While Facebook-owned WhatsApp’s updated privacy policy has been stoking concerns about privacy and data sharing with other apps, what is being missed amid the clamour is this: if India had a data protection law in place, WhatsApp would not have been able to go ahead with this update in the first place. In fact, India’s data protection law has been languishing for two years by now.


For instance, WhatsApp’s updated privacy policy guidelines won’t be applicable if you live in the European Region thanks to the data protection law in place there.

WhatsApp is legally bound to not share data with Facebook in the European Region because it’s a contravention of the provisions of the General Data Protection Regulation (GDPR), Arghya Sengupta, Research Director at Vidhi Centre for Legal Policy, told BusinessLine . GDPR is a regulation in the European Union law on data protection and privacy in the European Union and the European Economic Area.

WhatsApp’s updated privacy policy, which was made known on January 4, essentially takes away the choice users had until now to not share their data with other Facebook-owned and third-party apps. If users do not agree with the updated privacy policy of the messaging platform, they will have to quit WhatsApp by February 8 - when the new terms of service are set to come into effect.

Had the data protection law or regulation been in place, this issue would not have arisen in the first place, said Sengupta. “Section 5 of the Personal Data Protection Bill, which was introduced by the Parliament, and which came out of the Srikrishna Committee Report, says that you can only use the information for purposes that are reasonably linked to the purpose for which the information was given. If that section was there, then this (the new update in WhatsApp’s privacy policy) would have been illegal. This is exactly the reason as to why users in the European Union are safe from this change,” he said.

“What is practically happening is, I am a user who has signed up to WhatsApp because I want to communicate with my friends and family. So I am giving my data for this, while you are using this data and sharing it with people to run their own businesses. That, actually, is the core of the issue - that the purpose that you are using the information for is not reasonably connected to the purpose for which the user is giving that information to you,” Sengupta explained.

There is only very limited protection which is available under the Information Technology Act, said Apar Gupta, executive director of Internet Freedom Foundation, a digital liberties organisation. “It remains ordinarily unenforceable, and it does not provide any credible remedy. It stands in contrast to other jurisdictions, specifically European countries, where, in fact, fines have been imposed on Facebook for integrating WhatsApp data - which were one of the conditions under which Facebook was permitted to purchase and operate WhatsApp by the Competition Commissions of certain European countries,” said Gupta.

India’s dearth of a data protection law also means that there is no relief that a user can get in case of a breach or misuse of data, as pointed out by Prasanth Sugathan, legal director of the digital rights organisation, SFLC.in.

The updated privacy policy of WhatsApp can be seen as a move to ensure its seamless expansion into retail, said Sengupta. “It's quite clear that WhatsApp is integrating greater into Facebook so that Facebook, WhatsApp and Instagram all become part of one package.”

Some users took to Twitter, probing whether concerns around the updated privacy policy merely amounts to virtue signalling, or if there is indeed a lot at stake.

WhatsApp’s end-to-end encryption clause still remains intact, but this only ensures that it can’t see your messages, or share it with anyone. With the updated privacy policy, WhatsApp can now share one’s metadata - which is essentially everything beyond the actual text of the conversation - with Facebook and other apps, experts said.

“It virtually gives a 360-degree profile into a person's online activity. This level of insight into a person's private and personal activities is done without any government oversight at present or regulatory supervision,” said Gupta, adding that subtle forms of commercial exploitation, as well as micro-targeting by political campaigns are some of the possible outcomes of this.

Moreover, in the absence of a data protection authority, it leaves the users with a company’s own assurances and privacy policies, noted Gupta. “And if that company is...stating that it is now going to use your data and share it with the largest social network in the world, which is embedded on every second website and collect data from there as well, the integration of this data will essentially mean you're perpetually under the surveillance of the Facebook group of companies,” he cautioned.

When WhatsApp was launched back in 2009, it had made commitments that it will not sell user data to any third party. This changed after Facebook’s acquisition of the platform in 2014, and in 2017, it started sharing data with its parent company - but users were given a choice to not opt for this. Now, this has changed into a ‘take it or leave it’ policy.

So, the updated privacy policy also means the erasure of the choice of users to share their data with Facebook and other apps, and a breach of the expectations with which they had initially signed up for WhatsApp, Gupta added.

Does this mean that users will now start opting for alternate messaging platforms?

Sengupta feels that 99.9 per cent of WhatsApp users in India will not care too much about this issue, what with privacy policies being generally difficult to be understood by the public.

However, among communities of people who have a higher degree of awareness about data protection and privacy, this shift is already perceptible, according to Gupta.

Signal, iMessage and Telegram are safer alternatives when it comes to messaging platforms, experts said.