WhatsApp Privacy Policy and Data Protection in India

Reading time : 8 minutes


In the entire world there are more than 2 Billion+ users of WhatsApp out of which 400 Million+ exist in India itself because India is a great industry a huge market for WhatsApp at this point in time and growing exponentially every year. Whatsapp in January 2012 came up with the new privacy policy and asked the users to give consent to this policy and if the users do not give consent to this policy then Account won’t be deleted but certain Application of WhatsApp will be hindered.

WhatsApp Privacy policy:

  • Requires consent of the users to share transaction data, mobile device information, IP address of the users and data on how they interact with businesses, and share this data with Facebook.
  • It also allows WhatsApp and Facebook to share that information with 3rd party service providers also.
  • Certain information which included are phone number our locational data and other login information.

Earlier everybody had to be agreeing to the policy by February 8th but due to lots of controversy WhatsApp extended the timeline to accept the policy to May 15, 2021. Another major issue here was that India does not have a Data Protection Law. There is a Personal Data Protection Bill, 2019 and that is still pending in the Parliament and that was another major concern with this privacy policy that WhatsApp released.

WhatsApp update does not extend to European region due to its stringent General Data Protection Regulation. India, not having similar comprehensive data protection legislation, relies on the Information Technology Act, 2000, and its rules, for regulating the use of sensitive personal data a subset of personal data. The current legal regime is, therefore, inadequate to address the arising data privacy concerns due to, but not limited to, its lack of primary legislation and governmental regulatory authority, narrow scope, and limited penalties. The new Privacy Policy update has been challenged before Apex Court and the Delhi High Court with contentions rose on differential treatment between Indians and Europeans WhatsApp users and on how the policy infringes upon the Fundamental Right to Privacy. In response WhatsApp stated it would no longer defer its Privacy Policy rollout, and users were not been forced to use WhatsApp while knowing it well that it continues to be the most widely used messaging application in India. The Central Government called the update as violative of Indian Information Technology Laws and that the Ministry of Electronics and Information Technology has directed WhatsApp to quickly withdraw the Update and it harms the rights and interests of Indian users by undermining Informational Privacy as well as Data Security. The competition commission of India passed a suo moto order to initiate the investigation into whether WhatsApp was misusing its dominant position in the industry. The CCI noted in its order that earlier version of WhatsApp privacy policy had ‘opt-out’ provisions unlike in the present update, and observed the new version to be take it or leave it in nature. It called WhatsApp data collection to be expansive and disproportionate, and noted that such data concentration, and use, in itself raised anti- competitive concerns. The CCI thus ordered a detailed investigation into WhasApp’s market position and power. Claiming that the CCI was exceeding its jurisdiction by reaching into data privacy matters, and questioning Facebook’s implement in the same, the order was contested by WhatsApp and Facebook before the Delhi High Court which squashed its challenge.[1] (Prasad, 2021)

The personal Data protection Bill, 2019

It was introduced in Parliament year 2019. The bill establishes the framework to protect people personal data from entities which collect and use the data soon after introduction the bill was referred to a joint Parliamentary Committee for further examination. The bill places certain obligation on Data Fiduciaries for those who collect and use Data. It gives certain rights to individuals or Data principles to protect their personal data. It establishes a data protection authority to regulate and oversee Data Fiduciaries. The Bill raises some issues to consider Should a Public Service Providers be exempt from asking for consent?

Under the Bill Data entities cannot collect or process Personal Data without an individual Consent. Personal Data is any piece of information that can be used to identify a person’s identity for example- Financial information such as Pan, Aadhaar Number.

Consent will not be required to collect and process Data in case of:

  • Medical Emergencies
  • Legal Proceedings or
  • When the Government is providing services and benefits to the individuals.

If the Government is a soul provider of a benefit or a service such as   driving license then the question of consent does not arise because individual any way cannot refuse consent but in case of health insurance where the Government can provide a service alongside private actors then this raises question why Should the public insurers be given a exemption from taking consent when the private insurance companies under the Bill are required too?

Under the Bill entities which process Personal Data are required to:

  • Specify the purpose of Data Collection
  • Ensure that the processed Data is complete and are not misleading, and
  • Ensure that Data is only retained for the required period and not beyond.

They are exempted from this provision if they are processing Personal      Data form

  • For prevention, detention, investigation or prosecution of any offence.
  • In such cases Data entities only have to ensure that the processing is done for a clear, specific and lawful purpose.

This implies that the Fiduciaries may collect more Data than required and retain for a period longer than necessary further, the individual will not have rights over their Data.

The Personal Data Protection bill was drafted by the Srikrishna committee in 2018. The Bill is influenced by the EU’s General Data Protection Regulation and was drafted in response to the Supreme Court’s mandate to the Indian Government recognizing Privacy as a fundamental right. The GDPR does not permit WhatsApp to share its data with Facebook or any third party company. Similarly, when converted into a law, PDP would grant extensive Data Protection Rights to Indian Citizens while imposing limitation on the collection processing of personal and sensitive data.[2] (Money Control News , 2021)

Justice B.N Srikrishna Committee:

The 2018 expert Committee had argued that prevention, detention, investigation and prosecution for a violation of law are essential state functions. It recommended that these activities should be exempted from certain provisions of the bill. Such exemption should be proportionate to the interests being achieved.

According to the Bill individuals can make a complaint to a Data fiduciary if they act against the provision of the Bill, only if such violation has caused or likely to cause harm to them.

Under the Bill in the event of a Data breach the Data fiduciaries has discretion to decide whether the breach needs to be reported to the data protection authority. Under reporting of Data breaches is likely to protect market reputation.

Privacy notice

Section 7 of the purposed Bill puts an obligation on the data fiduciary to provide a privacy notice, i.e. a document containing granular details of the processing of personal data to the data principals. The details must be provided in a manner that is clear, concise and easily comprehensible to a reasonable person. The notice should also be provided in multiple languages where necessary and practicable. The importance of a clear and concise policy has been highlighted in a Justice Srikrishna Report on data protection. There is no guidance from the Indian authorities on what it constitutes. Guidance from the article 29 working party in the EU suggests that the policy must be presented in a manner that avoids information fatigue. In the digital context, it has been recommended that presenting a policy in a layered format enhances readability. The guidance also suggests that policy should avoid reliance on complex sentences and abstract terms to convey the details of the processing operations. The revised privacy policy of WhatsApp cannot be termed a clear and concise policy. The purely text- based policy, containing around 3800 words, is not presented in a layered format resulting in shockingly low readability for the amount and type of personal data collection the policy is attempting to convey. The policy contains vague language providing an average user a hazy understanding of the extent of data processing and can leave room for different interpretations. The earlier version of the policy also uses similar language and structure to convey details regarding the processing and does not provide transparent details regarding its data sharing with Facebook. Relying on a similar format as its earlier versions without revising it based on global discussions around the best methods seems to be an opportunity lost to remedy the privacy policy. The structure, form and language of the policy will have to be revised if the bill is enacted in its current form and the policy will also have to be provided in multiple languages.[3] (Reddy, 2021)

Data Principal Rights

The difference between the protection afforded to Indian resident users and European resident users is there in the rights accorded to the data principal under the two privacy policies. The European privacy policy has a section dedicated to how users can exercise their rights. These rights are a reflection of the protection afforded to data principles under the GDPR. As per the current version of the bill, the data principal will have the right to:

  • Confirmation and access (section 17)
  • Correction and erasure (section 18)
  • Data portability (section 19)[4] (Reddy, 2021)

If the current version of the bill is enacted, then WhatsApp will be required to amend its privacy policy regarding its applicability to India and incorporate the rights of data accorded to the data principal.[5] (Reddy, 2021)

Concerns Related to Personal Data Protection Bill: 

  • It is like a two-sided sword. While it protects the Personal data of Indians by empowering them with data principle rights, on the other hand, it gives the central government with exemptions which are against the principles of processing personal data.
  • The government can process even sensitive personal data when needed, without explicit permission from the data principals.[6] (Data Protection in India, 2021)


Justice KS Puttaswamy V.UOI (2017-SC-9-Judge Bench)

The Supreme Court in KS Puttaswamy Judgement stated that Right to Privacy is a Fundamental Right in India.

Government can interfere in Right to Privacy of a person only when it is:

  •  There should be a Legitimate Aim.
  •  There should be Proportionality in which the Right is been taken.
  •  And in the way it is been taken there should be a Legality attached to it.

Case Summary and Outcome

A nine-judge bench of the Supreme Court of India held unanimously that the right to privacy was a constitutionally protected right in India, as well as being incidental to other freedoms guaranteed by the Indian Constitution. The case, brought by retired High Court Judge Puttaswamy, challenged the Government’s proposed scheme for a uniform biometrics-based identity card which would be mandatory for access to government services and benefits. The Government argued that the Constitution did not grant specific protection for the right to privacy. The Court reasoned that privacy is an incident of fundamental freedom or liberty guaranteed under Article 21 which provides that: No person shall be deprived of his life or personal liberty except according to procedure established by law”.  This is a landmark case which is likely to lead to constitutional challenges to a wide range of Indian legislation, for example legislation criminalising same-sex relationships as well as bans on beef and alcohol consumption in many Indian States. Observers also expect the Indian Government to establish a data protection regime to protect the privacy of the individual. Further, the case is likely to be of wider significance as privacy campaigners use it to pursue the constitutional debate over privacy in other countries.[7] (Puttaswamy v. India)

In February 2021 the Government of India came up with new set of regulation called The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

This rules talked about two kinds of platform OTT (Over the Top) platforms i.e.  The application we use Netflix, Amazon Prime, Sony liv and so on and other social media platforms which is more than 50 lakhs subscribers or more than 5 million subscribers which includes WhatsApp, Instagram, Twitter and so on these was covered basic reason for covering these social media and OTT platforms was that there was a lot of hateful information / false information that was being circulated on these and due to this Government felt that there was a National Security issues that were created because of this Government brought certain sets of guidelines wherein every such organisation which is the OTT platforms or the social media platforms need to have a grievance officer; following National Laws; and Traceability Clause and that is the major cause of concern here it means that if the Government wants the social media platforms to reveal the name of persons who started the particular message and it became hateful or against the Government then it is the duty of the social media platforms to provide such names to the Government of India. This created a problem and the WhatsApp said that this is the violation of Fundamental Rights of people and violation of Human Rights.

On 25th May 2021 which was the last day of complying with This Particular Guidelines WhatsApp filed the case against the Government of India in the Delhi High Court. It stated that if Traceability Clause is a violation of WhasApp’s end-to-end encryption policy. It means all the messages we receive and send are only between sender and the receiver even WhatsApp cannot read those messages that is end-to-end encryption policy. WhatsApp argument is if we are compelled to share this information with the Government Authorities then its Violates our policy of end-to-end encryption and it also violates the Fundamental Rights of the citizens of India because Right to Privacy is a Fundamental Rights as per Case Puttaswamy Judgement. WhatsApp also stated that if these guidelines are implemented as it is with the Traceability Clause then there is certain innocent people who may be unnecessarily implicated which means they become a part of investigation unnecessarily even if they had spread the information out of concern just to tell people this is something wrong happening then also they may be the part of the investigation and they may have to go under a lots of hustle that is another concern here. WhatsApp released a memo on 25th May and made it clear that it has a separate department which works 24/7 assisting the Government Authorities if there is any information like National Security issues etc. WhatsApp has a department delegated to that particular thing in those circumstances WhatsApp can release otherwise it cannot release information whenever the Government want this is a violation of a Fundamental Rights.

WhatsApp will put policy on Hold till Data Protection Law Comes into Force 

WhatsApp said on Friday 9th July it has decided not to enforce its new privacy policy till India’s Personal Data Protection Bill is passed it has made the submission before the Delhi High Court. Appearing for the company, senior advocate Harish Slave told a bench of Chief Justice DN Patel and Justice Jyoti Singh it won’t limit the functions for users who don’t opt for the new Privacy Policy, Slave said. The Bill seeks to regulate the use of individual’s data by the government and private companies. The development came when the High Court was hearing a challenge of Facebook and WhatsApp against the Competition Commission of India’s order directing a probe into WhatsApp new privacy policy. Last month, an application was moved by WhatsApp for an interim stay on the probe but the court decline. Slave argued that since the genesis of the probe the privacy policy has been stalled for now, the inquiry into the same by the Competition Commission of India now academic. Senior Advocate Mukul Rohatgi, appearing for Facebook, objected the CCI probe, saying the Commission was jumping the gun by initiating a probe into privacy policy when a challenge to the same was pending before Supreme Court and the High Court. After hearing all the sides, the HC adjourned the matter till July 30 by when CCI’s stand would be on record. A single judge on April 22 has said that he saw no merit in the petitions of Facebook and WhatsApp to interdict the investigation directed by the CCI.[8] (Garg, 2021)


  1. Prasad, R.A.(2021). An unfolding Legal Battle: WhatsApp’s privacy policy update in India. Mondaq connecting knowledge &people


  •  Money control News. (2021, may). Retrieved from moneycontrol.com:


  • Reddy, P.B. (2021, January). The Centre for internet& society. Retrieved from cis-india.org:


  • Data Protection in India. (2021). Drishti IAS


  • Puttaswamy v. India. (n.d.). Global freedom of Expression Columbia University.
  • Garg, A. (2021, July). The Times of India. Retrieved from m.timesofindia.com:


  • Whatsapp privacy policy,


  1. Giving more time to recent Update


  1. WhatsApp privacy policy and legal battle with the government

New IT Rules- Keshav Malpani

  1. The personal Data Protection Bill 2019

[1] Raghunath Ananthapur &Prithvika Prasad,“ An unfolding Legal Battle WhasApp’s Privacy Policy update in India” MCK&P(2021)

[2] “Personal data protection bill: New WhatsApp privacy policy case is reminder India need to enact the law” Money control News, May 25, 2021

[3]  Pallavi Bedi& Shweta Reddy,”PDP Bill is coming: WhatsApp Privacy Policy analysis” cis (2021)

[4]  Pallavi Bedi& Shweta Reddy,”PDP Bill is coming: WhatsApp Privacy Policy analysis” cis (2021)

[5]  Pallavi Bedi& Shweta Reddy,”PDP Bill is coming: WhatsApp Privacy Policy analysis” cis (2021)

[6] “Data protection in India”(2021)

[7]  “Puttaswamy v. India” General Freedom of Expression Columbia University.

[8]  Editorial, “WhatsApp blinks, says Privacy Policy on hold” The Times of India, July 10, 2021.


Editor: Kanishka VaishSenior Editor, LexLife India.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s