Harish Salve, WhatsApp’s counsel, has pressed the pause button on a legal brawl by telling the Delhi High Court that the messaging service provider will not enforce its new ‘privacy policy and terms of service’ until the Personal Data Protection (PDP) Bill, 2019, becomes law.

WhatsApp can afford to wait. A Joint Committee of the Parliament that is examining the PDP Bill was given more time to do its work in March this year – till the first week of the monsoon session of 2021 of the Parliament. Since the monsoon session is scheduled to begin in July 19, the extended time is coming to an end very soon. Unless, yet another extension – the fifth – is given. Some experts have wondered whether the government is trying to cover up its own failure to pass such an important legislation as the PDP, which is more granular than the existing laws relating to personal data, by narrowly interpreting the existing laws to suit its convenience.

Also read: WhatsApp tells HC privacy policy on hold till Data Protection Bill comes

“Rather than vilify a company for following the letter of the law, India should focus on why there isn’t a better one,” writes Probir Roy Chowdhury, an advocate with the law firm, J Sagar Associates, in Mondaq.

SPDI Rules

Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, or ‘SPDI Rules’, a service provider such as WhatsApp is not barred from collecting ‘personal information’ such as contact list details, usage or log information or other location-based information; for ‘sensitive personal data’, the service provider should get express consent from the customer, use the data so collected for a lawful activity, provide opportunity to the customer to withdraw consent and not share the data with a third party, unless expressly consented to by the customer. Chowdhury notes that during the hearing, the Delhi High Court observed that WhatsApp users do not have to agree to WhatsApp’s privacy rules as they could easily shift to other messaging networks if they don’t like the rules. Users could also go to other independent platforms of business or avail themselves of other hosting services.

Chowdhury observes that the WhatsApp issue seems to bring back the famous caveat emptor principle – or ‘buyer beware’– which expects the buyer to exercise diligence over his purchase first before blaming the seller for selling a defective product. ( Caveat emptor is a part of a sentence in Latin, whose translation is ‘let a buyer beware, for he ought not to be ignorant of the nature of the property that he is buying’.) He argues that the mere fact that the take-it-or-leave it nature of WhatsApp’s privacy policy, where you either click on the ‘I Agree’ button or not, with no scope for negotiations, does not make the policy unconscionable.

Also read: Won't compel users to accept new privacy policy, WhatsApp tells Delhi HC

Any business is entitled to follow the letter of the law – it is up to the governments to bring the letter of the law in complete sync with the spirit of the law. That is where enter the importance of the PDP, which is modelled on the European Union’s General Data Protection Regulation (GDPR), but only more stringent. For example, as Vijay Pal Dalmia, Partner, Vaish Associates, notes, the GDPR does not concern itself with non-personal or anonymised data, but under clause 91 of the PDP, the government may ask for non-personal data for policy making decisions. So, as of now, WhatsApp’s case rests. One has to see how well WhatsApp’s privacy policy holds up against the PDP. But it is only when the PDP Bill becomes an Act, would one remind himself of the famous words of Gabbar Singh in Sholay: ‘Abaayega maza’.

comment COMMENT NOW