Reading time : 10 minutes
WhatsApp, the most prevalent and famous messaging platform, not only in our country, but whole of the world is owned by Facebook since February, 2014. It accounts for nearly 40 cr. users in India. It has the largest user base out of any social networking platform out there. This makes India, as one of the most potent strategic investment areas for Facebook owned WhatsApp. The flow of messages across the nation has been at a terrific pace since the introduction of WhatsApp. Just with a single tap all kinds of messages, being correct or not, verified or not, socially decent or not are flown on WhatsApp and other like platforms at a very high rate. This information can very easily contain piece of personal and private data which can be shared even without the consent of the owner of such data. This makes the events like sexual abuse and child pornography, videos of people in embarrassing incidents, videos with music and images without copyright a very common thing to be shared. In these situations the safety and privacy of people often gets ignored and users are left embarrassed or annoyed and frustrated by these acts. These may also lead to the problems of suicide, depression and other situations of mental health.
The Indian Privacy Laws
The concept of privacy has not been specifically mentioned in Part III of the Constitution. So, it is clearly the constitutional or other statutory interpretations by the judicial systems that made privacy as an essential subject matter of Part III. The scope of Article 21 is multi- facetted and many dimensions including the right to privacy have been covered under the expression ‘personal liberty’ in due course of time. According to Article 17 of The International Covenant on Civil and Political Rights, 1966, a person’s privacy, home, family or correspondence should not be exposed to any arbitrary intrusion or interference. Other international conferences like The Universal Declaration of Human Rights, 1948, and The European Convention of on Human Rights, 1953 also highlight the same set of features which ultimately form the importance of having privacy laws in a state.
After a series of cases going against the privacy matters, it was in August, 2017, that the Apex Court while hearing Justice K.S. Puttuswamy v. Union of India unanimously held that ‘privacy’ was a key ingredient of Part III of the Indian Constitution and is a fundamental right enshrined under the purview of Article 21 of the Indian Constitution. The development of ‘privacy as a right’ had to overcome long steps of hurdles. There were many dissenting opinions of various judges in other matters, pertaining to the question of whether privacy was a fundamental right or not.
The year 1954 was the very first time that privacy was talked about in the Supreme Court as to its recognition as a fundamental right. While hearing a matter related to the powers of search and seizure, the Supreme Court, in M.P. Sharma v. Satish Chandra, held that privacy is not a fundamental right and it is in fact something unfamiliar to the Constitution. This stance was again reaffirmed by the Supreme Court in Kharak Singh v. State of Uttar Pradesh. The issue of the case was whether surveillance does amount to infringement of fundamental right and whether right to privacy does come under the purview of fundamental right or not. The court upheld the M.P. Sharma case verdict and denied the right to privacy as fundamental right and even determined that the right of privacy is not a guaranteed right under the Constitution. But Justice Subba Rao understood the need of psychological restrain, which gave an indication of the court of their recognition of the value of right to privacy. The court as a result denied the right to privacy as a part of fundamental rights clearly, but at the same time struck-down the said Act (pertaining to surveillance laws in question) as unconstitutional under Article 21. Although being a minor observation, this was the first instance where privacy was recognized.
Gobind v. State of Madhya Pradesh was another historic case which was pretty same in facts to the Kharak Singh case. Similar kind of police rules and regulations were challenged and this time the Apex court upheld the validity of these laws by covering them under the category of reasonable restrictions to Article 21 and other related fundamental rights. The case also gave a very vague interpretation as to the inclusion of privacy as a facet to fundamental rights. The judges refused to clarify on the matter and observed that a number of cases should decide on this situation instead of it being decided by a single case. As a matter of time, in 2017, the Supreme Court while hearing a petition against the Aadhar scheme of the central government, in Justice K.S. Puttaswamy v. Union of India held that privacy is a very integral part of the fundamental rights.
This case was concerned with a challenge against the central government’s Aadhaar scheme in which the government made it a compulsion for getting the Aadhar for claiming any kind of government services and benefits. The issue was first raised before a three-judge bench of the Supreme Court on the basis that this Aadhar policy was against the right to privacy. Consequently, a nine-judge bench was decided to hear the matter and determine whether Right to Privacy acts within the provision of Article 21 of Constitution of India or not. As against the petition, the respondent side, however, argued that the Constitution only recognizes personal liberty as mentioned under Article 21 and it does not specifically and clearly include ‘privacy’. If so, they contended that it may include Right to Privacy to a limited extent only. The Supreme Court overruling the M.P. Sharma, and Kharak Singh judgments, unanimously observed that the Constitution enshrines the Right to Privacy as an essential part of the right to life and personal liberty under Article 21.
Also read: The Recent Lakshadweep Crisis
At present, the only data protection statute in function is the Information Technology Act, 2000 and its corresponding rules. Some important features of personal data protection are highlighted by way of Section 43A and Section 72A. Section 43A terms that if any person is affected because of the negligence in security practices and data protection procedures by any firm handling such person’s personal information, then such firm shall be held liable. Accordingly, in the latter provision if a firm holding access to any personal data about another person, with a dishonest and wrongful intention discloses such material to any other person, without such person’s consent, then an imprisonment of upto 3 years can be affected. Although these provisions highlight some sense of data protection and privacy concerns but the scope under IT Act is very narrow. In fact, Section 72A is the only provision with a punishment for data breach. These laws apply only to a limited scope of personal data and do not render any safety to non-personal data. Moreover, these rules do not hold well in terms of contractual obligations and can easily be bypassed. This is enough to say that the requirement of personal data laws was urgent. Therefore, a committee headed by Retd. Justice B N Srikrishna was formed by the government to suggest a draft statute on personal data protection. Based on this committee’s reports, the Government of India in 2019 issued the Personal Data Protection Bill 2019. This Bill, if passed by legislative houses, will be our first legislation on the protection of personal data and will indeed be a big win of privacy rights.
Location Information isn’t covered under the meaning of individual information characterized under the IT Rules and consequently, any corporate body can plug such data to outsiders with no dread of being punished. Different applications, for example, as Facebook, Google, track our locations and without a particular arrangement forestalling the spread of location data, these applications can undoubtedly exchange our location data with outsiders. To defeat this, the Bill has proposed a more extensive meaning of personal data that will cover Geo-location data. The Bill has likewise proposed expanded appropriateness of consideration of preparing of personal data by state/government, organizations consolidated in India, and furthermore foreign organizations managing individual data of people in India.
Secondly, WhatsApp has very openly stated that the company will be sharing some data with their parent, Facebook and its subsidiaries like Facebook Messenger and Instagram. This data includes all the business related data that is flowing on the WhatsApp. In this digital age of marketing, the companies are using the internet to claim bull benefits of advertising, which is now easier and expansive than ever. You may have come across the kind of wristwatch that you have recently talked about to someone on facebook or searched on the Facebook or Instagram as an advertisement on the Facebook feed. This is the advertising model of Facebook where they sell material for advertisements to various companies who want to promote themselves on Facebook portals. In this new privacy update, every communication that a customer makes by way of phone, email, on whatsapp with any business can be used for promotional purposes. The company said that only the data related to such businesses which host and promote through Facebook companies will be shared with Facebook. It means that WhatsApp may share user content with any business account that interacts with the users and such business messages will no longer be end-to-end encrypted. Such business may use such data for their own marketing benefits. The update is however not entirely new. This part of privacy update was a part of WhatsApp even before this new policy came to life. The only change which makes it a more controversial point is that earlier an option was given to the users to accept it or not. But this time, WhatsApp has given no such option and it has been made mandatory for the users to accept this term.
Thirdly, since the news of collection and usage of business data by WhatsApp and the fact that some business data will not be encrypted raises a lot of questions on the distribution of data by WhatsApp to the government. Earlier WhatsApp denied having any kind of data in its database and contended that all the user information and messages is end-to-end encrypted. It argued before the government that they could not share any data with government’s surveillance committee’s as they didn’t have any. But now after this new privacy update WhatsApp has an impossible task to deny the sharing of such data to the government. It fuels the use of such data by the government for surveillance purposes. Some may argue that it is the right step as the government should have track of data which makes it easier for them to track crimes and terrorism. But, having no data protection laws in action, such data used by government will have no bar and could be excessively used by the state.
Fourthly, advertisements on WhatsApp are not a common feature that we come across. Amid this collection of business data on WhatsApp, it has denied to allow any third party advertisement banners on its platform. But WhatsApp says that in future, if the company intends to do so, then it will intimate the users about the same. This statement creates a suspicion in minds of the users about the possible advertisement banners being displayed by WhatsApp at some time.
Fifthly, The policy also states that when users use or take benefit off any third-party service that is integrated with WhatsApp, such third-party service may receive any data about what you share with them.” For instance, if you use Google Drive to backup WhatsApp chats and Google by default provides their services access to WhatsApp chats/messages.
However, this does not mean that WhatsApp is not abiding by the privacy principles. It has stated that due care of data privacy as a fundamental right will be taken care of by them. Certain misconceptions have arisen out of unclear facts and understandings on the issue which the company has itself tried to clarify on several occasions.
WhatsApp stated that the system of end-to-end encryption, that didn’t allowed any third-party to access and read the messages of two users, would still be intact. This step of encryption makes it a very safe and secure messaging system, compared to messenger and instagram direct. It means that the personal information like all the images, videos, and other forms of data which is flown from one user to another will still be protected against the third party views. This simply means that the data which is personal and private in nature, collected by WhatsApp from chats will not be shared by any third party organization or sub- co. including its parent, Facebook. WhatsApp also clarified in a status to all the users that the private one-to-one messages and calls of users will not be seen by the company and nor by Facebook and will stay as a private message only. Despite this, it is clear that WhatsApp will now be able to share a user’s status, mobile phone details, battery percentage, contacts information, profile pictures, internet and the phone number and respective locations being used by an account. This indeed, raises a lot of eyebrows.
WhatsApp vs Government
The government department CCI said that, “This is borne from the fact that it seeks to capture, amongst others, transactions and payments data; data related to battery level, signal strength, app version, mobile operator, ISP, language and time zone, device operation information, service-related information and identifiers etc.; location information of the user even if the user does not use location-related features besides sharing information with Facebook on how user interacts with others (including businesses) when using WhatsApp services.” WhatsApp, in what can be termed as a detailed explanation, posted on their website that the company needs to acquire data in order to maintain, organize, support and market the services provided to them. The way a phone number is needed to avail the services, the same way, data needs to be provided without which services cannot be provided- they said.
Another side of the said conflict between WhatsApp and Facebook is where the latest government rules regarding data collection and use are challenged by WhatsApp. According to Rule 4(2) of the said government rules in question, it is made obligatory for social media intermediaries to follow or keep track of the originator of a message or post whenever needed by a court or any authority under Section 69A of the IT Act. Although the guidelines explain that such an order may just be passed in cases of a genuine suspected criminal offense, but a few classifications under which government agencies can look for information, for example, ‘public order’ can be deciphered in a very comprehensive manner, representing a danger to free discourse and the right to data protection. In its petition, WhatsApp said the guidelines that became effective on Wednesday were a real threat to privacy and represent a danger to free discourse. The appeal asserted that implementation of Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) will break WhatsApp’s encryption system that guarantees messages must be perused by the sender and collector and will ultimately render WhatsApp’ privacy standards useless.
Though, these contentions of WhatsApp seem to be fair considering the risk of excessive and unregulated use of data by the government agencies, but the possible misuse and excessive abuse of powers of government cannot be a sole purpose for any rule to be invalid. Public order and security still remains a paramount function of the state which is surely, like any other fundamental right, an exception to right to privacy and state can without doubt make any such rules.
Usually, users blindly agree to whatever policy comes across them on the platform. According to many experts, WhatsApp users in India do not care too much about these issues, which also are generally difficult to be understood by the general public. Therefore, the government and other civil societies must involve in awareness programs to make the public aware of the importance of digital privacy.
 Author is a second year Law student pursuing BBA. LLB(H) from Amity Law School, Noida
 The International Covenant on Civil and Political Rights, 1961, available at: http://www.legalservicesindia.com/article/1630/Right-To-Privacy-Under-Article-21-and-the-Related-Conflicts.html. Right To Privacy Under Article 21 and the Related Conflicts (last visited on Feb 25., 2019).
 Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1
 M.P. Sharma v. Satish Chandra AIR 1954 SCR 1077.
 Kharak Singh v. State of Uttar Pradesh AIR 1964(1) SCR 332
 LawTeacher. November 2013. Evolution of the Right to Privacy. [online]. Available from: https://www.lawteacher.net/free-law-essays/constitutional-law/evolution-of-the-right-to-privacy-constitutional-law-essay.php?vref=1 [Accessed 9 June 2021].
 Gobind v. State of Madhya Pradesh 1975 (2) SCC 14
 Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1, AIR 2017 SC 4161
 Refer to Section 43A, Information Technology Act, 2000
 See Section 72A, Information Technology Act, 2000
 WhatsApp denies existence of ‘backdoor’ for government snooping, available at https://economictimes.indiatimes.com/tech/internet/whatsapp-denies-encrypted-messages-can-be-intercepted/articleshow/56536763.cms, Last Updated: Jan 16, 2017
Author: Kushagra Sharma, Amity University
Editor: Kanishka Vaish, Senior Editor, LexLife India.