On 25-8-2016, users of the popular messaging service WhatsApp started receiving popup updates on their screen in relation to privacy policy. The popup alert updates an user that they have 30 days till 25-9-2016 to click through the privacy policy update, opt out of data sharing, and prevent Facebook from suggesting friends or serving ads based on their WhatsApp data and usage patterns. After that, the users had an additional of 30 days to change their settings further.[1] While WhatsApp previously passed no user information to any entity and to Facebook since 2014, the new privacy policy allowed WhatsApp to directly integrate some user data with the social network behemoth. WhatsApp’s privacy policy update describes this as “improving your Facebook ads and products experiences”.
It is interesting to note that WhatsApp, which was launched in 2010 had in its initial privacy policy declared complete safety of user data and protection against any kind of data sharing so much so with total end to end encryption. It is even more surprising to note that the update popup only mentions the benign features like WhatsApp calling and document sharing capabilities, however once a user clicks “Read more” link, the actual motive to see of the data sharing arrangement begins to unfolds. The methodology adopted by WhatsApp to merge user data with Facebook, it should have given users opportunities to make choices about their privacy — starting with a clearer, more informative user interface and privacy policy updates rather than a hoodwinking approach of showcasing WhatsApp’s calling features. Further, the entire methodology reeks of unilateralist approach in sharing of data along with an opt-out approach. It is to be noted at this juncture that the consent seeking approach was more of a façade, as the methodology was of an opt-out mechanism, hence the fiction was already created that each user has already been considered for data sharing and if any user decides to withdraw (by unchecking a button) from the data sharing then he/she can opt out of the process. This presents a clear signal to the users on control they have on the user’s data and the limitless sharing and data mining WhatsApp or its related entities[2] are capable of.
The changes in data sharing is of less significance to an only WhatsApp user, but it gains paramount importance to a dual user of WhatsApp and Facebook. These changes allows Facebook access to several pieces of an user’s WhatsApp information, including the WhatsApp phone number, contact list, and usage data logs for e.g. last used and seen data, type of device used and type of OS you.[3] In addition, the privacy policy uses precisely crafted language such as “… your phone number and messages will not be shared onto Facebook”. The term “onto” is the operating part here as it only means that an user’s data or information will not be shared publicly on the Facebook platform/page. But the fact remains that the same will and shall unequivocally be shared with Facebook family of companies. WhatsApp did offer some insights for the change in the privacy policy ranging from fraud detection and spam to improvement of Facebook Ads. In a nutshell, getting a better count of unique users between the two platforms, and enabling “business to consumer” communication in the form of appointment reminders, flight updates, receipts, and other commercial notifications typically sent via SMS or email, relevant Facebook Ads, etc. are the driving force for this change. Simply put…. Ad revenue is the word. However, the same also enables Facebook to reach deeper depth into our digital selves. Interestingly, in an announcement accompanying the privacy policy update[4], WhatsApp offered the example of “an ad from a company you already work with, rather than one from someone you’ve never heard of” — a concept involving data coordination and data mining.
This sudden change in privacy standards has not gone unnoticed in the international level as well. In the United States, two groups have asked the FTC to require WhatsApp to obtain “express opt-in consent” from its existing users for the privacy policy change.[5]
In India, two students initiated a public interest litigation under Article 226 of the Constitution before the Delhi High Court (“High Court”) challenging this new privacy policy on the grounds that it violated the fundamental right to privacy of the users. The petitioners claimed relief seeking a prohibitory order in relation to sharing of details and data of WhatsApp user with any entity including Facebook and its group entities. Further, it also sought to give direction to the Union of India and TRAI to frame appropriate laws/regulations for messaging services. On 23-9-2016, the Delhi High Court approved this policy with some riders and observations.
The High Court noted that users of WhatsApp have voluntarily availed of that WhatsApp service and are parties to a private contract between themselves and WhatsApp. Further, the court referred primarily some provisions of the 2012 WhatsApp privacy policy; first, the policy provided that by using WhatsApp user’s consent to transferring their data and subjecting it to laws of California and secondly, it also specified that in case of a merger, WhatsApp reserves the right to transfer information collected by users. Looking at these to clauses, the Court said that the users cannot now argue that WhatsApp ought to be “compelled to continue the same terms and services”. The Delhi High Court very rightly observed that the reliefs claimed by the petitioners on the ground of infringement of the right to privacy under Article 21 is not tenable in light of the pending determination on the validity of the right itself by the Supreme Court of India.[6]
The High Court held that “the position regarding the existence of the fundamental right to privacy is yet to be authoritatively decided” referring to the matter referred to the constitutional Bench of the Supreme Court. Consequently, the court dismissed the many challenges to the privacy policy albeit with some caveats. First, the court ordered WhatsApp to delete all user information/data/details for such users who completely delete WhatsApp before 25-9-2016. Second, the court ordered that existing user information till 25-9-2016 shall not be shared with Facebook and group companies. Only data post 25-9-2016 may be shared. Third, the court ordered the relevant government departments to decide at the earliest whether internet messaging applications like WhatsApp can be brought under statutory regulatory framework.
As per information supplied to the website Mashable, WhatsApp has stated that they have no plan to comply with the court order and it will have “no impact on the planned policy and terms of service updates”.[7] What may have prompted WhatsApp to not to comply with the directions of the Delhi High Court is Para 18 of the order. Para 18 states that as the terms of service of WhatsApp is not traceable to any statutory provisions therefore issue espoused is not amenable to writ jurisdiction under Article 226. It is quite absurd to have this paragraph at one hand and on the other hand issue directions on the same issues by the High Court. However, on 30-9-2016 had issued a statement saying it will follow the court order in India: “WhatsApp will comply with the order from the Delhi High Court. We plan to proceed with the privacy policy and terms update in accordance with the Court’s order. The Court’s emphasis on the importance of user choice and consent is encouraging.”
* Sourav Dan graduated in 2013 with BSc LLB (Hons.) and is currently working as an Associate in Intellectual Property and Information Technology Team of a top full service law firm.
[1] This option was available only to the existing users of WhatsApp. New users did not have the option to refuse these expanded uses of their data.
[2] The complete list of Facebook family of companies is available at <https://www.facebook.com/help/111814505650678>.
[3] WhatsApp’s statement on information sharing: “We plan to share some information with Facebook and the Facebook family of companies that will allow us to coordinate more, such as to fight spam and abuse, and improve experiences across our services and those of Facebook and the Facebook family. For example, once you have accepted our updated terms and privacy policy, we will share some of your account information with Facebook and the Facebook family of companies, like the phone number you verified when you registered with WhatsApp, as well as the last time you used our service.”
[4] Announcement titled as “Looking ahead for WhatsApp”, <https://blog.whatsapp.com/10000627/Looking-ahead-for-WhatsApp>. WhatsApp is also getting ready to welcome other services such as banks, airlines on the app itself. WhatsApp’s own blog says this: These services are coming soon, and they will start testing it on the app.
[5] Complaint copy available at <https://epic.org/privacy/ftc/whatsapp/EPIC-CDD-FTC-WhatsApp-Complaint-2016.pdf>.
[6] Order dated 11-8-2015 passed by a three-Judge Bench of the Supreme Court in K.S. Puttaswamy v. Union of India, (2015) 8 SCC 735 : 2015 SCC OnLine SC 708 whereby the determination of the right to privacy under Article 21 of the Constitution has been referred to a larger Bench. The matter is currently pending. The matter was referred due to the inherent contradictions in the various decisions passed by the Supreme Court.
[7] <http://mashable.com/2016/09/28/whatsapp-privacy-policy-delhi-high-court-india/#jtr0xAdJ2SqP>.