By Na Vijayashankar
WhatsApp has been a popular messaging app with 400 million users in India out of about 2 billion users worldwide. On the other hand, it has about 68 million users in the US. The number of users in the EU region is estimated to be around 150 million. It is available in about 180 countries. But by far, India is the largest single country using WhatsApp, with Brazil at about 100 million coming a distant second.
WhatsApp is a generic name for messaging apps in India and it is used for social messaging, voice calling and video calling. Many businesses have also started using the personal version of the app though WhatsApp has introduced a business version with a revenue model.
It is also notable that part of the Judiciary in India had started recognising WhatsApp message as an admissible delivery of “Notice” and “Double Tick and Blue Tick” as admissible delivery and acknowledgement status, ignoring even the Section 65B (Indian Evidence Act) requirements. This legal recognition perhaps was questionable but indicated the perception that WhatsApp was an accepted mode of mass communication.
These statistics clearly indicate that India is an important market for WhatsApp, much bigger than the US or EU which WhatsApp cannot afford to ignore. However, the recent announcement of WhatsApp to introduce a new privacy policy seems to have shaken up the market to the extent that there is a significant shift of users from WhatsApp to Telegram and Signal. It will not be long before Line catches up and some Indian apps will emerge. Microsoft may also try to popularise its own version of instant messaging to fill the void.
There are two reasons which justify why WhatsApp could have decided to modify its privacy policy with a “take it or leave it” approach. The first is that it wants to enter into the payment systems, health insurance and pension schemes where it will start collecting “sensitive Personal Information”.
The second and more important reason could be that India is likely to come up with its own Personal Data Protection Act (PDPA) some time in February-March and that could make some changes to the system of collection of personal information and how the companies who have already collected personal information need to regularise the legacy data. WhatsApp perhaps sees an advantage in pre-empting the legislation.
Professionals who understand the need for upgradation of privacy policy are also aware of the fact that there are options where similar functions with greater privacy control are available. They now have the excuse to shake off the resistance to change and move out of WhatsApp to Signal and Telegram. Many are exploring “Line” which was hitherto unknown in India.
NIC has already developed an instant messaging app GIMS for use by the government and it is possible that it can also be used as a public version which many law abiding Indians, who do not have a compelling reason to hide their communication from privacy intrusion, may adopt. Companies like Zoho with Indian parentage have the ability to launch an indigenous app that can meet the standards set by WhatsApp or Telegram or Signal.
The biggest mistake WhatsApp has done is to challenge the sentiments of the users by suddenly popping up the “take it or leave It” message instead of explaining its compulsions. When people look at the privacy policy in depth along with the accompanying “Terms of Use”, they will see that though India is WhatsApp’s biggest market, they have chosen to introduce privacy policies exclusively only for EU and US and relegated India to a subordinate status where it will be dictated to by the laws of California.
It is unreasonable to expect that WhatsApp or any other commercial company will offer its services free forever. It is possible that even Telegram and Signal may eventually introduce some form of monetisation either through subscription or otherwise. Therefore, it must be admitted that there is a legitimate interest for WhatsApp to monetise its business. One of the ways of monetisation may be using the personal data whether in identified form or deidentified or anonymised form to create a profile and use it for targeted advertising.
But presently, there is some misunderstanding about what kind of data would be shared by WhatsApp with Facebook and used for monetising the transactions. It is possible that the content of WhatsApp messages is encrypted before it reaches the WhatsApp servers and may be deleted after it is delivered to the recipient or soon thereafter within a reasonable time. Hence what is shared with Facebook may be only the meta data associated with the message.
This data is also necessary to be stored for law enforcement purposes and may be released to the appropriate authorities under a due process. The privacy laws would not hinder the sharing of such meta data either for law enforcement or for monetisation if the policy is reasonably clear and explicit.
It is necessary to also remember that privacy protection even under the Puttaswamy judgment is a “Right for Self Determination” of the use of personal data by the data processor. Hence if the data principal is aware that his personal data is being shared for a specific purpose and the consent is obtained after proper notice, there is no infringement of privacy. If, however, a data fiduciary obtains consent for a certain purpose and uses the data for another purpose then there is violation of privacy. Hence as long as WhatsApp has made it clear in its privacy policy that certain information will be collected and shared with Facebook and that it will be used for serving ads or improving the service to the user, there is no infringement of privacy.
Another aspect which we look for in the privacy policy is whether the user has a “Right of Access”, “Right of Correction” and “Right of Deletion”. The WhatsApp policy is unclear about the “Right of Access”. The policy is also not clear about the location of data storage.
Also Read: WhatsApp plea: Delhi High Court judge recuses herself from hearing petition
Under the new PDPB 2019, it may be possible to transfer personal data which is not sensitive outside India with a normal consent for collection. Even the sensitive personal information may be transferred with an explicit consent. With the use of WhatsApp pay, the information collected would belong to the “sensitive” category and it would be necessary for WhatsApp to maintain a copy of all associated payment data to be kept in India.
It is however to be noted that WhatsApp is shy of admitting that the data will be used for advertisements whether it is on Facebook or on WhatsApp. This gives rise to suspicion that the personal data may be used for reasons which WhatsApp is not comfortable to share. Probably they can be more transparent about the data sharing plans and claim that monetising their activity is their legitimate right.
However, the conditions imposed in the terms of use which is part of the privacy policy has certain provisions which are not acceptable both from legal and moral grounds. According to the terms, the messaging service is being provided by WhatsApp Inc, a company registered in the US. The Intermediary rules (as per ITA 2000 Section 79) as per the proposed amendment stated that WhatsApp type of large intermediaries needed to establish a local office in India. This is missing in the terms.
There is therefore a need for WhatsApp to provide the services through an Indian company.
Additionally, the jurisdiction for disputes is mentioned as the district court in California and the applicable law is also that of California. It is legally unacceptable that an individual using the services of WhatsApp is subjected to the jurisdiction of the USA and disputes can be raised only in the US courts. It is possible that Indian courts may not recognise this jurisdictional clause, but it is necessary that a mention of this sort should not be allowed as a matter of principle. Further, the disputes are made subject to a binding arbitration according to Californian law. Since according to ITA 2000, (and the Personal Data Protection Act) WhatsApp is subject to Indian jurisdiction, and the Indian laws prescribe a statutory process of adjudication, binding arbitration is not in compliance with Indian laws.
Hence, more than the privacy policy being unacceptable, WhatsApp runs the risk of being rejected by Indian users because of the unreasonable terms of use. It is possible that WhatsApp may recognise the importance of the Indian market and introduce an India specific privacy policy and terms of use which are compliant with Indian laws. However, a breach has been created in the mindset of Indian users and the quest for a WhatsApp alternative has begun.
Also Read: Work won’t suffer, Purwa Tehsil advocates assure Allahabad HC
Hopefully some Indian entity would have the ability to challenge the near monopoly that Facebook-WhatsApp wants to establish in Indian digital communication system. Whether the beneficiary would be a Namaste Bharat, Jio Chat or Troop Messenger, or Naarador, only time will tell.
—The writer is a cyber law and techno-legal information security consultant based in Bengaluru