WhatsApp's tactical retreat

Govt must move fast on personal data protection law

Facebook subsidiary WhatsApp has informed the Delhi High Court that it will not enforce its updated privacy policy until the law on protecting personal data is enacted. The Bill has been pending for over three years and WhatsApp’s privacy policy is just one of many areas where the absence of legislation causes huge concern. WhatsApp’s terms of service (ToS) remain in place, and the social media giant will keep prompting users to accept the new terms. WhatsApp had proposed an update to its ToS in October 2020 with a deadline of February 2021 for compliance, under the threat of being shunted off the platform. The new ToS were designed to enable businesses to operate easily. Under the new terms, business accounts can share private, personal data and metadata from individuals who interact with business accounts. Such data could be shared with parent Facebook, or with third-party service providers. End-to-end encryption would continue in chats between individuals though businesses can share location, banking details, billing details, times and duration of interactions, etc. Since WhatsApp is used to coordinate school activities, this can include sensitive details about minors.

The new ToS broke a 2016 commitment by WhatsApp, which had offered an opt-out from data-sharing to users. This ToS cannot be applied to users in the EU, since it violates the EU’s GDPR (General Data Protection Regulation), which is the world’s most evolved and comprehensive data privacy legislation. Even in the US, it would violate privacy and data protection laws. The ToS led to a storm of protest from India’s 530 million users, prompting WhatsApp to make compliance non-compulsory, allowing users to continue WhatsApp without agreeing to the ToS. If the WhatsApp data and metadata are linked to the data and meta-data harvested by Facebook directly from the social media platform, it would offer a 360-degree picture of the lives of many users and there are no granular opt-out clauses.

While WhatsApp has taken a sensible decision, its submission before the court has put the onus on the government. Unfortunately, the government has been dragging its feet on the legislation since 2017, when the Supreme Court decreed that privacy was a fundamental right and suggested steps be taken for a data protection law. A committee was appointed under retired Supreme Court judge B Srikrishna to formulate draft legislation. The committee submitted a draft Personal Data Protection Bill in July 2018, offering levels of granular protection, with consent to be taken before every step of data-collection and processing. But that draft was not placed in Parliament. A redrafted version presented in December 2019 was criticised by Mr Srikrishna as “Orwellian” due to the sweeping powers of surveillance and data-harvesting given to government agencies. That draft has not been passed into law, and no Bill has been presented since 2019. The recent rewrite of the IT Rules — The Information Technology (Intermediary Guidelines and Digital Media Ethics Codes) Rules 2021) —  also impinges on privacy and the right of free expression and faces multiple challenges on constitutional grounds. In the absence of a law, WhatsApp may rely on network effect to gradually persuade users to accept the ToS. Moreover, there is corporate pressure upon individuals to accept the ToS since service providers find WhatsApp convenient. By its refusal to legislate an effective privacy and data protection law that protects the fundamental rights of citizens, the government has left every Indian vulnerable to this trend of data harvesting.