WhatsApp’s new privacy policy : Yet another reason India new needs privacy laws

Reading time : 6 minutes

 India’s privacy score is 2.4 according to a UK based research firm’s report which was published in 2019. India was ranked in the bottom three after China and Russia which is a proper indication of the failure of the privacy laws in India.

While Facebook owned WhatsApp’s updated privacy policy in India has been stocking concerns about privacy and data sharing with other apps, what is being missed amid this commotion is that if India had a strict data protection law in the first place WhatsApp would not have been able to go ahead with this new privacy update like it was not in the European states. Data sharing with WhatsApp and other third-party apps is not legally bound in Europe because of the provisions of the General Data Protection Regulation (GDPR). GDPR is a regulation in the European Union law on data protection and privacy in the European Union and the European Economic Area. India being one of the world’s largest markets for data theft as of now does not have any strict legislation and needs strict legislations like the European states have.

WhatsApp is a messaging app founded in 2009 which is available for free to download across all platforms i.e., phone, tablets, PCs, laptops and all the operating systems i.e., iOS, android, and windows. It was bought by Facebook in 2014 for 19 billion US dollars. The overtake by Facebook first brought WhatsApp under scanner for data protection practices.

On 4th of January, 2021 WhatsApp changed its data protection laws in the non-European states including India. The new policy primarily takes away the choice users had until now regarding sharing of data. WhatsApp updated its privacy policy for Indian users that made changes in data processing, data sharing with Facebook, and integration of Facebook’s other products with WhatsApp. Firstly, users have to permit mandatory sharing of their data with Facebook. Secondly, WhatsApp will collect hardware information such as battery level, application version, device operations, and mobile network. Thirdly, WhatsApp will collect location-related information (IP addresses, city, and country) of the user despite the user opting not to use the application’s location feature. Fourthly, a new feature for payments will help the platform retain all the payments, transactions, and accounts related information. Fifthly, if the user opts for third party services (in-app video player), these third- party services may receive information that the user shared with others. Lastly, even if the user deletes their account via the in-app delete feature, WhatsApp reserves the right to retain their previously stored data. WhatsApp claims to protect the users’ messages with end-to-end encryption, ensuring that only the persons messaging can access the data – not even WhatsApp can access it. These are the updates mentioned in the new policy.

At first WhatsApp was using the highway or my way approach by putting out a statement stating that accounts of the user would be deleted if they did not accept the update polices. After encountering huge criticism, clarifications have been made by the authorities that, changes in WhatsApp policy will only be applicable to the Business accounts for marketing purposes rather to personal accounts used for messaging to family or friends as they are protected by end-to-end encryption. The issue here is Protection of data which is resulting in infringement of individuals privacy. WhatsApp had ceased the provision till May 15,2021, relating to suspension of WhatsApp accounts of those who have not accepted the policy by February 8, 2021. Later a WhatsApp spokesperson said that no accounts will be deleted on 15 May for not accepting the policy update as of now. In July, appearing for WhatsApp and Facebook, senior counsel Harish Salve informed the high court that the new privacy policies were on hold that it would not enforce its updated privacy policies until the Personal Data Protection Bill came into force. India’s data protection law has been failing to make progress  for two years now. If India had a data protection law in place, WhatsApp would not have been able to go ahead with this update in the first place.

Background of WhatsApp Privacy debate:

On January 16, 2021 in M.P Sharma v. Sastish Chandra case in which the eight-judge bench of the Supreme Court talked and explained: How private is WhatsApp, what can Facebook see and should you look at alternatives?

On January 18, 2021 Delhi High Court on plea filed by Shreya Aggarwal against WhatsApp’s Updated Privacy Policy said that it is  a Private App, if you don’t want to use it, don’t use it .

In Kharak Singh v. State of Uttar Pradesh , a six- judge bench of the Supreme Court here stated that any intrusion in a person’s home is violative of the right to liberty.

But all together in both the cases the Supreme Court held that Indian Constitution does not specifically protect the Right to Privacy.

In R.M Malkani v. State of Maharashtra Supreme Court observed that telephone tapping is an invasion of right to privacy and freedom of speech and expression, if done so, then it would be violative of article 21 of Indian Constitution.

 In Gobind v. State of Madhya Pradesh the court said that the right to privacy in itself is a fundamental right.

In Peoples Union for Civil Liberties v. Union of India the court held that the right to hold a telephonic conversation is a privacy of one’s home and office without any interference and can certainly be claimed as Right to Privacy.

And at last, in the Case of Justice K.S Puttaswamy v. Union of India a nine-judge bench of the Supreme Court provides a clearer image of the Right to Privacy as a part of Right to Life, under article 21 of Indian Constitution , subject to reasonable restrictions to protect the legitimate interest of the state.

This Judgement was made in response to the Aadhar Controversy in which the government has mandated the use of biometric for all the services provided to its citizens. Where the petitioner Justice Puttaswamy argued that collection of biometric data should only be used for criminals as it will help the government to track the habitual offenders, instead applying it to common people for all the services they use it and also overruled the M.P Sharma v. Satish Chandra case and Kharak Singh v. Union of India.

There is no urgency now in hearing pleas challenging WhatsApp update as they have decided to put on hold the update and decided to roll back to the previous feature till the final decision regarding Privacy Data Protection Bill 2019 is made in the next session of parliament in 2021  said Delhi High Court In July.

Facebook on the outside seems like a social media platform to the general public, but it is a data aggregation machine for commercial gains through advertisements in actuality. It generated 80.9 billion US dollars in revenue from advertisements in 2020 and is estimated to generate 94.6 billion US dollars in 2021. This policy implies that Facebook and other affiliated applications might use WhatsApp for commercial gains, thereby breaching users’ privacy. Moreover, the policy lacks clarity on the consequence or liability of data breaches, such as mishandling bank account details shared on WhatsApp business accounts. Most importantly, it is unclear how and who will use the data and for what purposes. Lack of government or independent third-party regulation may cause exploitation of user’s data. It could also lead to spreading misinformation, fake news, and hate propaganda.

In Justice K.S Puttaswamy (Retd) v. Union of India, the Supreme Court of India ruled that privacy is a fundamental right under Article 21 of the Indian Constitution. Court held that informational privacy is an individual’s choice to share personal information, and it is a part of the right to privacy. Furthermore, it was held that both State and non-State actors could exploit data; the government must enact a strong data protection law. Recently, the writ petitions filed in the Supreme Court and the Delhi High Court sought an injunction to restrain WhatsApp from implementing the updated terms of service as it violates the right to privacy and threatens state security – owing to this, the implementation of the policy has been deferred in India. There is no specified legislation which is enacted on data protection in India nor India is a party to any International Convention on protection of personal data except two which are: Universal Declaration on Human Rights and International Covenant on Civil and Political Rights both recognise the right to Privacy. Other legislations are: Information Technology Act, 2012 popularly known as IT Act deals with data protection. Section 43(A) 13 of IT Act, 2000 states that a corporate body who is possessing, dealing or handling any sensitive personal data or information and is negligent in implementing and maintaining reasonable security practices resulting in wrongful gain or wrongful loss to any person, then such organisation will be held liable to pay damages to the affected party. Section 72(A) 14 of the same act: states that disclosure of information knowingly and intentionally without persons consent and for breach of lawful contract will lead to imprisonment for a term extending to 3 years and fine up to 5,00,000.

The IT act was amended in 2008 and known as Information Amendment Act, 2008. Certain sections which were inserted are section 43(A): Compensation for failure to protect data, section 66(E) 15 : Punishment for Violation for Privacy.

In 2011, Government notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,2011: it only deals with protection of sensitive data of a person including:

(a) Passwords

(b) Financial information such as bank account / credit card or other instrument details.

(c) Physical, psychological and mental health conditions

(d) Sexual orientation

(e) Medical records and history

(f) Biometric information

And the most important law which is still being awaited by the country is Personal Data Protection Bill (PDPB), 2019 which was presented before the Lok Sabha in December, 2019, by Ministry of Electronics and Information Technology and is still being examined by the Joint Parliamentary Committee and is set to be presented before Parliament in upcoming winter session 2021.

The messaging app, which has over 400 million users in India, has agreed to wait for now until the Personal Data Protection (PDP) law comes into effect.

The Privacy Data Protection bill was drafted by the Srikrishna Committee in 2018. The bill is influenced by the European Union’s General Data Protection Regulation (GDPR) and was drafted in response to the Supreme Court’s mandate to the Indian government recognizing privacy as a fundamental right.

The General Data Protection Regulation does not permit WhatsApp to share its data with Facebook or any other third- party company. Similarly, when converted into a law, Privacy Data Protection would grant extensive data protection rights to Indian citizens while imposing limitations on the collection and processing of personal and sensitive data.

In WhatsApp’s case, the company is defending itself that the Indian government is yet to introduce the Privacy Data Protection Law. Until the law is introduced, WhatsApp will not make any changes to its new privacy policy. It will, however, not limit the functionality of how WhatsApp works in the coming weeks.

India being the largest populated state has the major risk of data theft, and that too during pandemic when the whole world is dependent on technology, chances of data being misused is more. The need for this bill to become an act is now more necessary than ever before.

Earlier, WhatsApp functioned as an intermediary with no ownership of the content. However, according to the updated privacy policy, it becomes the owner of users’ data, making it a ‘data fiduciary’ under the Indian Data Protection Bill, 2019. The Bill prohibits collecting and processing personal data by ‘data fiduciaries’ without consent or prior notice. Moreover, it lays down data principles’ rights: the right to confirmation and access, right to data portability, right to be forgotten. Lastly, similar to Section 43A of the Information Technology Act, 2000, the Bill provides compensation for data-breach.

Moreover, the corporates are currently governed and regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, mandating them to provide a privacy policy for personal information or sensitive data. Furthermore, this policy violates the Guidelines issued by the Ministry of Electronics and Information Technology on disclosing sensitive information to a third party. Lastly, despite ratification from National Payments Corporation (NPCI) for starting payment service in India, the policy violates Notification on Storage of Payment System Data issued by the Reserve Bank of India.

WhatsApp’s different approach in India and Europe highlights the need for a codified data protection law in India like the European General Protection Regulation. Data localization and storage are also issues of concern. The Committee headed by Justice BN Srikrishna advocated for data localization, restricting users’ data to move out of the country for commercial exploitation for example: India needs data localization laws that enable data storage of Indian users in India itself, rather than at data centers owned by Facebook in the United States.

The fundamental right to informational privacy and freedom of speech can only be exercised if the conversations between citizens are private. This right is not absolute and is subject to reasonable restrictions by the State to promote public interest. It is too important to leave a billion citizens’ privacy and rights to a commercial enterprise; hence, a proactive data protection law is the need of the hour.

As with any other right, the right to privacy is not meaningful without our ability to successfully enforce this right. Indeed, it is not unprecedented for Indian courts to adopt this understanding of our fundamental rights and for courts to impose such responsibility on the state. In fact, in Vishakha and Ors. v. State of Rajasthan and Ors., the Supreme Court held the state indirectly accountable for its failure to introduce a law that adequately protected women against sexual harassment at workplaces, which violated their right to live with dignity, a fundamental right. The Supreme Court went so far as to publish its own guidelines to bridge the gap in law, until the government was obliged to introduce the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013.

There is a need for federated alternative messaging platforms with proper governance like Signal and Telegram. These applications’ models are designed to encrypt both the metadata and content, so even the application servers cannot decipher or retain the users’ information. Moreover, unlike Signal or Telegram, the data backup is not encrypted by WhatsApp, which leaves room for data exploitation. Thus, WhatsApp should learn to promote cyber security from these applications for linking and leaking sensitive data. Besides, social media or messaging applications should be segregated from payment applications or digital wallets to ensure secure financial transactions.

Without a data protection law, the government is failing each day in its positive obligation to create a framework that enables us to exercise our fundamental right to privacy effectively.

Sources :

  1. The Indian Express
  2. Live Mint
  3. India Today
  4. Law rounder
  5. The Wire


Editor: Kanishka VaishSenior Editor, LexLife India.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s