WhatsApp’s move to delay the implementation of its updated privacy policy by three months by itself will not be sufficient to alleviate the concerns kicked up by the new policy or the larger issue of data sharing and privacy breach, said experts.

 

In a blog post yesterday, WhatsApp also said that its updated privacy policy is only applicable to users communicating with a business account. This, experts said, not only points fingers at how and why its privacy policy does not attest to the same,   but also how an individual’s right to data protection and privacy cannot be compromised even whilst communicating with a business account.

In a blog post on January 15, Facebook-owned WhatsApp said that users’ accounts will not be suspended or deleted by February 8 - as stated by the updated privacy policy on January 4. “We're also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp,” it said. Nothing is changing with respect to personal conversations, it said, adding that the “update includes new options people will have to message a business on WhatsApp, and provides further transparency about how we collect and use data.”

Also read: “What happens in 3 months?” WhatsApp’s decision to delay privacy update receives mix response

All experts BusinessLine talked to agreed that the decision to delay is a good initial step. The 'take it or leave it' approach doesn't fit when the company says that privacy and security is in its DNA, said Prasanth Sugathan, legal director of the digital rights organisation, SFLC.in.

However, WhatsApp’s updated privacy policy, which was made known to the public on January 4, does not state that the changes are only applicable to those users communicating with a business account or using a business account.

“This throws up the question as to why their public statements now seem to be at odds with how their privacy policy was worded. And by no means can it be said that their privacy policy update was limited only to WhatsApp business,” said Arghya Sengupta, Research Director at Vidhi Centre for Legal Policy. “If they want to rework that - to clarify it and to make their intentions clear, that’s great,” he added.

“Firstly, when trying to say that it's only limited to business accounts, it doesn't alleviate fears on this issue because a lot of people do communicate with business accounts. So, just merely the fact that you're communicating with a business that uses WhatsApp, or somebody who's using a business account on WhatsApp, doesn't mean that you lose your individual right to data protection and privacy,” said Raman Jit Singh Chima, Asia Policy Director and Senior International Counsel at Access Now.

Even if the new privacy policy is only applicable to those communicating with business accounts, whether this is problematic or not also depends on what kind of data gets transferred, said Sugathan. “It is evident that they are trying to monetize the platform and there could be more issues when it tries to be an all-in-one platform integrating various services...WhatsApp should also look at minimising the amount of metadata that it collects. They should ensure that they collect the bare minimum data required to provide the service,” he said.

Moreover, a delay is not the same thing as listening to users and engaging in open consultations and moving towards changes, cautioned Chima. “Because in this delay, what are they doing? Are they holding open consultations with user groups and Indian citizens? Are they engaging in conversation with government regulators? And most importantly, given that there is a pending Supreme Court case on this topic, is WhatsApp and Facebook actually filing information about these changes and what's taking place before the Supreme Court’s constitutional bench on this matter? And taking their permission or at least reaching them?” he probed.

Personal data

An expert committee chaired by retired Justice BN Srikrishna had submitted its recommendations for drafting The Personal Data Protection Bill in 2018. Three years on, the proposed law has still not been passed, even as the Supreme Court in 2017 declared privacy a fundamental right.

While WhatsApp is resorting to a temporary delay, it is not changing the direction of what they set forth to do with the new privacy policy, said Chima. “They don't seem to be really paying heed to Indians’ data protection concerns - not just the law, but also in what everyday users seem to be very deeply affected by,” he said.

Moreover, this issue has less to do with the actual changes to WhatsApp’s privacy policy, and much more to do with the fact that as a company - especially following the Cambridge Analytica scandal - Facebook is not easily trusted by its users, Sengupta pointed out.

While rebuilding trust can take time, what would help is for WhatsApp to be more transparent than it has been till date, he said. “It can't say, on the one hand, that ‘ we respect your privacy and that there would be absolutely no compromises made’, and on the other, say that, we will - through some legal language - look at what you're saying in business accounts, and give it to all Facebook companies so that they can use it for providing their services better. Now, the two don't go hand in hand. Walking the talk on transparency is how to begin rebuilding trust.,” Sengupta explained.

“What is also concerning is that WhatsApp did not clarify or either brief the Government of India, namely the Ministry of Electronics and Information Technology, and take their views on this planned change - even while a data protection law may have to be passed by the Parliament. It is my view that the Meity should be informed and briefed on this topic. And WhatsApp and Facebook should be talking to them very publicly and transparently,” said Chima.

These are the measures that WhatsApp and Facebook would be required to undertake, or would be forced to undertake, in many other countries, Chima reminds. “The fact that they are not doing so in India, in my view - and this may be a harsh statement - seems like they think they can get away with it. And in a sense, they are treating India as a country with lesser importance, (with) lesser regulatory ability on their product and on Facebook’s data practices overall. They will not be able to do this so blatantly in Europe and in other countries. They seem to believe they can get away with doing this in India - that is deeply concerning,” he said.

comment COMMENT NOW