WHATSAPP LEGAL ISSUE – PRIVACY AND FREE SPEECH VS NATIONAL SECURITY

Reading time : 12 minutes                                                     

ABSTRACT

The right to free speech and the right to privacy are two fundamental rights of the people which is the sine qua non of a democratic society. In the contemporary times, people get to use these rights more openly through the medium of internet, specifically – social media. It is important that social media stays accountable to the public in respect of protecting their privacy.

To what extent is the use of these rights acceptable?  What happens when the use of these rights pose a threat to the integrity and security of the land ? – These questions have arised from the recent legal issue of whatsapp.

The balance between these rights and their reasonable restrictions is required to enjoy these rights without hampering the law and social order. In this paper, I shall veer into the details of two instances of whatsapp and Indian government standoff and find about more about their contrasting nature.

Privacy –

The topic of privacy is a much talked-about issue in the country in recent years. In a landmark decision on August 24, 2017 [Justice K.S.Puttaswamy(Retd) vs Union Of India on 26 September, 2018 , (2017) 10 SCC 1][1] the Supreme Court of India declared the right to privacy to be a fundamental right protected by the Indian Constitution. The Court’s decision, declaring that this right stems from the fundamental right to life and liberty, has far-reaching implications.

In literal sense, privacy is “the quality or state of being apart from company or observation” and “freedom from unauthorized intrusion”[2], as defined by Merriam-Webster dictionary.  Black Law’s dictionary describes privacy as – the right of a person to be free from any unwarranted publicity, interference by the public in matters which the public is not necessarily concerned.

With the recent developments in the 21st century, the concept of privacy has widened and found it’s way into the internet sphere. Social networking services have attracted millions of individuals in recent years because they allow users to communicate in a variety of ways. In these social networks, are stored the private data of their users which may be sensitive in nature. Therefore, with the advent of social media, comes the concern of privacy. There are potential concerns to users’ privacy, as personal information is exposed to a wider audience on social media sites, and information about a user is frequently stolen by others without his or her knowledge. As a result, social media makes determining what personal information is made public more difficult. The government has made efforts to protect the privacy of it’s citizens. Despite that, the issue remains.

Case 1 – Privacy policy issue

The first standoff between Whatsapp and Indian Government started when WhatsApp Inc. updated their privacy policy and terms of service. The information provided as to how Whatsapp will share the user information with Facebook and it’s subsidiaries. The company made it mandatory for their users to accept this new policy in order to continue receiving their services. The government suspected a threat to the privacy of the users of Whaatsapp.

In the report[3] of Competition Commission of India, dated March 24,2021 the following have been observerd :

Further investigation found out that earlier in 2017, in the case of Shrii Vinod Kumar Gupta vs Whatsapp inc (Competetion commission of India, Case no. 99 of 2016)[4], within 30 days after consenting to the amended terms of service and privacy policy, WhatsApp users could ‘opt out’ of sharing user account information with Facebook.

The Competition Commission of India took suo moto cognizance of the matter and seeked response from Whatsapp and Facebook on certain issues. The response from Whatsapp was found to be not pursuant to the following two provisions, while Facebook did not respond.

Regulation 35 of the Competition Commission of India (General) Regulations, 2009[5] – whereby and under which a party desiring confidentiality must file an application outlining compelling reasons for doing so, as well as confidential and non-confidential copies of the information provided and document(s) to be filed.

Regulation 11 of the Competition Commission of India (General) Regulations, 2009 – the response was not signed according to the provisions contained therein.

Keeping in mind the discrepancies, Whatsapp and Facebook were again directed to submit a response adhering to the guidelines.

On 25.02.2021, Facebook submitted it’s response whereby it stated that while Facebook is the parent company of Whatsapp, these two have distinct legal entities. It further stated that the 2021 update is in relation to the Terms and Service and Privacy Policy of Whatsapp and that Whatsapp is the only appropriate entity to provide the information that is sought by the commission.

The commission found this response to be evasive and in non-compliance with the directions issued by the Commission vide its order dated 19.01.2021.

In response to the objection against it’s privacy policy, Whatsapp submitted that its current Terms of Service and Privacy Policy, as well as the proposed update to the same (the “2021 Update”), fall under the jurisdiction of India’s information technology law framework, and that these issues are currently being litigated in India’s courts and other forums.

WhatsApp has also stated that the questions raised in the Commission’s order are pending litigation, and that the Commission should not investigate the same set of issues. WhatsApp cited the Supreme Court’s decision in Competition Commission of India v. Bharti Airtel Limited and Others, (2019) 2 SCC 521[6], in which the court emphasised the importance of maintaining comity between decisions by different authorities on the same issues and held that the Commission should only exercise jurisdiction after the sectoral regulators had completed their proceedings. However, the commission believed that this judgement cited by Whatsapp is misplaced and erroneous. The Supreme Court’s decision in the Bharti Airtel case has no bearing on the facts of this case because the purpose of the decision was to maintain “comity” between the sectoral regulator (in this case, TRAI) and the market regulator (i.e. the CCI). WhatsApp has failed to identify any proceedings on the subject that have been brought to the attention of a sectoral regulator.

In accordance with Section 35 of the Competition Act and the General Regulations, WhatsApp requested that the Commission accept its response and other submissions filed on its behalf.

The commission rejected all pleas based on the response. The commission believed that WhatsApp has not only disobeyed the Commission’s orders, but it has also made arguments that are untenable at best. In this regard, the Commission observes that WhatsApp’s reference to Section 35 of the Act is completely misplaced. This section deals with parties’ appearances in front of the Commission. It excludes the signing of pleadings.

Whatsapp has made claims submitting that the current terms and conditions of service and privacy policy along with the update fall within the purview of information technology law framework. It has also made claims to defend itself stating that the 2021 Update has no effect on WhatsApp’s ability to share data with Facebook or on the privacy of WhatsApp users’ personal messages with their friends and family.

To this, the commission has stated that the option to not share the data, that was made available in 2017  is no longer available to users under the new policy, as evidenced by the latest policy statement published on WhatsApp’s website (as extracted in para 2), and as widely reported by the media. This means that user data will now be shared across Facebook Companies, even if they aren’t using any other service within the Facebook family of companies. Simply put, it appears that consent to the sharing and integration of user data with other Facebook Companies for a variety of purposes, including marketing and advertising, has been made a requirement for using WhatsApp. Users must now agree to WhatsApp sharing their personalised data with Facebook companies, and the policy also envisages data collection that appears to be “unduly expansive and disproportionate.” This is due to the fact that it aims to collect, among other things, transaction and payment data; data on battery level, signal strength, app version, mobile operator, ISP, language and time zone, device operation information, service related information and identifiers, and so on; and user location information, even if the user does not use location-related features.

Owners of personalised data have the right to know the extent, scope, and specific purpose of data sharing by WhatsApp with other Facebook companies. However, many of the information categories described in the Privacy Policy and Terms of Service (including the FAQs published by WhatsApp) appear to be “too broad, vague, and unintelligible” by the commission. WhatsApp’s practise of sharing users’ personalised data with other Facebook companies in a way that is neither fully transparent nor based on voluntary and specific user consent appears to be prima facie unfair to users. Users’ reasonable and legitimate expectations regarding quality, security, and other relevant aspects of the service for which they register on WhatsApp appear to be exceeded by the purpose of such sharing.

 Given its strong network effects and the lack of a credible competitor in India’s instant messaging market, WhatsApp appears to be a dominant company of the market. Facebook and it’s subsidiary – WhatsApp have been alleged to abuse this dominant position and have violated the provisions of Section 4(2)(c)[7] and (e)[8] of the Competition Act,2012 through their exploitative and exclusionary conduct.

In the above case, we can see the apparent threat to the privacy of the users of WhatsApp and the government trying to implement a check on the threat. A social media intermediary has to be accountable to the public and the government in order to maintain the right to privacy of the users and the user’s trust on the company. The next case is an example of such a case where the government’s action seem like an apparent threat to the right to speech and expression and right to privacy of the citizens. Before that, let’s talk about the importance of  the right to free speech.

Free speech –

 The concept of free speech which is of huge importance in the contemporary times. Privacy and Free Speech are two sides of the same coin. The right to free speech is accepted on an universal level. Article 19 of Universal Declaration of Human Rights[9] (UDHR) state that Everyone has the right to freedom of thought and expression, which includes the freedom to hold beliefs without interference and the freedom to seek, receive, and transmit information and ideas through any medium and across all borders. During the 15th ASEAN Summit on October 23, 2009, the 10 countries of the Association of Southeast Asian Nations (ASEAN) formally formed the ASEAN Intergovernmental Commission on Human Rights (AICHR). The Human Rights Declaration, which ensures freedom of expression, was also accepted by the group. The right to freedom of speech and expression is also guaranteed under Article 19 of the Indian Constitution[10], which was drafted with the goal of ensuring individual rights that the constitution’s framers deemed essential. As one of the six freedoms guaranteed by Article 19, freedom of speech and expression is one of them.

This right to free speech comes with reasonable restrictions. According to Article 19 (3) of International Covenant on Civil and Political Rights[11] (ICCPR), The exercise of the right to free speech entails specific obligations and responsibilities. It may thus be subject to some limitations, but only to the extent that they are imposed by law and are necessary:

For the sake of others’ rights or reputations;

In the interests of national security, public order, public health, or morals.

This clause of reasonability and restriction is also provided in Article 19 (2) of the Indian Constitution. It empowers the government to put reasonable restrictions the right to freedom of speech and expressions. Now, what will be accepted as “reasonable” is a matter subject to the courts.

Unreasonable use of privacy and free speech –

Unreasonable use of the right to privacy and free speech had often plagued the internet with false or fake news and information. We’ve seen how the proliferation of fake news has caused many difficulties and challenges countries in recent years. We’ve seen how destructive it can be to a country’s political situation in recent years. In the last several years, social media has influenced crowds in a variety of ways, from influencing voter decisions in a democracy to propagating false information. Propaganda, misinformation, and “fake news” have the capacity to polarise public opinion, promote violent extremism and hate speech, and, in the end, damage democracies and weaken public trust in democratic processes. It is the responsibility of the Government to keep a check on the spread of false news and take appropriate steps against the miscreants.

However, Along with the efforts made by the government to protect the national security and peace, comes the infringement of right to free speech and the right to privacy of the citizens. Stringent measures to protect privacy by the government often clashes with the right to free speech of the public. This can be best understood by the second case of a standoff between social media messaging company, Whatsapp and the Government of India – the Transparency issue.

Case 2 – Transparency issue

The second issue starts on when the Ministry of Electronics and Information Technology released the ‘Intermediary Guidelines and Digital Media Ethics Code[12] on 25th February,2021. This is a set of guidelines that the digital media is supposed to follow. One of such guidelines, Section 4(2) of the notification talks about additional due diligence that need to be observed by significant social media intermediaries.

 It states that a significant social media intermediary that primarily provides messaging services must enable the identification of the first originator of the information on its computer resource if required by a judicial order issued by a court of competent jurisdiction or an order issued by the Competent Authority under section 69 of the Information Technology Act and the same shall be supported with a copy of such information in electronic form.

It also provides a few conditions to the section which are provided hereunder –

An order may only be issued for the purpose of preventing, detecting, investigating, prosecuting, or punishing an offence involving India’s sovereignty and integrity, the state’s security, friendly relations with foreign countries, or public order, or incitement to an offence involving the foregoing or involving rape, sexually explicit material, or child sexual abuse material.

No order will be issued if other, less intrusive methods of identifying the source of the information are effective.

No other information on the first originator, or any other used shall be needed to disclose.

If the first originator of any information on an intermediary’s computer resource is located outside of India’s territory, the first originator of that information within India’s territory is deemed to be the first originator of the information for the purposes of this clause.

Section 7 of the notification provides provisions for non-observation of the given rules. It states that any law in force at the time, including the provisions of the Act and the Indian Penal Code, may be used to punish the intermediary.

WhatsApp, in it’s petition to the Delhi HC against the Union of India has raised 3 points against the notification which has been discussed below :

Whatsapp submitted that the said Section 4(2) of the notification infringes on the fundamental right to privacy of the users. Adhering to this section would expose the private messages of the users to a third party. This would also render the ‘end to end encryption’[13] policy of WhatsApp useless.

End to end encryption – All messages in whatsapp are secured with a lock, and only the recipient and sender have “the special key needed to unlock and read them,” according to the end-to-end encryption feature. WhatsApp has enabled end-to-end encryption for all accounts by default, so users will not need to enable any special settings to protect their messages. This means that the message sent by the originator can be read neither by WhatsApp itself nor by any other entity other except the receiver.

In it’s contention[14], WhatsApp had cited the judgement of  Puttaswamy v. Union of India, (2017) 10 SCC 1 to emphasis that this rule infringes on the fundamental right to privacy without meeting the Hon’ble Supreme Court’s three-part test: (i)legality; (ii) necessity; and (iii) proportionality.

Legality – There must be a valid law allowing for the invasion of privacy to meet the legality requirement. In India, however, there is no law requiring intermediaries to allow the identification of the first source of information on end-to-end encrypted messaging services in response to a government or court order. There is also no statute that allows such a requirement to be imposed through secondary legislation such as the Intermediary Rules.        

Necessity – . There must be a “guarantee against arbitrary State action” to satisfy the necessity requirement. Notably, the Supreme Court has emphasised the importance of judicial review prior to any invasion of privacy to protect against arbitrary government action. (Puttaswamy v. Union of India)

 Proportionality – Infringement of fundamental rights must “be through the least restrictive alternatives” to satisfy the proportionality requirement. (Kerala State Beverages (M&M) Corp. Ltd. v. P.P. Suresh, (2019) 9 SCC 710[15]) Enabling the identification of the first source of information in India, on the other hand, is not the least restrictive option. Because no one can predict which message will be the subject of a tracing order, intermediaries like Petitioner would have to build the capability to identify the first originator of every communication sent in India on their platforms for the rest of time, infringing on the privacy of even lawful users. In India, allowing for the identification of the first source of information violates end-to-end encryption and privacy principles.

The second contention of WhatsApp had been that this order will violate the fundamental right to speech and expression of the users as it suppresses even legal speech. Citizens will be hesitant to speak freely for fear of their private communications being tracked and used against them, which is in direct opposition to the goal of end-to-end encryption.

In the third contention, WhatsApp had stated that The requirement in Rule 4(2) to identify the first source of information in India is in violation of its parent statutory provision, Section 79[16] of the Information Technology Act, 2000 (“IT Act”), as well as the IT Act’s intent due to the given reasons –

There must be a clear policy declaration in Section 79 that Parliament intended to impose such a requirement on intermediaries like Petitioner to enable the identification of the first originator of information in India on their end-to-end encrypted messaging services. Section 79, on the other hand, contains no such declaration.

The Central Government can only prescribe the “due diligence” that intermediaries must follow in order to maintain their immunity under Section 79. Compelling an intermediary to fundamentally change its platform in order to identify the first source of information in India is far beyond “due diligence.”

The purpose of the IT Act, according to the preamble, is to achieve “legal uniformity” with other countries. Petitioner is unaware of any country that requires intermediaries to allow for the identification of the first source of information on end-to-end encrypted messaging services, even if it means fundamentally changing their platforms.

Apart from raising the three aforementioned points in the petition, the petitioner has also demanded that no action must be taken under Section 7 of the notification against their employees if they do not adhere to the guidelines.

 This issue stirred up waves of concerns all over the country regarding privacy issues. After which, the Government expressed their view on the issue in their press release[17] on 26th May, 2021. It stated that when WhatsApp is required to reveal the origin of a specific message, the government respects the right to privacy and has no intention of violating it. According to the government, such requirements apply only when the message is required for the Prevention, Investigation, or Punishment of Very Serious Offenses involving India’s sovereignty and integrity, the state’s security, friendly relations with foreign states, or public order, or incitement to an offence involving the foregoing or in relation to rape, sexually explicit material, or child sexual abuse.

The Government further stated that the Right to Privacy is not an absolute right but a subject of reasonable restrictions. One example of such reasonable restriction is the requirement in the Intermediary Guidelines regarding the first source of information.

In the second case we can see the clash between the right to few speech and privacy and restrictions for national security reasons. The Government wants a backdoor that will allow the Government to have a surveillance on the messages shared and forwarded. This power will allow the government to track and prevent any potential terrorist activities. In the recent years, terrorists have been using instant messaging platforms to recruit new members and carry out other functions. A reasonable control on such platforms are important to curb terrorist activities.

However, it’s important to note that WhatsApp already provides some operational guidelines[18] exclusively for law enforcement agencies. Law enforcement agencies can contact WhatsApp on certain ‘emergency situations’ like imminent harm to a child, risk of death, or any matter relating to child safety. However, this request system comes with some conditions. The requests have to be consistent with “internationally recognized standards including human rights, due process and rule of law.”

 In accordance to such special request, WhatsApp will preserve the account with the account under criminal investigation for 90 days from the day of such request. In their security and privacy policy, whatsapp has provided that they will look for and disclose information that has been specifically requested in a legal process and that they are reasonably able to locate and retrieve. Unless they receive a valid preservation request before a user deletes content from our service, WhatsApp does not retain data for law enforcement purposes.

CONCLUSION

In my personal opinion, this is inarguably true that this transparency clause will enable not only the government but also WhatsApp to get their hands on the data of each user. This poses a serious danger to the privacy of the users which as complying to these rules means WhatsApp will have to keep a fingerprint on every single message of  each user on  the platform. Which means that the data would be safe from neither the intrusion of the Government, nor the collection of WhatsApp. When a user is aware that his right to privacy could be infringed, he will get hesitant to express freely through the medium of the internet (through WhatsApp, in this particular case). Hence, this would also result in an unexpressed restriction to their constitutional right to free speech and expression. The safety of the users will also be compromised as they might be arrested under mere suspicion by the Government. A step like this is not proportional to maintaining the security of the land.

The above two cases collectively bring out the hypocrisy of both WhatsApp and the Government. In the first case, the government is pressurizing WhatsApp to repeal the update which poses an apparent threat to the right to privacy of the users. WhatsApp is upholding their update and claiming the new update to be “within the legal framework”. In the second case, the Government is imposing rules on WhatsApp which appear to be infringing the privacy and free speech of the users, on order to protect the security and privacy of the country while WhatsApp, the same company which is associated with user privacy infringements in not only India but other countries too, is advocating for the right to privacy of it’s users.

The result of these cases will set the precedence of the kind that had never been seen before. India is the biggest market for WhatsApp with more than 400 million users. The judgement of these two cases will affect the way social media functions and the use by users in India. The best outcome of the issue would be in a way which provides a middle ground without affecting the user privacy. While security of the land matters a lot, it should not be ensured with the cost of the Right to free speech and privacy.


[1] K.S.Puttaswami vs Union of India – https://indiankanoon.org/doc/127517806/

[2] Privacy definition – https://www.merriam-webster.com/dictionary/privacy

[3] Suo Moto case no. 01 of 2021 – https://www.cci.gov.in/sites/default/files/SM01of2021_0.pdf

[4] Case no. 99 of 2016 – https://www.cci.gov.in/sites/default/files/26%282%29%20Order%20in%20Case%20No.%2099%20of%202016.pdf

[5] Regulation 35 of the Competition Commission of India (General) Regulations, 2009 – https://indiankanoon.org/doc/139215358/#:~:text=Section%2035%20in%20The%20Competition,India%20(General)%20Regulations%2C%202009&text=(1)%20The%20Commission%20shall%20maintain,made%20to%20it%20in%20writing.

[6] Competition Commission Of India vs Bharti Airtel Ltd on 5 December, 2018 – https://indiankanoon.org/doc/130504148/

[7] Section 4(2), Competition Act,2012 – https://indiankanoon.org/doc/50235/

[8] Section 4(2)(e), Competition Act, 2012 – https://indiankanoon.org/doc/1527328/

[9] Article 19, UDHR – https://www.un.org/en/about-us/universal-declaration-of-human-rights

[10] Article 19, Indian Constitution – https://indiankanoon.org/doc/1218090/

[11] Article 19 (3), ICCPR – https://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx

[12] Intermediary Guidelines and Digital Media Ethics Code – https://www.meity.gov.in/writereaddata/files/Intermediary_Guidelines_and_Digital_Media_Ethics_Code_Rules-2021.pdf

[13] End to end encryption – https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/?lang=en

[14] Petetion of WhatsApp – https://www.medianama.com/wp-content/uploads/2021/05/WhatsApp-v.-Union-of-India-Filing-Version.pdf

[15] Kerala State Beverages (M&M) Corp. Ltd. v. P.P. Suresh, (2019) – https://indiankanoon.org/doc/2665405/

[16] Section 79, IT Act,2000 – https://indiankanoon.org/doc/844026/

[17] Press release – https://pib.gov.in/PressReleseDetail.aspx?PRID=1721915

[18] Operational guidelines of WhatsApp – https://faq.whatsapp.com/general/security-and-privacy/information-for-law-enforcement-authorities

Author: Biswayan Bhattacharjee, KIIT School of Law, Bhubaneshwar

Editor: Kanishka VaishSenior Editor, LexLife India.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s