SC again defers plea against WhatsApp: What is new Data Protection Bill?

The Supreme Court has yet again deferred hearing the plea challenging WhatsApp's privacy policy of 2021. The Centre has again reassured the SC that the new Data Protection Bill will be tabled in the Parliament in the monsoon session.

This is the second time the SC has deferred the hearing. It had shelved the hearing earlier as the Centre said the new bill would likely be tabled in the Budget session.

The Parliament's monsoon session will begin in July. The Constitution Bench comprising Justices KM Joseph, Ajay Rastogi, Hrishikesh Roy, CT Ravikumar, and Aniruddha Bose shelved the hearing in the Karmanya Singh Sareen vs Union of India case until the bill is tabled.

The case challenges WhatsApp's privacy policy of 2021 on the grounds that it violates the right to privacy under Article 21 of the Indian Constitution.

What is the case against WhatsApp's privacy policy?

The plea against WhatsApp's privacy policy challenges the contract between the two companies to provide access to calls, photographs, texts, videos, and documents shared by users. This, the plea argues, violates the user's privacy and free speech.

The bench, in the meantime, directed WhatsApp to publicise the stand it took in May 2021 with full-page ads. WhatsApp had written to the Centre that no users would be removed from the platform for not accepting the privacy policy.

What is the new Data Protection Bill?

The Supreme Court of India recognised the Right to Privacy as a fundamental right in 2017 and prescribed important privacy principles relevant to data privacy.

In November 2022, the Ministry of Electronics and Information Technology (MeitY) proposed a new Digital Personal Data Protection Bill to replace the 2011 rules and some portions of the existing law. The Bill lists obligations for data fiduciaries along with the rights of individuals.

The Bill defines personal data as "data about an individual who is identifiable by or in relation to such data".

Here are key rights proposed in the draft Bill:

1. Right to information about the processing of their personal data and withdrawal of consent

The bill says that individuals have a right to know whether personal data about them is being processed or has been processed by a company; if yes, then the identity of the company and how the data is being processed.

"a summary of the personal data of the Data Principal being processed or that has been processed by the Data Fiduciary and the processing activities undertaken by the Data Fiduciary with respect to the personal data of the Data Principal"

The individuals can also withdraw their consent if they do not wish their data to be processed.

2. Right to correction and erasure of personal data

The bill gives the individual the right correct or erase their data. Upon receiving a request, the Data Fiduciary will have to

"..correct a Data Principal's inaccurate or misleading personal data; complete a Data Principal's incomplete personal data; update a Data Principal's personal data; erase the personal data of a Data Principal that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose."

3. Right to redressal of grievances and Data Protection Board

The Bill proposes that individuals should be able to approach an office or authority appointed by a company to handle grievances. It further proposes establishing a Data Protection Board under the new bill. The individual can approach the board if he is unsatisfied with the company's response.

4. Right to nominate

Under this provision, individuals have the right to nominate another individual to exercise their rights in the event of death or incapacity.

"For the purpose of this section, "incapacity" means inability to exercise the rights of the Data Principal under the provisions of this Act due to unsoundness of mind or body." the Bill reads.

The Bill also provides for a special provision for the transfer of data outside India.

According to the provision, the Centre may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data in accordance with such terms and conditions as may be specified.