WhatsApp is a free to download cross-platform messaging application which was founded in 2009. In 2014, Facebook acquired WhatsApp for $19 billion, which brought WhatsApp under scrutiny for its privacy practices. Facebook faced international backlash for the Cambridge Analytica scandal during the Brexit and 2016 United States Elections. Moreover, in 2018, news reports exposed Facebook’s private data-sharing deals with tech giants like Amazon, Spotify, and Netflix. As of now, WhatsApp has about 2 billion users worldwide, of which 340 million are Indians.

Recently, WhatsApp updated its privacy policy for Indian users that made three-fold changes unilaterally – data processing, data sharing with Facebook, and integration of Facebook’s other products with WhatsApp. Firstly, users have to permit mandatory sharing of their data with Facebook. Secondly, WhatsApp will collect hardware information such as battery level, application version, device operations, and mobile network. Thirdly, WhatsApp will collect location-related information (IP addresses, city, and country) of the user despite the user opting not to use the application’s location feature. Fourthly, a new feature for payments will help the platform retain all the payments, transactions, and accounts related information. Fifthly, if the user opts for third party services (in-app video player), these third party services may receive information that the user shared with others. Lastly, even if the user deletes their account via the in-app delete feature, WhatsApp reserves the right to retain their previously stored data. WhatsApp claims to protect the users’ messages with end-to-end encryption, ensuring that only the persons messaging can access the data – not even WhatsApp can access it.

Facebook seems a social media platform to the general public, but it is a data aggregation machine for commercial gains via advertisements in actuality. It generated 80.9 billion US dollars in revenue from advertisements in 2020 and is estimated to generate 94.6 billion US dollars in 2021. This policy implies that Facebook and other affiliated applications might use WhatsApp for commercial gains, thereby breaching users’ privacy. Moreover, the policy lacks clarity on the consequence or liability of data breaches, such as mishandling bank account details shared on WhatsApp business accounts. Most importantly, it is unclear how and who will use the data and for what purposes. Lack of government or independent third-party regulation may cause exploitation of user’s data. It could also lead to spreading misinformation, fake news, and hate propaganda.

In Justice K.S Puttaswamy (Retd) v. Union of India, the Supreme Court of India ruled that privacy is a fundamental right under Article 21 of the Indian Constitution. Court held that informational privacy is an individual’s choice to disseminate personal information, and it is a part of the right to privacy. Furthermore, it was held that both State and non-State actors could exploit data; the government must enact a strong data protection law. Recently, writ petitions filed in the Supreme Court and the Delhi High Court sought an injunction to restrain WhatsApp from implementing the updated terms of service as it violates the right to privacy and threatens state security – owing to this, the implementation of the policy has been deferred in India. 

Earlier, WhatsApp functioned as an intermediary with no ownership of the content. However, according to the updated privacy policy, it becomes the owner of users’ data, making it a ‘data fiduciary’ under the Indian Data Protection Bill, 2019. The Bill prohibits collecting and processing personal data by ‘data fiduciaries’ without consent or prior notice. Moreover, it lays down data principles’ rights: the right to confirmation and access, right to data portability, right to be forgotten. Lastly, similar to Section 43A of the Information Technology Act, 2000, the Bill provides compensation for data-breach.

Moreover, the corporates are currently governed and regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, mandating them to provide a privacy policy for personal information or sensitive data. Furthermore, this policy violates the Guidelines issued by the Ministry of Electronics and Information Technology on disclosing sensitive information to a third party. Lastly, despite ratification from National Payments Corporation (NPCI) for starting payment service in India, the policy violates Notification on Storage of Payment System Data issued by the Reserve Bank of India.

The differential treatment met to India and Europe by WhatsApp highlights the need for a codified data protection law in India, much like the European General Protection Regulation. It further raises issues of data localization and storage. The Committee headed by Justice BN Srikrishna advocated for data localization, restricting users’ data to move out of the country for commercial exploitation. Example: India needs data localization laws that enable data storage of Indian users in India itself, rather than at data centers owned by Facebook in the United States.

There is a need for federated alternative messaging platforms with proper governance like Signal and Telegram. These applications’ models are designed to encrypt both the metadata and content, so even the application servers cannot decipher or retain the users’ information. Moreover, unlike Signal or Telegram, the data backup is not encrypted by WhatsApp, which leaves room for data exploitation. Thus, WhatsApp should learn to promote cyber security from these applications for linking and leaking sensitive data. Besides, social media or messaging applications should be segregated from payment applications or digital wallets to ensure secure financial transactions.

The fundamental right to informational privacy and freedom of speech can only be exercised if the conversations between citizens are private. This right is not absolute and is subject to reasonable restrictions by the State to promote public interest. It is too important to leave a billion citizens’ privacy and rights to a commercial enterprise; hence, a proactive data protection law is the need of the hour. Tim Cook, the CEO of Apple, once said, “Right to privacy is really important, you pull that brick out, and another and pretty soon the house falls,” this sums up the whole debate around the WhatsApp privacy debacle.

Vrinda Bhardwaj is a Research Associate at the Centre for Policy Research, New Delhi, India and previously worked as Judicial Clerk at the Supreme Court of India.

Ankur Rana is an LLM student at the Faculty of Law, University of Delhi, India.

Suggested citation: Vrinda Bhardwaj and Ankur Rana, How WhatsApp’s Privacy Policy in India Infringes on Fundamental Right to Information Privacy, JURIST – Professional Commentary, February 4, 2021, https://www.jurist.org/commentary/2021/02/bhardwaj-rana-whatsapp-policy-india/.

This article was prepared for publication by Khushali Mahajan, a JURIST Staff Editor. Please direct any questions or comments to her at commentary@jurist.org.