WhatsApp’s decision to introduce an updated privacy policy has led it to its first legal challenge in India, with petitioners concerned about its detrimental impact on users’ right to privacy. The hue and cry around the update have precipitated a rise in scepticism surrounding the use of the app, with a survey by Cybermedia Research reporting that 79% of users were reconsidering using the application. More concerningly, 29% were committed to deleting the app altogether once the update was implemented. Admittedly, the false information surrounding the update is rampant. However, WhatsApp’s new policy has instigated an awakening amongst the Indian audience about the importance of data privacy, with a petition filed in a Supreme Court about how the current policy discriminates between European and Indian users. However, while it would serve India well to borrow from Europe’s data privacy framework, is this comparison even fair?
The allegation of discriminatory treatment of Indian users is based on the fact that the tech company has publicly reassured European audiences that the update was not applicable to them and that European users’ information would not be shared with the parent company—Facebook. Niamh Sweeney, WhatsApp’s Director for Policy in Europe, said, “It has been incorrectly reported that WhatsApp’s latest Terms of Service and Privacy Policy update requires users in the European region to agree to the sharing of data with Facebook for ads purposes.” This clearly exhibits that there is a different standard for data protection in Europe than in India.
That being said, while this does demonstrate a divergent approach in the application of the policy, the comparison is unjustified. To begin with, the authorities in the European Union (EU) and India treat their citizen’s privacy very differently, which is apparent from the legal framework surrounding the issue and its enforcement.
The European standard for data privacy and protection is one of the most stringent in the world and is ably-supported by the General Data Protection Regulation (GDPR), which was brought into effect in 2018. It not only extensively protects European users’ data, such as mandating the use of personal data for the purpose it was collected for, but also imposes remarkably high penalties on violators. For instance, in 2017, after an investigation by the European Commission concluded that Facebook had misled users about the WhatsApp takeover, it was penalised with a fine of around $ 110 million.
Meanwhile, Indian policymakers continue to delay the introduction of a comprehensive policy on the issue. The current law governing the subject is the Information Technology Act, 2000, which primarily focuses on cybercrimes and the nature of intermediaries’ liabilities, such as Facebook and Twitter, for content on their platforms. The Act does include a cursory mention of the importance of protecting personal data; section 43A of the law requires companies who handle their users’ private information or data negligently to compensate the person affected. However, this law is insufficient, as it not only fails to provide a clear definition of what constitutes “negligence” but also faces significant issues in enforcement. This is primarily because the law relies on the user to identify that their data has been used illegally, and then approach the court for the undetermined amount of compensation. Imposing the responsibility for an extensive assessment of the validity and value of their claim on users acts as a natural deterrent for them to access the remedies available in the law.
Meanwhile, apart from the exorbitant penalties, the GDPR also allows for government authorities to call such companies out for their illegal use of data. With the responsibility of ensuring compliance with the law lying with authorities specifically set up for data protection, the checks are more vigilant, consequently making the laws are more actively implemented. These robust laws, combined with the exorbitant penalties that the violation of these laws attracts, are the reason why companies like Facebook treat Europeans’ right to privacy differently.
The Indian Personal Data Protection (PDP) Bill, 2019 would have brought the Indian regime closer to the European one and was viewed by experts and advocacy groups as a definite step in the right direction. Yet, the introduction of the law continues to be delayed, as it has been referred to the Parliament’s Joint Parliamentary Committee, who is yet to present its report on the matter, leaving the issue of data privacy in India severely unaddressed.
The delay in passing the PDP has had a direct impact on the current controversy. For example, despite several reassurances from WhatsApp attempting to debunk the false information surrounding the update, the primary concern of experts is the change in the policy on the use of “metadata”. This means that while personal messages continue to remain encrypted, all other information, such as the phone number, information about the make and model of your device, contacts, duration of use of WhatsApp, and other such information can be disclosed to Facebook, who can then pass it onto businesses for targeted advertising. These issues would not have arisen had the PDP been implemented, as it replicated the GDPR in requiring data to be used for the purpose it has been collected for. Moreover, it also allows for a penalty of up to Rs. 15 crores being imposed on the violators of this provision. However, in the absence of the PDP, the Indian MEITY is left with no option but to urge WhatsApp to revoke the policy, or, in the worst-case scenario, ban the app altogether.
While India urgently requires a law protecting its users’ data, policymakers must be wary of the impacts of such policies. Prior to the implementation of the European law, an Impact Assessment report published by the European Commission, showed that the enactment of the GDPR would have severe economic consequences in terms of Gross Domestic Product (GDP) and employment. It also concluded that it would specifically impact small and medium-sized enterprises (SMEs), whom the Indian government has been working hard to empower. Moreover, the Impact Assessment report published by the United Kingdom evidenced that such a policy would in fact benefit large multinational corporations at the cost of SMEs, who will struggle to make profits due to the compliance costs.
If a GDPR-like policy is brought in, a similar impact can be expected on the Indian economy, too. In fact, a study done by the European Centre for International Political Economic concluded that a GDPR-like law in India would result in a 0.8% loss in the GDP and a further reduction of 1.4% in domestic investment. Therefore, blindly applauding the GDPR and following in its footsteps is not the solution, especially in a pandemic-struck economy. Indian policymakers must instead seek to establish a well-balanced law that protects the data of its 1.3 billion population while continuing to acknowledge the importance of incentivising and protecting SMEs and foreign investments. However, finding such a solution is an admittedly herculean task to complete and, in all probability, the economic goals of the government and businesses will have to be compromised on to achieve the level of data privacy that the Indian audience is now calling for.
WhatsApp’s recent policy is being challenged in the Indian Supreme Court and is subject to an assessment by the country’s Ministry of Electronics and Information Technology (MEITY). However, it faces a bigger threat from the barrage of false information surrounding data privacy. Nevertheless, this accidental awakening has resulted in a lot of other concerns surrounding the policy being pushed into the forefront. While the issue of data privacy has been increasingly attracting public scrutiny, such as with concerns being raised about the Aadhar card data and the Aarogya Setu application, the current call is unlike any other. Despite being instigated by a combination of genuine and misplaced concerns, advocacy groups need to ride the current wave and push lawmakers for more stringent data privacy and protection policy However, they must remain wary of the potential economic sacrifices the country will have to make in order to satisfy their demands.
Does WhatsApp’s New Privacy Policy Truly Discriminate Against Indians?
Several Indians are concerned about WhatsApp treating Indian and European privacy rights differently. However, Indian policymakers, not WhatsApp, are to blame for this.
February 4, 2021
SOURCE: FINANCIAL TIMES