WhatsApp updated its terms of service and privacy policy in January 2021 and made acceptance compulsory for users who wished to continue using the app. The updated terms would enable the app to collect user metadata such as mobile phone number, phone model, call logs, approximate location, duration of interactions, etc. and share it with business accounts and WhatsApp’s parent company, Facebook.

By Debopama Bhattacharya

WhatsApp has stated in its updated policy that if users choose to click on ads while using Facebook or Instagram, this may be used to provide personalised ads in the future based on user metadata. WhatsApp will need the consent of users in Europe for Facebook to even access their metadata, such as phone numbers or call logs.

These users may also choose not to give their consent and still continue using WhatsApp. For users in the rest of the world, the deadline to accept the policy changes in order to continue using the app has, as of now, been extended to May 15, 2021, from the earlier deadline of February 8, 2021.

WhatsApp’s move has raised important questions on data privacy, data security and most importantly, the freedom of choice of individuals. This is especially so since the option to opt out of the policy changes was not provided. The changes also appeared discriminatory in nature since they applied only to users outside Europe and the United Kingdom — jurisdictions where there are strict data protection laws.

With a user base of more than 340 million, WhatsApp is one of the most popular messaging apps in India, which accounts for its largest number of subscribers, followed by Brazil and the US. Users reacted with a backlash soon after the alert about the updated policy, and a large number shifted to rival messaging apps like Telegram and Signal.

The massive influx of new users to Signal led to the disruption of its services on January 15, 2021. Telegram became the most downloaded non-gaming app worldwide for January 2021, with 24 percent of total downloads from India, according to the latest data provided by analytics firm Sensor Tower.

Responding to the backlash, WhatsApp clarified via its own status updates that nothing had changed with respect to personal messaging, given that all personal conversations were protected with end-to-end encryption and no contacts and location updates were shared with Facebook, except for some business accounts.

The Issue of Data Privacy

WhatsApp’s new policy changes have led to growing concerns about the manner in which business data will be treated and how it will affect the privacy of the customers. For instance, many companies use this platform to deliver lab reports, air tickets, and other confidential information to customers.

The Ministry of Electronics and Information Technology (MeitY) has termed the policy changes unfair and unacceptable in their current form, and has sought clarifications from WhatsApp regarding its information privacy. The differential treatment of the citizens of the country, as opposed to European citizens, was highlighted as a matter of concern.

The Delhi High Court, hearing a petition challenging the app’s new privacy policy on grounds that it violated the right to privacy guaranteed under the Indian Constitution, stated that WhatsApp is a private app and downloading the app itself was not mandatory for citizens. It also highlighted the fact that not just WhatsApp but many other apps have similar terms and conditions.

It is pertinent to note that in February 2021, the government imposed a ban on nearly 60 apps, including TikTok, under section 69A of the Information Technology Act. That ban was driven by concerns regarding data collection, data security and user privacy — precisely the matters on which MeitY has now sought clarifications from WhatsApp.

The Supreme Court, in a unanimous judgement by a nine-judge bench in the Justice K.S. Puttaswamy vs Union of India case in 2017, had held that data privacy is under the ambit of Right to Privacy, protected as a fundamental right under Article 21 of the Constitution. The petitioner of the case, Justice K.S. Puttaswamy (Retd.), had submitted that making Aadhaar mandatory and linking it to the grant of state benefits was violative of the right to privacy of individuals. The Court in this judgment also overruled the previous judgments in the Kharak Singh vs State of UP (1962) and M.P. Sharma vs Satish Chandra (1954) cases, in which it had held that Right to Privacy was not a Fundamental Right.

Data protection and privacy are currently regulated under the provisions of the Information Technology Act 2000. Article 21 of the Constitution has also evolved over a period of time to include the right to privacy as an essential component of the Right to Life. In the absence of specific legislation on data privacy, however, the Union Government in July 2017, after the judgement by the Supreme Court in the Justice K.S. Puttaswamy case, formed the Justice B.N. Srikrishna Committee to deliberate on a data protection framework for the country. The Committee submitted its report in July 2018.

The Personal Data Protection Bill 2019, which was tabled in the Lok Sabha in 2019, is currently under consideration by a parliamentary committee. As and when it is passed, it would be India’s first legislation on protection of personal data based on the recommendations of the Justice B.N. Srikrishna Committee. The committee recommended privacy by design on the part of data processors and individual consent as essential frameworks to govern data sharing. It also called for the Right to be forgotten — the ability of individuals to limit, delink, and delete personal data on the internet. A specific regulatory mechanism of this kind is the need of the hour since private tech giants play a very significant role when it comes to managing and handling personal data.

The Way Forward

Amazon, Google, Apple, Microsoft, and Facebook are among the ten most valuable companies in the world and they all belong to the data sector. These tech giants own a substantial amount of Big Data, the high volume of information generated by users using their services. Technological advances have enabled these companies to collect, store and process such data. Their ability to do so, however, should not infringe upon basic human rights. Providing safeguards to personal data using the highest-possible privacy settings by default, asking for consent and granting the right to revoke the consent anytime, are important standards in this regard. As India constantly strives to ensure the safety and sovereignty of cyberspace and of personal data, the direction which the WhatsApp saga will take will be keenly watched.

This article first appeared in www.idsa.in and it belongs to them. The author is a research associate with IDSA.