On August 25 2016, WhatsApp fundamentally changed its privacy policy in a manner that threatened to undermine privacy. In our previous post, we had explained how these changes allow WhatsApp to share account information (such as user’s phone number, contacts and profile picture etc.) with Facebook and other group companies compromising privacy of users. While user communication remains encrypted and secure, account information such as phone numbers, contacts etc. which are regarded by many as personally identifiable information may be shared.

A public interest litigation was filed before the Delhi High Court challenging the privacy policy on the grounds that it violated the fundamental right to privacy of users. On September 23 2016, the Delhi High approved this policy with some caveats (the High Court judgement can be accessed here).

In response to the contention of petitioners, the court noted that users of WhatsApp have ‘voluntarily’ availed of that service and are parties to a private contract. Further, the court noted some provisions of the 2012 WhatsApp privacy policy while arriving at this conclusion. First, the policy provided that by using WhatsApp user’s consent to transferring their data and subjecting it to laws of California. Second, it also specified that in case of a merger, WhatsApp reserves the right to transfer information collected by users. Looking at these to clauses, the Court said that the users cannot now argue that WhatsApp ought to be “compelled to continue the same terms and services”.

The court also dismissed the argument that the change violated the right to privacy emanating from Article 21 of the Constitution. It held that “the position regarding the existence of the fundamental right to privacy is yet to be authoritatively decided” referring to the matter referred to the constitutional bench of the Supreme Court. Consequently, the court dismissed the many challenges to the privacy policy albeit with some caveats. First, the court ordered WhatsApp to delete all user information/data/details for such users who completely delete WhatsApp before September 25 2016. Second, the court ordered that existing user information/data/details up till September 25 2016 will not be shared with Facebook and group companies. Only data post September 25 may be shared. Third, the court ordered the relevant government departments to decide at the earlier whether Internet Messaging Applications like “WhatsApp” can be brought under statutory regulatory framework.

In the absence of a comprehensive data protection law and the existence of a fundamental right to privacy in doubt – it may seem that there is little the High Court could do. However, since the reference of the Aadhaar matters to the Constitutional Bench multiple High Courts and even the Supreme Court (implicitly) has upheld the constitutional right to privacy. The High Court missed the opportunity to uphold 40 years of the Supreme Court’s jurisprudence on privacy which the Government is trying to overturn. Moreover, the direction to assess whether instant messaging (IM) applications can be brought within a regulatory framework should be closely watched. Any regulation of these services will require an amendment to the Telegraph Act and can have far reaching implications on the right to freedom of expression and the right to privacy.