The learned senior advocates Kapil Sibal and Arvind Datar submitted to the Delhi High Court that WhatsApp’s contentious new privacy policy came into effect from May 15, 2021. Mr. Sibal raised the central question of national importance, “The question is, does India have a public policy for privacy? If a public policy of privacy is there in India, does it apply to WhatsApp policy?” This question acquires relevance due to the dominant market status of WhatsApp-Facebook-Instagram. In its affidavit to the Delhi High Court, WhatsApp defended its privacy policy and explicitly named Google, Microsoft, Zoom, Zomato, Republic World, Ola Cabs, Truecaller, Big Basket, Koo, and public companies such as Aarogya Setu, Bhim, Air India, Sandes, Government e-Marketplace, and the Indian Railway Catering and Tourism Corporation of having similar policies, of relying on collecting user data.
Also read | Centre asks WhatsApp to withdraw privacy policy update
Advantages of WhatsApp
In the submission, WhatsApp suggested that users who did not agree to its terms and conditions could discontinue use of its service. Apps such as Signal and Telegram provide alternate reliable communication services. While this is a reasonable option for urban users of messaging apps, researchers working with rural and disenfranchised sections have pointed out the reliance on WhatsApp’s services due to the design of the app. WhatsApp has an inherent advantage with its messaging and audio-video calling even in low-bandwidth Internet areas. This has to be seen in conjunction with WhatsApp Pay which allows users to transfer money to others. Thus, a mass migration to more privacy-respecting services appears near-impossible due to vendor lock-in. The observation of the Competition Commission of India that WhatsApp is misusing its dominant status appears relevant here.
Editorial | Fitful approach: On WhatsApp privacy policy and need for data protection laws
The claim that the new privacy policy is applicable to only the business version of the app is not comforting. This is because metadata from the non-business versions are already being exchanged with other services of the Facebook company. Profiling of individual users has already been well documented with the exposure of the Facebook-Cambridge Analytica scandal both internationally and in India. For businesses using WhatsApp, there would be a reasonable expectation that the services would be more secure than the normal version. Thus, diluting the privacy policy for the business version appears counterintuitive. Looking at the practices of large monopoly businesses wherein smaller companies are bought out or innovative services are copied in order to increase the customer base provides an answer. Thus, one would have to surmise that it is possible to extract metadata from documents that are exchanged over a communication app with a diluted privacy policy. The lessons learned from the United States v. Microsoft Corporation antitrust case from early 2000 would appear relevant in this context.
Data protection
We would have to understand that a WhatsApp exception, as suggested by Mr. Sibal, would only open the floodgates to further privacy violations by both the state and private entities dealing with user data. There is the issue of potential violation of privacy of children through Ed-Tech apps due to the lack of both a comprehensive ethics policy and a data privacy law akin to the European General Data Protection Regulation (GDPR). In the context of services provided by the above-mentioned companies, the Personal Data Protection Bill of 2019 does not even attempt to provide a fig leaf of protection to users of services.
To ensure that the privacy of the Indian citizen is protected in the digital sphere, the data protection Bill needs to be reformulated to ensure that it focuses on user rights with an emphasis on user privacy. A privacy commission would have to be established to enforce these rights. The government would also have to respect the privacy of the citizens while strengthening the right to information. There is an overarching need for a strong data protection Bill.
Vikram Vincent holds a PhD from IIT Bombay
COMMents
SHARE