The recent advent of WhatsApp’s updated privacy policy has brought to light the legal loopholes that the Indian Data Protection Laws are laced with. A revised and updated change in Data Protection Laws in India could have prevented the possible infringements that may take place with WhatsApp’s new privacy policy.

The European Region has been able to circumvent this issue due to its updated Data Privacy Laws that successfully provide users with protection from such policies. These policies legally mandate WhatsApp to prevent the sharing of data with Facebook and a violation of it would infringe the provisions of the General Data Protection Regulation (GDPR).

We have discussed here the modifications that could possibly be added to the Personal Data Protection Bill (PDP Bill) in India in order to ensure an air-tight privacy regulatory authority.

RISING PRIVACY CONCERNS- A STUDY ON WHATSAPP’S PRIVACY POLICY

With an undeniable rise in the relevance and indispensability of the digital platform; comes the numerous concerns regarding its safety in terms of data and privacy protection norms. A case in this instance would be that of WhatsApp releasing its updated terms of Privacy on January 04,2021, under which it would deprive users of their choice to share data or other information with other apps, including those owned by Facebook. Moreover, this policy was accompanied by a condition under which users who did not accept the updated privacy terms, would have to quit using WhatsApp altogether- beginning February 08, 2021- when the updated terms and policies was planned to be enforced.

The updated privacy policies of WhatsApp leave the end-to-end encryption clause intact. This means that WhatsApp has no access to one’s text messages and cannot share the same with any other party. However, this clause does not cover the protection of metadata- which entails everything in a conversation apart from the actual text. This information can be shared with Facebook and other apps.

WHY THIS POSES A PROBLEM

A close perusal and analysis of the entire case reveals the observation that this issue could have been avoided with a concrete Data Protection Law or Regulation in place in India.

The core issue that centres the entire case is that people largely use WhatsApp to communicate with friends and family. The data thus shared on this App by individuals is now proposed to be shared with other companies to run their businesses, for monetary gains. This implies that the purpose for which WhatsApp would be using personal data and information is not even remotely connected to the purpose for which users had share that information on the app.

This issue assumes an even graver character due to the inability of the Indian Data Protection Laws to safeguard their users from a misuse of data. Without a data protection authority or regime in force; users will be exposing their data to the surveillance of the entire Facebook group of companies.

Its lack of effectiveness to provide remedies or relief in such situations stands in stark contrast to the legal frameworks that are in place in other jurisdictions, most particularly the European countries. These countries are equipped with laws that can impose fines on Facebook for unduly sharing and using information through WhatsApp. This clause came into effect when the Competition Commission of certain European countries imposed this condition on Facebook during its purchase and acquisition of WhatsApp.
An important point to take note of, is also the commitment made by WhatsApp during its launch in 2009- “to not sell user data or personal information to any third party”. This stance changed with the acquisition of WhatsApp by Facebook in 2014; and its sharing of data with its parent company in 2017.However, in 2017; users were given a choice to prevent the sharing of such data to other platforms. The updated policies have mandated the exposure of such data as a condition to continued usage of the App.
The users are thus breached of the expectations and commitments with which they had initially installed the App.

IMPLICATIONS ON USERS

Unfortunately, due to the technical and legal intricacies of the issue; a majority of the Indian population will stay unaware of this issue and not do much about it other than accept the terms being forced upon them.

However, there are sections of the population sensitive to data protection and privacy norms. This brings to light the possibility of shifting to alternate and safer platforms such as Signal, Telegram and iMessage. Moreover, petitions have also been filed in several legal courts pursuant to the policies introduced by WhatsApp in January 2021 seeking to stay the implementation of these policies. After all, Right to Privacy is a Fundamental Right granted under Article 21 of the Constitution of India and therefore, must not be compromised upon.

It is thus proposed that till an appropriate legal and concrete regulatory and supervisory authority is not in force vis-à-vis the Data Protection issues in India, the Court must prohibit the execution of this new Privacy Policy set forth by WhatsApp. Pursuant to this, the Supreme Court has directed WhatsApp and its parent company, Facebook, to file their replies to the petitions and growing concerns on privacy violations.

In furtherance of these directions, WhatsApp has most recently implemented its updated Privacy Policy with a new campaign. Through this updated campaign, WhatsApp aims to increase communication about its changes with its users through a small banner at the top of the chat, while also offering more time to let them read, understand and accept its terms. Following the backlash received, now the new Privacy Policy terms is expected to go into effect at a later date i.e. May 15, 2021.

HOW THE PDP BILL CAN BE MODIFIED TO INCREASE DATA PROTECTION

The PDP Bill can and must be modified in certain ways to ensure that arbitrary clauses in such online policies do not deprive the users of the rightful protection they are entitled to under the Right to Privacy. One of the main additions that the PDP Bill must incorporate is a clause or term in the law that prohibits the changing or modification of the terms of a contract after its enforcement. For instance, WhatsApp modified the terms of its contract resulting in a clause that was contrary to its initial commitments and objectives.

Moreover, since the PDP Bill has not been passed yet; it is crucial to look to other alternate legal provisions and statutes that may offer protection in such situations. For instance, the Information Technology Act of 2000, under Section 87 gives the government the authority to come up with regulations that can put a stop to arbitrary policies introduced by online platforms that pose a threat to privacy and data protection rights granted to individuals.

A company must not be able to modify terms according to their whims and mandate users to abide by it simply because they consented to the initial contract. Terms of such contracts must be regulated and privacy laws must ensure that changes in these policies have undergone user consent.

SUMMARY

In order to honour the Fundamental Right to Privacy, it is vital for the concerned platforms to provide clarity regarding its policies to ensure that a well-equipped and protective mechanism is set in force to deal with instances of data protection infringement in India. It is also crucial to formulate a structure on the PDP Bill that is well equipped to handle policy changes while ensuring a constant protection of data privacy rights. Other alternative laws must also be incorporated and interpreted in ways to prevent a breach of privacy.