• Team Blogs Within

Privacy issue around the new WhatsApp policy

In early January, WhatsApp users received a pop-up message announcing updates to the app's privacy policy. A closer look revealed that all accounts that did not consent to the new terms by the February 8 deadline would be suspended or deleted. The update was imprecise for many, and a mention to Facebook had users fearing that the contents of their messages would be shared with the social media giant.

WhatsApp's updated privacy policy and terms of service provide information on how the app collects and handles user data. The new Policy has mentioned that it shares customer data with Facebook and other partner companies. WhatsApp has also included specific information on business interactions taking place through its messaging app.

Although, it is specifically mentioned that the new updated Privacy Policy is not applicable in the European Region, which is governed by the GDPR. However, India does not have a concrete data protection law that allows companies like WhatsApp and Facebook to operate without authority and scrutiny, and get access to critical and sensitive personal/ financial data of the user.

WhatsApp’s privacy policy update was challenged before the Delhi High court, where the petitioner asserted that it is violative of the citizens' Right to Privacy and threatening the National Security of India. The Petitioner has also stated that the recent update directly attacks the fundamental Right guaranteed under Part-III of the Constitution of India, as recognized by the Supreme Court in the landmark case Justice KS Puttaswamy & Ors. v. Union of India & Ors.

India lacks a dedicated law on privacy, cybersecurity and data localisation. The current data privacy regime viz. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Privacy Rules”) sit under the Information Technology Act, 2000 (“IT Act”) and is not sufficient to protect all kinds of data and is merely indicative of the practices and procedures to be followed. The Government may exercise its powers under Section 79 (2) (c) [read with Section 87 (2) (zg)] of the IT Act and ensure that WhatsApp does not share any data of its users with any third party or Facebook and its companies for any purpose whatsoever.

The Ministry of Electronics and Information Technology (“MEITY”) pursuant to its analysis of the Policy, has sent a list of questions to WhatsApp on the data security concerns. Some of the key questions about the disclosure of the categories of data collected by WhatsApp from its Indian users, details of the permissions and user consent sought by WhatsApp, the utility of each of the permission with respect to the functioning and specific service provided, the difference between Policy in other countries and India.

As per the government sources, the Policy may impact the status of WhatsApp as an ‘intermediary’ as defined under the Information Technology (Intermediaries guidelines) Rules, 2011 (“IT Intermediary Guidelines”) issued under the IT Act. The IT Intermediary Guidelines impose strict obligations upon an intermediary to put in place proper safeguards to ensure that all the personal information of a person is protected at all costs by such an intermediary. Therefore, the collection of information pertaining to financial settlements, location of the user by WhatsApp raises serious issues and the Policy must be reviewed from the perspective of the IT Intermediary Guidelines.

The new policy also contradicts the recommendations of the Srikrishna Committee report, which forms the basis of the Data Protection Bill 2019. The principle of Data Localisation, which aims to put curbs on the transfer of personal data outside the country, may come in conflict with WhatsApp’s new privacy policy. Whereas, the report by the Committee of Experts on Non-Personal Data Governance Framework, led by the MEITY (NPD Report), and the Data Empowerment and Protection Architecture (DEPA) paper released by NITI Aayog has built on the concept of data’s benefits. The report suggests that India should specify a new class of data at a national level, namely data of special public interest or high-value data sets, while also progressively identifying other priority sectors is important.

The issue has once again raised questions about what constitutes legitimate uses of data and how businesses, governments and political parties can and cannot use data. A White Paper produced by a government-appointed committee, headed by retired judge B.N. Srikrishna suggested a hybrid approach in the formulation of data protection law of the country which combines the EU rights-based approach, the U.S. approach of using data with consent to encourage innovation, and an Indian approach, which takes note of the Supreme Court’s ruling that privacy is a fundamental right subject to reasonable restrictions.

4 views0 comments