WhatsApp’s New Privacy Policy

WhatsApp is the top messaging platform used in India with 52% market share and India is the largest market for it with more than 34 crore users. Recently, in January 2021, WhatsApp updated its privacy policy which stated that it may share information of any of its users with its family of companies. This update led to serious apprehensions regarding the privacy concerns which the new policy poses.  The policy update aimed to highlight how the user data will be impacted in case of interaction with a business and provided details on WhatsApp’s integration with Facebook, its parent company. Even though Whatsapp issued a clarification assuring that user’s personal data with friends and family would not be affected and the changes are only concerned with interaction with a business. However, even after such clarification, there has been wide criticism of the policy update and it has shed light on the wider concern about data protection. 

What are the changes in the new policy update?

As clarified by WhatsApp, with the new policy update, the personal chats remain protected and end-to-end encrypted signifying that third parties will not be able to read it. Along with this, personal messages will not be used to target ads on WhatsApp and shared locations cannot be seen or shared with Facebook or any other platform. 

However, chats and content shared with a business will be accessible to “several people in that business”. For example, if a business is operating on WhatsApp and it has a database of clients then the business on the other side will also be able to see the conversations in order to show targeted ads on Facebook, Instagram etc. Some businesses work with other third-party service providers like Facebook to handle the communications and business with their customers. WhatsApp has also clarified that it will clearly label the chats with a business so that the users have the option to decide whether they want to be in a conversation or not because the details of it can be used to show targeted ads. 

Information related to account registration, service-related information, IP address and mobile device information will be shared with Facebook and other family companies of WhatsApp. The users have to accept the policy changes and if a user does not want to then the user has to delete the account. WhatsApp proposed large scale media ads to maintain the trust of its users and even deferred the implementation of the policy changes till May 2021 but it still has not cleared the apprehensions of the users about the data.

What are the privacy concerns?

● The Take it or Leave it Approach: The new policy of WhatsApp has not given much freedom to its users. If they disagree with the policy then they have no other option but to quit WhatsApp after the changes come into effect. It is pointless to quit WhatsApp and move to other Facebook products because the concerns will still be there. After the nation-wide criticism, other messaging apps like Signal, which is run by non-profit organizations, have gained much popularity. Due to the immense popularity of WhatsApp, the take it or leave it policy of WhatsApp is a direct abrogation of the rights of its users.

● Metadata Sharing: Even though WhatsApp ensured that its end-to-end encryption feature is still there in the new policy, it can share a user’s metadata which is essentially every other thing beyond the actual textual conversations. Metadata gives a full profile of a person’s online presence which is potentially more dangerous. The data can be anything ranging from attributes of identity, financial data, biometric data, religion and even political beliefs. 

● Contrary to the recommendations by Srikrishna Committee Report: Srikrishna Committee Report forms the basis of the Data Protection Bill, 2019 pending in the Parliament. The report stated that information is to be used for the purposes which should be reasonably linked with the purpose for which it was provided, which is also covered under Section 5 of Data Protection Bill 2019. Under this section, for example, financial data collected by WhatsApp cannot be used by Facebook or any other platform to target users with advertisements by related businesses.  But with the new policy update, WhatsApp is subtly providing for commercial exploitation and micro targeting by businesses and political campaigns along with Facebook. It is a fact that WhatsApp does not have a satisfactory record of data protection of its users and the Cambridge Analytics Data Scam is a proof of it. 

● Lack of legal framework: The Supreme Court in the K.S Puttaswamy v. Union of India judgement, declared the right to privacy as a fundamental right and this includes the right to control the usage of one’s data. The State has the obligation to protect the rights of its citizens especially when a private legislation is absent. Even though this new policy applies to every country including the US and Europe. The users in the European Union get more control over their data sharing because of its General Data Protection Regulation. GDPR is the most comprehensive and strictest privacy policy in the world. Users in the EU can also demand for full erasure of their information and they also have the option to withdraw their consent given to WhatsApp for processing of data. This option is not available in any other country. Apart from this, the policy can also affect other competitive businesses which are not associated with Facebook for marketing their services and hence it would lead to a monopoly by it in the digital marketing arena thereby leading to concerns in the antitrust and anti-competitive policies. 

Way Forward

India has not yet implemented the Personal Data Protection Bill and hence there is no control exercised over how user data is processed by tech companies. The Data Protection Bill 2019 has been languishing since the past two years now. If India had a strict and functional data protection law in place, then WhatsApp would not have been able to implement this update in the first place. The principle of purpose limitation would have made this update illegal in India. Along with this, there is a need to make the general public aware about the issue of data privacy because usually privacy policies are difficult to comprehend. The data privacy of billions of people in India is too precious to be left at the whims and fancies of commercial enterprises like WhatsApp. The Data Protection Bill is the need of the hour. Yet again, this is a classic case of an organization utilizing its monopolistic powers to implement something which is clearly not in the larger public interest.