Privacy issue around the new WhatsApp policy
India lacks a dedicated law on privacy, cybersecurity and data localisation. The current data privacy regime viz. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Privacy Rules”) sit under the Information Technology Act, 2000 (“IT Act”) and is not sufficient to protect all kinds of data and is merely indicative of the practices and procedures to be followed. The Government may exercise its powers under Section 79 (2) (c) [read with Section 87 (2) (zg)] of the IT Act and ensure that WhatsApp does not share any data of its users with any third party or Facebook and its companies for any purpose whatsoever.
The Ministry of Electronics and Information Technology (“MEITY”) pursuant to its analysis of the Policy, has sent a list of questions to WhatsApp on the data security concerns. Some of the key questions about the disclosure of the categories of data collected by WhatsApp from its Indian users, details of the permissions and user consent sought by WhatsApp, the utility of each of the permission with respect to the functioning and specific service provided, the difference between Policy in other countries and India.
As per the government sources, the Policy may impact the status of WhatsApp as an ‘intermediary’ as defined under the Information Technology (Intermediaries guidelines) Rules, 2011 (“IT Intermediary Guidelines”) issued under the IT Act. The IT Intermediary Guidelines impose strict obligations upon an intermediary to put in place proper safeguards to ensure that all the personal information of a person is protected at all costs by such an intermediary. Therefore, the collection of information pertaining to financial settlements, location of the user by WhatsApp raises serious issues and the Policy must be reviewed from the perspective of the IT Intermediary Guidelines.
The issue has once again raised questions about what constitutes legitimate uses of data and how businesses, governments and political parties can and cannot use data. A White Paper produced by a government-appointed committee, headed by retired judge B.N. Srikrishna suggested a hybrid approach in the formulation of data protection law of the country which combines the EU rights-based approach, the U.S. approach of using data with consent to encourage innovation, and an Indian approach, which takes note of the Supreme Court’s ruling that privacy is a fundamental right subject to reasonable restrictions.