WhatsApp updated its privacy policy on August 25, 2016 for the first time since its acquisition by Facebook in October 2015. As per the updated policy, WhatsApp will now share limited user information including name/phone number with Facebook so as to serve more relevant ads and improve product experiences, and users were given a 30-day grace period to opt-out of sharing their data under the new policy. Soon after the policy was updated, a petition was filed in public interest before the Delhi High Court [Karmanya Singh Sareen & Anr. v. U.O.I & Ors. (W.P.(C) 7663/2016)] against WhatsApp, Facebook, Union of India (UOI) through its Department of Telecommunications (DoT) and the Telecom Regulatory Authority of India (TRAI) by two students, Karmanya Singh Sareen and Shreya Sethi, contending that the new policy severely compromised the rights of users and violated their privacy. They prayed to the Court that WhatsApp should undo the changes to its privacy policy, and also requested that the government be ordered to frame rules or guidelines so that Internet-based messaging apps do not compromise on users privacy.
This case becomes all the more interesting considering how Facebook has faced similar challenges in both the European Union (EU) and United States (US) over WhatsApp’s privacy policy changes, with both European privacy regulators and the US Federal Trade Commission (FTC) conducting independent inquiries into the matter. According to a statement issued by current chair of G29 (Article 29 Working Party; European privacy regulators), each European authority would be following the changes made to Whatsapp privacy policy “with great vigilance” and in their collective opinion, “what’s at stake is individual control of one’s data when they are combined by Internet giants.”1 The FTC is also looking into a complaint filed by the Electronic Privacy Information Center and the Center for Digital Democracy, in which they argue that using user data for advertising would fall under “unfair and deceptive trade practices.”2
Grounds
The PIL before the Delhi Hight Court raised some interesting grounds:
That the change in privacy policy would result in violation of the petitioners’ fundamental rights enshrined under Article 14, 19 and 21.
That the details and data of users of such a service belongs to the users and not the service provider, who only provides a medium to operate that service and thus, the latter is not entitled to any claim on the user data and the users should retain ownership at all times.
That the complete security and protection of users’ privacy and data has remained an essential, significant and basic feature of WhatsApp and the proposed change will severely compromise the rights of the users by sharing data with Facebook and its group of companies.
That the consent obtained is deceptive as a huge chunk of WhatsApp users in India are not equipped to comprehend solicitation of consent, which means any obtainment of consent should be done on an opt-in, rather than an opt-out basis.
That in the absence of any guidelines/regulations, there is a threat not only to the privacy and personal rights of the users, but also to the safety and security of the nation.
That the new policy enables WhatsApp to obtain a worldwide, non-exclusive license to all the users’ data (including images/video/audio) and by extension, to exploit this data for any purpose including creation of derivative works. Such a licensing is illegal as it involves minors below 18 years of age, who would be incapable under law of granting such licenses.
That confidentiality and privacy are also the statutory rights of the users granted under the Information Technology Act, 2000. Section 72 penalizes breach of these rights with imprisonment for a term not exceeding 2 years and/or a fine of Rs. 1 lakh.
That such acts of WhatsApp are impermissible and illegal because they have not followed the provisions of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. The terms “consent” and “disclosure” deserve to be interpreted so as to ensure that entities like WhatsApp are obliged to make full and true disclosure of the consequences of their privacy policy and only then should they permitted to operate i.e. after obtaining well-informed consent from the users.
That WhatsApp has misled its users as they built their user base on a commitment that they would not collect user data for commercial purposes and any reversal of this stand would be hit by the principle of Estoppel.
That through Facebook’s ownership of WhatsApp, Facebook has acquired the phone numbers and other information of millions of users worldwide, enabling them to build complete profiles of these users without consent to. Such a breach of privacy is tantamount to an act of coercing consent from users.
That there is settled jurisprudence that a company may not alter the privacy settings of its users without aptly informing them, which WhatsApp failed to observe, thereby denying the users the freedom to choose another product if they had anticipated such a change in policy.
Litigation
Day 1, 30th August 2016:
The matter was listed and came up before a two-judge bench comprising Chief Justice G Rohini and Justice Sangita Dhingra Sehgal. Only the counsels for DoT and TRAI i.e. Respondents 1 & 5 were present, and they accepted the notice and sought time to get instructions regarding the issues raised in the writ petition from their respective clients.
The bench expressed grave concern on the issue of compromising user privacy, and ordered both DoT and TRAI, to file responses by 14th September.
On hearing the petitioner;s submissions, the Chief Justice enquired of WhatsApp whether data is retained of those users who delete their accounts because they no longer wish to use WhatsApp. To this, WhatsApp submitted that once a user chooses to delete their account, the information belonging to that user is no longer retained on servers. However, other users with whom the outgoing user may have interacted with or shared any data will retain copies of the messages. WhatsApp does not retain anything on their servers, except for undelivered messages which may be kept for a period of up to 30 days until they are finally delivered.
WhatsApp also submitted that the petitioners are using the terms “user data” and “user information” interchangeably when there is a clear difference between the two. For users who accept the new privacy policy and decide to use their services, limited sharing of “user information” takes place (name/phone number) and no “user data” is shared by WhatsApp.
This was again opposed by Petitioners by pointing out that information as defined in the new policy includes messages sent by users. They further argued that according to the new policy, when many people are sharing a popular photo or video, WhatsApp retains that content on their servers for a longer period of time. This, according to the petitioners, implies that there is no encryption and they are looking at the content that is being shared by users.
After hearing both the sides, the bench said that it will pass an appropriate order on 23rd September.