WhatsApp privacy policy tweak highlights need for data protection law in India

WhatsApp privacy policy tweak highlights need for data protection law in India
Courtesy: LightRocket via Getty Images

WhatsApp’s unilateral change in its privacy policy in India, now on hold till May 15, discriminates against its Indian subscribers vis-à-vis their EU counterparts. The government should quickly enact the pending Personal Data Protection Bill to ensure there is no encore.

A sudden and unilateral change in WhatsApp’s privacy policy has all of India in a flap. The popular messaging app has tweaked its terms of use to allow it to share data on its 400 million users in India with its parent Facebook.

Though the US technology major hasn’t really been very forthcoming about what it plans to do with this information, it will, in all likelihood, allow Facebook to target users with more focused ads based on their location and areas of interest.

A sudden and unilateral change in WhatsApp’s privacy policy will allow it to share data on its 400 million users in India with its parent Facebook.

India needs a data protection law

The new WhatsApp policy doesn’t give users the choice to opt out, forcing them to accept the terms if they wish to continue using the service.
The new WhatsApp policy doesn’t give users the choice to opt out, forcing them to accept the terms if they wish to continue using the service.Courtesy: Getty Images

This issue has clearly highlighted the urgent need for India to quickly enact the data privacy law that has been under deliberation since 2019 to protect the private data of Indian users, keep it within the shores of this country and to prevent its exploitation for commercial purposes by multinational technology companies that use sophisticated tools such as artificial intelligence to mine information from humungous databases.

EU users treated differently from Indian subscribers

Two issues have compounded the sense of outrage and indignation felt by Indian users and privacy activists. The new WhatsApp policy doesn’t offer users the option of opting out. This means they will have to accept the terms if they wish to continue using the service. Worse, it was clearly discriminatory against Indian users as subscribers in the European Union (EU) won’t be subject to the new rules of engagement.

“There are no changes to WhatsApp’s data-sharing practices in Europe arising from this update. It remains the case that WhatsApp does not share European Region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or ads,” said a statement by Niamh Sweeney, Director of Policy for WhatsApp, Europe.

WhatsApp defers implementation of new policy

The new WhatsApp policy doesn’t offer users the option of opting out. It also clearly discriminates against Indian users as subscribers in EU won’t be subject to the new rules of engagement.

The outcry among Indian users, privacy activists and the intervention of the government has forced Facebook to defer the implementation of the new privacy policy till May 15. As of now it is not clear what will happen from that day onward.

The first question that arises here is what data WhatsApp is planning to pass on to its parent Facebook. All communications over the instant messaging service, whether as a string of messages, photos, calls, videos, personal contacts and their phone numbers, etc., are all encrypted end-to-end; this means even WhatsApp cannot access these. To that extent, users’ privacy is preserved.

But other data, such as the brand of phones being used, its operating system, its IP address, coarse location (meaning the city or the locality of the user) are among the sets of data that WhatsApp proposes to share with its parent under the tweaked terms of use.

Breach of privacy

WhatsApp’s differential treatment between India and EU subscribers can be explained by the fact that Facebook was fined €110 million in 2017 by the European Commission for providing incorrect information on data sharing.
WhatsApp’s differential treatment between India and EU subscribers can be explained by the fact that Facebook was fined €110 million in 2017 by the European Commission for providing incorrect information on data sharing.Courtesy: Getty Images

Privacy advocates says this is a breach of privacy and have called upon the Government of India to step in to resolve this matter.

This is the point at which the issue takes a complicated legal turn. Unlike the EU’s General Data Protection Regulation (GDPR), which has stringent and robust provisions, including provisions for imposing fines of up to € 20 million or 4 per cent of of the annual global turnover of the company, in India, Section 43A of IT Act, 2000 mandates the payment of compensation only of the subscriber can prove that the data has been collected without permission and has been misused.

Indian IT Act 2000 lacks clarity

The law, enacted years before data emerged as a major economic resource, is loosely worded and lacks clarity. It merely obliges businesses to adopt reasonable security measures to protect personal data. This means it is difficult to make out a watertight case needed to prove lack of permission and misuse in a court of law.

EU fine a lesson for Facebook

The difference in WhatsApp’s treatment of India and EU subscribers can be explained by the fact that Facebook was fined €110 million in 2017 by the European Commission for providing incorrect or misleading information about the possibility of sharing data during its 2014 acquisition of WhatsApp.

Then Commissioner Margrethe Vestager, in charge of Competition Policy at EC had said: “Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information. And it imposes a proportionate and deterrent fine on Facebook. The Commission must be able to take decisions about mergers’ effects on competition in full knowledge of accurate facts.”

Data Protection Bill can be a deterrent

India’s proposed Personal Data Protection Bill 2019 can act as a deterrent as it has provisions for stiff penalties in case of a minor or major violations of data privacy.

India’s proposed Personal Data Protection Bill 2019 can act as a deterrent to such unilateral actions. It has provisions for stiff penalties of $0.7-2.1 million or 2-4 per cent of a violator’s global turnover, whichever is higher, in case of a minor or major violations of data privacy.

But that law is in a limbo as of now. So, Indian users will have to wait for the government to take action to deal with this unilateral and open breach in their data security.

No stories found.
No stories found.
No stories found.
No stories found.
No stories found.
No stories found.
India Global Business
www.indiaglobalbusiness.com