Search

WHATSAPP PRIVACY POLICY IN INDIA- A Critical Evaluation


Privacy is dead. Social Media holds the smoking gun’ – quoted by Pete Cashmore & ‘Privacy is not something I'm merely entitled to, but it's an absolute pre-requisite’ - quoted by Marlon Brando.


INTRODUCTION

Social Media being the primary stakeholder in the present modern age, has proved its worth in various technical ways and has made things much easier and more feasible. Starting from dusk till ending at dawn, it has become one of those things we cannot give up to sustain ourselves, keep ourselves updated and more importantly, pace ourselves with the track of 'modern work-life'. They say social media has got nothing to help us with. Although, I can refute this on various aspects, it certainly sparks concern for the present developments in the social media arena. The concerns predominantly revolve around the subject of 'data privacy'. Up until now, for a large portion of time, whether through social media or any other platform over the internet, the first thing that as an individual we have tried to ensure is that whatever we put down as being personal stays personal. Wasn't this the reason Facebook introduced its new facility of 'shielding the display picture on one's account over Facebook'? As have been correctly put down, privacy is one such mechanism through which we can restrict data in the forms of images, files or inboxes from getting exposed to the public at large. Recent news on the WhatsApp updated privacy policy has ignited a yet spurring debate with regards to data privacy. There have been several issues that have been taken up by various petitioners all around the country.

This paper aims to engage in the recent WhatsApp policy development while contrasting it to the current data protection scenario of our country, along with more significant precedence on various social media scandals, thereby discussing the present placing of the Personal Data Protection Draft Bill, 2019, with an objective to land to a suitable conclusion with respect to the ongoing privacy issues in the country.



WHAT IS THE NEW POLICY ALL ABOUT?

On 4th January 2021, WhatsApp introduced this new privacy policy with the help of an "in-app notification." The first deadlines sorted by the company for its users was 8th February 2021, conditioned with the fact that if not agreed to the same, all access to such an app will eventually be lost by the user. With the sudden spark of the news, it received heavy and very reasonable backlash from its users. By permitting access to this new privacy policy, we are helping them enhance their business with the other companies (i.e, the Facebook shareholders) at the stake of losing our own privacy. As per the new policy tabled by WhatsApp, it does not restrict itself to only necessary data, but as a system, they intend to collect more critical data, which should be made available only at the consent of the party's data they aim to collect and share. Not only this policy reflects unnecessary use of policy implementation, but it also ignites a deep scepticism with respect to whom the data will be shared or whether they will be used for any specific practical purpose. This will be continued through regular non-stop pop ups, in case a person tries to avoid accepting those to the extent that WhatsApp even acknowledged that it would slowly but steadily stop its everyday functioning such as searching for contacts or receiving calls and etc. To make matters worse, WhatsApp has also intimated in the month of February that even total declination would also lead to the loss of full functionality. However, the company has since decided to progressively remove all parts of the machine for several weeks until finally, the app stops working by itself.


ISSUES OF THIS POLICY

Once again, the privacy policy update will make lives harder for people since those who refuse to comply with WhatsApp's policy demand won't be able to see their chat list or establish any form of interaction with their WhatsApp buddies, coupled with WhatsApp pulling the plug later on. However, there is a lot to argue on the legitimacy of this privacy policy as a whole since it consists of various issues that need to be addressed as soon as possible, and more from a private individual perspective and less from a profitable lens. The first issue, as discussed, is the very fact that important information such as a person's phone number, WhatsApp usage records, device IDs, IP addresses, and other information about your device is going to be shared with not only Facebook but also other third parties as well. Although this is true for all the nation, the later ones are country-specific. The second major issue with respect to this policy is its end-to-end encryption. While arguments regarding online criminal activity was raised, few lawyers and legal practitioners have also stated that the intermediary laws do not require breaching encryption for identification, but rather the capacity to tag perhaps the first communication, which ought to be available without revealing the information. Privacy is one such area that should be respected and protected at all costs. In the course of the recent debates and turnouts, section 79 of the Information Technology Act, 1999 was brought wherein it was stated that when it comes to cyber-crimes especially involving platforms such as the most prominent social networking sites, it would prefer to first aim for less invasive methods than turning to a more harsh and gigantic undertakings/procedures, in order to trace the creator of the flagged messages. The reason for this outrage revolves around the fact that WhatsApp serves as a daily application for all. Even if nobody has Instagram or Facebook or even Snapchat, everyone has at least WhatsApp for their regular usage. The ‘new normal era’ is the iconic testifier for the same. This rage has witnessed several oppositions due to outrage sparked by the ridiculous idea of breach of privacy. While WhatsApp has argued that its end-to-end encryption facility makes the use secured, 'traceability' is still enraging a more outstanding grievance among the rational public.


THIRD-PARTY SERVICE PROVIDERS

Another realm of concern is the issue of providers of third-party services. Facebook is the single stakeholder with WhatsApp with respect to this new policy, which means that the Information sharing is not confined to Facebook. Instead, it can also be shared with other third-party service providers, along with the parent stakeholder, i.e., Facebook. As discussed earlier through these policies, the data which is thus surfaced is the one that is essential and is recommended to be kept personal. As per section 17 (3) and section 7(1) of the current bill underway, every citizen has the right to be informed about their data and, most crucially, be notified through their consent. These citizens are also the data principals. As per these provisions, all information, including the people to whom the data are being made accessible, should be brought into the knowledge of the data principles. Ironically, today we have the only ability with respect to these issues. This brings us to the next possible case, which showcased the differential treatment on a global basis with regards to data protection is the different policy approaches in terms of function-ability.


DIFFERENT POLICIES FOR DIFFERENT COUNTRY(?)

WhatsApp's new policy has made it impossible for familiar people to protect their private data primarily due to its 'Like it or Lump its approach, which retrospectively can also lead to total deletion of such WhatsApp account if not agreed to their policy. In order to develop an understanding of how other countries are responding to the same, it was found out that the privacy policy status differed from country to country, especially the European countries, due to the fact of them having ultra-powered personal data legislation, also known as the GDPR, or the General Data Protection Regulation. According to GDPR, companies are only allowed to acquire critical information that is required to perform services. Companies and service providers that acquire more than necessary information face severe penalties under the GDPR. In case the suggestions of the GDRP are not met, it stipulated, thereby resulting in major punishment, which can thus have a massive impact on the company's annual global turnover. The European Commission penalized Facebook millions of pounds in the year 2014 for deceiving users about its WhatsApp purchase. Recent findings have found out that user data of the European countries are not being procured during the fear of GDPR, and moreover, the users in the European countries have the alternative to opt-out available to them, unlike any other country. While WhatsApp has argued that this separate policy is only available for Europe, which might be due to the possible fears from GDPR, WhatsApp still hasn't responded as to why bring a policy that could not clearly be trustworthy.


To counter the same, the Competition Commission of India revealed that through this policy, the information gathered would include the user's address, the type of equipment they're using, their provider of internet and broadband services, and who they're talking to, thereby putting lots of people's privacy at stake. This sparks fear of stalking or customer profiling and etc. Furthermore, it was also found that the whole ‘opt-out’ policy that was initially available was also removed. The Supreme Court rebutted this approach of the ‘take it or leave approach’ since, according to the apex authority of India, people and their privacy matters more than money or profit from a particular electronic business adventure.


IS ‘SIGNAL’ A BETTER ALTERNATIVE?

Like WhatsApp or Instagram, Signal is the new application that emerged in 2021, featuring instant texting voice and video calling just like any other social networking sites. Since the WhatsApp policy dispute and Signal's inception, the latter had witnessed total downloads of over 11 million, making it the topmost application on both Play Store and App Store. People can post end-to-end encrypted chat, message, image, audio, and videos with the help of Signal. Before you compose a message for someone, Signal asks for permission to access your contacts. Select Okay or Allow. You'll have to manually enter your contacts if you don't give Signal permission to access your contacts. The fascinating part about this application is that even if the user opts to use Signal instead of WhatsApp, all the information in the forms of clips, texts and media will be transferred to Signal with the help of the link-sharing feature, although one cannot confuse it with account transfer since it does not have such features and is not supported over Signal.


Critics are of the view that when it comes to 'privacy' and respecting 'personal data', WhatsApp is far behind in the game, and Signal does the best job for it. Although WhatsApp has stressed more and more on its end-to-end encryption arguments, it falls down when it comes to the question of metadata encryption. Signal is way ahead in terms of its encryption facility, which allows using a four-digit passcode to encrypt all local files and group calls that are encrypted. Secondly, in comparison to WhatsApp, data like user ID, type of device, locations and chats are not collected by Signal, and even if they do, it is in very minute portions. The controversial changes to the privacy policy have indeed ensured a backlash for the WhatsApp networking company, with people agreeing to exit from all the Facebook-owned networking sites, including Facebook. Currently, Signal is not the only party to the spotlight for its new and 'trusted' features, as Telegram is a great contender partly due to its ongoing rivalry with WhatsApp even before this recent change blew up. But the question is whether Signal turns out to be even better than Telegram overall?


TELEGRAM – An upscale competitor(?)

It is another such platform with the ultimate downloads of more than millions and millions of users. This application also allows for multiple device usage because it is a cloud chat facility, unlike WhatsApp. In contrast, the users have to approach WhatsApp web and change settings and then access it every time. Another feature that distinguishes it from WhatsApp is the end-to-end encryption feature which is not available at Telegram, thereby allowing the accessibility of these chat messages to anyone and everyone who's over the Telegram servers. But in order to make up for it, they do have a secret chat facility for which essentially involves bot interaction, and it will not be able to view the user texts due to the privacy instructions but on the downside, once made an admin, the messages will be available for the bots to read. This makes this whole privacy setting a bit sketchy compared to signal, which usually needs a contact number just for the sake of registration, after which no data from a particular user account is available to them for it to view, read or transmit. Additionally, the latter also uses screen security features, unlike others. Conclusively, WhatsApp's new stance on the latest privacy policy change makes it a 'sure no-go', compared to which Telegram serves the purpose, but it too cannot reach the same heights of Signal due to its lack of end-to-end encryption feature, and given all these, Signal does look like an attractive alternative.


CAMBRIDGE ANALYTICA SCAM

A similar resemblance of the present situation sits well with the very popularly known scandal known as the 'Cambridge Analytica Scam', which specializes in methods for creating psychographic profiles. Herein the central issue was with respect to the procuring of private data of several thousand and millions of users of the trendy social networking site Facebook by Cambridge Analytica, which is a British Consulting firm, without first obtaining any consent to use the same. Further research found that a third-party app named "thisisyourdigitallife" birthed at the Cambridge University Psychometrics Centre by a researcher. This was followed by around three hundred thousand and more downloads, which ultimately made it easier to access their own data and data of their friends. The most raging concern is when it was found out that it was used to control people's fears and emotions by collecting their private data and secrets to influence the political inclinations in one of the most powerful countries globally: the United States of America. Later on, it was even pointed out that it might have had some biased impact in the 2016 Trump election's digital campaign. There is a higher possibility that they had relied heavily on the online ad targeting through Cambridge Analytica collected personal data. This major political scandal had blasted all over the news channel, and various other print and electronic media due to its latest release of a secret conversation wherein the CEO and a few of his Executives have clearly stated their mal-intentions. Not only in the US, but this same event had also happened in India as well. Although initially, there was no clear evidence to substantiate the claims of influencing voters for the 2018 Congress elections, Facebook revealed a few days later that Cambridge Analytica accessed personal data of more than 5 Lakh Indian citizens. The same was executed with the use of an app created by GSR and installed by Indian users. Later on, it was also revealed that most of this well-known scandal took place around India wherein SCL, one of Analytica's major firm, was based in Bengaluru, Kolkata, Pune and Patna etc. Although many might blame the Cambridge built online data collecting scandal for what had happened, we still aren't sure about the stake-holding of Facebook and its founder in this whole event. Recent cases of WhatsApp privacy policy rages and thereby instilled a similar kind of fear and scepticism of it being any better than the 2014 online scandal, which was also through Facebook just like this one. The planned modifications to the WhatsApp privacy policy raise significant concerns regarding the ramifications for the freedom and autonomy of Indian citizens, India's Ministry of Electronics and Information Technology wrote in a letter to WhatsApp CEO Will Cathcart. All these happenings constantly remind us of how desperately we need data protection and privacy legislation to deter the scope of falling into international data scandal, putting our personal and private details at stake. GDPR for European countries does serve as a perfect model for the development of the same in India as well.


PERSONAL DATA PROTECTION BILL- Time for Data Protection Law in India & ANALYSIS

The Personal Data Protection Bill OR PDP was drafted after much debate and deliberation at the Srikrishna Committee in the year 2008, inspired by the renowned GDPR. Recent circumstances have put a scale on our shoulder and have shown us why legislation is mandatory for a country that can at any moment swing towards an arbitrary position with respect to a highly debated issue in the country. This is the time we realize why having impactful legislation will serve as the primary protection in both the real and the virtual world. While online or virtual workings have started long back, the ongoing global pandemic has instead forced us to be 24X7 virtual. It can be Virtual meetings, Virtual parties, Virtual traineeship and various other new virtual things that have been invented to cope with the new normal lifestyle pattern. It is now that we realized how strong advocacy for online privacy needs a push for proper and efficient implementation. A 'basic' privacy right does not define entitlements that must arise until the same is decided, and the absence of proper data protection makes us aware of it day by day. The mere absence of such legislation is creating a difficulty to understand our standing regarding online data privacy and data mining with respect to both us and the foreign countries. Even though one might argue that in the context of the private data online, multiple instances have been recorded wherein anyone and everyone is also claiming the protection of body corporates enshrined under the Privacy rules, even though an adjudicating structure with regards to this issue has been put down under section 43 & 46 of the Information Technology Act. Although this might be highly true, the bill definitely has some shortcomings of its own too. While few are of the opinion to bring in legislation, it is also necessary to mandate an effective one as well. Recent critics are of the view that the Personal Data Protection Bill might not be enough to fight the long battle of social media and online data privacy scandals. Many vital safeguards to protect the right to privacy are missing from the bill, thereby significantly impairing the very notion of the right to privacy. This then on results in more and more government surveillance which dilutes the whole purpose of such legislation. If kept up with this, soon right to privacy will become one of the bottom-chain of the topics to be deliberated upon. There is a strong need for the law and policymakers to endorse a vital vision clarity and move towards formulating a more tactful measure to ensure the ability of every resident of the country to exercise their privacy rights and protection along with public data, which is to be implemented to maintain creativity and innovations.


CRITICISM OF THE PDP BILL, 2019

It has been around two years now that the bill has been kept drafted. Many views that the reason for the same might be due to the criticism that it has received over a couple of years. The main issue is that a bill based on safeguarding the fundamental rights bestowed upon the Indian citizen was indirectly the one jeopardizing those fundamental rights. Since there is no proper and actual law protecting the same, it means the government also has the leeway of exercising power over the state or the country. Lacking appropriate legislation also makes way for the government to exercise absolute and unnecessary control over people's data and manipulate the same, thereby controlling personal & private data online. Whenever any emergency circumstance takes place, due to the lack of any stringent law dealing with the privacy rights of an individual in India, the government would work out a plan which even require the citizen of the country to allow access to their personal details online. This sounds very familiar to us, and that too in this very pandemic. An unmistakable resemblance can be drawn from the application known as Aarogya Setu, which initially aimed for alerting covid positive patients. Since there is no such upper hand authority in policy or hardy legislation, the government fills up the role, who can even pester for more and more personal data in certain situations. However, there is still a grey area with respect to the actual functionality of this application as well.


RECENT DEVELOPMENTS- Lawsuit & Traceability

With respect to the ongoing tussle over the hindering of personal data privacy, after a much-heated brawl, WhatsApp decided to sue the Indian government by filing a lawsuit in the Delhi High Court challenging the new additions to the IT Rules in India. Right to privacy takes us back to the leading originator of these fundamental rights, i.e., the case of K Puttaswamy v. Union of India, which advocated privacy as a fundamental right according to whom, the same was originated from article 21 of the Indian Constitution. The same case which backs the present lawsuit. If there's any hope to revitalize the picture of the right to privacy in India, it is only possible with the help of more rigorous and practical data protection legislation. According to WhatsApp, the primary purpose behind this lawsuit is to prevent the finalizing of any new regulation policy that many viewed, which might compel the Facebook-owned messaging app to break privacy protections. Second of all, the suit asks the court to analyze and direct that one of a new law incorporated under the Information Technology Act,1999 is violative of the right to privacy when it asks WhatsApp to contribute to finding the originator of a particular post. This statement can definitely contribute to a mixed reaction since the sole intention behind finding the originator was to prevent illicit and terror activities, which unfortunately takes place online on a large scale while, on the other hand, it increases the privacy concerns, which is already at stake. According to the new judicial order under section 69 of the Information Technology Act, 1999, it lays down that if the first creator of any information is housed outside of India's territory, the one based in India who is the creator of such news will be considered as the first originator in this case. However, the government is of the view that even if the encryption facility provides the assurance of data privacy, it can also be undertaken to instigate criminal activities such as hate crime, online cyber blackmailing, terrorist activities and whatnot. But WhatsApp had countered this with the fact that asking for the traceability option is the same as denying someone's right to privacy. 'Traceability' is one of the several problems that need to be sorted out to protect the people online.


Apart from the WhatsApp officials, even a few technology experts are of the say that taking down encryption feature is the stepping stone towards promoting absolute government control through online surveillance by the government officials. Practically, they are not alone in this fight for encryption, as even lawyers and other legal professionals also claim the traceability option of the government is totally unconstitutional, thereby breaching the citizen's right to privacy. What is even more shocking than this is that social media platforms such as Twitter even reported that the government is seeking to take down negative news. It is also urging for the same with respect to posts such as politics and governmental criticism. This also leaves no scope for us to even pick a side since the possibility of misuse of one's own privacy has a possibility of being handled with fraudulent governance at this juncture. Moreover, traceability is not the ideal option since message forwarding can also lead to the turning over of names which essentially means that even if the sender of the forwarded message is one person, he might not be the creator of the same as well. If this was not all, specific social media have also put up their concerns with respect to its full proof-ability. This is the main reason why WhatsApp is claiming the new IT rule, 2021 (such as the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) to be against the very notion of respecting data privacy in India. Thus, it can be hence interpreted as to why sudden stalling of "not limiting WhatsApp features" has been put forward wherein it waits for better privacy regulation to be brought in the country. Fortunately, recent communications reveal that WhatsApp has retracted back with the say that they would not limit any features as of now, but they will still be allowing regular reminder pop-ups for accepting the policy.


INDIA REQUIRES STRONGER DATA PROTECTION LAWS

Recent events have blossomed the impression people hold for their own privacy, which most of us prefer and appreciate when kept preserved as personal. That is why the mass prefers those virtual platforms that can serve that privacy well. With the advent of more technological advancements around the world, the main purpose still remains the same, which is ‘progress’, something which should not be achieved or aspired at the cost of people's privacy. While most of the application has the duty to ensure their privacy policy, much like any other impressive feature which is top-notch when it comes to preserving personal data, few instances may arise when they lack such backing. Although this is partly true, privacy protection should not be contingent on a particular application's privacy policy, which is very much visible in the current scenario. Overseeing such tech behemoths requires tactful regulatory oversight. Since more than 90% of us use the internet and other social media at least 5 hours a day, given the current pandemic scenario coupled with digital dependency, it is undoubtedly the time to enact ideal legislation for this country. European counties had made an impressive contribution by constructing the GDPR. This is because when a situation like the current one arises, this legislation, i.e., the GDPR, ultimately looks out for its citizen's privacy protection in a highly advanced digitalized era. Due to the absence of such effective regulatory legislation, India has found itself at the edge due to the challenges spurring up with respect to privacy protection.


CONCLUSION

This must be a lesson for India, to create a more stringent and effective privacy law in the country with a more holistic perspective and moreover, in order to combat the future privacy enigmas, it is needed to ensure that the legislation which comes into place (such as the Data Protection Law in India), must assure user privacy is protected at all times to the greatest extent possible while being compliant with trade, safety and economic factors. This law should be brought into effect after proper discussions and debates and not at one go since the law thus affected impacts the nation both domestically and globally. Although WhatsApp has kept a temporary stay on its steps to limiting WhatsApp features for people who do not accept its privacy policy, they have highlighted their wait for more acceptable privacy legislation in the country. Much of its decision is based on the fact that the government's approach to such a situation is not right first because it is challenging to procure the originator (or the actual creator) of a specific post. Secondly, it can lead to a lot of unnecessary challenges, such as mob lynching. Other forms of physical abuses and the concept of fake news are not alien concepts nowadays. India seems to have a rusty relationship with mob lynching, wherein people believe in every second thing with a 70% chance of not being true. Thirdly and most importantly, allowing traceability might lead to fragmenting the democratic framework that India is based upon since there is still a possibility of governmental misuse. Cambridge Analytica is a clear example of such abuse. After much heated deliberative battle with WhatsApp, both the government and the WhatsApp officials seems to have approached a commonality. This incident is a clear reflection of an effective and stringent privacy regulation that, at present, India is in dire need of. Now only time will tell.


SOURCES/REFERENCES

  1. https://thewire.in/tech/data-protection-law-india-right-to-privacy

  2. https://www.mondaq.com/india/data-protection/1022956/personal-data-protection-bill-status-of-the-legislation-and-data-regulation-regime-in-india

  3. https://www.business-standard.com/article/current-affairs/whatsapp-goes-to-court-against-india-s-it-rules-undermining-privacy-121052600171_1.html

  4. https://www.news18.com/news/tech/whatsapp-approaches-delhi-hc-says-new-media-rules-can-violate-user-privacy-3777173.html

  5. https://lexlife.in/2021/03/27/controversy-regarding-whatsapps-privacy-policy-and-need-for-data-protection-laws-in-india/

  6. https://www.wired.com/amp-stories/cambridge-analytica-explainer/

  7. https://www.wired.com/amp-stories/cambridge-analytica-explainer/

  8. https://sspconline.org/opinion-analysis/whatsapps-new-privacy-policy-how-safe-are-we-online-wed-02032021

  9. https://www.indiatoday.in/india/story/what-happened-to-cambridge-analytica-and-facebook-data-theft-case-1712793-2020-08-19

  10. https://www.hindustantimes.com/business/whatsapp-versus-signal-privacy-policies-data-collection-and-more-101610432026017.html

  11. https://economictimes.indiatimes.com/tech/technology/india-messaging-app-rules-whatsapp-sticks-to-its-stance-on-end-to-end-encryption/articleshow/81237981.cms?from=mdr

  12. https://www.techopedia.com/10-quotes-about-tech-privacy-thatll-make-you-think/2/33713

  13. https://matomo.org/blog/2014/01/data-privacy-day-january-

  14. https://www.mensxp.com/technology/apps/84604-whatsapp-privacy-policy-for-europe-different-than-india.html

  15. https://cis-india.org/internet-governance/blog/pdp-bill-is-coming-whatsapp-privacy-policy-analysis

  16. https://www.indiatoday.in/technology/news/story/signal-app-is-it-safe-how-to-use-it-and-all-other-questions-answered-1757882-2021-01-11

  17. https://www.indiatoday.in/india/story/what-happened-to-cambridge-analytica-and-facebook-data-theft-case-1712793-2020-08-19

  18. https://www.indiatoday.in/technology/news/story/why-whatsapp-users-in-europe-can-opt-out-of-new-whatsapp-privacy-policy-but-users-in-india-cannot-1793555-2021-04-21

  19. https://economictimes.indiatimes.com/tech/technology/india-messaging-app-rules-whatsapp-sticks-to-its-stance-on-end-to-end-encryption/articleshow/81237981.cms?from=mdr

  20. https://economictimes.indiatimes.com/tech/technology/india-messaging-app-rules-whatsapp-sticks-to-its-stance-on-end-to-end-encryption/articleshow/81237981.cms?from=mdr

  21. https://cis-india.org/internet-governance/blog/pdp-bill-is-coming-whatsapp-privacy-policy-analysis

  22. https://economictimes.indiatimes.com/tech/technology/india-messaging-app-rules-whatsapp-sticks-to-its-stance-on-end-to-end-encryption/articleshow/81237981.cms?from=mdr



ABOUT THE AUTHOR

Hritwik Barua is a third-year law student at The West Bengal National University of Juridical Sciences, Kolkata.


36 views0 comments

Recent Posts

See All

A CONCEPT OF DOUBLE JEOPARDY

Introduction Black’s law dictionary defines Double Jeopardy as: – A second prosecution after a first trial for the same offense. In India, protection against double jeopardy could be an elementary rig

FARMS ACTS 2020: FRIEND OR FOE TO FARMERS?

INTRODUCTION Indian Parliament, in the preceding year passed three bills related to agriculture and farming, together known as the Farmers Bill. The Bills include The Farmer’s Produce Trade and Commer