Law of Privacy- An answer to WhatsApp privacy issues

Reading time : 10 minutes

Introduction

WhatsApp, the most prevalent and famous messaging platform, not only in our country, but whole of the world is owned by Facebook since February, 2014. It accounts for nearly 40 cr. users in India. It has the largest user base out of any social networking platform out there. This makes India, as one of the most potent strategic investment areas for Facebook owned WhatsApp. The flow of messages across the nation has been at a terrific pace since the introduction of WhatsApp. Just with a single tap all kinds of messages, being correct or not, verified or not, socially decent or not are flown on WhatsApp and other like platforms at a very high rate. This information can very easily contain piece of personal and private data which can be shared even without the consent of the owner of such data. This makes the events like sexual abuse and child pornography, videos of people in embarrassing incidents, videos with music and images without copyright a very common thing to be shared. In these situations the safety and privacy of people often gets ignored and users are left embarrassed or annoyed and frustrated by these acts. These may also lead to the problems of suicide, depression and other situations of mental health.

Therefore, the facet of privacy has been considered as a very essential and fundamental right of every citizen in our country. This makes it mandatory for every organization working on the web to maintain and work by its privacy policy which explains how their website or organization will gather, store, guard, and utilize the personal data provided to it by its users. This set of personal data may include the names, addresses, payment details, locations, etc. So, the privacy policies of WhatsApp and other foreign based social media platforms have been in a lot of debate. WhatsApp has updated its privacy policy and asked its users to accept it by February 8th which was later changed to June 19th 2021. It needs the users to give consent to sharing transaction information, basic device information, locational data like IP address, etc. The policy also allows WhatsApp to share the business related information with its parent company Facebook and also with its subsidiary companies. Although, it still backs up the functioning of end-to-end encryption, but it is still alleged that there would be no safety and privacy relating to personal database of WhatsApp customers. The article will go through the judicial status of privacy and the concerned laws and regulations regarding privacy matters. It will try to analyze the policy and also suggest suitable measures.

The Indian Privacy Laws

The concept of privacy has not been specifically mentioned in Part III of the Constitution. So, it is clearly the constitutional or other statutory interpretations by the judicial systems that made privacy as an essential subject matter of Part III. The scope of Article 21 is multi- facetted and many dimensions including the right to privacy have been covered under the expression ‘personal liberty’ in due course of time. According to Article 17 of The International Covenant on Civil and Political Rights, 1966, a person’s privacy, home, family or correspondence should not be exposed to any arbitrary intrusion or interference.[2] Other international conferences like The Universal Declaration of Human Rights, 1948, and The European Convention of on Human Rights, 1953 also highlight the same set of features which ultimately form the importance of having privacy laws in a state.

After a series of cases going against the privacy matters, it was in August, 2017, that the Apex Court while hearing Justice K.S. Puttuswamy v. Union of India[3] unanimously held that ‘privacy’ was a key ingredient of Part III of the Indian Constitution and is a fundamental right enshrined under the purview of Article 21 of the Indian Constitution. The development of ‘privacy as a right’ had to overcome long steps of hurdles. There were many dissenting opinions of various judges in other matters, pertaining to the question of whether privacy was a fundamental right or not.

The year 1954 was the very first time that privacy was talked about in the Supreme Court as to its recognition as a fundamental right. While hearing a matter related to the powers of search and seizure, the Supreme Court, in M.P. Sharma v. Satish Chandra[4], held that privacy is not a fundamental right and it is in fact something unfamiliar to the Constitution. This stance was again reaffirmed by the Supreme Court in Kharak Singh v. State of Uttar Pradesh[5]. The issue of the case was whether surveillance does amount to infringement of fundamental right and whether right to privacy does come under the purview of fundamental right or not. The court upheld the M.P. Sharma case verdict and denied the right to privacy as fundamental right and even determined that the right of privacy is not a guaranteed right under the Constitution.  But Justice Subba Rao understood the need of psychological restrain, which gave an indication of the court of their recognition of the value of right to privacy. The court as a result denied the right to privacy as a part of fundamental rights clearly, but at the same time struck-down the said Act (pertaining to surveillance laws in question) as unconstitutional under Article 21.[6] Although being a minor observation, this was the first instance where privacy was recognized.

Gobind v. State of Madhya Pradesh[7] was another historic case which was pretty same in facts to the Kharak Singh case. Similar kind of police rules and regulations were challenged and this time the Apex court upheld the validity of these laws by covering them under the category of reasonable restrictions to Article 21 and other related fundamental rights. The case also gave a very vague interpretation as to the inclusion of privacy as a facet to fundamental rights. The judges refused to clarify on the matter and observed that a number of cases should decide on this situation instead of it being decided by a single case. As a matter of time, in 2017, the Supreme Court while hearing a petition against the Aadhar scheme of the central government, in Justice K.S. Puttaswamy v. Union of India[8]  held that privacy is a very integral part of the fundamental rights.  

This case was concerned with a challenge against the central government’s Aadhaar scheme in which the government made it a compulsion for getting the Aadhar for claiming any kind of government services and benefits. The issue was first raised before a three-judge bench of the Supreme Court on the basis that this Aadhar policy was against the right to privacy. Consequently, a nine-judge bench was decided to hear the matter and determine whether Right to Privacy acts within the provision of Article 21 of Constitution of India or not. As against the petition, the respondent side, however, argued that the Constitution only recognizes personal liberty as mentioned under Article 21 and it does not specifically and clearly include ‘privacy’. If so, they contended that it may include Right to Privacy to a limited extent only. The Supreme Court overruling the M.P. Sharma, and Kharak Singh judgments, unanimously observed that the Constitution enshrines the Right to Privacy as an essential part of the right to life and personal liberty under Article 21.

WhatsApp privacy policy- Issues

A privacy policy is a document in which there is an arrangement of all user data and how the company makes use of it. For WhatsApp, it is made to give an outlook of about what information they collect and how this affects their customers. For them, it describes the steps taken to protect user privacy, like building their messaging service in such a way that delivered messages aren’t stored by them and also the users are given control over who they want to communicate with. The messaging company gave until February 8 to the user to accept their new privacy policy. Here are some important features of the in-deliberation policy.

Firstly, WhatsApp claimed to deny services to those users who do not accept the latest privacy policy floated by them. However, users from the entire world do not have to agree to the new terms of service. WhatsApp operators of Europe can opt-out of the new privacy policy because of the laws prevalent in the EU. Known as the General Data Protection Regulation, the law seeks to protect the citizens from denying sharing information to Facebook and thereby, grants them the power to say no to WhatsApp’s new rapports of privacy. The GDPR also helps arrange and organize personal data. These include compliance of law, other public and legitimate interests. In India, there is a huge absence of such privacy rules and guidelines for its WhatsApp users. Indian users do not have a choice and have to comply with the new privacy policy in order to avail services.

At present, the only data protection statute in function is the Information Technology Act, 2000 and its corresponding rules. Some important features of personal data protection are highlighted by way of Section 43A and Section 72A. Section 43A terms that if any person is affected because of the negligence in security practices and data protection procedures by any firm handling such person’s personal information, then such firm shall be held liable.[9] Accordingly, in the latter provision if a firm holding access to any personal data about another person, with a dishonest and wrongful intention discloses such material to any other person, without such person’s consent, then an imprisonment of upto 3 years can be affected.[10] Although these provisions highlight some sense of data protection and privacy concerns but the scope under IT Act is very narrow. In fact, Section 72A is the only provision with a punishment for data breach. These laws apply only to a limited scope of personal data and do not render any safety to non-personal data. Moreover, these rules do not hold well in terms of contractual obligations and can easily be bypassed. This is enough to say that the requirement of personal data laws was urgent. Therefore, a committee headed by Retd. Justice B N Srikrishna was formed by the government to suggest a draft statute on personal data protection. Based on this committee’s reports, the Government of India in 2019 issued the Personal Data Protection Bill 2019. This Bill, if passed by legislative houses, will be our first legislation on the protection of personal data and will indeed be a big win of privacy rights.

Location Information isn’t covered under the meaning of individual information characterized under the IT Rules and consequently, any corporate body can plug such data to outsiders with no dread of being punished. Different applications, for example, as Facebook, Google, track our locations and without a particular arrangement forestalling the spread of location data, these applications can undoubtedly exchange our location data with outsiders. To defeat this, the Bill has proposed a more extensive meaning of personal data that will cover Geo-location data. The Bill has likewise proposed expanded appropriateness of consideration of preparing of personal data by state/government, organizations consolidated in India, and furthermore foreign organizations managing individual data of people in India.

Secondly, WhatsApp has very openly stated that the company will be sharing some data with their parent, Facebook and its subsidiaries like Facebook Messenger and Instagram. This data includes all the business related data that is flowing on the WhatsApp. In this digital age of marketing, the companies are using the internet to claim bull benefits of advertising, which is now easier and expansive than ever. You may have come across the kind of wristwatch that you have recently talked about to someone on facebook or searched on the Facebook or Instagram as an advertisement on the Facebook feed. This is the advertising model of Facebook where they sell material for advertisements to various companies who want to promote themselves on Facebook portals. In this new privacy update, every communication that a customer makes by way of phone, email, on whatsapp with any business can be used for promotional purposes. The company said that only the data related to such businesses which host and promote through Facebook companies will be shared with Facebook. It means that WhatsApp may share user content with any business account that interacts with the users and such business messages will no longer be end-to-end encrypted. Such business may use such data for their own marketing benefits.  The update is however not entirely new. This part of privacy update was a part of WhatsApp even before this new policy came to life. The only change which makes it a more controversial point is that earlier an option was given to the users to accept it or not. But this time, WhatsApp has given no such option and it has been made mandatory for the users to accept this term.

Thirdly, since the news of collection and usage of business data by WhatsApp and the fact that some business data will not be encrypted raises a lot of questions on the distribution of data by WhatsApp to the government. Earlier WhatsApp denied having any kind of data in its database and contended that all the user information and messages is end-to-end encrypted.[11] It argued before the government that they could not share any data with government’s surveillance committee’s as they didn’t have any. But now after this new privacy update WhatsApp has an impossible task to deny the sharing of such data to the government. It fuels the use of such data by the government for surveillance purposes. Some may argue that it is the right step as the government should have track of data which makes it easier for them to track crimes and terrorism. But, having no data protection laws in action, such data used by government will have no bar and could be excessively used by the state.

Fourthly, advertisements on WhatsApp are not a common feature that we come across. Amid this collection of business data on WhatsApp, it has denied to allow any third party advertisement banners on its platform. But WhatsApp says that in future, if the company intends to do so, then it will intimate the users about the same. This statement creates a suspicion in minds of the users about the possible advertisement banners being displayed by WhatsApp at some time.

Fifthly, The policy also states that when users use or take benefit off any third-party service that is integrated with WhatsApp, such third-party service may receive any data about what you share with them.” For instance, if you use Google Drive to backup WhatsApp chats and Google by default provides their services access to WhatsApp chats/messages.

However, this does not mean that WhatsApp is not abiding by the privacy principles. It has stated that due care of data privacy as a fundamental right will be taken care of by them. Certain misconceptions have arisen out of unclear facts and understandings on the issue which the company has itself tried to clarify on several occasions.

WhatsApp stated that the system of end-to-end encryption, that didn’t allowed any third-party to access and read the messages of two users, would still be intact. This step of encryption makes it a very safe and secure messaging system, compared to messenger and instagram direct. It means that the personal information like all the images, videos, and other forms of data which is flown from one user to another will still be protected against the third party views. This simply means that the data which is personal and private in nature, collected by WhatsApp from chats will not be shared by any third party organization or sub- co. including its parent, Facebook.  WhatsApp also clarified in a status to all the users that the private one-to-one messages and calls of users will not be seen by the company and nor by Facebook and will stay as a private message only.[12] Despite this, it is clear that WhatsApp will now be able to share a user’s status, mobile phone details, battery percentage, contacts information, profile pictures, internet and the phone number and respective locations being used by an account. This indeed, raises a lot of eyebrows.

WhatsApp vs Government

The government believes that it is the inherent right of the state to protect the interests and rights of Indian citizens as a result of which the Ministry of Electronics and Information Technology had ordered WhatsApp to withdraw its new privacy policy. It has stated that: “As you are doubtlessly aware, many Indian citizens depend on WhatsApp to communicate in everyday life. It is not just problematic, but also irresponsible, for WhatsApp to leverage this position to impose unfair terms and conditions on Indian users, particularly those that discriminate against Indian users vis- -vis users in Europe.”[13]

The judicial system has also expressed concern over the whatsapp’s privacy policy. “You may be a $2-3 trillion company (whatsapp) but people value their privacy more than money,” the Top court told Facebook’s WhatsApp when it was hearing a petition against the privacy policy for Indian users.[14]

In March 2021, the Competition Commission of India observed a very detrimental thing of WhatsApp that it had introduced a “take it or leave it” kind of privacy policy which may be unfavourable considering the market position that WhatsApp holds. CCI had additionally argued that the information gathered, which would incorporate a person’s location details, the sort of gadget utilized, their network access supplier, and whom they are chatting with, would prompt the making of a customer profile and such data may be used to determine customer preferences and behavior and lead to targeted advertising. They contended before the court that this sytem would give business working with WhatsApp an unfair advantage and could ultimately lead to monopoly. WhatsApp in return argued that the issues pertaining to data collection and sharing do not fall under the alleged ambit of the competition law. WhatsApp further contended that the update instead falls within the purview of IT Act and if anything is illegal owing to the IT rules, then WhatsApp should be punished.

The government department CCI said that, “This is borne from the fact that it seeks to capture, amongst others, transactions and payments data; data related to battery level, signal strength, app version, mobile operator, ISP, language and time zone, device operation information, service-related information and identifiers etc.; location information of the user even if the user does not use location-related features besides sharing information with Facebook on how user interacts with others (including businesses) when using WhatsApp services.” WhatsApp, in what can be termed as a detailed explanation, posted on their website that the company needs to acquire data in order to maintain, organize, support and market the services provided to them. The way a phone number is needed to avail the services, the same way, data needs to be provided without which services cannot be provided- they said.[15]

Another side of the said conflict between WhatsApp and Facebook is where the latest government rules regarding data collection and use are challenged by WhatsApp. According to Rule 4(2) of the said government rules in question, it is made obligatory for social media intermediaries to follow or keep track of the originator of a message or post whenever needed by a court or any authority under Section 69A of the IT Act. Although the guidelines explain that such an order may just be passed in cases of a genuine suspected criminal offense, but a few classifications under which government agencies can look for information, for example, ‘public order’ can be deciphered in a very comprehensive manner, representing a danger to free discourse and the right to data protection. In its petition, WhatsApp said the guidelines that became effective on Wednesday were a real threat to privacy and represent a danger to free discourse. The appeal asserted that implementation of Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) will break WhatsApp’s encryption system that guarantees messages must be perused by the sender and collector and will ultimately render WhatsApp’ privacy standards useless.

Though, these contentions of WhatsApp seem to be fair considering the risk of excessive and unregulated use of data by the government agencies, but the possible misuse and excessive abuse of powers of government cannot be a sole purpose for any rule to be invalid. Public order and security still remains a paramount function of the state which is surely, like any other fundamental right, an exception to right to privacy and state can without doubt make any such rules.

Solutions

A robust data protection mechanism could be the answer to all the problems related to privacy. India’s data protection law has been flagging for two years now. Like what happened in the European countries by the protection from GDPR laws, if India had a data protection law in place, it could be an option that WhatsApp would not have been able to implement the privacy policy. Therefore, India must prioritize the framing of personal as well as non-personal data protection laws. Not only framing of data laws is necessary but also such laws must keep pace with the changing needs in the technological industry. An independent privacy commission or committee could be set up to manage the effective implementation of privacy laws and other matters like investigations related to privacy concerns. Surveillance by government agencies is also a very key principle that needs to be analyzed by the data protection laws. There should be certain limits or proportional use prescribed by the laws for the use of data by the surveillance or intelligence agencies of government.

Usually, users blindly agree to whatever policy comes across them on the platform. According to many experts, WhatsApp users in India do not care too much about these issues, which also are generally difficult to be understood by the general public. Therefore, the government and other civil societies must involve in awareness programs to make the public aware of the importance of digital privacy.


[1] Author is a second year Law student pursuing BBA. LLB(H) from Amity Law School, Noida

[2] The International Covenant on Civil and Political Rights, 1961, available at: http://www.legalservicesindia.com/article/1630/Right-To-Privacy-Under-Article-21-and-the-Related-Conflicts.html. Right To Privacy Under Article 21 and the Related Conflicts (last visited on Feb 25., 2019).

[3] Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1

[4]  M.P. Sharma v. Satish Chandra AIR 1954 SCR 1077.

[5] Kharak Singh v. State of Uttar Pradesh AIR 1964(1) SCR 332

[6] LawTeacher. November 2013. Evolution of the Right to Privacy. [online]. Available from: https://www.lawteacher.net/free-law-essays/constitutional-law/evolution-of-the-right-to-privacy-constitutional-law-essay.php?vref=1 [Accessed 9 June 2021].

[7] Gobind v. State of Madhya Pradesh 1975 (2) SCC 14

[8] Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1, AIR 2017 SC 4161

[9] Refer to Section 43A, Information Technology Act, 2000

[10] See Section 72A, Information Technology Act, 2000

[11] WhatsApp denies existence of ‘backdoor’ for government snooping, available at https://economictimes.indiatimes.com/tech/internet/whatsapp-denies-encrypted-messages-can-be-intercepted/articleshow/56536763.cms, Last Updated: Jan 16, 2017

[12] See WhatsApp privacy policy, visit https://www.whatsapp.com/legal/updates/privacy-policy/?lang=en

[13] IT Ministry directs WhatsApp to withdraw new privacy policy: Govt sources, available at https://www.nationalheraldindia.com/india/it-ministry-directs-whatsapp-to-withdraw-new-privacy-policy-govt-sources, Last visited June 17, 2021

[14] Why WhatsApp users in Europe can opt-out of New WhatsApp privacy policy but users in India cannot?, available at: https://www.indiatoday.in/technology/news/story/why-whatsapp-users-in-europe-can-opt-out-of-new-whatsapp-privacy-policy-but-users-in-india-cannot-1793555-2021-04-21 (Last Modified April 22, 2021, India Today)

[15] WhatsApp privacy policy, visit https://www.whatsapp.com/legal/updates/privacy-policy/?lang=en

Author: Kushagra Sharma, Amity University

Editor: Kanishka VaishSenior Editor, LexLife India.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s