WHO GOT MY DATA?
On January 4, millions of WhatsApp users across the world found an in-app pop-up notifying them that from February 8 the messenger platform’s terms of services and privacy policy would change, and users must accept the new terms to keep using the app. In the new privacy policy, WhatsApp removed a passage on allowing users to opt out of sharing certain data with Facebook, its parent firm.
This ‘take-it-or-leave-it’ policy led to massive outrage against WhatsApp for being cavalier with its users’ privacy. Many shifted to other chat platforms such as Telegram and Signal. WhatsApp saw a 7 per cent decline in daily instals within a week of the release of the new privacy policy. In contrast, Signal saw an 18-fold increase in downloads between January 6 and 10. In India, two PILs—one in the Supreme Court and one in the Delhi High Court— were filed seeking legal intervention to prevent WhatsApp from forcing users to share personal data. The Union government also wrote to WhatsApp head Will Cathcart asking him to “respect the informational privacy and data security of Indian users” and withdraw the latest terms and privacy policy in India.
Following the backlash, WhatsApp delayed the rollout of its new terms of services and sought to clarify that it had no intention of compromising the personal data of its users. ‘Your personal messages are protected by end-to-end encryption. We will never weaken this security and we clearly label each chat, so you know our commitment,’ read a statement
issued by WhatsApp.
The outrage or debate, however, is not about the privacy of encrypted chats, but the sharing by default of personal information stored in the electronic device of the user that the messenger platform has access to. Unless you opted out in 2016, when the company last offered the choice, WhatsApp shares with Facebook Inc. platforms information about a wide array of personal data, which, it maintains is ‘to operate, provide, improve, understand, customise, support and market’ their services.
But privacy advocates see this as an invasion. “If users are bombarded with adverts of services/ products they just discussed in a personal chat or ads are pushed on the Facebook account that relate to their financial transactions on WhatsApp, it feels like a breach of privacy and certainly seems problematic on an ethical front,” says Salman Waris of legal firm TechLegis Advocates and Solicitors. “Facebook has not been very ethical with its data handling as was evident in the Cambridge Analytica case. Users are apprehensive sharing even anonymised data with a company so callous with its data history.”
N.S. Nappinai, Supreme Court advocate and founder of CyberSaathi, an initiative that assists victims of cyber crimes, agrees. “It is not just about content or profiling but a heightened form of profiling by a corporate entity. The privacy and the Aadhaar judgments of the Supreme Court provide enough guidelines on what is permissible and what is not,” she says.
When india today contacted WhatsApp India CEO Abhijit Bose, his office sent out the following clarification: “WhatsApp wants to make it easier for people to both make a purchase and get help from a business directly on WhatsApp. While most people use WhatsApp to chat with friends and family, increasingly, people are reaching out to businesses as well. To further increase transparency, we updated the privacy policy so that going forward, businesses can choose to receive secure hosting services from our parent company Facebook to help manage communications with customers on WhatsApp.” Waris is not convinced. “The revised terms appear to be an abuse of WhatsApp and Facebook’s dominant position in the market.” WhatsApp, he says, could have offered users the choice to opt out of certain services if they refused to share data rather than make it compulsory, especially given the platform’s market share of around 400 million users in India.
WHERE’S THE BREACH?
To be clear, the controversial policy update has brought to light once again a disputable old practice. Following its acquisition by Facebook in 2014, the chat service provider launched a major privacy policy update in August 2016 and started sharing user information with FB. At the time, WhatsApp users were given 30 days to opt out of some of the sharing. That feature has long gone from the app settings (see What Does WhatsApp Collect from You?).
Users who missed that window have had their data shared with Facebook ever since. WhatsApp says as a group company, it ‘partners with Facebook to offer experiences and integrations across Facebook’s family of apps and products’. Facebook has been rolling out business tools on WhatsApp over the past year in an attempt to boost revenues by building an e-commerce infrastructure across the company’s various platforms.
One such move could be Reliance’s plan to integrate its e-commerce platform JioMart with WhatsApp in the next six months. In April 2020, Facebook bought a 9.9 per cent stake in Reliance Industries’ digital unit Jio Platforms for $5.7 billion. Reliance CMD Mukesh Ambani had then said that “JioMart and WhatsApp would empower nearly 30 million small Indian kirana shops to transact with every customer in their neighbourhood digitally”.
WhatsApp claims it does not keep logs of messages/ calls and does not share an individual’s contacts with Facebook. ‘We believe keeping (message
and call logs) for two billion users would be both a privacy and security risk and we don’t do it…,’ read a company statement. In 2018, WhatsApp had clarified that FB does not use its payment information for commercial purposes.
However, cyberlaw expert Pavan Duggal says that the new privacy policy goes far beyond and talks about sharing your sensitive personal data as defined under Indian law. “The Information Technology Rules, 2011, define financial records as sensitive personal data. When WhatsApp said it will share your transaction details, it violated the country’s existing legal framework,” he says.
The current controversy has, once again, brought into focus the unwarranted data-sharing not just by WhatsApp but by other digital platforms as well. Privacy advocates have renewed their demand for speedy implementation of a robust data protection law to protect users and their personal data from becoming marketable commodities without their explicit consent. India has a pending Personal Data
Protection Bill, 2019, which is being reviewed by a joint parliamentary committee (JPC). In fact, the WhatsApp privacy policy change will be discussed in a meeting scheduled on January 21 between the parliamentary standing committee on information technology and officials from Facebook and Twitter.
PROTECTING PRIVACY
The absence of a dedicated privacy law is letting digital platforms get away with unrestrained data mining, and the existing laws do not offer a clear framework to assess violations. The Delhi
High Court, on January 18, dismissed a petition against the revised privacy policy of WhatsApp saying the chat service was a “voluntary” thing and one could choose not to use it if the terms and conditions were not agreeable. Duggal, though, sees this as a classic case of abuse of dominant position and says the Competition Commission of India needs to take suo motu cognisance and initiate an investigation. “WhatsApp can dare to misuse their dominant position in India because there is a policy vacuum here. India does not have a law on data protection, privacy and cyber security. The absence of this trinity in our legislative framework makes India a very fertile ground for all kinds of arbitrary experimentation,” he says.
However, the SC advocate says users can file criminal complaints under the IT Act, 2000 against WhatsApp for failure to comply with the provisions of the Act. “Under the IT Act, 2000, WhatsApp becomes an intermediary and is required to exercise due diligence while discharging obligations under the law. By not complying, it has aided the commission of various cognisable offences,” says Duggal.
According to Nappinai, the expansive IT rules framed under Section 43A of the IT Act do provide protection with respect to consent, use, sharing and transfer of data collected in India. The Union government can formulate IT rules to protect sensitive personal data. “These rules can be expeditiously tweaked to include protections similar to those under GDPR (General Data Protection Regulation) of the European Union to guard against violation of the consent framework. Such an amendment would be warranted independent of the government’s directive to WhatsApp to treat Indians fairly, as this should be made normative for all platforms,” she says. In days to come, with so much more business to be transacted online, and personal data being such a monetisable asset in that universe, the salience of a robust data-protection regime can hardly be overemphasised.
INDIA’S LONG-PENDING PERSONAL DATA PROTECTION BILL IS CURRENTLY BEING REVIEWED BY A JPC; THE WHATSAPP PRIVACY POLICY UPDATE IS ALSO UP FOR DISCUSSION