(Updates from the SCOI) WhatsApp-Facebook Data Sharing (Day – I): From Content to Metadata

Today marked the first substantive hearing in the petition challenging the Delhi High Court’s judgment upholding WhatsApp’s updated privacy policy. Summaries of arguments in the previous hearings in this case can be found here and here. Curiously, despite the petitioners’ counsel being available in Court, the Court asked the counsel appearing for the intervenor to lay out the issues in the case. As mentioned earlier, the Internet Freedom Foundation had filed an intervention application, which had been allowed by the Court on the last date of hearing.

IFF’s counsel began by apprising the Court that India lacked a statute on data protection. He argued that the absence of a legislative framework allowed corporations to collect extensive data, including metadata. This, he contended, enabled these corporations to aggregate information and create an extensive profile of an individual, including revealing sensitive information such as that related to health and sexual preferences. The lack of a data protection authority or commissioner resulted in lack of knowledge about how personal data is held and exploited. He argued that in such a scenario, the Supreme Court must step in and hold that the state has a positive obligation to protect the rights infringed as a result of such data practices. In his view, exploitative data practices infringed an individual’s right to free speech enshrined under Article 19(1)(a) as well as Article 21. He located this positive obligation under Article 17 of the International Covenant of Civil and Political Rights (ICCPR), to which India is a signatory, as well as Article 12 of the Universal Declaration of Human Rights (UDHR).

Before he could continue, the counsel for Facebook Inc. objected to the case being heard on the ground that the existence and scope of a right to privacy had been referred to a larger bench for determination. (In 2015, a three-judge bench of the Supreme Court had cited some ambiguity in the jurisprudence on the right to privacy and referred the issue to the Chief Justice of India). At this point, the petitioners’ counsel responded, stating that the case at hand included possible violations of Articles 19(1)(a), 19(1)(c), 19(1)(d) as well as 21. She stated that the petitioners were basing their claims on these rights dehors a right to privacy. However, she also clarified that the right to privacy continued to exist under statutory law, common/tort law as well as under international covenants. She argued that foreign corporations could not be allowed to take advantage of a lacuna (if any) in the law till the time the larger bench decided the issue. In her view, there were laws in place to address the issues at hand.

Both counsels also apprised the Court regarding Italy’s anti-trust regulator fining WhatsApp €3 million for the same privacy policy and a German Administrative Court upholding the Hamburg Data Commissioner’s order to stop transfer of data between both entities for German users.

The intervenor’s counsel set out Facebook’s model for targeted advertisements, which allows advertisers to customise their audience. This targeting is in a large part, facilitated by the collection of metadata such as information about one’s device, network information, location etc. Before he could complete, Facebook’s lawyer again objected to this line of argument stating that none of these facts or issues had been raised before the High Court or in the main petition and would consequently warrant a separate response. The Court attempted to steer the proceedings back to WhatsApp’s privacy policy and asked the intervenor’s counsel to show how it infringed rights.

He argued that the some of the terms were in contradiction with WhatsApp’s stated claim of providing end-to-end encryption. These included their practice of retaining popular ‘content’ for a longer duration of time and stating that they do not retain messages in the ‘ordinary’ course of providing their services. On the aspect of metadata, it was argued the terms allowed for collection of extensive information (such as IP addresses, mobile device and network information as well as location information) and allowed its use and disclosure to several third parties, including Facebook. An analysis of these terms can be found here. Further, it was argued that while the 2012 policy clearly articulated what information WhatsApp did not collect, this was absent under the new policy. Additionally, the age for children to create an account was lowered from 16 to 13 years. He also argued that there was no informed consent with respect to accepting these changes.

In Justice Mishra’s view, arguments on consent were unhelpful as they brought the issues within the frame of contractual obligations. He urged the counsel to advance arguments on how the policy impacted individual rights. Recognising the value of metadata, he framed the issue as whether commercial exploitation of information pertaining to an individual’s identity had an impact on rights.

The counsel for Facebook India Ltd. shared with the Court that only a user’s phone number, device identification, account registration details and their ‘last seen’ status was shared with Facebook. This is significant, because the privacy policy is silent on this, and neither Facebook nor WhatsApp have explicitly stated this before.

Continuing with his arguments, the intervenor’s counsel argued that –

1. WhatsApp’s updated policy impacts the freedom guaranteed under Article 19(1)(a) and 21 – Article 19 was distinct from the other rights under the Constitution because it guaranteed (a right to) freedoms, and not solely a right. This was necessary for the self-fulfilment of an individual (Indian Express Newspapers v. Union of India (1985) 1 SCC 641). The extensive and unregulated collection of information by WhatsApp and Facebook inhibited this freedom, creating a chilling effect. The feeling of being under surveillance also attracted rights enshrined under Article 21.

Further, Article 17 of the ICCPR and Article 12 of the UDHR cast a positive obligation on the state to enact measures that would allow these rights to be meaningfully exercised.

2. There can be no waiver of fundamental rights guaranteed under Article 19(1)(a) and Article 21 – While several arguments were sought to be raised on the issue of consent, only this was urged, as Justice Mishra reiterated his objection to this line of argument. Citing Basheshar Nath v. CIT (1959 (Suppl) 1 SCE 528), it was argued that there can be no waiver till the person waiving her rights is fully informed as to her rights and abandons them with full knowledge.
3. Data protection laws of foreign countries prohibit sharing of personal and sensitive data without free consent – The counsel took the Court through the provisions of the German data protection statute for guidance. Importantly, provisions emphasising on certain inalienable rights (such as that of access, rectification and erasure) were also brought to the Court’s notice.
4. Right essential to exercise a fundamental right must be deemed to be a part of that fundamental right – He elaborated on the importance of ‘penumbral rights’ as articulated in the landmark United States Supreme Court decision Roe v. Wade and argued that a right essential to enjoy other fundamental rights would in itself be fundamental. He also cited Olga Tellis v. Bombay Municipal Corporation for this proposition.

In conclusion, the intervenor’s counsel laid out the reliefs sought from the Court – that data protection guidelines be framed by the Court till such time as the Parliament enacted a legislation. Alternatively, WhatsApp should be directed to provide all users with the opt-out clause (even after the thirty day period, as was provided), while continuing to access the service.

After almost an entire day’s hearing, the Court thought it appropriate to give the respondents a chance to raise the issue of maintainability – that is, to determine whether the petition was fit for hearing before the Court or not. Counsel for Facebook Inc. argued that –

1. The issue was purely in the realm of contract and the petitioners were precluded from any remedy under public law.
2. Neither Facebook nor WhatsApp were ‘state’ or agents or instrumentalities of the state so as to attract the Court’s writ jurisdiction
3. Under its terms, WhatsApp had reserved its right to renew its policies in the event of an acquisition or a merger.
4. The petitioners could not claim to speak for all users of WhatsApp and their grievances regarding consent would only be applicable to them and not others.
5. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under the Information Technology Act 2000 provided a statutory regime for the regulation of services such as WhatsApp and Facebook.

The arguments on maintainability will continue tomorrow and the petitioners as well as the intervenor will be asked to respond to the submissions advanced.

Advertisement