Article by Vijay Pal Dalmia, Advocate, Supreme Court of India and Delhi High Court, Partner & Head of Intellectual Property Laws Division, Vaish Associates Advocates, India

Have you ever rummaged about something on the internet and opened a social media platform only to realise that it is now suggesting you advertisements of similar type of products and wondered how did they even sense the same in the first place?

From an individual's buying preferences to his/her health status, it is all covered under the ambit of Personal Data of an individual. Personal data is the data which is attributable to an individual/organization and helps in identifying their identity. This data cannot be freely disseminated by anybody without the prior permission of the subject.1 This is essentially what data protection laws envelope. These laws are legislated with the aim to protect the user's personal data from potential misuse by big corporations and the government in pursuance of their own respective agendas.

In this Article, the author attempts to enlighten the readers with the status quo as to the data privacy laws in India, why there is a need for a concrete data protection law in India and how consent even though superficially present in the contracts with such platforms is not present in its truest sense, thus rendering these contracts between the corporations and the users moot. Further, the author urges an immediate action in this regard considering the flagrantly violative privacy policy launched by Whatsapp.


Unfortunately, Data Protection laws are equivalent to negligible in India. Only a few statutes ranging from Information Technology Act2 to its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules,3 concern themselves with data privacy.

This arena of law has been on the back hand of the government for legislation for quite some time now. This is mostly because data privacy laws are underemphasized in India and a layman himself is not aware of the significance of his own data. This lack of awareness and seriousness has led the users vulnerable to big corporations who exploit these weaknesses and thus misuse the data.

But through the landmark judgement of Justice K.S Puttaswami & another v. Union of India,4 the Honorable Supreme Court of India changed the landscape and outlook of people towards data privacy. The Judgment pronounced Right to Privacy a fundamental right under the ambit of Article 21 of the Indian Constitution.5 This judgement, in particular, raised awareness and made the general public realise that their data is truly intrinsic, important and therefore worthy of protection in the first place.

But despite such attempts by the Judiciary, no concrete law specifically for data privacy exists in India.


A plausible question that arises is that why the personal data of a person requires protection when it is not even the public domain without the owner's consent?  This question has two folds; first what is the rationale behind protecting the personal data when it is not even accessible to the public and second, what does the word consent imply and when can it be said to be truly given by the user.


Transaction-hijacking is a process wherein a platform may sense that a purchase is imminent and leap with an offer from a competitor offering more favorable terms.6 If put in simple words, the personal data marks a very small yet the most crucial part of a bigger marketing gimmick of these big corporations. The genesis of this gimmick stems from the idea that advertisers pay to get themselves advertised on social media platforms due to the huge user base these platforms provide. These advertisers not only desire to make a person aware of their product or service but also wish to target a selective consumer base that would turn into a loyal customer base of their Brand in the future.

Now this evident gap of advertisers, finding their target customers at the customer's time of need of their product and customers finding the right brand at competitive prices is what is bridged by such social media platforms which have turned this situation into a money minting opportunity for themselves. In the garb of artificial intelligence, these platforms tap user data, their buying preferences, their health status, their user history and what not, to tap the current need of a particular user and then supply this 'private' data to these advertisers who are targeting customers of the sort.7

This helps the advertisers to actually convert potential buyers into loyal customer bases and fills the already copious pockets of these platforms in return. Such Social media platform, thus, possess the capability to cross index a user's searches with cookies left by the websites visited by the user.


In the aforementioned judgment,8 Honorable Chief Justice of India, S. A. Bobde observed that

"Consent is essential for distribution of inherently personal data."

After being sanctioned by Courts all around the world, Social Media Platforms do realise that they require the consent of the user for pulling off a gimmick of this sort. In pursuance of this, they create a mirage of such kind that the user can neither escape nor get hold of the same. These exploitative terms and conditions are so surreptitiously camouflaged with the general terms that a layman agrees to all these conditions without even reading them once, attributable to the naivety coupled with lack of care and time with the user. Further, even if they do read the terms and conditions of a particular platform as a conscious citizen, it bears them no fruit because they cannot proceed or access the platform without agreeing to these conditions.

These kind of contracts are qualified to be called as 'Standard form Contracts.'9A Standard form Contract (also referred to as a contract of adhesion, a leonine contract, or a boilerplate contract) is a contract between two parties, where the terms of the contract are set by one of the parties, and the other party has practically zero ability to negotiate more favourable terms and is consequently placed in a 'take it or leave it' position.10 While these sorts of contracts are not illegal per se, there exists a potential for unconscionability,11 unfair terms12 and inequality of bargaining powers13 between the parties.

In Life Insurance Corporation of India v. Consumer Education and Research Centre and others,14 the Hon'ble Supreme Court has observed that

"If a contract or a clause in a contract is found unreasonable or unfair or irrational one must look to the relative bargaining power of the contracting parties. In dotted line contracts there would be no occasion for a weaker party to bargain or to assume to have equal bargaining power. He has either to accept or leave the services or goods in terms of the dotted line contract. His option would be either to accept the unreasonable or unfair terms or forego the service forever. With a view to have the services of the goods, the party enters into a contract with unreasonable or unfair terms contained therein and he would be left with no option but to sign the contract."15

Furthermore, even if the reader, for once, allows a particular app to access some of the user's files or data, it is inherent in this contract that the consent to access this information pertains to only the particular action in question and not a general green signal given to the platform for limitless exploitation of data. For instance, users often allow these platforms to access a device's current location but the said permission only pertains to that particular task and not for these platforms to save in their servers for their own use in future. Nevertheless, these overpowering platforms use that permission to collect user data to fulfil their organisational agendas and use this automatically 'saved' information on their servers for other purposes outside the scope of this limited contract that the user had entered into with them.16

At the time of the initial signing up at the platform, the user does not sign up for exploitation in this sense and such power by the application to unilaterally alter the privacy policies, renders the initial contract of the user with the application meaningless and the entire scheme unconscionable.17

Thus social media platforms are exploiting personal data in the garb of consent of the users.


It can be clearly observed that the updated terms and conditions of the Whatsapp App qualify for being a standard form of contract as the user has no ability, opportunity and/or expertise to negotiate more favourable terms with the corporation and is consequently placed in a 'take it or leave it' position. As promulgated by the Corporation,18 any user who has not assented to these updated terms and conditions by February 8 202119 will be ousted from the network and will have to mandatorily uninstall the app. 

A potential question that now surfaces is that are these terms and conditions in violation of the fundamental right to privacy of the user?

The answer is clearly a 'yes.' After agreeing to the said terms and conditions, the user data base of Facebook, Instagram and Whastapp will be combined as per the parent company's wishes. Although what a user talked about will be end-to-end encrypted but whom did the user talk to, when did they talk to and where did the user talk to is not end-to-end encrypted. This data would be shared to third parties such as businesses to further the parent companies' objectives of exploiting the user data to mint money.20

This move is expected to be beneficial for third parties such as businesses who could now have exposure to a huge database of users and can shift their customer care centres from Text messages and call to Whatsapp with convenient features like Chat bots that Whatsapp provides.  

The said terms and conditions are in unequivocal violation of the fundamental right of privacy of the user and expose the user to potential data leakage. Thus, these terms are unconscionable and unfair in nature, extent and scope; arising from the inherent inequality of bargaining powers between the parties in the said circumstances.

In conclusion, legislation of a concrete privacy protection law in India is the need of the hour, to prevent the users from exploitation.  The dangerous potential of these platforms to unlimitedly aggregate information from its users without their real consent or knowledge coupled with the unawareness and callous attitude of the users in this regard is what privacy activists are most concerned about. Thus, the status quo demands and makes it inevitable that the personal data of the individuals be protected by the courts, if not the government.


1 Branislav Ondrasik, 'Death of the "Free Internet Myth', (2007) 1 Masaryk U J.L. & Tech. 7.

2 Information Technology Act 2000.

3 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

4 Justice K.S Puttaswami & another Vs. Union of India Writ Petition (CIVIL) NO 494 OF 2012

5 Constitution of India, Art. 21.

6 Brian Kane, 'Balancing Anonymity, Popularity and Micro-Celebrity: The Crossroads of Social Networking and Privacy' (2010) 20 Albany Journal of Science and Technology 327, 339.

7 Snyder v. Millersville Univ [2008] Dist LEXIS 97943 (US).

8 Justice K.S Puttaswami & another Vs. Union of India Writ Petition (CIVIL) NO 494 OF 2012.

9 M Siddalingappa v. T Nataraj [1970] AIR 154 (Kant). 

10 D.C.M. Ltd. v. Assistant Engineer (HMT Sub-Division), Rajasthan State Electricity Board, Kota [1988] AIR  64 (Raj).

11 Ferro Alloys Corpn. Ltd. v. A.P. State Electricity Board and anr [1993] AIR 183 (AP).

12 Central Inland Transport Corporation Limited v. Brojo Nath [1986] AIR 1571 (SC).

13 Superintendence Company of India (P) Ltd v. Sh. Krishan Murgai [1980] 3 SCR 1278.

14 Insurance Corporation of India v. Consumer Education and Research Centre and ors [1995] 5 SCC 482.

15 Central Inland Transport Corporation Limited v. Brojo Nath [1986] AIR 1571 (SC).

16 Helen Anderson, 'A Privacy Wake-Up Call for Social Networking Sites?' (2009) 20(7) Entertainment Law Review 245.

17 Brian Kane, 'Balancing Anonymity, Popularity and Micro-Celebrity: The Crossroads of Social Networking and Privacy' (2010) 20 Albany Journal of Science and Technology 327, 339.

18Nandana James, 'WhatsApp's new privacy policy: Yet another reason why India needs data protection law' The hindu Business Line (Mumbai, 10 January 2021) (  

19 Shruti Dhapola, 'Explained: What is new in WhatsApp's privacy policy' The Indian Express (Chandigarh, 12 January 2021) (

20 Dr. Mohan Dewan, 'Personal Data Protection Laws in India' (R K Dewan, 13 May 2020) ( accessed 11 January 2021.

© 2020, Vaish Associates Advocates,
All rights reserved
Advocates, 1st & 11th Floors, Mohan Dev Building 13, Tolstoy Marg New Delhi-110001 (India).

The content of this article is intended to provide a general guide to the subject matter. Specialist professional advice should be sought about your specific circumstances. The views expressed in this article are solely of the authors of this article.