WhatsApp’s latest privacy policy update in controversy

On 4th January 2021, WhatsApp released an in-app notification asking users to accept its revised privacy policy by February 08, 2021. Its Privacy Policy and Terms and Conditions were revised to state clearly that WhatsApp user data will be shared with Facebook and its subsidiaries. The notification also explicitly stated that if a user does not accept the revised privacy policy, the messaging services will be impacted to the extent that the user will no longer be able to use WhatsApp. The changes to the policy are currently driving a global exodus of privacy-conscious users who are not ready to accept and comply with WhatsApp’s sharing of user data with its parent company, Facebook, and its subsidiaries, and who see it as a violation of privacy.

Facebook, which externally paints itself as a social media platform, is in actuality a data aggregation machine internally. In 2020 alone, it generated $80.9 billion in revenue from advertisements and is projected to generate $94.6 billion in 2021. Since WhatsApp is an ad- and subscription-free service, ever since its acquisition by Facebook in 2014 for $19 billion, the parent company has been exploring ways to monetise the app. Facebook wanted to turn WhatsApp into a business-friendly platform.

The company introduced WhatsApp Business and Business API in 2018 for businesses to chat directly with their customer base, make transactions and in return, pay a fee for accessing its users. The changes introduced in WhatsApp’s latest update are well-engineered for monetising the app, which as a by-product infringes upon users’ privacy.

So far, Facebook has a poor reputation for protecting the privacy of its users. In the USA alone, it makes $30 from each of its 170 million American users. In 2015, Cambridge Analytica harvested 87 million user profiles from Facebook, of which 70.6 million were from the United States.

Facebook has been accused of influencing the 2016 US elections by sharing user data with Cambridge Analytica, which then used psychometric profiling of US-based Facebook users to influence the outcome of the elections by manipulating their voting behaviour. It came out during the investigation that Facebook has 5000 data points on each of its users.

It faced international backlash for the Cambridge Analytica scandal during Brexit and the 2016 United States elections. In the global context, the Cambridge Analytica scandal also brought to the forefront “the death of privacy” for users and consumers of social media.

Also, when it was considering acquiring WhatsApp in 2014, Facebook publicly committed never to share WhatsApp data with Facebook. However, in 2016, WhatsApp released a new privacy policy which said that from then on it would connect users’ phone numbers with Facebook’s systems so that Facebook could offer better friend suggestions and show more relevant ads.

This means that WhatsApp had already been sharing some information with its parent company, Facebook. Now, with its latest 2021 Privacy Policy, it wants to share even more data with Facebook and its subsidiary companies, including WhatsApp payment and transaction data.

Though the company has made it clear that users’ chats are safe, that their calls remain end-to-end encrypted, that their contacts are not shared with Facebook, and that neither WhatsApp nor Facebook can read the messages, the collection of excessive data in the name of showing relevant ads has raised suspicion among its users.

The cliff-edged deadline for users to accept the updated terms had been set for Saturday, May 15, but this deadline has been put off until India gets its Personal Data Protection law. WhatsApp has given this statement in a court of law and has kept it open-ended.

Let’s dive into how and why:

WhatsApp’s double standards on data-sharing policy

For over 400 million Indian users, the Facebook-owned platform, WhatsApp has introduced not only privacy and data sharing policies that will allow WhatsApp to share data with Facebook and its affiliated companies but also a disparity in how it weighs the two economies–one with data regulation shielding its territory and the other without it.

This update to the terms of service has raised eyebrows and escalated the need for the Draft Personal Data Protection Bill 2019 to be enacted into data protection law in India. Adding fuel to the fire on the Indian IT front is the unaltered privacy standard for the European Union, where the app has refrained from imposing its cross-platform data-sharing policy in view of the EU General Data Protection Regulation (GDPR).

Niamh Sweeney, Director of Policy for WhatsApp, Europe, remarked, “There are no changes to WhatsApp’s data-sharing practices in Europe arising from its update. It remains the case that WhatsApp does not share European Region WhatsApp user data with Facebook for the purposes of Facebook using this data to improve its products or ads.”

On May 13, the German data regulation body, which had been scrutinising WhatsApp’s new privacy policy since mid-April, finally enforced a temporary ban on the changes under EU GDPR rules, describing the new rules as misleading and showing considerable contradictions. But unlike Europeans, who are covered by EU privacy laws, Indian users are shielded by fewer privacy laws, and WhatsApp is therefore trying its best to cash in on the opportunity before the Personal Data Protection Bill 2019 comes into force.

On May 17, 2021, even the National Commission for the Defence of Competition, Australia, and the Secretariat of Internal Trade of the Ministry of Productive Development issued a precautionary measure requiring Facebook to suspend the implementation of the new Terms of Service and Privacy Policies of WhatsApp announced for the May 15th deadline (source: New WhatsApp Terms of Service and Privacy Policies | Argentina.gob.ar).

Analysis of the update

Let’s look at WhatsApp more closely, since it collects a huge amount of data from its users, namely:

  • Access to the address book
  • phone number
  • operations data for example if using Facebook Pay or Stores on WhatsApp
  • information related to the service
  • information about interaction with companies when using the service
  • information about the mobile device and the IP address
  • in addition to other data provided by you or automatically collected by the application in accordance with the “Information we collect” section of the privacy policy

On its official website, in describing how it works with Facebook and its subsidiary companies (Facebook Payments Inc., the Facebook-owned Israeli web analytics company Onavo, Facebook Technologies LLC and Facebook Technologies Ireland Limited, WhatsApp LLC and WhatsApp Ireland Limited, and the content delivery and social monitoring platform CrowdTangle), WhatsApp explains its key updates, which include how user data is processed, how businesses can use Facebook-hosted services to store and manage their WhatsApp chats, and how the company partners with Facebook to offer integrations across the Facebook company products.

According to WhatsApp, some of the information it receives from Facebook and its subsidiary companies may be used for the following:

  • To help improve infrastructure and delivery systems
  • To understand how services provided by WhatsApp or Facebook and its subsidiary companies are used
  • To promote safety, security and integrity, as well as to fight spam and misuse of the platforms
  • To improve services and user experience, including personalising features and content, making relevant suggestions and displaying the relevant ads
  • Providing integrations that help users connect WhatsApp experiences with Facebook products

In its update, WhatsApp unilaterally introduced three changes: data processing, two-way data sharing with Facebook and its subsidiary companies, and integration of the products of Facebook and its subsidiary companies with WhatsApp. Some key points of the update include:

  • Mandatory sharing of users’ data with Facebook companies
  • Collection of metadata such as battery level, application version, mobile network, etc.
  • Collection of location-related information (city or country), even when the user opts not to use the application’s location feature
  • Platform’s right to retain all the payments, transactions, and account-related info (like payment method, shipping details, transaction amount)
  • Third parties may receive user data if the user opts for their services
  • Platform’s right to reserve previously stored data of users after the deletion of accounts via in-app feature

It has been a matter of serious debate among both users and the government whether these updates are really required. WhatsApp, in its defence, explained, “The new policy update was required because it needed to share some data with Facebook for the effective implementation of e-commerce features as well as the betterment of business accounts functioning. The changes are in favour of users and it applies to only the business accounts and the chats between businesses and users.”

However, forcing users to accept the Terms of Service and Privacy Policy enables WhatsApp to collect excessive personal data and share personal information improperly with other applications of the group, such as Facebook and Instagram.

Privacy in India and WhatsApp’s Resolve

For Indians, the recent outrage against WhatsApp’s privacy policy can be explained by distrust of big tech and its rampant abuse of privacy through sharing users’ personal data across multiple platforms without their consent.

On top of all that happening behind the curtain, the internet regulations designed to prevent “abuse and misuse of social media,” which require tech platforms to hand over user information to law enforcement upon request, are yet another encroachment on the privacy of users. Critics argue that such steps pave the way towards digital authoritarianism, much like government misuse of citizens’ data in China.

Combating all the weak privacy points, Facebook, in April 2020, bought a 9.99% stake in Jio Platforms for $5.7 billion to strengthen its grip on the Indian market. Furthermore, Reliance Jio Mart, an e-commerce platform, announced in January 2021 its intention to integrate Jio Mart into the WhatsApp platform. This will give WhatsApp immediate access to the multi-billion dollar opportunity in the Indian e-commerce space, which already has players like Amazon and Flipkart. The Indian e-commerce market is estimated to reach a humongous USD 1.3 trillion by 2025.

Read more: Reliance aims to embed JioMart in WhatsApp (livemint.com)

In yet another carefully orchestrated move, after two years of regulatory pushback and protectionism, WhatsApp Payments received government approval, opening the door for WhatsApp to compete in India’s payments market.

How does the update infringe the privacy of users?

According to TechCrunch, Facebook is keen to collect users’ phone numbers. A person can create a Facebook profile using just an email ID, but opening a WhatsApp account requires a phone number, which is the final piece of the puzzle in building a 360-degree profile of users and thus enhances Facebook’s ability to serve personalised and well-targeted ads by linking identities across both platforms.

WhatsApp, which before the update operated as an intermediary in India with no ownership of users’ content, establishes itself with this update as a data fiduciary (owner of the content) under the proposed Indian Personal Data Protection Bill, 2019, which prohibits a data fiduciary from collecting and processing users’ personal data without prior notice to or consent of the user.

The policy update violates the Guidelines issued by the Ministry of Electronics and Information Technology on disclosing sensitive information to third parties. The update is unclear on who will use the data, how, and for what purposes.

The lack of independent third-party regulation and proper governance, like the case with Signal and Telegram, prevents confidentiality when third parties benefit from user data, which may lead to exploitation of users’ data as well as the spread of fake news and misinformation.

Metadata, which includes whom a user messages, along with the duration, frequency and repetition of those messages and the location of sender and receiver, might not yield substantive outputs when viewed in silos. But when it is collected for all users on the app, how much that data can reveal about one’s personal life becomes a topic of research. An analysis of telephone metadata by researchers at Stanford University revealed that metadata can be processed to identify users’ personal information, such as their health data. Such information hides in plain sight and is a treasure trove for carrying out covert surveillance, especially by big tech companies, which are infamous for it.

The worst part of this update is that users have no choice other than to click on “I Agree.” Furthermore, the policy, despite ratification from the National Payments Corporation (NPCI) for initiating payment service in India, violates the Notification on Storage of Payment System Data issued by the Reserve Bank of India (RBI).

Centre vs WhatsApp

In a letter written to Mr Will Cathcart, the global Chief Executive Officer of WhatsApp, the IT Ministry argued that the updated privacy policy enabled WhatsApp and other Facebook group companies to make invasive and precise inferences about users and asked to roll back updates that have implications for Indian users’ freedom of choice.

“As you are doubtlessly aware, many Indian citizens depend on WhatsApp to communicate in everyday life. It is not just problematic, but also irresponsible, for WhatsApp to leverage this position to impose unfair terms and conditions on Indian users, particularly those that discriminate against Indian users vis-à-vis users in Europe,” MeitY pointed out in the letter.

Soon after the policy was announced, the Confederation of All India Traders filed a writ petition in the Delhi High Court, claiming that the privacy policy update violated the fundamental right to privacy and allowed WhatsApp to profile users’ data without any government regulation.

With this update, the company has tried to cement the problematic status quo of WhatsApp’s 2016 privacy policy update, which is under litigation before the Supreme Court of India.

The 2021 privacy policy update has also been challenged in the same proceedings through an application filed in Karmanya Singh Sareen & Anr. v. Union of India & Ors., SLP (C) 804/2017, with contentions raised on differential treatment between Indian and European users, and how the policy infringes upon the fundamental right to privacy, which the Supreme Court has already declared under Article 21 of the Indian Constitution in Justice K.S. Puttaswamy (Retd) v. Union of India.

Although the case was still ongoing, the Confederation of All India Traders filed a similar plea before the Supreme Court. The Supreme Court refused to admit the writ petition as the case was already being heard by the Delhi High Court.

As per the filing in Delhi High Court, it was brought to the table that WhatsApp’s privacy policy violated the country’s information technology laws on several counts, including failure to specify the nature of user data being collected and notify users about it.

In response to a petition before the Delhi High Court, WhatsApp stated that it would no longer postpone its privacy policy rollout and that it would not force users into accepting the terms of application while being well aware that it continues to be the most widely used messaging application in India.

Recently, the GOI (Government of India) reportedly sent a notice to WhatsApp stating that its new privacy policy update violates several provisions of Indian laws and therefore, the Government will consider options available to it under the Indian laws in fulfilment of its sovereign responsibility to protect rights/interest of its citizens.

WhatsApp has responded that it won’t withdraw the privacy update; however, it will not limit functionality for users and will continue to show users the update until the country gets its Personal Data Protection Law.

“The Government has asked to shut down the policy. We have said we will not enforce it till the data protection bill is passed. That is open-ended because we don’t know when the Bill is going to come out,” Harish Salve, Senior Counsel appearing for WhatsApp and Facebook, told the Delhi High Court.

In response to the Centre’s seeking directions on whether it was conforming to IT law, WhatsApp clarified that its new privacy policy had already come into effect on May 15. The platform also added that it would not start deleting the accounts of users who are yet to accept the privacy policy but would continue encouraging users who have not accepted the terms so far to do so.

The Antitrust angle

When the update was announced, the Competition Commission of India (CCI) called for a probe into the matter, criticising the update’s take-it-or-leave-it nature. The commission criticised WhatsApp and Facebook’s abuse of their network effect in the Indian market, which in practice means limited choice for users to change platforms, as well as making entry difficult for new market players.

The CCI, vide its order dated 24 March 2021, took suo motu notice of WhatsApp’s policy update and interpreted it to be prima facie an instance of abuse of dominance in violation of Section 4 of the Competition Act, 2002. The CCI reasoned that WhatsApp, unlike in its previous iterations, was not providing users with a choice to opt out of sharing user data with Facebook companies and was forcing users to comply with its terms in an anti-competitive manner.

WhatsApp challenged CCI’s order in Delhi High Court, arguing that the CCI has exceeded its jurisdiction by taking account of a case that already has pending adjudication before the Delhi High Court and the Supreme Court. However, the DHC rejected WhatsApp’s challenge to CCI’s order, observing that though some issues may substantively be the same before the two fora, there can’t be an inviolable rule and that too because an issue was pending before the superior court.

Facebook argued before both the High Court and the CCI that it should not be made a part of these proceedings, as the companies operate as stand-alone legal entities. In response, the CCI reasoned that Facebook ultimately benefitted from the data-sharing arrangement, and so it rejected Facebook’s plea. The Delhi High Court also rejected Facebook’s arguments, finding merit in the CCI’s justification.

Conclusion

WhatsApp is a convenient messaging platform used by countless people all over the world. The chat app provides strong encryption of messages. However, it still comes with some possible threats to privacy, since it collects a lot of information about you, such as your phone number, location and contacts. This personal data is then shared across Facebook and its subsidiary companies, like Instagram.

Amidst these apprehensions from both the government and the public, and the resulting tussle with WhatsApp, it does not seem that WhatsApp’s privacy update will come into effect in India any time soon.

With two government warnings to date, it now seems unlikely that WhatsApp will push its update, some experts believe. If the question of banning WhatsApp arises, India can ban any app; however, banning WhatsApp would affect India-US relations on one hand and the daily communication of 400 million Indian users on the other.

WhatsApp’s continuing determination to pursue changes to its privacy policy, despite widespread opposition, can be understood by how big tech companies see growth in India’s blossoming, less-regulated digital economy.

However, to pacify the users and consumers of the messaging platform, WhatsApp has launched a massive drive to clear the confusion, build confidence and gain back their trust. WhatsApp came out with huge advertisements in the daily newspapers and has launched a frequently asked questions page at WhatsApp Help Center – Answering your questions about WhatsApp’s Privacy Policy.

Despite all the privacy concerns around the use of the WhatsApp platform for messaging, it remains the number one choice among users across the globe by ensuring that chats between users are end-to-end encrypted, ruling out the possibility of any third party reading them.

We at Data Secure (www.datasecure.ind.in) can help you understand Privacy and Trust while dealing with data, and provide Privacy Training and Awareness sessions to build on what you already know about Privacy.

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at info@datasecure.ind.in.

For downloading the various Global Privacy Laws kindly visit the Resources page in DATA SECURE – Privacy Automation Solution
