Last week, the Supreme Court admitted a petition challenging the Delhi High Court’s judgment upholding WhatsApp’s updated privacy policy. The revised policy allows it to share user data with its parent company, Facebook. While the petitioners were granted some relief, the High Court refused to consider whether the policy had violated individuals’ right to privacy. In the Court’s opinion, this was not a valid ground as the question of existence and scope of a constitutional right to privacy is pending before the Supreme Court of India.

WhatsApp’s updated privacy policy has sparked privacy concerns globally. Regulatory actions against the company are currently pending in Germany, UK and the US. Amongst other things, most regulators fear that the manner of seeking consent doesn’t allow users to understand the full import of how data will be shared and used. Under pressure from several data protection authorities in Europe, Facebook later announced that data sharing between the two companies would be temporarily suspended.

In light of the privacy concerns surrounding the use of WhatsApp, this post analyses its privacy policy to understand its information practices. A privacy policy is a statement that explains how a company handles the personal information collected by it. The policy is analysed against nine privacy principles articulated under the 2012 Report of the Group of Experts on Privacy (‘2012 GoE Report’). The Group was tasked with making recommendations for a draft Privacy Bill in India. The nine privacy principles enunciated under the 2012 GoE Report stem from internationally accepted data protection norms. These principles are listed below along with an analysis of WhatsApp’s privacy policy against each principle –

1. Notice

This principle requires that users know and fully understand a company’s information practices before consenting to them. It includes informing users if and when there is a change to the policy and notification in the event of a data breach.

The WhatsApp privacy policy (‘privacy policy’ or ‘policy’) states that users will be given notice of any amendments to the policy. However, the policy fails to mention if notice will be given before introducing a change or after. The former is arguably better as it gives users time to decide if they want to continue using the service. The policy is also silent on data breach notifications. That is, users do not have a right to be informed if their personal information has been compromised for any reason.

2. Choice and Consent

Wherever reasonably possible, users must have a choice regarding providing some or all of their personal information. The collection, use or disclosure of information must be pursuant to consent from users.

The policy contains nothing about the choices available to users to share their information with WhatsApp. Under the section ‘Managing Your Information’, it is stated that users can control how much of their information will be visible to others on the platform. However, it does not specify how users can effect these changes. Under Settings -> Account -> Privacy, users can customize their settings for ‘Last Seen’, profile picture and status updates. However, the choice is limited to sharing information with other users, and not with WhatsApp itself.

The policy does not mention the permissions required by the WhatsApp application to run on one’s device. These are extensive and include access to one’s camera, contacts, location, SMS and microphone amongst others.

3. Collection Limitation

This principle states that only personal information which is necessary for the identified purpose should be collected. Collection must be lawful and fair.

Broadly, WhatsApp specifies three kinds of information collected by it. First, it collects information that is directly provided by users. This includes a user’s phone number, a profile picture as well as access to all contacts. Notably, WhatsApp not only collects the phone numbers of existing users, but also of those contacts who do not use the application. As per the policy, sharing such numbers amounts to an acknowledgement that a user has the authority to do so. This is legally dubious as it gives WhatsApp access to an individual’s personal information without their consent or knowledge.

Messages are ordinarily stored on a user’s device. Only if a message is undelivered is it stored on the company’s servers for a period of 30 days. The messages are end-to-end encrypted, meaning that no one (including WhatsApp) can read them. However, recent reports have exposed a vulnerability in WhatsApp’s system which allows the interception of messages if a device is offline. The policy has not been updated to show if WhatsApp has resolved this vulnerability.

Secondly, WhatsApp automatically collects certain information related to one’s activity on the platform including log files and information about one’s device. It also places cookies on the device to remember preferences.

Thirdly, WhatsApp collects information about users through several third parties. These can include other users. This allows WhatsApp to gather information about who we talk to, and what groups are common between users. Additionally, the company works with certain ‘third party providers’ to improve and market its services and collects personal information from them as well. This clause is vaguely drafted and there is no way to tell which information collection is legitimate and which is not.

The failure to identify any third party and limit avenues for collection of information raises concerns. There is also uncertainty with respect to how long information is stored. If a user deletes their WhatsApp account, the company deletes their undelivered messages ‘as well as any…other information we no longer need to operate and provide our Services’. The failure to specify what information is retained and for how long is problematic.

Pertinently, this deletion clause is also in contravention of the Delhi High Court’s judgment in the WhatsApp case, which held that for users who chose to delete their accounts (before the updated policy came into force), all information must be deleted.

4. Purpose Limitation

Personal information must only be collected and used for specific and explicitly stated purposes. This principle prohibits the recycling of personal information for different purposes.

The policy states several uses for the information collected. WhatsApp uses user information to provide services such as customer support and to test new features. It is also verifies accounts and investigates suspicious activity. The policy is vague when it describes other uses for users’ personal information. WhatsApp ‘may’ use personal information for marketing its services and that of the Facebook family of companies (‘affiliated companies’), of which there are 11. It also uses this information to allow third party businesses to contact users through WhatsApp. There is no fixed purpose for this – these third parties can contact users for anything from ongoing transactions to marketing.

As a general remark, the policy states that it may use the information it receives from other affiliated companies and vice-versa. This recycling of information by different entities and for different purposes is exactly what this principle seeks to avoid. These clauses are vague, allowing WhatsApp to scale up its use of users’ personal information without actually having to inform them or seek consent again.

5. Access and Correction

Users should have the right to access their personal information and amend or delete it if inaccurate. This right extends to obtaining a copy of their personal information.

Users are free to amend their personal information, including their phone numbers. However, there is no provision to obtain a copy of one’s information held by WhatsApp.

6. Disclosure of Information

Users must be informed of how their personal information will be disclosed, and must give express consent to such disclosure. The privacy policy must identify the recipients or at least, a category of intended recipients for such consent to be meaningful.

WhatsApp discloses personal information to certain unidentified third parties. These third parties can be anyone who WhatsApp contracts with to operate, promote or market its services. This information is shared ‘in accordance with [WhatsApp’s] instructions…or with express permission from [the user]’. Therefore, a user’s consent is merely optional and one has little knowledge about the terms on which such information has been disclosed.

If a user uses third party services such as Google Drive or iCloud to back up their WhatsApp data, information received by them will be shared in accordance with their respective privacy policies.

7. Security

This principle requires companies to adopt reasonable security safeguards to protect against loss, unauthorised access, destruction, use or disclosure of personal information.

The policy only mentions that the platform supports end-to-end encryption for messages and ‘other security features’. There is no general description of what these are.

8. Openness

Information and security practices must be transparent and easily accessible.

The vague language of the policy makes it difficult to understand how information is used and the parties it is disclosed to.

9. Accountability

Companies must be held accountable for compliance with data protection principles. An important aspect of accountability is appointing a grievance redressal officer for addressing privacy concerns.

The policy only lists a physical address for raising privacy concerns. A separate ‘contact us’ link redirects users to a form with pre-set questions. The questions are far from exhaustive – important questions related to choice and security practices are visibly absent. Ironically, for business inquiries and product support, a direct email is provided. A similar provision for privacy concerns is noticeably absent.

In the absence of a comprehensive data protection statute incorporating these principles, there is little regulatory oversight over how private entities handle personal information. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 are extremely narrow in scope and mostly apply only to ‘sensitive personal information’, which excludes valuable personal information such as names and phone numbers etc. This leaves individuals with little recourse when a company’s information practices create cause for concern. However, even in the absence of such a law, the ubiquity of WhatsApp as an Internet messaging platform uniquely positions it to take note of these concerns and address them by suitable amendments to its privacy policy.