Introduction:

The year 2021 began with a lot of skepticism. WhatsApp’s in-app notification announcing a change in its privacy policy[1] (Policy) triggered a series of discussions with the government and amongst social thinkers, as a result of the unyielding confusion in the minds of the general public. The update left only a narrow margin: users had to either comply with the Policy before February 08, 2021 or exit the platform, and most people complied. While many aware users also opted for alternative internet-based messaging platforms like Telegram and Signal, the altered Policy has triggered prolonged discussions ever since. As a result of the criticisms and disconcerted opinions amongst users, the deadline for mandatory compliance with the modified Policy has been extended to May 15, 2021. However, the open-ended issue which requires consideration is the adequacy of the Policy in protecting users’ privacy.

This post seeks to analyze the changes brought about in the Policy, with a focus on the ramifications of the use of shared hosting services with WhatsApp’s group/parent entity, Facebook. In the latter segment, the post will analyze the conformity of WhatsApp’s Policy with the existing legal regime and the legal implications of the Policy.

What does the Policy Entail?

The WhatsApp Policy focuses on increasing data transparency by keeping users informed of: (a) the information collected by WhatsApp, (b) the processing and handling of user’s data, (c) the manner of use of user’s data by businesses who opt for Facebook hosting services to manage user information and (d) payments on WhatsApp.

a. End-to-End Encryption:

Ever since the introduction of the Policy, WhatsApp has issued multiple notifications and FAQs[2] to assuage user concerns. A unique feature of WhatsApp, and the reason it has garnered manifold users across the globe, is the End-to-End Encryption (ETE) of user conversations. Simply put, the ETE feature masks the sender’s messages and communications using unique keys/codes, so that they are decipherable only by the intended receiver, who holds the special decrypting key.[3] An ETE feature does not allow any third party, not even WhatsApp or its related group entities, to intercept or decipher the content shared between the sender and the receiver. While fake news and rumours doing the rounds early this year spoke to the contrary,[4] the Policy does not alter the ETE Signal protocol observed by WhatsApp when messages are exchanged between users. The only exception to the mandatory ETE feature is an instance where WhatsApp, under the direction of a competent authority, is required to intercept, monitor or decrypt the communications exchanged between users.[5]

Collection and Processing of Data:

As per the Policy, while WhatsApp is not privy to user conversations, it collects manifold information and personal data, including identifiers, for its day-to-day operational activity. Unlike the previous policy, the new Policy provides more clarity on data points, including the usage and log information collected by WhatsApp. Similarly, it also collects device-related information such as hardware model, connection information including phone numbers, time zones, IP addresses and identifiers, including the identifiers unique to Facebook associated with the same device or account. However, the Policy is concerning as it lacks clarity on the extent to which identified user information collected by WhatsApp is consequently shared with Facebook group companies or other third-party service providers.

  1. Sharing of Data with Third Party Service Providers:

The Policy clarifies that it shares user login information, device locations, unique identifiers relevant to Facebook, etc., with Facebook group entities, unlike the ambiguities and non-disclosures in the older policy of WhatsApp.[6] It is clear that WhatsApp engages with third-party service providers and other Facebook companies to operate, provide, improve, understand, customize, support, and market its services. Interestingly, this feature is not a new addition to the Policy and has been in existence even in the older version of the policy, though not in as granular a form as the present one.

In certain other instances where users opt for only WhatsApp’s service and opt out of the services of other Facebook Group Entities, mandating the collection and sharing of the user’s data with Facebook does not conform with data protection standards, including the principle of providing a concise purpose limitation for processing and use of the data. Lastly, in case of conflict or compromise of user data, it is unclear from the present Policy whether the terms of service and privacy policy of WhatsApp will prevail or those of the other Facebook-related group entity.

The different standards adopted by WhatsApp are evident from a perusal of WhatsApp’s privacy policy in the European Union (EU) region[7] and in the other parts of the world. Interestingly, in order to be General Data Protection Regulation (GDPR) compliant, in the EU region WhatsApp does not voluntarily share user information with third-party service providers for its infrastructural, service or program development, unlike its policy in the remaining parts of the world. It is only when the user opts for third-party services, such as a cloud service integrated with the system for backup, that the user’s information is shared with third parties. In such cases, the users will naturally be bound by the terms and privacy policies of those services, having opted for them of their own volition. This stark distinction between the policy for the EU region and the other parts of the world clearly demonstrates that WhatsApp is more than willing to comply with stricter norms; however, the absence of norms at times facilitates its commercial intent, while making it conducive for the platform to process large volumes of data.

  2. Communication with Business Accounts:

The newest feature of the Policy is the change in user privacy settings in a user-business communication. The Policy allows businesses to communicate and interact with each other and with users, and allows users to browse through products and services as well as place orders. While WhatsApp has assured users that the ETE protocol is retained in case of user-business communications, a deeper analysis of the Policy speaks to the contrary. As long as communication is exchanged within WhatsApp, the ETE protection is guaranteed. However, once the business entity opts for Facebook or other third-party hosting services, this principle gets compromised.[8] WhatsApp’s clever disclaimers caution users that information shared with such business contacts may be used for the business entities’ own marketing purposes, which may even include advertisement on Facebook, or may even be accessed by several employees in the business organisation. Interestingly, to safeguard itself and avoid any liability, WhatsApp also ensures that every user conversing with such business accounts is well informed by way of labels appearing at the top of such conversations, indicating whether such business entities have opted for hosting services from Facebook.

The aforesaid aspect of the Policy also raises important questions: who will be liable for breach of privacy in such an arrangement? Can WhatsApp compel its users to tacitly consent to the processing of data by third-party entities? Further, can a user be expected to be aware of the privacy policy of not just WhatsApp but also of the hosting services, which may belong to a third party including Facebook companies? WhatsApp’s Policy does not provide clear answers to these questions. Therefore, from the perspective of a user who is concerned about data protection, the only options are: (a) refrain from communicating with business accounts on WhatsApp or (b) switch to alternate internet messaging platforms.

Legality of the Policy:

The Information Technology Act, 2000 (Act) read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Rules) only provide limited protection to sensitive personal data without an effective enforcement mechanism. Therefore, the nuances in WhatsApp’s Policy, particularly, the sharing of information with third party service providers will go unnoticed. No doubt, in such a loosely worded legislative scheme, the Policy will effectively sail through.

However, from a constitutional perspective, where horizontal rights enforcement against a private entity is recognized and informational privacy is considered a fundamental right,[9] it is important to analyze whether the Policy effectively meets adequate data protection standards. The Supreme Court has recognized that, as an important aspect of informational privacy, one must have complete control over the dissemination of information that is personal.[10] WhatsApp’s mandatory consent requirement to share information with third parties including Facebook Companies is in the teeth of this principle. This specific aspect formed the subject matter of challenge in a writ petition before the Delhi High Court[11] and is pending adjudication before the Supreme Court.[12]

Recently, a public interest litigation was filed before the Delhi High Court challenging the revised Policy.[13] The absence of a user’s choice to actively consent to the processing and sharing of his data is challenged as being violative of the right to privacy. In fact, the petition also highlights the disparity between the Policy and WhatsApp’s privacy policy in the EU Region. The matter is pending adjudication before the High Court.

Conclusion:

WhatsApp’s privacy policy, particularly the mandatory scheme of requiring user consent to the sharing of data with Facebook companies, has created a stir in India. The Ministry of Electronics and Information Technology has sought clarifications from WhatsApp in respect of the issues pertaining to its privacy, data transfer and sharing regime and general business practices.[14] As per the Indian government, the present Policy will have a disproportionate impact on Indian citizens. However, till the time India lacks a regulatory regime for personal data protection, larger entities which indulge in generating data, such as WhatsApp/Facebook, will slither away from any strict compliance conditions.

In view of the users’ outrage, government demands and the pending court proceedings, WhatsApp has extended the deadline for accepting the Policy to May 15, 2021. It is only a matter of time before users get to know the fate of their information on WhatsApp.