The WhatsApp Privacy Policy Dilemma

1. What the New Privacy Policy States

The privacy policy rolled out by WhatsApp on January 4, 2021 states as to how a users data would be impacted while interacting with businesses on WhatsApp and provides further information on such data sharing carried out by WhatsApp with Facebook. While users in the EU may choose to 'opt-out' out of data sharing with Facebook, this option has not been made available to the rest of the world. The privacy policy inter alia broadly states the following with respect to sharing of information and data with Facebook:

• Information such as browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook company products associated with the same device or account) shall be automatically collected.
• Even if a user does not use WhatsApp's location-related features, WhatsApp shall use IP addresses and other information like phone number area codes to estimate a user's general location (e.g., city and country).
• The businesses a user interacts with using WhatsApp's services may provide WhatsApp with information about their interactions with users. It is further stated that when a user messages with a business on WhatsApp, the content shared with such business may be visible to several other people in such business. In addition, some businesses may be working with third-party service providers (which may include Facebook) to help manage their communications with their customers.
• In order to support WhatsApp's services, WhatsApp shall work with third-party service providers and other Facebook companies and when WhatsApp shares information with such third-party service providers and Facebook companies, they would be required to use such user information on behalf of WhatsApp in accordance with WhatsApp's instructions and terms.
• If a user interacts with a third-party service or another Facebook company product linked through WhatsApp's Services, such as when a user uses the in-app player to play content from a third-party platform, information about the user, such as IP address and the fact that the user is a WhatsApp user, may be provided to such third party or Facebook company product.
• WhatsApp shall receive information from, and share information with other Facebook companies. Such information may be used by WhatsApp and/or the Facebook companies to help operate, provide, improve, understand, customize, support and market WhatsApp's services and their offerings, including the Facebook company products. This includes inter alia, making suggestions for the user, personalizing features and content, helping users complete purchases and transactions and showing relevant offers and ads across the Facebook company products.
• WhatsApp shall share information globally, both internally within the Facebook companies and externally with their partners and service providers, and with those with whom the user communicates around the world, in accordance with the privacy policy. The users information may, for example, be transferred or transmitted to, or stored and processed in, the United States; countries or territories where the Facebook companies' affiliates and partners, or WhatsApp's service providers are located; or any other country or territory globally where WhatsApp's services are provided outside of where the user lives for the purposes as described in the privacy policy.

2. The Delhi High Court Petition

In a writ petition filed at the Delhi High Court in the case of Chaitanya Rohilla vs. Union of India & Ors.^[1] challenging the updated WhatsApp privacy policy, the petitioner submits inter alia the following:

• That there remains no clarity as to which companies such user data will be shared with, as to when such data will be shared, to what extent it will be shared and what will be done with the users sensitive data.
• The petitioner emphasizes that in the absence of a data authority in India, it leaves the users at the mercy of the company's own assurances and privacy policies. The petitioner further highlights that Facebook being the largest social networking website in the world, it is embedded on every second website and collects data from such websites and that the integration of this data will essentially mean that the user is perpetually under the surveillance of the Facebook group of companies.
• The petitioner further submits that the privacy policy directly attacks the fundamental right of privacy guaranteed to all individuals under the Constitution of India. This right has been affirmed by the Supreme Court of India in the matter of Justice K.S. Puttaswamy and Ors. Vs. Union of India and Ors.^[2] whereby the Supreme Court recognized every individuals fundamental right to privacy to be protected as a part of the right to life and personal liberty guaranteed under Article 21 of the Constitution of India. It is pertinent to note here that the Supreme Court in this case has inter alia, held that "One aspect of privacy is the right to control the dissemination of personal information. And that every individual should have a right to be able to control exercise over his/her own life and image as portrayed in the world and to control commercial use of his/her identity."

3. Overview of the PDB Bill and Users Rights

The PDB Bill recognizes that the right to privacy is a fundamental right. The PDB Bill inter alia provides data principals or users the following rights:

• The right to confirmation and access: This includes the right to confirmation on whether the personal data is being processed and a summary of the processing activities undertaken, free of cost. The data principal/user shall have the right to access in one place, the identities of the data fiduciaries (i.e. any person/entity who alone or in conjunction with others determines the purpose and means of processing of personal data) with whom the data principal/users personal data has been shared with by any data fiduciary together with the categories of personal data shared with them, in such manner as may be specified by regulations.
• Right to correction and erasure: This pertains to the right to correct inaccurate or misleading personal data, complete incomplete personal data and request for updation of out of date personal data.
• Right to data portability: This right applies to personal data processed through automated means where: (a) the personal data was provided to the data fiduciary; (b) it has been generated in the course of provision of services or use of goods; or (c) it forms part of any profile on the users, or which the data fiduciary has otherwise obtained. Where this right applies, personal data shall be provided in a structured, commonly used and machine-readable format and may be transferred directly to another data fiduciary.
• Right to be forgotten: This pertains to the right to restrict or prevent the continuing disclosure of personal data where such disclosure: (a) has served the purpose for which it was collected or is no longer necessary for the purpose; (b) was made with the consent of the data principal/user under the PDB Bill and such consent has since been withdrawn; or (c) was made contrary to the provisions of the PDB Bill or any other law for the time being in force.

4. Data Protection Authority and Penalties under the PDB Bill

The PDB Bill also provides for the establishment of an authority who shall be responsible for taking steps to protect the interests of individuals, preventing misuse of personal data and ensuring compliance with the provisions of the PDB Bill. Further, the authority shall appoint adjudicating officers for the purpose of adjudging penalties or awarding compensation. The PDB Bill imposes heavy penalties for violations of provisions under the PDB Bill, including a penalty of up to fifteen crore rupees or four percent of the data fiduciaries total worldwide turnover of the preceding financial year, whichever is higher, on data fiduciaries for contravention of provisions relating to processing of personal data.

While the PDB Bill is not yet law, the new privacy policy has sparked a privacy debate in India. Although WhatsApp has postponed its date for users to accept its new policy to May 15, 2021 now, what remains to be seen is how in the absence of such law will the Government seek to ensure the data privacy of its citizens and whether any interim guidelines or measures in the meantime shall be put in place by the Courts.

Ashima Obhan is a Partner and Bambi Bhalla is an Associate at Obhan and Associates. Views are personal.