This post seeks to analyzes the changes brought about in the Policy, with a focus on the ramifications of use of shared hosting services with WhatsApp’s group/ parent entity, Facebook. In the latter segment the post will analyze the conformity of WhatsApp’s Policy with the existing legal regime and the legal implications of the Policy.
What does the Policy Entail?
The WhatsApp Policy focuses on increasing data transparency by keeping users informed of: (a) the information collected by WhatsApp, (b) the processing and handling of user’s data, (c) the manner of use of user’s data by businesses who opt for Facebook hosting services to manage user information and (d) payments on WhatsApp.
- End-to-End Encryption:
Ever since the introduction of the Policy, WhatsApp has issued multiple notifications and FAQs to assuage user concerns. A unique feature to WhatsApp, also the reason it has garnered manifold users across the globe, is the End-to-End Encryption (ETE) of user conversations. Simply put, the ETE feature masks the messages and communications of the sender by using unique keys/ codes so that the same is only decipherable by the intended receiver who has the special decrypting key. An ETE feature does not allow any third party, not even WhatsApp or its related group entities, to intercept or decipher the content shared between the sender and the receiver. While fake news and rumours doing the rounds early this year spoke to the contrary, the Policy does not alter the ETE signal protocol observed by WhatsApp when the messages are exchanged between users. The only exception to the mandatory ETE feature is an instance where WhatsApp under direction of a competent authority is required to intercept, monitor or decrypt the communications exchanged between users.
- Collection and Processing of Data:
As per the Policy, while WhatsApp is not privy to user conversations, it collects manifold information and personal data including identifiers for its day-today operational activity. The new Policy provides more clarity on data points including the usage and log information collected by WhatsApp unlike the previous policy. Similarly, it also collects device related information such as hardware model connection information including phone numbers, time zones, IP addresses and identifiers, including the identifiers unique to Facebook associated with the same device or account. However, the Policy is concerning as it lacks clarity to the extent to which identified user information collected by WhatsApp is consequently shared with Facebook group companies, or other third-party service provider.
- Sharing of Data with Third Party Service Providers:
The Policy clarifies that it shares user log in information, device locations, unique identifiers relevant to Facebook, etc with Facebook group entities unlike the ambiguities and non-disclosures in the older policy of WhatsApp. It is clear that WhatsApp engages with third-party service providers and other Facebook companies to operate, provide, improve, understand, customize, support, and market its services. Interestingly, this feature is not a new addition to the Policy and has been in existence even in the older version of the policy though, not in a granular form as the present one.
- Communication with Business Accounts:
The newest feature of the Policy is the change in user privacy settings in a user-business communication. The Policy allows businesses to communicate and interact with each other and users, to browse through products, services as well as place orders. While WhatsApp has assured the users that ETE protocol is retained in case of user-business communications, a deeper analysis of the Policy speaks to the contrary. As long as communication is exchanged within WhatsApp, the ETE protection is guaranteed. However, once the business entity opts for Facebook or other third party hosting services, this principle gets compromised. WhatsApp’s clever disclaimers caution the users about the fact that information shared with such business contacts may be used for the business entities’ own marketing purposes, which may even include advertisement on Facebook or may even be accessed by several employees in the business organisation. Interestingly, to safeguard and avoid any liability, WhatsApp also ensures that every user conversing with such business accounts is well informed by way of labels appearing at the top of such conversations indicating whether such business entities have opted for hosting services from Facebook.
Legality of the Policy:
The Information Technology Act, 2000 (Act) read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Rules) only provide limited protection to sensitive personal data without an effective enforcement mechanism. Therefore, the nuances in WhatsApp’s Policy, particularly, the sharing of information with third party service providers will go unnoticed. No doubt, in such a loosely worded legislative scheme, the Policy will effectively sail through.
However, from a constitutional perspective where horizontal rights enforcement against a private entity is recognized and informational privacy is considered as a fundamental right, it is important to analyzes if the Policy effectively meets the adequate data protection standards. The Supreme Court has recognized that as an important aspect of informational privacy, one must have complete control over the dissemination of information that is personal. WhatsApp’s mandatory consent requirement to share information with third parties including Facebook Companies is in the teeth of this principle. This specific aspect formed the subject matter of challenge in a writ petition before the Delhi High Court and is pending adjudication before the Supreme Court.
In view of the user’s outrage, government demands and the pending court proceedings, WhatsApp has extended the deadline for accepting the Policy to May 15, 2021. It is only a matter of time when users will get to know the fate of their information on WhatsApp.
 Technical White Paper on WhatsApp Encryption Overview, https://scontent.WhatsApp.net/v/t39.8562-34/122249142_469857720642275_2152527586907531259_n.pdf/WA_Security_WhitePaper.pdf?ccb=3&_nc_sid=2fbf2a&_nc_ohc=BNVqvNOxfpIAX9EXKGZ&_nc_ht=scontent.WhatsApp.net&oh=cef7f9a2ccd7f941ca8cb625598ee1e0&oe=605A5499 (last accessed on 26.02.2021, at 19:20pm)
 Fact Check: No, WhatsApp is not recording your calls but privacy concerns can’t be ruled out yet, India Today, January 23, 2021 https://www.indiatoday.in/fact-check/story/fact-check-no-WhatsApp-is-not-recording-your-calls-but-privacy-concerns-can-t-be-ruled-out-yet-1762105-2021-01-23 (last accessed on 26.02.2021, at 19:30pm)
 The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009, Rule 3
 Justice K.S. Puttaswamy (Retired) v. Union of India, WP (C) 494 of 2012
 Ibid, ¶81
 Karmanya Singh Sareen & Anr. v. Union of India & Ors., WP (C) 7663 of 2016, Delhi High Court
 Karmanya Singh Sareen & Anr. v. Union of India & Ors. SLP No. 804 of 2017
 Chaitanya Rohilla v. Union of India and Ors., WP (C) 677/ 2021, Delhi High Court
 Questions That India Asked WhatsApp on Privacy and Data Security, NDTV, January 19, 2021, https://www.ndtv.com/india-news/questions-that-india-asked-WhatsApp-on-privacy-data-security-2354710 (last accessed on 26.02.2021 at 19:40 pm)
Atmaja Tripathy, Senior Associate, TMT Law Practice
Atmaja is pursuing litigation at different courts and tribunals in Delhi, including the Supreme Court of India, High Court of Delhi, Telecom Disputes and Settlement Appellate Tribunal, the Competition Commission of India and the National Company Law Appellate Tribunal. Atmaja is enrolled with the Delhi Bar Council. At law school, she has won multiple scholarships for academic excellence, including the Nanhi Palkhiwala Scholarship for Constitutional Law, Ram Jethmalani Scholarship and the Director’s Gold Medal for Outstanding Excellence in the graduating batch. Her interests in technology, media and telecommunication laws, competition law and constitutional law, have led her to pursue prestigious moots and essay competitions. Atmaja has also published articles on contemporary legal issues in reputed international and national journals like European Competition Law Review, Kluwer Business Law Journal, BRICS Law Journal, All India Reporter and Company Law Journal.”