WhatsApp is updating its policy, is it time for India to update its laws as well?

WHAT IS WHATSAPP CHANGING IN ITS POLICY AND HOW WILL IT IMPACT USERS? The popular social media platform WhatsApp recently updated its privacy policies and notified its users of the same. The update is that WhatsApp will now share its users’ data with Facebook. It later clarified that private chats, images, messages, calls, videos are […]

by Chhavi Singh - February 11, 2021, 4:02 pm

WHAT IS WHATSAPP CHANGING IN ITS POLICY AND HOW WILL IT IMPACT USERS?

The popular social media platform WhatsApp recently updated its privacy policies and notified its users of the same. The update is that WhatsApp will now share its users’ data with Facebook. It later clarified that private chats, images, messages, calls, videos are end to end encrypted and these will not be shared as even WhatsApp has no way of seeing these. Whatsapp can only share metadata with Facebook including details like device identifiers, IP addresses, operating system, time zone, browser details, phone number, logs etc. However, if a user interacts with a business account on WhatsApp, these chats are not secure and data can be shared with Facebook. The most likely end result of this will be an increase in targeted advertisements across Facebook and other platforms owned by Facebook.

RIGHT TO PRIVACY AND INDIAN LEGISLATIONS ON DATA PROTECTION

Right to Privacy was recognized as a Fundamental right and part and parcel of the Right to Life under Article 21 of the Consitution in the landmark judgment of K.S. Puttaswamy v. UOI by the Supreme Court of India in 2018. Justice D.Y. Chandrachud held that- “In the context of Article 21 an invasion of privacy must be justified on the basis of a law which stipulates a procedure which is fair, just and reasonable.” It was also held that there is a positive obligation on the state to take all the necessary measures to protect an individual’s privacy. In order to sufficiently regulate data protection and privacy, a comprehensive law like the EU’s General Data Protection Regulation (GDPR) is needed. The Personal Data Protection Bill 2019 (PDPB), very similar to the GDPR was formulated on the basis of the report on a suitable Data Protection Framework for India, by the Justice BN Srikrishna Committee. Apart from the PDPB 2019, there aren’t any other laws suitable to deal with regulation of social media platforms and protection of data. Till the PDPB 2019 is not passed, Indian courts can only take recourse to the Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (IT Rules). These legislations primarily protect “personal information” or “sensitive personal data or information”. Section 43A of the IT Act imposes an obligation on corporations to maintain and adopt reasonable security practices with respect to handling of sensitive personal data. Firstly, it only grants protection to sensitive personal data which has not been clearly defined in the Act so it cannot be said with certainty that the data that Whatsapp will share with Facebook falls under the ambit of Section 43. Moreover, there are practical problems in enforcement as it is difficult for the users to prove that the collection of their data was illegal or it has been misused in any way. The IT act has not kept pace with technological developments and is more suited to deal with cases of cyber security or hacking. These lacuna in the legislation can be fixed if the PDPB is made an enforceable law.

As of now, Whatsapp has delayed the implementation of its new policy but concerns about the breach of privacy likely to happen as a result of this policy still remain. The biggest issue is that, currently neither does India have a concrete data protection law nor is there any regulatory body to overlook the functioning of various social media platforms. The Delhi High Court, while hearing the petition against Whatsapp’s new policy questioned the basis for seeking an injunction against Whatsapp in the absence of any law in place which the Act is violating. This points to the urgency of making the Personal Data Protection Bill, 2019 into a law.

HOW WILL PDPB IMPACT WHATSAPP’S UPDATED PRIVACY POLICY?

The IT Act is silent on regulation of social media platforms. Other regulatory bodies such as the Telecom Regulatory Authority of India, Regulators for banking sector, insurance sector, medical sector only regulate privacy protection and data protection in specific sectors and there is no one regulator to overlook functioning of all social media platforms which gives them considerable leeway to abuse the privacy of users. The PDPB provides for the formation of a regulatory body. Under the PDPB, the Central Government is required to set up the Data Protection Authority(DPA) of India under Section 49 and the functions of DPA are mentioned under Section 60 of the Act. The DPA would be authorized to monitor and enforce the provisions of this bill and prevent any misuse of personal data. As per Section 60(2)(b), the DPA would also be authorized to specify reasonable purposes for which personal data of a data principal may be processed by a data fiduciary. On this point, the PDPB takes a more stringent approach than the GDPR by authorizing the regulatory body to define reasonable purposes for processing of personal data rather than leaving it up to the data controller/fiduciary. The DPA, in its attempt to specify reasonable purposes shall be required to take certain factors into consideration under Section 17(1) including but not limited to – the interest of the data fiduciary in processing for that purpose, whether the data fiduciary can reasonably be expected to obtain the consent of the data principal and the effect of the processing activity on the rights of the data principal. These considerations can further restrict the kinds of activities that can be qualified as reasonable purposes. Since Whatsapp is an app meant for communication between two parties, it is unlikely that processing and selling users’ data to Facebook for targeted advertisements would qualify as a reasonable purpose.

Additionally, section 12(3) of the Act the data fiduciary cannot make the provision of goods, services, performance of any contract conditional on consent to processing of any personal data not necessary for that purpose. Consequently, Whatsapp discontinuing its services to users as a result of not giving consent for processing any data to be sold to Facebook will be in violation of the bill. Section 12 of PDPB states that consent will be considered valid if it also capable of being withdrawn. Section 27 of the PDPB confers the Right to be forgotten on individuals to prevent or restrict continued disclosure of personal data if data is no longer needed for the purposes for which it was processed and the data principal withdraws consent wherein processing of data happened based on the consent given by the individual. This would mean that, as per Section 12 and Section 27 of the PDPB, individuals who wish to discontinue with the updated policy after they have consented to it should be allowed to do that and Whatsapp would be required to delete the data collected for sharing with Facebook.

There have been allegations of Whatsapp sharing its users’ data with Facebook after Facebook bought Whatsapp in 2014. Pursuant to this, Whatsapp announced a change in its privacy policy in 2016 to share users’ data with Facebook and its group companies. This was then challenged by filing a PIL before the Delhi High Court in Karmanya Singh Sareen v. Union of India. While the court did acknowledge that the right to privacy was being violated Whatsapp, it could only grant interim relief and ruled that Whatsapp servers must delete data of those users’ who delete the app. In this case, the Court also directed that online apps like Whatsapp must be brought under a regulatory framework. Had there been a regulatory body for apps like Whatsapp and a proper comprehensive data protection law in place, the Court could have declared the policy to be violative of right to privacy. 4 years later, we are still struggling with the same problem and the hands of the Judiciary are tied as there is no law that Whatsapp’s updated policy is violating.

THE EUROPEAN SCENARIO

The PDPB 2018 is very similar to the GDPR law in European Union. Whatsapp is not implementing its updated policy in EU as it is directly in violation of Article 5 of the GDPR which lays down the principles for processing of users’ personal data, “purpose limitation” and “collection limitation” which restricts the processing of data to only certain reasonable purposes and data collection is also to be limited to those purposes. Similar to the GDPR, Articles 5 and 6 of the PDPB also incorporate purpose limitation and collection limitation which could restrict the kind of data processing that Whatsapp can do and hence, users’ data will be better protected.

The Bill is currently being scrutinized by a Parliamentary Standing Committee which is expected to give its report soon. The Bill provides for a very comprehensive data protection law which is the need of the hour given the widespread use of social media for every other purpose. If the Bill is passed and made into a law, big players like Whatsapp can no longer abuse the privacy of their users’ and while the Bill may have its flaws, it is still a very significant step towards data protection.