The hearing in the petition challenging WhatsApp’s privacy policy continued today. Arguments made during the course of yesterday’s proceedings can be accessed here. Before the respondents could resume their arguments on maintainability, the Additional Solicitor General made a brief representation on behalf of the Central Government. He submitted that even if the Court finds that a writ lies against the Government, it should refrain from issuing it as the Government was already in the process of framing a statutory regime for data protection. He stated that these binding regulations could be in the form of a statute, rules or Executive directions.

Counsel for Facebook subsequently resumed his arguments on the issue of maintainability of the special leave petition. He argued that the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘2011 Rules’) along with other provisions of the Information Technology Act 2000 (‘IT Act’) provided a complete regime for the collection, use and disclosure of personal information. He contended that it was not open to the petitioners to argue that these rules were insufficient, as that was squarely within the realm of public policy. Particularly with respect to the 2011 Rules, he stated that WhatsApp did not collect any of the eight categories of information covered by the definition of ‘sensitive personal data or information’[1].

The Court sought clarity on whether the respondents were covered by the 2011 Rules. For the intervenor, it was submitted that metadata was outside the ambit of the 2011 Rules. The petitioners’ counsel reiterated this, and also stated that the 2011 Rules were limited to only ‘sensitive personal information or data’, which excluded important information such as phone numbers. She also pointed out that on 24th August 2011, the Ministry of Communications & Information Technology had released a ‘clarification’, which restricted the applicability of the 2011 Rules only to companies located within India. All parties (as well as the bench) were baffled as to how a clarification could limit or amend the scope of statutory rules. For the time being, it appears that the Court will not be taking cognizance of this clarification.

Justice Dipak Mishra opined that an aggrieved citizen would be entitled to an alternate remedy if a violation of the rules also constituted a violation of a fundamental right. Facebook’s counsel responded stating that there was no violation of the rules in the instant case and that in any case, they were not required to take consent at all, considering they did not collect any sensitive personal information.

At this point, the Bench posed two questions to the petitioners. It asked for a clarification on the information collected by WhatsApp and an explanation on how metadata was generated. The petitioner’s counsel took the Court through several clauses of the policy including one where WhatsApp reserved the right to create ‘derivative works’ out of the content of a user’s message. She argued that notwithstanding the claim of end-to-end encryption, the language of the policy was ‘suitably ambiguous’ regarding access to content of messages. She also emphasized on WhatsApp’s access to other information, such as a user’s phonebook, which included numbers of individuals who were not users of the service. She argued that there was no privity or consent in the latter circumstance. With respect to metadata, she highlighted how it had the potential to reveal much more than actual data, enabling the private corporations to draw behavioral patterns. In her view, the fact that WhatsApp had been bought over for $19 billion signified that access to this data was a ‘goldmine’ for Facebook.

On behalf of Facebook, it was urged that besides the 2011 Rules, Sections 43A (compensation for failure to protect data), 45 (residuary penalty), 46 (power to adjudicate), 79 (exemption from liability of intermediary in certain cases) as well as the Information Technology (Intermediaries Guidelines) Rules 2011 created a complete code for the regulation of WhatsApp. It was also clarified that the sub-license clause in the policy was a standard clause, required to covert the message into its encrypted form. Additionally, Facebook offered to submit an affidavit to the effect that WhatsApp had not and could not access the content of a message.

Facebook elaborated on two other arguments made by it on the previous day –

1. The Court’s writ jurisdiction could not be invoked against a private party where the dispute was purely contractual. He also argued that neither WhatsApp nor Facebook performed a public function, or owed any public duty. Reliance was placed on Jatya Pal Singh v. Union of India (2013) 6 SCC 452, where the Supreme Court had held that service provided by telecom operators in a competitive market for commercial purposes did not amount to a public function. It further held that in order to establish public function, a party would have to ‘prove that the body seeks to achieve some collective benefit for the public or a section of public and [is] accepted by the public as having authority to do so.’
2. All submissions were couched on the issue of privacy or some form of it, which could not be raised in light of the pending reference. Facebook’s counsel took the Court through the reference order of 11 August 2015, highlighting that the determination of the very existence as well as scope of a fundamental right to privacy had been referred to the Chief Justice of India.

In response, the petitioners argued that pursuant to Secretary, Ministry of Information and Broadcasting v. Cricket Association of Bengal (1995) 2 SCC 161, electromagnetic waves facilitating transmission were a public good. While private, messages sent through WhatsApp were riding on a public medium. As per WhatsApp’s own policy, the service was intended as a replacement for conventional text messages. It was argued that a situation where telecom services were heavily regulated and licensed but Over The Top (OTT) services were not was anomalous. At this point, Facebook’s counsel interjected urging that the nature of an open Internet must be preserved. He argued that WhatsApp used the network of service providers that were properly licensed.

The petitioners’ counsel clarified that the argument was only intended to draw a comparison between competing choices from the point of view of a consumer. She stated that while licensing would be undesirable, OTT services must be subject to some form of regulation. The counsel for the intervenor also urged that they were strongly opposed to a licensing regime for OTT services. He urged the Court to take note of Vishakha v. State of Rajasthan, where the Supreme Court had found that the state had failed to protect and fulfill its obligation of safeguarding fundamental rights. As a result, it had framed interim guidelines for the prevention and redressal of workplace sexual harassment that would be applicable to all workplaces. Drawing an analogy, it was argued that the Supreme Court must step in in this case to frame appropriate guidelines for the protection of personal data.

Another argument advanced on behalf of the petitioner was that the contract between an individual and WhatsApp was unconscionable, and consequently attracted public policy considerations. With a user base of over 160 million, India was one of WhatsApp’s biggest markets. However, considering that the service was used by children as well as those who may not be literate, it was argued that the Court must step in to protect against procedural as well as substantive unconscionability. Placing reliance on the Italian anti-trust regulator’s decision to subject WhatsApp to a heavy fine, it was urged that WhatsApp owed the same public duty to Indian users.

The case has been adjourned to 21 July 2017, when arguments on maintainability are likely to conclude. It is believed that WhatsApp’s counsel will make additional submissions on this issue.

[1] Sensitive personal data or information of a person means such personal information which consists of information relating to;—

(i)  password;

(ii)  financial information such as Bank account or credit card or debit card or other payment instrument details ;

(iii)  physical, physiological and mental health condition;

(iv)  sexual orientation;

(v)  medical records and history;

(vi)  Biometric information;

(vii)  any detail relating to the above clauses as provided to body corporate for providing service; and

(viii)  any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: