Introduction:

The year 2021 began with a lot of skepticism. WhatsApp’s in-app notification informing a change in the privacy policy[1] (Policy) triggered a series of discussion with the government, amongst social thinkers, as a result of the unyielding confusion in the minds of the general public. The update left only a narrow margin to comply with the Policy either before February 08, 2021 or exit the platform, most people complied with it. While many aware users also opted for alternative internet-based messaging platforms like Telegram and Signal, the altered Policy has ever since triggered prolonged discussions As a result of the criticisms and disconcerted opinions amongst users, the deadline seeking mandatory compliance with the modified Policy has been extended to May 15, 2021. However, the open-ended issue which requires consideration hovers around the adequacy of the Policy in protecting user’s privacy.

This post seeks to analyzes the changes brought about in the Policy, with a focus on the ramifications of use of shared hosting services with WhatsApp’s group/ parent entity, Facebook. In the latter segment the post will analyze the conformity of WhatsApp’s Policy with the existing legal regime and the legal implications of the Policy.

What does the Policy Entail?

The WhatsApp Policy focuses on increasing data transparency by keeping users informed of: (a) the information collected by WhatsApp, (b) the processing and handling of user’s data, (c) the manner of use of user’s data by businesses who opt for Facebook hosting services to manage user information and (d) payments on WhatsApp.

  1. End-to-End Encryption:

Ever since the introduction of the Policy, WhatsApp has issued multiple notifications and FAQs[2] to assuage user concerns. A unique feature to WhatsApp, also the reason it has garnered manifold users across the globe, is the End-to-End Encryption (ETE) of user conversations. Simply put, the ETE feature masks the messages and communications of the sender by using unique keys/ codes so that the same is only decipherable by the intended receiver who has the special decrypting key.[3] An ETE feature does not allow any third party, not even WhatsApp or its related group entities, to intercept or decipher the content shared between the sender and the receiver. While fake news and rumours doing the rounds early this year spoke to the contrary,[4] the Policy does not alter the ETE signal protocol observed by WhatsApp when the messages are exchanged between users. The only exception to the mandatory ETE feature is an instance where WhatsApp under direction of a competent authority is required to intercept, monitor or decrypt the communications exchanged between users.[5]

  1. Collection and Processing of Data:

As per the Policy, while WhatsApp is not privy to user conversations, it collects manifold information and personal data including identifiers for its day-today operational activity. The new Policy provides more clarity on data points including the usage and log information collected by WhatsApp unlike the previous policy. Similarly, it also collects device related information such as hardware model connection information including phone numbers, time zones, IP addresses and identifiers, including the identifiers unique to Facebook associated with the same device or account. However, the Policy is concerning as it lacks clarity to the extent to which identified user information collected by WhatsApp is consequently shared with Facebook group companies, or other third-party service provider.

  1. Sharing of Data with Third Party Service Providers:

The Policy clarifies that it shares user log in information, device locations, unique identifiers relevant to Facebook, etc with Facebook group entities unlike the ambiguities and non-disclosures in the older policy of WhatsApp.[6] It is clear that WhatsApp engages with third-party service providers and other Facebook companies to operate, provide, improve, understand, customize, support, and market its services. Interestingly, this feature is not a new addition to the Policy and has been in existence even in the older version of the policy though, not in a granular form as the present one.

In certain other instances where users opt for only WhatsApp’s service and opt out of the services of other Facebook Group Entities, mandating the collection and sharing of data of the user with Facebook does not confirm with the data protection standards including the principle of providing a concise purpose limitation for processing and use of the data. Lastly, in case of conflict or compromise of user data, whether the terms & services and privacy policy of WhatsApp will prevail or will it be that of the other Facebook related group entity is unclear from the present Policy.

The different standards adopted by WhatsApp is evident from a perusal of WhatsApp’s privacy policy in the European Union (EU) region[7] and the other parts of the world. Interestingly, in order to be General Data Protection Regulation (GDPR) compliant, in the EU region WhatsApp does not voluntarily share user information with third party service providers for its infrastructural, service or program development unlike its policy in the remaining parts of the world. It is only when the user opts for the third-party services such as a cloud service integrated with the system for back up etc., that the user’s information is shared with third parties. In such cases, naturally the users will be bound by the terms and privacy policies of those services having opted for such services out of their own volition. This stark distinction between the policy of EU region and the other parts of the world clearly demonstrates that WhatsApp is more than willing to comply with stricter norms, however, the absence of norms is at times facilitating its commercial intent, while making it conducive for the platform to process large volumes of data.

  1. Communication with Business Accounts:

The newest feature of the Policy is the change in user privacy settings in a user-business communication. The Policy allows businesses to communicate and interact with each other and users, to browse through products, services as well as place orders. While WhatsApp has assured the users that ETE protocol is retained in case of user-business communications, a deeper analysis of the Policy speaks to the contrary. As long as communication is exchanged within WhatsApp, the ETE protection is guaranteed. However, once the business entity opts for Facebook or other third party hosting services, this principle gets compromised.[8] WhatsApp’s clever disclaimers caution the users about the fact that information shared with such business contacts may be used for the business entities’ own marketing purposes, which may even include advertisement on Facebook or may even be accessed by several employees in the business organisation. Interestingly, to safeguard and avoid any liability, WhatsApp also ensures that every user conversing with such business accounts is well informed by way of labels appearing at the top of such conversations indicating whether such business entities have opted for hosting services from Facebook.

The aforesaid aspect of the Policy also brings to us important questions- who will be liable for breach of privacy in such an arrangement? Can WhatsApp compel its users to tacitly consent to the processing of data by third party entities? Further, can a user be expected to be aware of the privacy policy of not just WhatsApp but also of the hosting services which may be of a third-party including Facebook companies? WhatsApp’s Policy does not provide clear answers to these questions. Therefore, from a user’s perspective who is concerned about the data protection, the only options are: (a) Refrain from communicating with business accounts on WhatsApp or (b) Switch to alternate internet messaging platforms.

Legality of the Policy:

The Information Technology Act, 2000 (Act) read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Rules) only provide limited protection to sensitive personal data without an effective enforcement mechanism. Therefore, the nuances in WhatsApp’s Policy, particularly, the sharing of information with third party service providers will go unnoticed. No doubt, in such a loosely worded legislative scheme, the Policy will effectively sail through.

However, from a constitutional perspective where horizontal rights enforcement against a private entity is recognized and informational privacy is considered as a fundamental right[9], it is important to analyzes if the Policy effectively meets the adequate data protection standards. The Supreme Court has recognized that as an important aspect of informational privacy, one must have complete control over the dissemination of information that is personal.[10] WhatsApp’s mandatory consent requirement to share information with third parties including Facebook Companies is in the teeth of this principle. This specific aspect formed the subject matter of challenge in a writ petition before the Delhi High Court[11] and is pending adjudication before the Supreme Court.[12]

Recently, a public interest litigation was filed before the Delhi High Court challenging the revised Policy.[13] Absence of a user’s choice to actively consent to the processing and sharing of his data is challenged as being violative of right to privacy. In fact, the petition also highlights the disparity between the Policy and WhatsApp’s privacy policy in the EU Region. The matter is pending adjudication before the High Court.

Conclusion:

WhatsApp’s privacy policy, particularly the mandatory scheme of requiring user consent to the sharing of data with Facebook companies has created a stir in India. The Ministry of Electronics and Information Technology has sought clarifications from WhatsApp in respect of the issues pertaining to its privacy, data transfer and sharing regime and general business practices. [14] As per the Indian government, the present Policy will have a disproportionate impact on the Indian citizens. However, till the time India lacks a regulatory regime for personal data protection, larger entities which indulges in generating of data such as WhatsApp/ Facebook will slither away from any strict compliance conditions.

In view of the user’s outrage, government demands and the pending court proceedings, WhatsApp has extended the deadline for accepting the Policy to May 15, 2021. It is only a matter of time when users will get to know the fate of their information on WhatsApp.

[1] WhatsApp Privacy Policy, as of January 04, 2021 https://www.WhatsApp.com/legal/updates/privacy-policy

[2] https://www.WhatsApp.com/privacy (last accessed on 26.02.2021, at 19:00pm); Answering Your Questions about WhatsApp’s Privacy Policy, https://faq.WhatsApp.com/general/security-and-privacy/answering-your-questions-about-WhatsApps-privacy-policy (last accessed on 26.02.2021, at 19:00pm); About New Business Features and WhatsApp’s Privacy Policy Update, https://faq.WhatsApp.com/general/security-and-privacy/about-new-business-features-and-WhatsApps-privacy-policy-update (last accessed on 26.02.2021, at 19:10pm); We’re updating our Terms of Service and Privacy Policy, https://faq.WhatsApp.com/general/security-and-privacy/were-updating-our-terms-and-privacy-policy?campaign_id=12074681943&extra_1=s%7Cc%7C491604076761%7Cb%7C%2BWhatsApp%20%2Bprivacy%7C&placement=&creative=491604076761&keyword=%2BWhatsApp%20%2Bprivacy&partner_id=googlesem&extra_2=campaignid%3D12074681943%26adgroupid%3D115857007189%26matchtype%3Db%26network%3Dg%26source%3Dnotmobile%26search_or_content%3Ds%26device%3Dc%26devicemodel%3D%26adposition%3D%26target%3D%26targetid%3Dkwd-374388685640%26loc_physical_ms%3D9061721%26loc_interest_ms%3D%26feeditemid%3D%26param1%3D%26param2%3D  (last accessed on 26.02.2021, at 19:00pm)

[3] Technical White Paper on WhatsApp Encryption Overview, https://scontent.WhatsApp.net/v/t39.8562-34/122249142_469857720642275_2152527586907531259_n.pdf/WA_Security_WhitePaper.pdf?ccb=3&_nc_sid=2fbf2a&_nc_ohc=BNVqvNOxfpIAX9EXKGZ&_nc_ht=scontent.WhatsApp.net&oh=cef7f9a2ccd7f941ca8cb625598ee1e0&oe=605A5499 (last accessed on 26.02.2021, at 19:20pm)

[4] Fact Check: No, WhatsApp is not recording your calls but privacy concerns can’t be ruled out yet, India Today, January 23, 2021 https://www.indiatoday.in/fact-check/story/fact-check-no-WhatsApp-is-not-recording-your-calls-but-privacy-concerns-can-t-be-ruled-out-yet-1762105-2021-01-23 (last accessed on 26.02.2021, at 19:30pm)

[5] The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009, Rule 3

[6] WhatsApp Privacy Policy, as of December 19, 2019 https://www.WhatsApp.com/legal/privacy-policy/revisions/20191219 (last accessed on 26.02.2021, at 16:45pm)

[7] WhatsApp’s Privacy Policy in the EU Region, as of April 2018, https://www.WhatsApp.com/legal/privacy-policy-eea?eea=1 (last accessed on 26.02.2021, at 16:20pm)

[8] Answering your Questions about WhatsApp’s Privacy Policy, https://faq.WhatsApp.com/general/security-and-privacy/answering-your-questions-about-WhatsApps-privacy-policy  (last accessed on 26.02.2021, at 19:15pm)

[9] Justice K.S. Puttaswamy (Retired) v. Union of India, WP (C) 494 of 2012

[10] Ibid, ¶81

[11] Karmanya Singh Sareen & Anr. v. Union of India & Ors., WP (C) 7663 of 2016, Delhi High Court

[12] Karmanya Singh Sareen & Anr. v. Union of India & Ors. SLP No. 804 of 2017

[13] Chaitanya Rohilla v. Union of India and Ors., WP (C) 677/ 2021, Delhi High Court

[14] Questions That India Asked WhatsApp on Privacy and Data Security, NDTV, January 19, 2021, https://www.ndtv.com/india-news/questions-that-india-asked-WhatsApp-on-privacy-data-security-2354710 (last accessed on 26.02.2021 at 19:40 pm)

Author:

Atmaja Tripathy, Senior Associate, TMT Law Practice

Atmaja is pursuing litigation at different courts and tribunals in Delhi, including the Supreme Court of India, High Court of Delhi, Telecom Disputes and Settlement Appellate Tribunal, the Competition Commission of India and the National Company Law Appellate Tribunal. Atmaja is enrolled with the Delhi Bar Council. At law school, she has won multiple scholarships for academic excellence, including the Nanhi Palkhiwala Scholarship for Constitutional Law, Ram Jethmalani Scholarship and the Director’s Gold Medal for Outstanding Excellence in the graduating batch. Her interests in technology, media and telecommunication laws, competition law and constitutional law, have led her to pursue prestigious moots and essay competitions. Atmaja has also published articles on contemporary legal issues in reputed international and national journals like European Competition Law Review, Kluwer Business Law Journal, BRICS Law Journal, All India Reporter and Company Law Journal.”

    Work With Us

    Resume/CV