This update had received red flags from data regulatory authorities and privacy experts for its extended data collection and sharing practices. Though most of the users on digital platforms agree to privacy and cookie policies without actually reading them, WhatsApp’s updated policy had, sparked a mass exodus as users at large are concerned that Facebook would be able to read their private messages.
- Profile names
- Profile pictures
- Users’ phone number
- IP address
- phone numbers stored in address book
- Status information including when a user was last online
- Usage and log information
- Device information
- Location related information
- Transaction and payment data if enabled
Key privacy concerns
- Data collected by WhatsApp, will be shared with Facebook-owned companies and third parties.
- Will continuously collect the user’s precise location information, IP addresses and other information to estimate their general location and usual travel location. Can use the data for ad-targeting purposes on other platforms.
- Violates the principle of data localisation, by allowing the transfer of personal data outside the jurisdictions.
- Usage of the information beyond the purposes for which the consent was given at the time of collection. Violates the principle of purpose limitation.
- The jurisdiction for disputes is mentioned as the District Court in California.
Competing apps privacy standards
As reported, the Government of India highlighting K S Puttaswamy judgements wrote to WhatsApp head Will Cathcart and asked
- to respect the informational privacy and data security of Indian users
- through questionnaire seeking more details about its data-sharing protocols and business practices
- the details about exact categories of data that WhatsApp collects from Indian users
- about permissions, user consent sought and the utility of each of these with respect to the functioning and specific service provided
- to provide details about the difference between its privacy policies in India and other countries.
- if WhatsApp conducts profiling of Indian users on the basis of their usage of application and the nature of profiling conducted
- details of the difference between WhatsApp’s privacy policies in India and other countries along with details of its data security, information security, cyber-security, privacy, and encryption policies
(Source: Hindustan Times[v])
Petitions and the CCI Probe
CAIT i.e. Confederation of All India Traders also approached Supreme Court of India. However, the plea being pending before the High Court, the Apex Court rejected the appeal. Most importantly, the Apex stated that “You may be a USD 2-3 trillion company, but people’s privacy is more valuable for them and it is our duty to protect their privacy” to WhatsApp. (Source: Times of India[vi])
Here, the CCI’s endeavour to explore the antitrust threads in the privacy regime puts it on tier-1 of global antitrust agencies as only a few have explored the conflation of these regimes. The order is challenged by WhatsApp and it remains to be seen what Court remedies in the instant case. It is pertinent to note that moreover an antitrust remedy has to be congruent with data protection law in such cases, otherwise, they may not have significant impact. Given that the Personal Data Protection Bill, 2019 is still dormant, an evaluation of whether the remedies compliance with data protection and privacy standards may be difficult.
Existing legal regime in India and way ahead
In India, the right to privacy is recognized by judicial precedence from prominent judgment of K.S Puttaswamy vs Union of India and the only regime around privacy is provided under Section 43A of the Information Technology Act, 2000, the Information Technology (Reasonable Security practices and procedures and sensitive personal data or Information) Rules, 2011 and that too is limited and is non exhaustive for legal remedy. However, the report for the proposed law on protection of the personal data of Indians, the Personal Data Protection Bill, 2019 is underway and is expected to soon be placed in both the houses of parliament in the winter session 2021 for outlining the law.
As compared to existing regime the 2019 Bill has wider scope starting from defining personal data to penalties for non-compliance. The bill provides for rights for the users to access and delete their personal data, clear privacy notice, informed consent mechanism, limitation for transferring personal data outside India, appointing data protection officer etc. In such scenario, WhatsApp would have to follow the law of land and citizens would have legal remedy for such infringement upon their privacy rights.
Lastly, it is evident that WhatsApp has provided separate updated privacy policies for the European, California and Brazilian residents due to existence of data protection laws in the respective regions. In India, WhatsApp has approx. 4 million users, which are far more as compared to these regions, however, due to lack of the data privacy law, the privacy rights are infringed upon and prolonged legal proceedings are initiated. Hence, the Right to Privacy is meaningless in absence of data protection law.