Dwivedi’s perspective in this segment of Law & Policy Pod succinctly sheds light on what the suspension of the policy now means for WhatsApp’s users in India, what is really at stake for WhatsApp, and whether this decision was a thought-out move for the social media giant.
Lawbeat: So what was the chronology of events like for this issue?
As of now, the Delhi High Court is yet to decide the matter on the stay of the investigation ordered by the CCI on the grounds that the matter on WhatsApp’s privacy policies is sub-judice before various courts in India.
Lawbeat: Why did this policy come under the scanner in the first place?
Lawbeat: Right. Now that the updated policy has been suspended, where do the WhatsApp users of India stand?
Dwivedi: At this juncture, this essentially means that while WhatsApp will continue to inform the users of the updates, “it will not force users to accept the updates nor will it discontinue/limit the services until the PDP Bill is enacted.”
Dwivedi: The PDP Bill was sent for consideration of the Joint Parliamentary Committee in early 2020, which is to submit its report before the upcoming monsoon session. Going by media reports, several key changes are expected in the PDP Bill; one will have to wait and watch for the actual fine print.
Some provisions of the PDP Bill may be worth a mention here:
The last version of the PDP Bill provides that any person may process personal data for the purposes consented to by the data principal (i.e. the users in this case), or for a purpose which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected (Clause 5(b) of the PDP Bill). This gives ample scope for creative drafting of the privacy policies.
At the time of collection of data, the users need to be given notice of the purpose of collection, the nature and categories of personal data collected, details of data fiduciary, right to withdraw the consent and the process for withdrawal, the individuals or entities with whom such personal data may be shared, so on and so forth (Clause 7(1)). The consent for processing needs to be free, informed, specific, clear and capable of being withdrawn (Clause 11(1)). For processing sensitive personal data (such as health data, biometric data, financial data, sexual orientation, etc.), explicit consent must be obtained from data principals.
Lawbeat: What’s in it for other stakeholders?
Dwivedi: The PDP Bill also provides grounds for processing of personal data without obtaining consent of the data principals, such as compliance with court orders, medical emergencies, health services, employment, etc.
Clause 14 lists out other reasonable purposes for processing of personal data without consent, which may include whistle blowing, mergers and acquisitions, prevention and detection of unlawful activity, and other grounds as may be provided by the Data Protection Authority. This leaves ample room for companies to creatively design and word their privacy policies as they would want to fall within one of the exceptions. One will also need to wait for what the Data Protection Authority notifies additionally.
WhatsApp will either rely on the consent-based approach, or try to fall within one of the exceptions for processing without consent. If the latter is not an option, the consent-based approach will require them to provide an opt-out option to the users from sharing their personal data with Facebook and its subsidiaries. Interestingly, WhatsApp has 2 versions of its privacy policies globally.
Dwivedi: As a data privacy lawyer, I would agree that this was the best available option to WhatsApp now given the strong resistance from all quarters in India, be it the users, activist groups, the Government, the CCI or the courts. Also, the PDP Bill is quite exhaustive and the new privacy law will have newer compliances/obligations, etc. It makes sense to wait for the new law to come and assess the policy and the next course of action then. The law as it stands today mandates a consent-based approach coupled with the right to withdraw consent as far as sensitive personal data is concerned.