The buzz around the WhatsApp privacy policy and a possible antidote

Data collection is indispensable and not the problem. The problem is the lack of safeguards and guidelines on how this data can be used.

Recently, WhatsApp directed its users to accept its revised privacy policy, failing which they would not be able to use the app. Already, much damage is occurring to the large user base of WhatsApp due to concerns being raised on its privacy policy. In this scenario, it becomes important to have a close look at the key clauses in the WhatsApp User Agreement.

We also look at how legislation passed by California can be used as a template to safeguard data privacy in India.

But first, a passing reference to the Third Party Doctrine.

Third Party Doctrine - Smith v. Maryland

As propounded by the United States Supreme Court, the third party doctrine in practical terms means that a person has no right of privacy over data that is voluntarily given up and is held by a company. The individual loses sole-propriety over such data.

Forty-two years down the road, the precedent still holds good and is frequently cited before courts around the globe by law enforcement agencies. It is because of such judicial trends that the collection, retention, use and sharing of personal data by companies like WhatsApp gains significance. Let’s look at the key terms contained in the WhatsApp User Agreement and how they play out.

Key Terms in WhatsApp Privacy Policy

1. Messages: The policy provides that the messages sent and received by users are not retained on WhatsApp servers in the usual course once they are delivered to their destination. These messages are stored locally on the sender’s and receiver’s mobile devices. However, when users back up their messages on cloud services like Apple’s iCloud or Google Drive, the messages are forwarded from the mobile device’s local storage to these cloud service providers and their use of this data is governed by their own privacy policies which need to be studied separately.

The non-retention of messages by WhatsApp on its servers appears to be a genuine step towards securing its users’ privacy inasmuch as law enforcement agencies cannot ask WhatsApp for disclosure of messages to them for the simple reason of non-availability of messages with the company. Messages, if obtained by anybody from the device’s local memory or cloud storage, are not attributable to WhatsApp. While WhatsApp is doing its level best at averting warrants to disclose messages by not storing them at all, iCloud and Google Drive obviously have to save this data on their servers as an inherent feature of the cloud technology.

Here, it is not the privacy policy of these companies but the local laws of the countries where the data is stored that decide whether disclosure of such data can be sought by law enforcement agencies or not. Therefore, greater sensitization amongst lawmakers globally is required to uphold privacy on this front.

2. Account information, connections, status information, location, transactions and payments data: All of this data including how users use WhatsApp, with whom and for how long they communicate, their geo-location, model and distinctive identifiers of the device and connection used, etc. are some pieces of personal information that are stored by WhatsApp for various purposes. The retention and use by WhatsApp of these pieces of information is necessary for operation of various basic features of the app. For example, when a user tries to share a picture from their phone’s gallery over WhatsApp, the app shows the most frequently contacted person at the top of the list. There is no way that this feature can work without collection and retention of usage and log information.

When better-than-ever-before features are always expected by users, the collection and retention of an even wider platter of data is a sine qua non for making it possible. Similarly, the sharing of this data with group companies is aimed at providing an overall better experience to each user by customising the app interface to the user’s personal liking. Sure, there is a risk of excessive disclosure of information for improper considerations, but for that, separate safeguards can be put in place.

Unlike messages, when all this information is collected and retained by WhatsApp, its disclosure (if at all required) becomes subject of the local laws of the countries where data is stored. The privacy policy on this front clearly reads:

“We access, preserve, and share your information described in the “Information We Collect” section of this Privacy Policy above if we have a good-faith belief that it is necessary to: (a) respond pursuant to applicable law or regulations, legal process, or government requests; (b) enforce our Terms and any other applicable terms and policies, including for investigations of potential violations; (c) detect, investigate, prevent, or address fraud and other illegal activity or security and technical issues; or (d) protect the rights, property, and safety of our users, WhatsApp, the other Facebook Companies, or others, including to prevent death or imminent bodily harm.”

Even if it were not explicitly stated in the privacy policy, requests for disclosure of retained information cannot be averted if the local laws of the countries where the data is stored mandate disclosure of data on the direction of law enforcement agencies.

3. Sharing of chats with business accounts: The storage of chats with business accounts and sharing of these chats with group companies is being assailed as the most gross violation of privacy of the users. But is it really that big an issue? Next time you visit a website for the first time, do note how quickly your finger hovers over and taps the ‘accept cookies’ button. A basic component of the modern internet, the sole function of these ‘cookies’ is to track your online activity and share that data with business and advertisement analysts and strategists. This data is in turn used to display content that you are likely to find interesting and engage with, based on your recorded behaviour. This is how YouTube recommends the most interesting videos and how you see an ad for the grey running shoes that you searched for on Amazon the previous day.

WhatsApp seeks to do the same thing (but by being honest about it). In fact, Justice Sanjeev Sachdeva justly commented while hearing a writ petition challenging WhatsApp’s privacy policy that it is a private app and users may choose to delete it if they feel that it compromises their privacy.

The present unrest among users is primarily due to the possibility of breach of their privacy by sharing of their personal data amongst corporate players for iniquitous considerations. What steps could be taken to tighten the noose on this front? Inspiration from a foreign law discussed below may hold the redeeming power.

Steps towards the solution

The foremost thing to realize is that we are beyond the point where we can agitate about collection and storage of personal data by businesses like WhatsApp after this fact is disclosed in their privacy policies. Data collection and storage is indispensable for development of technology. In these circumstances, greater emphasis must be placed on regulating the ways in which data can be utilised by them. To start with, a clue can be found in WhatsApp’s own privacy policy. It makes a reference to the California Consumer Privacy Act of 2018 (CCPA).

CCPA is a recent legislation which came into effect on January 1, 2020 in the US State of California. It is a sweeping legislation which mandates that businesses like WhatsApp tell customers what data they gather about them. The users have the right to seek information on the commercial purpose behind collection and sharing of their data, whether their personal data is sold or disclosed, and if so, to whom. The specific pieces of information so sold/disclosed can also be sought. Users can also place requests for deletion of data and give instructions to stop further sale/disclosure of their data to third parties.

The Act contains provisions which ensure that the users who exercise rights under the Act are not discriminated against or subjected to any form of retaliation by the businesses. Further, the Act provides for the establishment of the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the Act. Any business, service provider, contractor, or other person who violates the provisions of the Act can be served with injunctions and made liable to pay a civil penalty of not more than $2,500 for each violation and $7,500 for each intentional violation.

More than anything, the legislation is a concerted effort towards making the big tech companies conscious of what data they collect, how they collect it, how they use it and with whom they share it. This is surely going to have a sobering effect on companies who in some cases have been found to be rampantly sharing personal data of billions of users for iniquitous purposes. What happened in the case of Cambridge Analytica is a classic example. In Section 2 of the Bill which was ultimately passed, the legislature had declared:

“(e) Many businesses collect personal information from California consumers. They may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.

(f) The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.

(h) People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.”

The challenges concerning violation of privacy are almost similar across all jurisdictions. Therefore, it becomes necessary that such safeguards are put in place by the legislature in India as well. At the cost of repetition, data collection is indispensable and not the problem. The problem is the lack of safeguards and guidelines on how this data can be used.

Instead of writing letters to WhatsApp and requesting it to withdraw its privacy policy, the government should work towards rectifying the lacunae in the Personal Data Protection Bill, 2019 and get it enacted before it is too late. Though the Personal Data Protection Bill, 2019 removed various shortcomings of the 2018 Bill like diluting the requirement of data localization, yet the provisions which empower the government to exempt government agencies from provisions of the Bill have still been retained and can defeat its purpose. Data needs to be protected not only from the businesses but also from the so-called custodians of our democracy. It is time to tighten the noose.

The author is a Delhi-based lawyer with a penchant for tech and policy.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of Bar & Bench.
