- Apprentice Lawyer
We also look at how legislation passed by California can be used as a template to safeguard data privacy in India.
But first, a passing reference to the Third Party Doctrine.
Third Party Doctrine - Smith v. Maryland
As propounded by the United States Supreme Court, the third party doctrine in practical terms means that a person has no right of privacy over data that is voluntarily given up and is held by a company. The individual loses sole-propriety over such data.
Forty-two years down the road, the precedent still holds good and is frequently cited before courts around the globe by law enforcement agencies. It is because of such judicial trends that the collection, retention, use and sharing of personal data by companies like WhatsApp gains significance. Let’s look at the key terms contained in the WhatsApp User Agreement and how they play out.
1. Messages: The policy provides that the messages sent and received by users are not retained on WhatsApp servers in the usual course once they are delivered to their destination. These messages are stored locally on the sender’s and receiver’s mobile devices. However, when users back up their messages on cloud services like Apple’s iCloud or Google Drive, the messages are forwarded from the mobile device’s local storage to these cloud service providers and their use of this data is governed by their own privacy policies which need to be studied separately.
The non-retention of messages by WhatsApp on its servers appears to be a genuine step towards securing its users’ privacy inasmuch as law enforcement agencies cannot ask WhatsApp for disclosure of messages to them for the simple reason of non-availability of messages with the company. Messages, if obtained by anybody from the device’s local memory or cloud storage, are not attributable to WhatsApp. While WhatsApp is doing its level best at averting warrants to disclose messages by not storing them at all, iCloud and Google Drive obviously have to save this data on their servers as an inherent feature of the cloud technology.
2. Account information, connections, status information, location, transactions and payments data: All of this data including how users use WhatsApp, with whom and for how long they communicate, their geo-location, model and distinctive identifiers of the device and connection used, etc. are some pieces of personal information that are stored by WhatsApp for various purposes. The retention and use by WhatsApp of these pieces of information is necessary for operation of various basic features of the app. For example, when a user tries to share a picture from their phone’s gallery over WhatsApp, the app shows the most frequently contacted person at the top of the list. There is no way that this feature can work without collection and retention of usage and log information.
When better-than-ever-before features are always expected by users, the collection and retention of an even wider platter of data is a sine qua non for making it possible. Similarly, the sharing of this data with group companies is aimed at providing an overall better experience to each user by customising the app interface to the user’s personal liking. Sure, there is a risk of excessive disclosure of information for improper considerations, but for that, separate safeguards can be put in place.
3. Sharing of chats with business accounts: The storage of chats with business accounts and sharing of these chats with group companies is being assailed as the most gross violation of privacy of the users. But is it really that big an issue? Next time you visit a website for the first time, do note how quickly your finger hovers over and taps the ‘accept cookies’ button. A basic component of the modern internet, the sole function of these ‘cookies’, is to track your online activity and share that data with business and advertisement analysts and strategists. This data is in turn used to display content that you are likely to find interesting and engage in premised on your recorded behaviour. This is how YouTube recommends the most interesting videos and how you see an ad for the grey running shoes that your searched on Amazon the previous day.
The present unrest among users is primarily due to the possibility of breach of their privacy by sharing of their personal data amongst corporate players for iniquitous considerations. What steps could be taken to tighten the noose on this front? Inspiration from a foreign law discussed below may hold the redeeming power.
Steps towards the solution
CCPA is a recent legislation which came into effect on January 1, 2020 in the US State of California. It is a sweeping legislation which mandates that businesses like WhatsApp tell customers what data they gather about them. The users have the right to seek information on the commercial purpose behind collection and sharing of their data, whether their personal data is sold or disclosed, and if so, to whom. The specific pieces of information so sold/disclosed can also be sought. Users can also place requests for deletion of data and give instructions to stop further sale/disclosure of their data to third parties.
The Act contains provisions which ensure that the users who exercise rights under the Act are not discriminated against or subjected to any form of retaliation by the businesses. Further, the Act provides for the establishment of the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the Act. Any business, service provider, contractor, or other person who violates the provision of the Act can be served with injunctions and made liable to pay civil penalty of not more than $2,500 for each violation and $7,500 for each intentional violation.
More than anything, the legislation is a concerted effort towards making the big tech companies conscious of what data they collect, how they collect it, how they use it and with whom they share it. This is surely going to have a sobering effect on companies who in some cases have been found to be rampantly sharing personal data of billions of users for iniquitous purposes. What happened in the case of Cambridge Analytica is a classic example. In Section 2 of the Bill which was ultimately passed, the legislature had declared:
“(e) Many businesses collect personal information from California consumers. They may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.
(f) The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.
(h) People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.”
The challenges concerning violation of privacy are almost similar across all jurisdictions. Therefore, it becomes necessary that such safeguards are put in place by the legislature in India as well. At the cost of repetition, data collection is indispensable and not the problem. The problem is the lack of safeguards and guidelines on how this data can be used.
The author is a Delhi-based lawyer with a penchant for tech and policy.
Disclaimer: The views and opinions expressed in this article are those of the author's and do not necessarily reflect the views of Bar & Bench.