(Updates from the SCOI) WhatsApp-Facebook Data Sharing (Day – II): Can Fundamental Rights be Exercised Against WhatsApp?

The hearing in the petition challenging WhatsApp’s privacy policy continued today. Arguments made during the course of yesterday’s proceedings can be accessed here. Before the respondents could resume their arguments on maintainability, the Additional Solicitor General made a brief representation on behalf of the Central Government. He submitted that even if the Court finds that a writ lies against the Government, it should refrain from issuing it as the Government was already in the process of framing a statutory regime for data protection. He stated that these binding regulations could be in the form of a statute, rules or Executive directions.

Counsel for Facebook subsequently resumed his arguments on the issue of maintainability of the special leave petition. He argued that the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘2011 Rules’) along with other provisions of the Information Technology Act 2000 (‘IT Act’) provided a complete regime for the collection, use and disclosure of personal information. He contended that it was not open to the petitioners to argue that these rules were insufficient, as that was squarely within the realm of public policy. Particularly with respect to the 2011 Rules, he stated that WhatsApp did not collect any of the eight categories of information covered by the definition of ‘sensitive personal data or information’[1].

The Court sought clarity on whether the respondents were covered by the 2011 Rules. For the intervenor, it was submitted that metadata was outside the ambit of the 2011 Rules. The petitioners’ counsel reiterated this, and also stated that the 2011 Rules were limited to only ‘sensitive personal information or data’, which excluded important information such as phone numbers. She also pointed out that on 24th August 2011, the Ministry of Communications & Information Technology had released a ‘clarification’, which restricted the applicability of the 2011 Rules only to companies located within India. All parties (as well as the bench) were baffled as to how a clarification could limit or amend the scope of statutory rules. For the time being, it appears that the Court will not be taking cognizance of this clarification.

Justice Dipak Mishra opined that an aggrieved citizen would be entitled to an alternate remedy if a violation of the rules also constituted a violation of a fundamental right. Facebook’s counsel responded stating that there was no violation of the rules in the instant case and that in any case, they were not required to take consent at all, considering they did not collect any sensitive personal information.

At this point, the Bench posed two questions to the petitioners. It asked for a clarification on the information collected by WhatsApp and an explanation on how metadata was generated. The petitioner’s counsel took the Court through several clauses of the policy including one where WhatsApp reserved the right to create ‘derivative works’ out of the content of a user’s message. She argued that notwithstanding the claim of end-to-end encryption, the language of the policy was ‘suitably ambiguous’ regarding access to content of messages. She also emphasized WhatsApp’s access to other information, such as a user’s phonebook, which included numbers of individuals who were not users of the service. She argued that there was no privity or consent in the latter circumstance. With respect to metadata, she highlighted how it had the potential to reveal much more than actual data, enabling the private corporations to draw behavioral patterns. In her view, the fact that WhatsApp had been bought over for $19 billion signified that access to this data was a ‘goldmine’ for Facebook.

On behalf of Facebook, it was urged that besides the 2011 Rules, Sections 43A (compensation for failure to protect data), 45 (residuary penalty), 46 (power to adjudicate), 79 (exemption from liability of intermediary in certain cases) as well as the Information Technology (Intermediaries Guidelines) Rules 2011 created a complete code for the regulation of WhatsApp. It was also clarified that the sub-license clause in the policy was a standard clause, required to convert the message into its encrypted form. Additionally, Facebook offered to submit an affidavit to the effect that WhatsApp had not and could not access the content of a message.

Facebook elaborated on two other arguments made by it on the previous day –

  1. The Court’s writ jurisdiction could not be invoked against a private party where the dispute was purely contractual. He also argued that neither WhatsApp nor Facebook performed a public function, or owed any public duty. Reliance was placed on Jatya Pal Singh v. Union of India (2013) 6 SCC 452, where the Supreme Court had held that service provided by telecom operators in a competitive market for commercial purposes did not amount to a public function. It further held that in order to establish public function, a party would have to ‘prove that the body seeks to achieve some collective benefit for the public or a section of public and [is] accepted by the public as having authority to do so.’
  2. All submissions were couched on the issue of privacy or some form of it, which could not be raised in light of the pending reference. Facebook’s counsel took the Court through the reference order of 11 August 2015, highlighting that the determination of the very existence as well as scope of a fundamental right to privacy had been referred to the Chief Justice of India.

In response, the petitioners argued that pursuant to Secretary, Ministry of Information and Broadcasting v. Cricket Association of Bengal (1995) 2 SCC 161, electromagnetic waves facilitating transmission were a public good. While private, messages sent through WhatsApp were riding on a public medium. As per WhatsApp’s own policy, the service was intended as a replacement for conventional text messages. It was argued that a situation where telecom services were heavily regulated and licensed but Over The Top (OTT) services were not was anomalous. At this point, Facebook’s counsel interjected urging that the nature of an open Internet must be preserved. He argued that WhatsApp used the network of service providers that were properly licensed.

The petitioners’ counsel clarified that the argument was only intended to draw a comparison between competing choices from the point of view of a consumer. She stated that while licensing would be undesirable, OTT services must be subject to some form of regulation. The counsel for the intervenor also urged that they were strongly opposed to a licensing regime for OTT services. He urged the Court to take note of Vishakha v. State of Rajasthan, where the Supreme Court had found that the state had failed to protect and fulfill its obligation of safeguarding fundamental rights. As a result, it had framed interim guidelines for the prevention and redressal of workplace sexual harassment that would be applicable to all workplaces. Drawing an analogy, it was argued that the Supreme Court must step in in this case to frame appropriate guidelines for the protection of personal data.

Another argument advanced on behalf of the petitioner was that the contract between an individual and WhatsApp was unconscionable, and consequently attracted public policy considerations. With a user base of over 160 million, India was one of WhatsApp’s biggest markets. However, considering that the service was used by children as well as those who may not be literate, it was argued that the Court must step in to protect against procedural as well as substantive unconscionability. Placing reliance on the Italian anti-trust regulator’s decision to subject WhatsApp to a heavy fine, it was urged that WhatsApp owed the same public duty to Indian users.

The case has been adjourned to 21 July 2017, when arguments on maintainability are likely to conclude. It is believed that WhatsApp’s counsel will make additional submissions on this issue.

[1] Sensitive personal data or information of a person means such personal information which consists of information relating to;—

(i)  password;

(ii)  financial information such as Bank account or credit card or debit card or other payment instrument details;

(iii)  physical, physiological and mental health condition;

(iv)  sexual orientation;

(v)  medical records and history;

(vi)  Biometric information;

(vii)  any detail relating to the above clauses as provided to body corporate for providing service; and

(viii)  any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:


(Updates from the SCOI) WhatsApp-Facebook Data Sharing (Day – I): From Content to Metadata

Today marked the first substantive hearing in the petition challenging the Delhi High Court’s judgment upholding WhatsApp’s updated privacy policy. Summaries of arguments in the previous hearings in this case can be found here and here. Curiously, despite the petitioners’ counsel being available in Court, the Court asked the counsel appearing for the intervenor to lay out the issues in the case. As mentioned earlier, the Internet Freedom Foundation had filed an intervention application, which had been allowed by the Court on the last date of hearing.

IFF’s counsel began by apprising the Court that India lacked a statute on data protection. He argued that the absence of a legislative framework allowed corporations to collect extensive data, including metadata. This, he contended, enabled these corporations to aggregate information and create an extensive profile of an individual, including revealing sensitive information such as that related to health and sexual preferences. The lack of a data protection authority or commissioner resulted in lack of knowledge about how personal data is held and exploited. He argued that in such a scenario, the Supreme Court must step in and hold that the state has a positive obligation to protect the rights infringed as a result of such data practices. In his view, exploitative data practices infringed an individual’s right to free speech enshrined under Article 19(1)(a) as well as Article 21. He located this positive obligation under Article 17 of the International Covenant of Civil and Political Rights (ICCPR), to which India is a signatory, as well as Article 12 of the Universal Declaration of Human Rights (UDHR).

Before he could continue, the counsel for Facebook Inc. objected to the case being heard on the ground that the existence and scope of a right to privacy had been referred to a larger bench for determination. (In 2015, a three-judge bench of the Supreme Court had cited some ambiguity in the jurisprudence on the right to privacy and referred the issue to the Chief Justice of India). At this point, the petitioners’ counsel responded, stating that the case at hand included possible violations of Articles 19(1)(a), 19(1)(c), 19(1)(d) as well as 21. She stated that the petitioners were basing their claims on these rights dehors a right to privacy. However, she also clarified that the right to privacy continued to exist under statutory law, common/tort law as well as under international covenants. She argued that foreign corporations could not be allowed to take advantage of a lacuna (if any) in the law till the time the larger bench decided the issue. In her view, there were laws in place to address the issues at hand.

Both counsels also apprised the Court regarding Italy’s anti-trust regulator fining WhatsApp €3 million for the same privacy policy and a German Administrative Court upholding the Hamburg Data Commissioner’s order to stop transfer of data between both entities for German users.

The intervenor’s counsel set out Facebook’s model for targeted advertisements, which allows advertisers to customise their audience. This targeting is, in large part, facilitated by the collection of metadata such as information about one’s device, network information, location etc. Before he could complete, Facebook’s lawyer again objected to this line of argument stating that none of these facts or issues had been raised before the High Court or in the main petition and would consequently warrant a separate response. The Court attempted to steer the proceedings back to WhatsApp’s privacy policy and asked the intervenor’s counsel to show how it infringed rights.

He argued that some of the terms were in contradiction with WhatsApp’s stated claim of providing end-to-end encryption. These included their practice of retaining popular ‘content’ for a longer duration of time and stating that they do not retain messages in the ‘ordinary’ course of providing their services. On the aspect of metadata, it was argued that the terms allowed for collection of extensive information (such as IP addresses, mobile device and network information as well as location information) and allowed its use and disclosure to several third parties, including Facebook. An analysis of these terms can be found here. Further, it was argued that while the 2012 policy clearly articulated what information WhatsApp did not collect, this was absent under the new policy. Additionally, the age for children to create an account was lowered from 16 to 13 years. He also argued that there was no informed consent with respect to accepting these changes.

In Justice Mishra’s view, arguments on consent were unhelpful as they brought the issues within the frame of contractual obligations. He urged the counsel to advance arguments on how the policy impacted individual rights. Recognising the value of metadata, he framed the issue as whether commercial exploitation of information pertaining to an individual’s identity had an impact on rights.

The counsel for Facebook India Ltd. shared with the Court that only a user’s phone number, device identification, account registration details and their ‘last seen’ status was shared with Facebook. This is significant, because the privacy policy is silent on this, and neither Facebook nor WhatsApp have explicitly stated this before.

Continuing with his arguments, the intervenor’s counsel argued that –

  1. WhatsApp’s updated policy impacts the freedom guaranteed under Article 19(1)(a) and 21 – Article 19 was distinct from the other rights under the Constitution because it guaranteed (a right to) freedoms, and not solely a right. This was necessary for the self-fulfilment of an individual (Indian Express Newspapers v. Union of India (1985) 1 SCC 641). The extensive and unregulated collection of information by WhatsApp and Facebook inhibited this freedom, creating a chilling effect. The feeling of being under surveillance also attracted rights enshrined under Article 21.

Further, Article 17 of the ICCPR and Article 12 of the UDHR cast a positive obligation on the state to enact measures that would allow these rights to be meaningfully exercised.

  2. There can be no waiver of fundamental rights guaranteed under Article 19(1)(a) and Article 21 – While several arguments were sought to be raised on the issue of consent, only this was urged, as Justice Mishra reiterated his objection to this line of argument. Citing Basheshar Nath v. CIT (1959 (Suppl) 1 SCR 528), it was argued that there can be no waiver till the person waiving her rights is fully informed as to her rights and abandons them with full knowledge.
  3. Data protection laws of foreign countries prohibit sharing of personal and sensitive data without free consent – The counsel took the Court through the provisions of the German data protection statute for guidance. Importantly, provisions emphasising certain inalienable rights (such as that of access, rectification and erasure) were also brought to the Court’s notice.
  4. Right essential to exercise a fundamental right must be deemed to be a part of that fundamental right – He elaborated on the importance of ‘penumbral rights’ as articulated in the landmark United States Supreme Court decision Roe v. Wade and argued that a right essential to enjoy other fundamental rights would in itself be fundamental. He also cited Olga Tellis v. Bombay Municipal Corporation for this proposition.

In conclusion, the intervenor’s counsel laid out the reliefs sought from the Court – that data protection guidelines be framed by the Court till such time as the Parliament enacted a legislation. Alternatively, WhatsApp should be directed to provide all users with the opt-out clause (even after the thirty day period, as was provided), while continuing to access the service.

After almost an entire day’s hearing, the Court thought it appropriate to give the respondents a chance to raise the issue of maintainability – that is, to determine whether the petition was fit for hearing before the Court or not. Counsel for Facebook Inc. argued that –

  1. The issue was purely in the realm of contract and the petitioners were precluded from any remedy under public law.
  2. Neither Facebook nor WhatsApp were ‘state’ or agents or instrumentalities of the state so as to attract the Court’s writ jurisdiction.
  3. Under its terms, WhatsApp had reserved its right to renew its policies in the event of an acquisition or a merger.
  4. The petitioners could not claim to speak for all users of WhatsApp and their grievances regarding consent would only be applicable to them and not others.
  5. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under the Information Technology Act 2000 provided a statutory regime for the regulation of services such as WhatsApp and Facebook.

The arguments on maintainability will continue tomorrow and the petitioners as well as the intervenor will be asked to respond to the submissions advanced.

Supreme Court hears the WhatsApp-Facebook Data Sharing Case

The special leave petition against the Delhi High Court’s ruling upholding WhatsApp’s updated privacy policy came up for hearing before a bench of five judges today. This policy is contentious because it allows WhatsApp to share valuable personal information of its users, including phone numbers, contact lists and profile pictures, with its parent company Facebook. As reported earlier, today’s hearing was to determine whether a bench of five judges can hear the case and to fix a date for the hearing.

During the course of arguments, the petitioners’ counsel focused on the need for regulating platforms such as WhatsApp and Facebook. It was his contention that the High Court should not have relegated the matter to a simple issue of a private contract between a user and a company. Arguing that such a proposition was overbroad, he contended that the Telecom Regulatory Authority of India and/or the Central Government must form comprehensive regulations to guarantee the rights of individuals (including the right to privacy) using such services. To emphasise the need for regulation, he took the court through WhatsApp’s privacy policy, outlining the nature and extent of information collected and shared by it.

The Attorney General interjected requesting the Court to adjourn the matter for a few months. It was his submission that the Centre was in the process of formulating a data protection framework to regulate private entities collecting personal data.

For WhatsApp, it was argued that the service is popular only because of its insistence on privacy. It was submitted that no part of the content of any message was shared with any third party. The counsels for WhatsApp and Facebook also questioned the setting up of a constitution bench to hear this case as according to them, the case lacked a question of constitutional importance.

In the order passed by the Court today, this opposition to setting up a bench of five judges to hear the matter was recorded. However, Justice Mishra went on to state that this contention would be addressed at the time of the final verdict, signifying the Court’s intention to go ahead with the matter. The petitioners have been requested to file their propositions (/questions of law) by the 24th of April 2017. The case will be taken up for hearing again on the 27th of April 2017.

Update from the Supreme Court hearing in the WhatsApp-Facebook Data Sharing Case

In September last year, the Delhi High Court had upheld WhatsApp’s updated privacy policy, which allows it to share users’ personal information with its parent company, Facebook. Aggrieved by the Court’s decision, the petitioners approached the Supreme Court earlier this year.

On 6th February, the Supreme Court had fixed 12th May as the date for final adjudication of this case. This was one of the three cases listed for hearing before a constitution bench during the Court’s summer vacation. During today’s hearing, the counsel for WhatsApp sought a fresh date citing his unavailability in May. The bench, comprising the Chief Justice of India and Justice D.Y. Chandrachud, observed that it would be inappropriate for them to reschedule the date as it was ultimately going to be heard and decided by another bench of the Supreme Court.

This raised the question whether the matter was required to be heard by a constitution bench at all. It was argued on behalf of WhatsApp that the case was a simple contractual matter and needn’t be referred to a larger bench. On the other hand, Facebook’s counsel contended that if the petitioners intended to pursue their claim based on a fundamental right to privacy under Article 21, the case could not proceed in light of the pending constitutional reference. (The question of whether a fundamental right to privacy exists, and its scope was referred to a larger bench in 2015).

The petitioners’ counsel contended that the privacy claim in this case arose from Article 19(1)(a), as the ability to communicate and speak freely was an inherent aspect of privacy. As a result, the pending constitutional reference should not be considered a bar for this case to proceed.

The bench reiterated its discomfort with deciding any of these issues. The case has now been listed for hearing before a constitution bench on 18th April to determine if it can be heard by five judges, and for fixing the date for hearing.

Decoding Privacy Policies – WhatsApp

Last week, the Supreme Court admitted a petition challenging the Delhi High Court’s judgment upholding WhatsApp’s updated privacy policy. The revised policy allows it to share user data with its parent company, Facebook. While the petitioners were granted some relief, the High Court refused to consider whether the policy had violated individuals’ right to privacy. In the Court’s opinion, this was not a valid ground as the question of existence and scope of a constitutional right to privacy is pending before the Supreme Court of India.

WhatsApp’s updated privacy policy has sparked privacy concerns globally. Regulatory actions against the company are currently pending in Germany, UK and the US. Amongst other things, most regulators fear that the manner of seeking consent does not allow users to understand the full import of how data will be shared and used. Under pressure from several data protection authorities in Europe, Facebook later announced that data sharing between the two companies would be temporarily suspended.

In light of the privacy concerns surrounding the use of WhatsApp, this post analyses its privacy policy to understand its information practices. A privacy policy is a statement that explains how a company handles the personal information collected by it. The policy is analysed against nine privacy principles articulated under the 2012 Report of the Group of Experts on Privacy (‘2012 GoE Report’). The Group was tasked with making recommendations for a draft Privacy Bill in India. The nine privacy principles enunciated under the 2012 GoE Report stem from internationally accepted data protection norms. These principles are listed below along with an analysis of WhatsApp’s privacy policy against each principle –

  1. Notice

This principle requires that users know and fully understand a company’s information practices before consenting to them. It includes informing users if and when there is a change to the policy and notification in the event of a data breach.

The WhatsApp privacy policy (‘privacy policy’ or ‘policy’) states that users will be given notice of any amendments to the policy. However, the policy does not specify if this notice will be given prior to effecting changes, allowing users to opt-in to the updated practices. The recent update put the onus on users to opt out (that too, partially) of the proposed changes. The policy is also silent on data breach notifications. That is, users do not have a right to be informed if their personal information has been compromised for any reason.

  2. Choice and Consent

Wherever reasonably possible, users must have a choice regarding providing some or all of their personal information. The collection, use or disclosure of information must be pursuant to consent from users.

The policy contains nothing about the choices available to users to share their information with WhatsApp. Under the section ‘Managing Your Information’, it is stated that users can control how much of their information will be visible to others on the platform. However, it does not specify how users can effect these changes. Under Settings -> Account -> Privacy, users can customize their settings for ‘Last Seen’, profile picture and status updates. However, the choice is limited to sharing information with other users, and not with WhatsApp itself.

The policy does not mention the permissions required by the WhatsApp application to run on one’s device. These are extensive and include access to one’s camera, contacts, location, SMS and microphone amongst others.

  3. Collection Limitation

This principle states that only personal information which is necessary for the identified purpose should be collected. Collection must be lawful and fair.

Broadly, WhatsApp specifies three kinds of information collected by it. First, it collects information that is directly provided by users. This includes a user’s phone number, a profile picture as well as access to all contacts. Notably, WhatsApp not only collects the phone numbers of existing users, but also of those contacts who do not use the application. As per the policy, sharing such numbers amounts to an acknowledgement that a user has the authority to do so. This is legally dubious as it gives WhatsApp access to an individual’s personal information without their consent or knowledge.

Messages are ordinarily stored on a user’s device. Only if a message is undelivered is it stored on the company’s servers for a period of 30 days. The messages are end-to-end encrypted, meaning that no one (including WhatsApp) can read them. Recently, it was discovered that a technical vulnerability made it possible for WhatsApp to intercept some messages, if a device was offline. WhatsApp allows users to change their settings to receive notifications when another user’s security key changes and a chance to verify keys. However, the policy is silent about both – the existence of this vulnerability as well as the means to verify if such an interception has taken place.

Secondly, WhatsApp automatically collects certain information related to one’s activity on the platform including log files and information about one’s device. It also places cookies on the device to remember preferences.

Thirdly, WhatsApp collects information about users through several third parties. These can include other users. This allows WhatsApp to gather information about who we talk to, and what groups are common between users. Additionally, the company works with certain ‘third party providers’ to improve and market its services and collects personal information from them as well. This clause is vaguely drafted and there is no way to tell which information collection is legitimate and which is not.

The failure to identify any third party and limit avenues for collection of information raises concerns. There is also uncertainty with respect to how long information is stored. If a user deletes their WhatsApp account, the company deletes their undelivered messages ‘as well as any…other information we no longer need to operate and provide our Services’. The failure to specify what information is retained and for how long is problematic.

Pertinently, this deletion clause is also in contravention of the Delhi High Court’s judgment in the WhatsApp case, which held that for users who chose to delete their accounts (before the updated policy came into force), all information must be deleted.

  4. Purpose Limitation

Personal information must only be collected and used for specific and explicitly stated purposes. This principle prohibits the recycling of personal information for different purposes.

The policy states several uses for the information collected. WhatsApp uses user information to provide services such as customer support and to test new features. It also verifies accounts and investigates suspicious activity. The policy is vague when it describes other uses for users’ personal information. WhatsApp ‘may’ use personal information for marketing its services and that of the Facebook family of companies (‘affiliated companies’), of which there are 11. It also uses this information to allow third party businesses to contact users through WhatsApp. There is no fixed purpose for this – these third parties can contact users for anything from ongoing transactions to marketing.

As a general remark, the policy states that it may use the information it receives from other affiliated companies and vice-versa. This recycling of information by different entities and for different purposes is exactly what this principle seeks to avoid. These clauses are vague, allowing WhatsApp to scale up its use of users’ personal information without actually having to inform them or seek consent again.

  5. Access and Correction

Users should have the right to access their personal information and amend or delete it if inaccurate. This right extends to obtaining a copy of their personal information.

Users are free to amend their personal information, including their phone numbers. However, there is no provision to obtain a copy of one’s information held by WhatsApp.

  6. Disclosure of Information

Users must be informed of how their personal information will be disclosed, and must give express consent to such disclosure. The privacy policy must identify the recipients or at least, a category of intended recipients for such consent to be meaningful.

WhatsApp discloses personal information to certain unidentified third parties. These third parties can be anyone who WhatsApp contracts with to operate, promote or market its services. This information is shared ‘in accordance with [WhatsApp’s] instructions…or with express permission from [the user]’. Therefore, a user’s consent is merely optional and one has little knowledge about the terms on which such information has been disclosed.

If a user uses third party services such as Google Drive or iCloud to back up their WhatsApp data, information received by them will be shared in accordance with their respective privacy policies.

  7. Security

This principle requires companies to adopt reasonable security safeguards to protect against loss, unauthorised access, destruction, use or disclosure of personal information.

The policy only mentions that the platform supports end-to-end encryption for messages and ‘other security features’. There is no general description of what these are.

  1. Openness

Information and security practices must be transparent and easily accessible.

The vague language of the policy makes it difficult to understand how information is used and the parties it is disclosed to.

  1. Accountability

Companies must be held accountable for compliance with data protection principles. An important aspect of accountability is appointing a grievance redressal officer for addressing privacy concerns.

The policy only lists a physical address for raising privacy concerns. A separate ‘contact us’ link redirects users to a form with pre-set questions. The questions are far from exhaustive – important questions related to choice and security practices are visibly absent. Ironically, for business inquiries and product support, a direct email is provided. A similar provision for privacy concerns is noticeably absent.


In the absence of a comprehensive data protection statute incorporating these principles, there is little regulatory oversight over how private entities handle personal information. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 are extremely narrow in scope and mostly apply only to ‘sensitive personal information’, which excludes valuable personal information such as names and phone numbers etc. This leaves individuals with little recourse when a company’s information practices create cause for concern. However, even in the absence of such a law, the ubiquity of WhatsApp as an Internet messaging platform uniquely positions it to take note of these concerns and address them by suitable amendments to its privacy policy.

WhatsApp’s Privacy Policy Gets the Stamp of the Delhi High Court

On August 25 2016, WhatsApp fundamentally changed its privacy policy in a manner that threatened to undermine privacy. In our previous post, we had explained how these changes allow WhatsApp to share account information (such as a user’s phone number, contacts and profile picture etc.) with Facebook and other group companies, compromising the privacy of users. While user communication remains encrypted and secure, account information such as phone numbers, contacts etc., which are regarded by many as personally identifiable information, may be shared.

A public interest litigation was filed before the Delhi High Court challenging the privacy policy on the grounds that it violated the fundamental right to privacy of users. On September 23 2016, the Delhi High Court approved this policy with some caveats (the High Court judgement can be accessed here).

In response to the contention of petitioners, the court noted that users of WhatsApp have ‘voluntarily’ availed of that service and are parties to a private contract. Further, the court noted some provisions of the 2012 WhatsApp privacy policy while arriving at this conclusion. First, the policy provided that by using WhatsApp, users consent to transferring the data to the United States and subjecting the transfer to laws of California. Second, it also specified that in case of a merger, WhatsApp reserves the right to transfer information collected by users. Looking at these two clauses, the Court said that the users cannot now argue that WhatsApp ought to be “compelled to continue the same terms and services”.

The court also dismissed the argument that the change violated the right to privacy emanating from Article 21 of the Constitution. It held that “the position regarding the existence of the fundamental right to privacy is yet to be authoritatively decided” referring to the matter referred to the constitutional bench of the Supreme Court. Consequently, the court dismissed the many challenges to the privacy policy albeit with some caveats. First, the court ordered WhatsApp to delete all user information/data/details for such users who completely delete WhatsApp before September 25 2016. Second, the court ordered that existing user information/data/details up till September 25 2016 will not be shared with Facebook and group companies. Only data post September 25 may be shared. Third, the court ordered the relevant government departments to decide whether Internet Messaging Applications like “WhatsApp” can be brought under statutory regulatory framework.

In the absence of a comprehensive data protection law and the existence of a fundamental right to privacy in doubt – it may seem that there is little the High Court could do. However, since the reference of the Aadhaar matters to the Constitutional Bench, multiple High Courts and even the Supreme Court (implicitly) have upheld the constitutional right to privacy. The High Court missed the opportunity to uphold 40 years of the Supreme Court’s jurisprudence on privacy which the Government is trying to overturn. Moreover, the direction to assess whether instant messaging (IM) applications can be brought within a regulatory framework should be closely watched. Any regulation of these services will require an amendment to the Telegraph Act and can have far reaching implications on the right to freedom of expression and the right to privacy.

WhatsApp Backtracks on Privacy, Faces Legal Hurdles

In February 2014, Facebook purchased WhatsApp for a whopping $19 billion. This deal came under scrutiny from various privacy advocates. They questioned if the standards of privacy and security of communication on WhatsApp would be maintained post acquisition. WhatsApp reassured users of its commitment to privacy through a blog post titled ‘Setting the record straight’. The blog clarified that WhatsApp would operate independently and autonomously with no new data being collected. In a separate post, WhatsApp categorically assured ‘nothing’ would change for the user. Reinforcing its commitment to privacy, earlier this year WhatsApp had even introduced end-to-end encryption.

However, on August 25 2016 WhatsApp introduced key changes in its privacy policy that threaten user privacy. These changes negate WhatsApp’s earlier assurances and raise fundamental concerns regarding privacy and security of user information on WhatsApp.

Changes in the Privacy Policy

Most users have already received a notification from WhatsApp about their updated Terms of Service. Although WhatsApp has presented users with the option to opt-out (though only partially), it has made it difficult for users to exercise this option. The option is only visible once you click on ‘read’. As users rarely inspect standard form contracts – it is likely that this option would be overlooked by many.

The key changes that this policy introduces pertain to sharing of account information with the ‘Facebook family of companies’ (i.e. Facebook along with Atlas, Instagram, Parse etc.). The first change allows WhatsApp to share WhatsApp account information to improve the user’s ‘Facebook ads and products experience’. A user has two options to opt-out of this process. The user can opt-out of this process by un-ticking an option displayed on the ‘key updates’ page reached after clicking on ‘read’ (Option 1). If the user has already agreed to the privacy policy they can opt-out within a limited period of 30 days (Option 2). The second change is that WhatsApp will now be sharing data with the ‘Facebook family of companies’ for ‘other purposes’ which include but are not limited to improving delivery systems and fighting spam or abuse. Account information that is shared includes a user’s phone number, contacts and profile picture amongst other information. There is no opt-out option for this and the information will be shared by WhatsApp on a regular basis. (A pictorial representation of the changes may be found here)

Problems with the new Changes

These new changes are fraught with problems. First, WhatsApp has not sought consent for sharing data for purposes other than advertising. While examples of ‘other purposes’ are provided for, the list is non-exhaustive. This paves the way for sharing of data and its use without knowledge and consent of the user. Further, the data shared may include phone number and pictures which are recognised by many as personally identifiable information. Sharing of personally identifiable information is subject to informed consent by data protection laws across the world. This policy ignores such requirements. Second, once the user agrees to share the terms of the policy – they only have a time period of 30 days to opt out. This time period is an unfair limitation on the rights of users to stop WhatsApp from sharing of data for advertising purposes in the future. By not incorporating an option to revoke consent at any point of time – WhatsApp again ignores one of the key safeguards for protecting the right to privacy. Third, the policy provides for an opt-out mechanism as opposed to an opt-in mechanism. Instead of seeking user consent before sharing the data, the mechanism is designed in a manner that requires users to take active steps to prevent sharing of information. Opt-out boxes assume user consent until the user un-checks the box and often run the risk of being missed by users. Fourth, at the time of acquisition of WhatsApp the Federal Trade Commission of USA had issued a letter to both Facebook and WhatsApp reminding them of the need to maintain their privacy commitments. The letter required affirmative express consent (such as opt-in) in case data is used in a manner inconsistent with the promises made at the time of collection of such data. An opportunity to opt-out was required in case of changes in collection, use and sharing of ‘newly collected data’. While this new policy applies to data that was collected earlier (such as phone number and contact details) it goes for an opt-out option as opposed to affirmative consent through an opt-in option.

Finally, WhatsApp and Facebook repeatedly assured users that ‘nothing’ would change as a result of the merger. The policy for use of data to customise advertising goes against WhatsApp’s earlier policies as well as the 2014 assurances of no change in data use. This new policy not only undermines the right to privacy in many ways – but goes a long way in undermining the trust of users.

Reactions to the Policy

The policy has been condemned by many. The absence of even an opt-out option for sharing of data for purposes other than advertising has invited even greater criticism. The Electronic Privacy Information Center from the United States has filed a complaint before the Federal Trade Commission against WhatsApp and Facebook. The Data Protection Authority in the UK, the Information Commissioner’s Office, has also stated that it would be investigating these changes. Reports indicate that most of the EU regulators will also be closely following the changes in the WhatsApp policy.

A public interest litigation has also been filed before the Delhi High Court arguing that these changes are in violation of Articles 14, 19 and 21 of the Indian Constitution as well as Section 72 of the Information Technology Act 2000. The court has sought the government’s response on modification of the privacy policy. It remains to be seen how the regulators across the world respond to these changes.

(I would like to thank my colleague Kritika Bhardwaj for her assistance with this piece)