awareness among Indians regarding data protection and privacy. A large stratum of India’s population is not aware of how much personal data is being processed and what the consequences of a breach of their personal data are.

[1] Editorial, “Update Debate: On WhatsApp and privacy” The Hindu, Jan. 18, 2021.

[2] Editorial, “Facebook’s Mark Zuckerberg has promised to protect user privacy before. Will this time be different?” USA Today, Apr. 11, 2018.

[3] WhatsApp controversy highlights growing fears about data privacy, DW News, available at: (Visited on March 14, 2021).

[4] WhatsApp row: How messaging app’s new privacy policy impacts legal rights of Indian citizens, Firstpost, available at: (Last Modified January 21, 2021).

[5] WhatsApp Revenue and Usage Statistics (2020), available at: (Visited on March 13, 2021).

[6] Nicolo Ghibellini, “Some Aspects of the EU’s New Framework for Personal Data Privacy Protection” 73 The Business Lawyer 207-214 (2018).

[7] (2017) 10 SCC 1.

[8] The Personal Data Protection Bill 2019, India, available at: (Visited on March 14, 2021).

[9] The Information Technology Act 2000, India, available at: (Visited on March 15, 2021).

Author: Aditi Sharma, Symbiosis Law School Pune; 3rd Year BA LLB (Hons)

Editor: Kanishka Vaish, Senior Editor, LexLife India.
