Date: 2021-07-09

ARTICLE

Co-author - Rohit Gupta, penultimate-year student at West Bengal National University of Juridical Sciences.

I. INTRODUCTION

In January 2021, WhatsApp rolled out a new Privacy Policy and Terms of Service. While it is undeniable that WhatsApp has broadened the use of its users' personal information, the legal challenges do not seem well founded. This article attempts to supplant hysteria with an objective analysis of current data protection regulations. Rather than vilify a company for following the letter of the law, India should focus on why there isn't a better one.

II. WHERE DOES THE LAW STAND?

As compared to the Personal Data Protection Bill, 2019 ("PDP Bill"), the law as it stands is much less demanding of companies in the business of collecting and using their users' data. Under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the only data collected by WhatsApp that may be classified as sensitive personal data ("SPD") is that relating to "financial information such as Bank account or credit card or debit card or other payment instrument details". Account information, contact list details, usage and log information, and network connection and other location-based information are classified as 'personal information' rather than SPD, and do not warrant the application of provisions detailed below.

To collect SPD, the SPDI Rules impose obligations on corporates relating to (1) receipt of express consent and adoption of reasonable measures to facilitate an informed choice as to collection and processing of SPD, (2) limitation on collection, use, and storage of data to that which is necessary for a lawful function or activity, (3) availability of a withdrawal mechanism, before or during collection of data and accompanying use of service, and (4) restriction upon disclosure of SPD to a third party, unless consented to.

Interestingly, Rule 5(7), providing for the existence of a withdrawal mechanism, empowers corporates "not to provide goods or services for which the said information was sought" if the data subject does not provide the requisite information or withdraws consent subsequently. Notification requirements, in this respect, are restricted to the type of data collected, the purpose of collection, the necessity and channels for disclosure to third parties, and the contact details of the intended recipients of such data.

The data protection map of India, however, does not end with the SPDI Rules. All legislation is also subject to interpretation by the judiciary which, over the years, has filled some gaps and opened others. The recognition of informational privacy and self-determination as a fundamental right was one such godsend which revolutionised the data protection landscape in India.

In the words of Justice Chandrachud, "informational control empowers the individual to use privacy as a shield to retain personal control over information pertaining to the person." In doing so, he also alluded to the 'mosaic theory of privacy', affirmed by the Supreme Court of the United States, which holds that long-term collection of unassuming or insignificant data or metadata may produce an aggregated mosaic which could reveal an obtrusive portrait of an individual (including "nature of the personality: food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation").

Interestingly, the Delhi High Court, hearing current challenges to WhatsApp's Privacy Policy, noted that users are not mandated to partake in such data sharing processes and may, just as easily, shift to other messaging networks if they are dissatisfied. Interactions with businesses can be restricted by each user by opting out from conversing with them over WhatsApp. Alternatively, users may seek independent platforms of businesses or utilize other hosting services contracted with by businesses to engage with them. In such cases, users may restrict data sharing with WhatsApp and other Facebook companies, unless provided for by the privacy policies of the respective businesses.

In 2016, too, the Delhi High Court, presiding over a challenge against WhatsApp's then revised policy, mandated the implementation of an opt-out mechanism to sharing data with Facebook which was only available for a period of thirty days. Thereafter, it was permissible for WhatsApp to restrict services to only those onboarding users (after September 25, 2016) who accepted its Privacy Policy. While the matter is currently pending adjudication before the Supreme Court, we can come to the conclusion that the mere absence of an opt-out clause cannot result in the invalidation of the policy in its entirety.

III. WHATSAPP'S NEW PRIVACY POLICY AND TERMS OF SERVICE: AN ACTUAL OVERREACH OR PARANOID PROTECTIONISM?

So, are WhatsApp's new Privacy Policy and Terms of Service incompatible with this framework? The key is to understand that the collection and processing strategies adopted by WhatsApp are not novel. WhatsApp collects account information (name and phone number, etc.), contacts in one's address book, transaction and payments data (for users of WhatsApp Pay), activity data (manner and duration of interaction with WhatsApp Services), and device and connection data (such as hardware information, ISP information, IP address, unique identifiers), etc.

The change in policy has been with respect to the collection and sharing of data associated with third-party service providers who choose Facebook's hosting services to manage customer-end communications through WhatsApp. It is only here that the promise of end-to-end encryption is not extended, and messages sent can be used by such businesses for marketing purposes.

An evaluation of the Privacy Policy reveals requisite compliance with all the requirements of the SPDI Rules. However, the criticism arising from an overzealous government may lead to incorrect and non-judicial compliance interpretations. For instance, the Privacy Policy allows users to withdraw consent by deleting their WhatsApp accounts, and thereby deleting data which is "no longer need[ed] to operate and provide" its services.

While WhatsApp clarifies the nature of data that shall be deleted (undelivered messages, message history, other account information, etc.), it does not clarify the nature of residual data that shall be retained (apart from log records). However, a grey area exists in determining the extent of information required for the constitution of 'informed consent'.

As echoed by the General Data Protection Regulation, information provided must be granular to the extent that it is not "unduly disruptive or confusing". The use of indicative terms which save users from hyper-technical language cannot necessarily be seen as non-compliance. Introducing such subjectivity within the standard for 'informed consent' may also open a floodgate which burdens corporates with discharging their obligations according to the degree of digital literacy exhibited by each class in their target audience and otherwise.

WhatsApp's policies also seem to be industry practice. The privacy policies of Discord, Viber, Truecaller, Zomato etc. also highlight that they collect data related to device information, IP address, interaction with websites and businesses, unique identifiers etc. They also notify users of their policies in a similar manner, with notifications appearing at the top of conversations, detailing the data collection activities of their respective platforms.

This is where the importance of informational autonomy empowers and expects users to not just possess a right of control, but to exercise the same by remaining vigilant as to the trajectory of their data. The foundational principle of caveat emptor (buyer beware) comes into play here. Governmental regulation, especially executive mandates, should not be reshaped to act as its dilutant.

The clickwrap method of obtaining consent, through a one-touch 'I Agree' button, has been posited as vitiating any possibility of the exercise of informed agency. Per se, such 'take-it-or-leave-it' contracts are not illegal, if they do not violate the doctrine of unconscionability, i.e., the imposition of unreasonable terms and conditions between unequal parties. In this regard, the Supreme Court, in 1995, held that 'dotted line' contracts do not afford an opportunity for negotiation, leading individuals to either accept the unreasonable terms or to forego the service entirely.

The mere lack of opportunity for negotiation does not make such contracts unreasonable, since such a requirement would put an enormous burden upon corporates to open negotiation channels for each user. Unreasonableness may only include practices such as 'consent fatigue', by which data subjects are exhausted into assenting by being redirected to multiple webpages for the purpose of accessing basic terms of a service's privacy policy. Thus, the mere clickwrap nature of these contracts must not be exaggerated to imply unconscionability.

Lastly, the concern raised as to the enactment of different privacy policies for the European Economic Area and the rest of the world is a non-issue. Since WhatsApp and India are not privy to a 'most-favoured-nation' clause, WhatsApp is under no obligation to go above and beyond the requirements of India's privacy framework to provide GDPR-like safeguards. From a business and service providing perspective, WhatsApp, and like companies, cannot be expected to act as surrogates of the Government, ensuring more protections than are recognized for citizens. That is precisely why the more granular PDP Bill was formulated. Is the Government setting a precedent on the interpretation of the SPDI Rules, to compensate for its delay in passing the PDP Bill?

IV. BUT SOMETHING MUST BE WRONG, RIGHT?

That is not to say, however, that WhatsApp is completely in the clear. For instance, users are exposed to the mercy of other users who may force-add the former into group chats or on their broadcast lists without their permission or consent. Often, this feature is used by WhatsApp business accounts for pushing target marketing services by sending across bulk messages to profiled potential customers based on previous interaction and data provided by Facebook and other associated companies. Similarly, users who allow WhatsApp to access their contact directory also circumvent the consent of non-users into providing their contact details to a third party.

V. SO, WHAT NOW?

Report from the field? WhatsApp, as a response to MEITY's notice, has resolved not to limit the functionality of its services until the PDP Bill comes into effect. It would be interesting to see whether its Privacy Policy now holds up against the Bill, heralded as India's much-needed data protection fix, albeit with its own set of disappointments.

