[Law & Policy Pod] Whatsapp’s Privacy Policy & The Personal Data Protection Bill

  • Sanya Talwar
  • 01:43 PM, 21 Jul 2021

After Whatsapp recently informed the Delhi High Court that it shall keep the rollout of its controversial Privacy Policy on hold till the Personal Data Protection Bill, 2019 is effectuated, Lawbeat reached out to Shweta Dwivedi, a Corporate Lawyer with over a decade’s experience and an expert in Data Privacy Laws, to unravel the ramifications of this decision on the Social Media giant.

Dwivedi’s perspective in this segment of Law & Policy Pod succinctly sheds light on various aspects of what such a suspension of the policy now means for Whatsapp’s user’s in India, what really is at stake for Whatsapp & whether this decision was a thought-out move for the social media giant.

Lawbeat: So what was the chronology of events like for this issue?

Dwivedi: All of us using WhatsApp in India started receiving notifications of updated Privacy Policy earlier this year. To a layman, it appeared that you accept the notification, else you won’t be able to access WhatsApp. The activist groups and media started raising the concerns on how the updated policy is lopsided, and pretty much like a ‘take-it or leave-it’. Soon, the competition regulator of India, the Competition Commission of India (CCI), initiated a suo motu action against WhatsApp and Facebook Inc. based on media reports on grounds that the social media giants are using their dominant market position to force users to accept the updated privacy policy.  An investigation was ordered by the CCI, which led the social media giant approach Delhi High Court, challenging it. A single judge bench rejected the plea. In appeal, WhatsApp informed a division bench of the Delhi High Court that it had voluntarily put the updated Privacy Policy on hold until the proposed privacy law (the Personal Data Protection Bill, 2019 (PDP Bill) in India comes into force. 

As on now, Delhi High Court is yet to decide the matter on stay of the investigation ordered by the CCI on the grounds that the matter on WhatsApp’s privacy policies is sub-judice before various courts in India.

Interestingly, CCI in its detailed order observed that the updated Privacy Policy and Terms and Conditions are broad, vague, and non-transparent, since the users are not fully made aware of how their personal data can be shared and for what all purposes can it be used for, which will be subject-matter of the investigation by the Director General.  

Lawbeat: Why did this policy come under the scanner in the first place?

Dwivedi: The controversy surrounding WhatsApp’s Privacy Policy began when it was announced around January 2021. Among other updates, the Privacy Policy mentioned that user data may be shared by WhatsApp with Facebook Inc. and its subsidiaries.

The previous updates to the Privacy Policy by WhatsApp in 2016 and 2019 provided users with an option to ‘opt-out’ if they didn’t want to share their data, and the users continued to avail the services in any case. However, this time, WhatsApp’s policy seemed like a ‘take-it or leave-it’ for the users. If users didn’t accept the revised Privacy Policy, they can no longer avail the services.

Lawbeat: Right. Now that the updated policy has been suspended, where do the WhatsApp users of India stand?

Dwivedi: At this juncture, this essentially means that while WhatsApp will continue to inform the users of the updates,

“it will not force users to accept the updates nor will it discontinue/ limit the services until the PDP Bill is enacted."

Lawbeat: What is the correlation between the PDP bill and WhatsApp’s Privacy Policy? What impact will our proposed Privacy Law have on WhatsApp?

Dwivedi: The PDP Bill was sent for consideration of the Joint Parliamentary Committee in early 2020, which is to submit its report before the upcoming monsoon session. Going by media reports, several key changes are expected in the PDP Bill, one will have to wait and watch for the actual fine print. 

“Once the new law is enacted, WhatsApp will need to assess if it’s Privacy Policy is complying with the new law or not, or amend it to comply.”

Dwivedi adds,

Some provisions of the PDP Bill may be worth a mention here:

The last version of PDP Bill provides that any person may process the personal data for the purposes consented to by the data principal (i.e. the users in this case), or purpose which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected (Clause 5(b) of PDP Bill). This gives ample scope for creative drafting of the privacy policies.

At the time of collection of data, the users need to be given notice of the purpose of collection, the nature and categories of personal data collected, details of data fiduciary, right to withdraw the consent and the process for withdrawal, the individuals or entities with whom such personal data may be shared, so on and so forth (Clause 7(1)). The consent for processing needs to be free, informed, specific, clear and capable of being withdrawn (Clause 11(1)). For processing sensitive personal data (such as health data, biometric data, financial data, sexual orientation, etc.), explicit consent must be obtained from data principals.  
“Broadly these principles also form part of the current privacy framework under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules, 2011), which apply to processing of sensitive personal data. Where consent is taken by users for processing of sensitive personal data, they also need to be provided with an option to withdraw consent. This is what essentially the industry and users have been demanding on the WhatsApp privacy policy controversy – the right to withdraw consent if they don’t wish to share their data with Facebook or other companies,” says Dwivedi.

Lawbeat: What’s in it for other stakeholders?

Dwivedi: The PDP Bill also provides grounds for processing of personal data without obtaining consent of the data principals, such as compliance with court orders, medical emergencies, health services, employment, etc.

Clause 14 lists out other reasonable purposes for processing of personal data without consent, which may include whistle blowing, mergers and acquisitions, prevention and detection of unlawful activity, and other grounds as may be provided by the Data Protection Authority.  This leaves ample room for companies to creatively design and word their privacy policies as they would want to fall within one of the exceptions. One will also need to wait for what the Data Protection Authority notifies additionally.
WhatsApp will either rely on the consent based approach, or try to fall within one of the exceptions for processing without consent. If the latter is not an option, the consent based approach will require them to provide an opt-out option to the users from sharing their personal data with Facebook and its subsidiaries. Interestingly, WhatsApp has 2 versions of its privacy policies globally. 

"Their privacy policy for Europe is far too stringent than rest of the world given the stringent privacy regime there. In Europe, WhatsApp provides an opt-out option to users who do not wish to share their personal data with Facebook and its subsidiaries. WhatsApp will hence wait and watch for the fine print of the new law in India, and assess if the new law is a take-it or leave-it for WhatsApp."

Lawbeat: Do you think this (of suspending the Updated Privacy Policy till the Privacy Law is enforced) decision was well-thought out for the SM giant?

Dwivedi: As a data privacy lawyer, I would agree that this was the best available option to WhatsApp now given the strong resistance from all quarters in India, be the users, activist groups, the Government, the CCI or the courts. Also, the PDP Bill is quite exhaustive and the new privacy law will have newer compliances/ obligations, etc. It makes sense to wait for the new law to come and assess the policy and the next course of action then. The law as it stands today mandates a consent based approach coupled with right to withdraw consent as far as sensitive personal data is concerned.

While India is a global technology hub and privacy laws have not been very robust historically, I believe it’s time that the new privacy law is strong and at par with global standards to inspire confidence of the users, citizens and global business community. If WhatsApp can have a separate privacy policy for Europe, there is no reason why India cannot be another exception for them.