WhatsApp’s New Privacy Policy: Appreciable or Criticism?

(By Somya Singh, BALLB 2nd Year, 3rd Semester, Jaipur National University, Jagatpura)

India has one of the fastest-growing internet connectivity and accessibility markets in the world.
This development has been driven largely by the rise of mobile and computer devices being
introduced in the market every other day. Even when the spread of internet connection is still
limited to 35% of the population, this expanded availability of internet services has given birth to
some major issues of concern. One such issue which has always been the topic of global debate
in the given era of technological advancement is the issue of privacy and the lack of protection
thereof. India is no less to not get caught in this facade because the digital India project has led to
excessive accessibility of online public and private services.s

In the 21st century, there is nothing more private, personal and confidential than the private
information and messages communicated through social media by a person to his family, friends
and acquaintance. There are various service providers whose service is utilized in India to
communicate or to engage in private conversation and share confidential data. One such popular
smart phone application which is used sin India is WhatsApp.

Every day, millions of people use WhatsApp to communicate with businesses, large and small.
In today’s world no one can assume their lives without it as it became the inseparable part of
everyone’s lives. According to the statistics, more than 2 billion are the active users of the
whatsApp1. But the recent updating of the certain policies of WhatsApp has left many unnerved
as data privacy has become a significant cause of concern. WhatsApp announced its new data
privacy policy in early February and prompted the users to comply with it by February 8, 2021.
However, due to an intense public misperception and confusion, WhatsApp eventually delayed
the implementation till May 15, 2021. WhatsApp currently offers three services to the users,
namely, WhatsApp (for personal chats), WhatsApp Business (for small service providers and
businesses) and WhatsApp API (for integrating the applications of larger organizations and also
1
https://www.statista.com/statistics/1306022/whatsapp-global-unique-users/
used by the government). The change in WhatsApp’s Privacy Policy majorly impacts the
WhatsApp Business application and not as much the other services. According to the new
privacy policy, WhatsApp will share user-data with other Facebook companies only2.

However, the WhatsApp claimed that these policy update does not affect the privacy of user’s
messages with friends or family in any way. The changes are related to optional business features
on WhatsApp, and provide further transparency about how they collect and use data. However,
there is much general misconception regarding the new privacy policy of the WhatsApp. To
begin with, the users are under this misconception that WhatsApp will tap into their chats,
communications, and media sharing through this metadata and make them public despite all
communications continuing to remain end-to-end encrypted. Another common misconception is
that as a result of collecting this, WhatsApp will now know who the user is interacting with on
its platform.

Although, the WhatsApp claimed that it is an incorrect inference because WhatsApp doesn’t
maintain log of the user. It is worth noting that user metadata is not equivalent to personal data,
and every other platform collects it to operate smoothly. Metadata is mostly the data used to
identify user’s device’s general location, IP addresses, time zone, phone model, OS, battery
level, signal strength, browser, mobile network, ISP, language, time zone, usage patterns,
diagnostic reports (in case your application crashes) and even IMEI.

If we look upon the expert’s opinion, they insist that it’s not just about the sensitive personal data
but having access to the phone numbers itself is a major win for the social media giant. Before
acquiring WhatsApp, Facebook had no access to phone numbers unless voluntarily given by its
users. Hence, linking Facebook profiles with WhatsApp accounts would undoubtedly help
Facebook influence user behaviour.

The updated policy also mentions collecting IP addresses, and other information like phone
numbers and area codes are likely to point to the location of the user even if the location data is
explicitly not collected. The biggest worry is that as part of the new policy, WhatsApp may start

2
https://www.financialexpress.com/industry/technology/whatsapps-new-policy-a-privacy- bogey/2270823/lite/
processing payment/transactional information of its users, and it includes the transaction amount,
shipping details, amongst others.

Now, the doubt which often arises why one should accept these policies. The answer to this
query is that if one doesn’t accept the new privacy policy, the users won’t lose full functionality
immediately as the company will gradually disable all the features. WhatsApp is saying that it
will continue to send the reminder to accept the new policy, and after a period of several weeks,
the company will limit the functionality for those who don’t accept the update3.

Nothing is the product of a single night there is a huge history or timeline behind the creation of
something. Similarly, in the case of the WhatsApp’s policies updating the story begins in 2016
when Whatsapp declared a shift to its privacy policies as a part of the Facebook family of
companies it would share information with Facebook. On 26th August 2016, a writ petition was
filed in Delhi high court by petitioners for protecting the rights of users of the application. In
September 2016, the High Court of Delhi discarded the writ petition and granted partial
relaxation to the petitioner. In response towards this order, a Special Leave Petition was filed
with the Supreme Court (Civil) seeking, first of, whether the privacy policy infringes the right to
privacy of its user groups, furthermore, whether the failure of the user to share their data with
Facebook is impermissible and, lastly, whether the way in which WhatsApp obtains user assent
is misleading.

The Supreme Court on September 6, 2017 required Facebook and Whatsapp to file affidavits
explaining what data is being shared by them, which were duly filed by the respective
respondent.

3
https://indianexpress.com/article/technology/social/whatsapp-heres-why-you-will-have-to-accept-the-messaging-
apps-new-privacy-policy-limit-of-features-7310480/
The case of Karmanya Singh Sareen vs. Union of India 4 revolves around the protection of
personal data and the right of privacy guaranteed under the Constitution of India, which is
contended to be exploited by WhatsApp under the New Privacy Policy of 2016. The Petitioners,
Karmanya Singh and Shreya Sethi, two messaging app users, contended that the new policy aims
to gather all details pertaining to any WhatsApp account, such as phone numbers, addresses,
comments, system information, as well as third-party records that can be used to fund activities,
evaluate consumer accounts and acts, and advertise their services.

The Special Leave Petition filed by Sareen argues that the WhatsApp Privacy Policy violates
Section 72 of the Information Technology Act. Section 72 is a provision penalizing for breach of
confidentiality and privacy. The petitioners claim that since WhatsApp has been sharing such
information, it is in direct contravention of this section. It is alleged that WhatsApp is also
violating the Information Technology (Reasonable security practices and procedures and
sensitive personal data or information) Rules, 2011, which mandate full and true disclosures with
respect to Privacy Policies. At last, since WhatsApp is sharing personal user information with
Meta companies, it is in violation of the Right to Privacy which is now a fundamental right
within the ambit of Article 21.

The question of the hour was whether the WhatsApp’s privacy policy issued in January 2021
violates the right to privacy which is a facet of the right to life under the Article 21 of the
constitution of India. The decision on the petition is still underway and, with a clear
acknowledgement of the fundamental right to privacy, it is anticipated to be a testing ground as
to whether the implementation of that right is intersecting. More explicitly, it is likely to be a
predictor of whether the positive responsibility of the State is exhausted or at least legally
satisfied with the implementation of the Data Law on Protection. While the court has denied
immediate relief, it has asked WhatsApp, Twitter and Google to submit responses relating to
their policies on disclosure of information to third parties.5

4
https://blog.ipleaders.in/karmanya-singh-sareen-union-india-whatsapp-facebook-privacy-case/

5
https://theprobe.in/the-whatsapp-privacy-policy-saga-indias-data-protection-regime-and-you/
The Supreme Court has been careful to ensure that the contours of informational privacy are
established while leaving the drafting to the legislature. In fact, the data security lawsuits brought
since the judgment have exposed some of the most significant shortcomings of the new data
protection system. With a verdict of the Supreme Court on such cases and laws, it can be
expected that India can make significant progress in data safety. The case was pending for the
final hearing on January 17, 2023. Data is the new oil. Therefore, like any other mining drill, it
needs a protection framework. India still awaits a comprehensive data protection bill. However,
India’s pursuit of data protection dates back to 2008. The companies have an obligation to

protect this data with reasonable security measures. Although the rules exist, they do not address

the intricacies of data protection and data flow in today’s world.