- Information such as browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook company products associated with the same device or account) shall be automatically collected.
- Even if a user does not use WhatsApp's location-related features, WhatsApp shall use IP addresses and other information like phone number area codes to estimate a user's general location (e.g., city and country).
- The businesses a user interacts with using WhatsApp's services may provide WhatsApp with information about their interactions with users. It is further stated that when a user messages with a business on WhatsApp, the content shared with such business may be visible to several other people in such business. In addition, some businesses may be working with third-party service providers (which may include Facebook) to help manage their communications with their customers.
- In order to support WhatsApp's services, WhatsApp shall work with third-party service providers and other Facebook companies and when WhatsApp shares information with such third-party service providers and Facebook companies, they would be required to use such user information on behalf of WhatsApp in accordance with WhatsApp's instructions and terms.
- If a user interacts with a third-party service or another Facebook company product linked through WhatsApp's Services, such as when a user uses the in-app player to play content from a third-party platform, information about the user, such as IP address and the fact that the user is a WhatsApp user, may be provided to such third party or Facebook company product.
- WhatsApp shall receive information from, and share information with other Facebook companies. Such information may be used by WhatsApp and/or the Facebook companies to help operate, provide, improve, understand, customize, support and market WhatsApp's services and their offerings, including the Facebook company products. This includes inter alia, making suggestions for the user, personalizing features and content, helping users complete purchases and transactions and showing relevant offers and ads across the Facebook company products.
- The Delhi High Court Petition
- That there remains no clarity as to which companies such user data will be shared with, as to when such data will be shared, to what extent it will be shared and what will be done with the users sensitive data.
- The petitioner emphasizes that in the absence of a data authority in India, it leaves the users at the mercy of the company's own assurances and privacy policies. The petitioner further highlights that Facebook being the largest social networking website in the world, it is embedded on every second website and collects data from such websites and that the integration of this data will essentially mean that the user is perpetually under the surveillance of the Facebook group of companies.
- Overview of the PDB Bill and Users Rights
The PDB Bill recognizes that the right to privacy is a fundamental right. The PDB Bill inter alia provides data principals or users the following rights:
- The right to confirmation and access: This includes the right to confirmation on whether the personal data is being processed and a summary of the processing activities undertaken, free of cost. The data principal/user shall have the right to access in one place, the identities of the data fiduciaries (i.e. any person/entity who alone or in conjunction with others determines the purpose and means of processing of personal data) with whom the data principal/users personal data has been shared with by any data fiduciary together with the categories of personal data shared with them, in such manner as may be specified by regulations.
- Right to correction and erasure: This pertains to the right to correct inaccurate or misleading personal data, complete incomplete personal data and request for updation of out of date personal data.
- Right to data portability: This right applies to personal data processed through automated means where: (a) the personal data was provided to the data fiduciary; (b) it has been generated in the course of provision of services or use of goods; or (c) it forms part of any profile on the users, or which the data fiduciary has otherwise obtained. Where this right applies, personal data shall be provided in a structured, commonly used and machine-readable format and may be transferred directly to another data fiduciary.
- Right to be forgotten: This pertains to the right to restrict or prevent the continuing disclosure of personal data where such disclosure: (a) has served the purpose for which it was collected or is no longer necessary for the purpose; (b) was made with the consent of the data principal/user under the PDB Bill and such consent has since been withdrawn; or (c) was made contrary to the provisions of the PDB Bill or any other law for the time being in force.
- Data Protection Authority and Penalties under the PDB Bill
The PDB Bill also provides for the establishment of an authority who shall be responsible for taking steps to protect the interests of individuals, preventing misuse of personal data and ensuring compliance with the provisions of the PDB Bill. Further, the authority shall appoint adjudicating officers for the purpose of adjudging penalties or awarding compensation. The PDB Bill imposes heavy penalties for violations of provisions under the PDB Bill, including a penalty of up to fifteen crore rupees or four percent of the data fiduciaries total worldwide turnover of the preceding financial year, whichever is higher, on data fiduciaries for contravention of provisions relating to processing of personal data.
Ashima Obhan is a Partner and Bambi Bhalla is an Associate at Obhan and Associates. Views are personal.