Though the US technology major hasn’t really been very forthcoming about what it plans to do with this information, it will, in all likelihood, allow Facebook to target users with more focused ads based on their location and areas of interest.
This issue has clearly highlighted the urgent need for India to quickly enact the data privacy law that has been under deliberation since 2019 to protect the private data of Indian users, keep it within the shores of this country and to prevent its exploitation for commercial purposes by multinational technology companies that use sophisticated tools such as artificial intelligence to mine information from humungous databases.
Two issues have compounded the sense of outrage and indignation felt by Indian users and privacy activists. The new WhatsApp policy doesn’t offer users the option of opting out. This means they will have to accept the terms if they wish to continue using the service. Worse, it was clearly discriminatory against Indian users as subscribers in the European Union (EU) won’t be subject to the new rules of engagement.
“There are no changes to WhatsApp’s data-sharing practices in Europe arising from this update. It remains the case that WhatsApp does not share European Region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or ads,” said a statement by Niamh Sweeney, Director of Policy for WhatsApp, Europe.
The first question that arises here is what data WhatsApp is planning to pass on to its parent Facebook. All communications over the instant messaging service, whether as a string of messages, photos, calls, videos, personal contacts and their phone numbers, etc., are all encrypted end-to-end; this means even WhatsApp cannot access these. To that extent, users’ privacy is preserved.
Privacy advocates says this is a breach of privacy and have called upon the Government of India to step in to resolve this matter.
This is the point at which the issue takes a complicated legal turn. Unlike the EU’s General Data Protection Regulation (GDPR), which has stringent and robust provisions, including provisions for imposing fines of up to € 20 million or 4 per cent of of the annual global turnover of the company, in India, Section 43A of IT Act, 2000 mandates the payment of compensation only of the subscriber can prove that the data has been collected without permission and has been misused.
The law, enacted years before data emerged as a major economic resource, is loosely worded and lacks clarity. It merely obliges businesses to adopt reasonable security measures to protect personal data. This means it is difficult to make out a watertight case needed to prove lack of permission and misuse in a court of law.
The difference in WhatsApp’s treatment of India and EU subscribers can be explained by the fact that Facebook was fined €110 million in 2017 by the European Commission for providing incorrect or misleading information about the possibility of sharing data during its 2014 acquisition of WhatsApp.
Then Commissioner Margrethe Vestager, in charge of Competition Policy at EC had said: “Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information. And it imposes a proportionate and deterrent fine on Facebook. The Commission must be able to take decisions about mergers’ effects on competition in full knowledge of accurate facts.”
India’s proposed Personal Data Protection Bill 2019 can act as a deterrent to such unilateral actions. It has provisions for stiff penalties of $0.7-2.1 million or 2-4 per cent of a violator’s global turnover, whichever is higher, in case of a minor or major violations of data privacy.
But that law is in a limbo as of now. So, Indian users will have to wait for the government to take action to deal with this unilateral and open breach in their data security.