Ahead of WhatsApp’s deeper integration into the Facebook group of companies (“Facebook Companies”) and acceleration of interoperability of Facebook Messenger, Instagram and WhatsApp, on January 4, 2021 WhatsApp LLC (“WhatsApp”), owned by Facebook Inc., updated its privacy policy (“Policy”) and requested its users to accept the same before February 8, 2021. The most significant change in the Policy related to WhatsApp’s data sharing arrangement with third-party service providers and with other Facebook Companies whose products are integrated with WhatsApp services. As stated by WhatsApp, the objective behind the Policy update was to explain to the users the categories of data it collects and the manner in which it shares that information with its parent company, and to further inform its users that some businesses who use WhatsApp business account services would soon be able to use Facebook-owned servers to store messages of consumers. However, soon thereafter, various interpretations started floating in the market, which confused users concerned about the privacy of their private chats. This confusion led to a severe drop in WhatsApp’s userbase and a sudden spike in the number of users of competing applications, such as Signal and Telegram. Given the confusion and the negative user sentiment, WhatsApp for now has pushed the deadline for the acceptance of the Policy to May 15, 2021.

Based on the significant changes in the Policy and the privacy concerns among users, the Ministry of Electronics and Information Technology (“MEITY”), pursuant to its analysis of the Policy, has sent a list of 14 (fourteen) questions to WhatsApp on data security concerns. Some of the key questions pertain to disclosure of the categories of data collected by WhatsApp from its Indian users, details of the permissions and user consent sought by WhatsApp, the utility of each permission with respect to the functioning and specific service provided, and the difference between the Policy in other countries and in India. Further, it is noted that MEITY has asked Will Cathcart, global Chief Executive Officer of WhatsApp, to withdraw the proposed changes to the Policy for Indian users. Objecting to the ‘all-or-nothing’ approach of WhatsApp, MEITY has further asked WhatsApp to explain the reason for the differential treatment of the Indian users.

We have analysed in detail the key changes proposed in the Policy and its likely impact below:

Key Changes under the Amended Policy:

Acceptance of the updated Policy:

As discussed above, WhatsApp had initially requested its users to accept the amended Policy by February 8, 2020 in order to keep using their WhatsApp accounts post such deadline. However, this deadline has been further pushed to May 15, 2021. From the re-worded Policy, it appears that the users who do not accept the new Policy by such deadline, will not be able to use the application anymore.

Option to opt-out?

While the former Policy also allowed WhatsApp to share user data with Facebook Companies for better advertisement targeting, the users had a discretion to opt out of this feature and keep continuing the use of the application without such feature. However, under the amended Policy, this doesn’t appear to be the case.

Information collected by WhatsApp:

Upon review of the updated Policy, we note that WhatsApp proposes to collect the following user information (not an exhaustive list): phone number, profile name, profile photo, profile status, last seen information, battery level of the phone, IMEI number of the handset, hardware model, signal strength, browser information, language and time zones, network services etc. used by the user, transaction and payments data (discussed below), and business communications on WhatsApp (discussed below). It is stated in the Policy that the information collected by WhatsApp shall be used to “operate, provide, improve, understand, customize, support and market” WhatsApp services.

Business on WhatsApp:

WhatsApp business service will allow businesses to interact with regular users on the application using a variety of commercial features such as in-app purchases, business communication, sending order confirmations, flight tickets, tickets to other events, status updates, etc. The Policy states that while the chats between a user and a business are end-to-end encrypted, once the message is received, it will be subject to the business’s own privacy practices, and such businesses may share the same with WhatsApp and/or third-party service providers, which may include Facebook Companies. Accordingly, WhatsApp may keep track of the kinds of services or businesses the user interacts with and use such information and/or share it with Facebook Companies or such other third parties associated with it. Thus, this is likely to become WhatsApp’s data monetisation tool to be offered to entities who intend to purchase or use such consumer-specific information for understanding consumer preferences and targeted advertisement campaigns.

It also states that the content provided to a business may be accessible by “several people in that business.” This is important because, as per published reports, WhatsApp has nearly 50 (fifty) million business accounts globally. Therefore, in allowing businesses to further integrate other services into the application, the business account users of WhatsApp may not seek explicit consent of the non-business account users to share with anyone their data such as the transcripts of chat, user location (home address), financial information like bank account details etc.

Further, quite clearly, WhatsApp is proposing to shift the liability of maintaining privacy of the information shared by the users with the business accounts to such business entities. Given that most of these business account users may be small unorganised businesses, we are not sure how these business account users will ensure protection of user data and comply with applicable laws. Also, it is yet to be seen if WhatsApp will require such business account users to adopt and adhere to minimum data privacy requirements before signing up to the WhatsApp Business accounts and what will be the liability of WhatsApp if these business users falter. In our considered opinion, being a platform and connecting both business and non-business users i.e., sellers and buyers, it should be the primary obligation of WhatsApp to ensure that all the personal information of the users is protected. In this context, please note that India’s social media intermediary guidelines are still in the works and the current legal regime is not adequate to pin such responsibility onto intermediaries.

Inter-portability of User Data:

Facebook has already combined the direct messaging of Instagram and the Facebook messenger into one application as the Messenger and now it is in the process of integrating WhatsApp with these applications. Although such integration of these three applications together may offer a better user experience, the probable exchange of user data across these platforms needs to be scrutinised.

Further, as WhatsApp will be able to receive information from, and share information with, other Facebook Companies, it may keep track of every digital footprint a user leaves behind, right from accessing the user’s browser information, financial transactions, and their engagements with different business entities and so on.

Additionally, we note that on WhatsApp, once a user allows WhatsApp to access its phone’s address book (contact list), such information will be stored by WhatsApp. This means that, if the user is in somebody else’s contact list and they are using WhatsApp, such user may be added to the group chats and the broadcast lists by others who have the contact information of such user without any permission or consent. This feature may most likely be used by people using a WhatsApp business account to target their marketing services by simply adding the users to a broadcast list or WhatsApp group and sending bulk messages to 256 (two hundred fifty six) people at once (that is the maximum number of persons to whom a message can be broadcast and also the maximum strength of a WhatsApp group). It is important to note here that, in broadcast lists, only the person originating a message will have the user number, but if the user is added to a group created by a business entity, then other members of the group may be able to see the user’s number and other profile information such as profile photo and profile name on WhatsApp. Amidst the confusion, WhatsApp, in the recent FAQ, stated that it will use group membership only to deliver messages and protect such services from spam and abuse. Further, it stated that WhatsApp will not share the group chat data with Facebook for advertising as these are private chats and have end-to-end encryption. However, in our view, in the event any business account is added to the group chat, the data shared by the users may become accessible to such business account. We have to wait for further clarification from WhatsApp in this regard.

Storage of Payment Information by WhatsApp:

Given that WhatsApp received the nod to roll out its UPI-based payment service viz. WhatsApp Pay, the Policy also refers to storage of information pertaining to a transaction made via the application. Accordingly, if a person uses the payment service or uses the WhatsApp services meant for purchases or other financial transactions, WhatsApp will process additional information about the user, including payment account and transaction information. The payment account and transaction information may include the information needed to complete the transaction such as the mode of payment made or elected by the user (UPI/debit and credit card, online wallets etc.), shipping details like address/location of the user, and transaction amount.

While the Policy does refer to such payment services being governed by its privacy practices as described in the applicable payments privacy policy, collection and storage of such information by WhatsApp must be reviewed from the perspective of the Reserve Bank of India’s data localisation norms, which mandate storage of all payment systems data in India.

What happens to the Private Chats with Friends and Family?

The Policy states that personal chats will be end-to-end encrypted and protected. Neither WhatsApp nor third parties associated with WhatsApp will be allowed to read these conversations. However, in group chats, the information like contact number and the profile photo of the user can be seen by anyone.

Amidst the widespread privacy concerns among the users, WhatsApp has clarified through a FAQ on its portal that neither WhatsApp nor Facebook can read the content of the private messages or hear the user calls. In addition to that, it is explained that WhatsApp does not keep the logs of such messages and calls and does not share the user contacts with Facebook.

No Third-Party Banner Ads on WhatsApp:

Unlike other social media platforms that use third-party advertisement banners in the in-app features (based on the user information and access to such app), WhatsApp continues to claim, as under the archived Policy, that it still does not allow third-party banner ads and does not intend to introduce any such feature on its platform yet. In future, WhatsApp may introduce this feature by updating its Policy. It may be noted that Facebook doesn’t qualify as a third party and thus users may see ads of Facebook Companies’ products. An explicit provision has also been included in the Policy that the users will get offers and ads across all Facebook Companies’ products.

Global transfer of user information collected by WhatsApp with its data centres outside India:

According to the Policy, WhatsApp claims that it will share the user information “both internally with Facebook Companies and externally with its partners and service providers” around the world. The storage and usage of such data will be regulated by the privacy and data protection laws of the country where such data centres are located. For example, a user’s information may be transferred or transmitted to, or stored and processed in, the United States, or in a country or countries outside of where the user lives for the purposes as described in the Policy.

In this regard, we note that while WhatsApp Pay received permission for launch in India post confirmation by the National Payments Commission of India in relation to WhatsApp’s compliance with RBI’s data localisation parameters, there are concerns around such compliance. As stated above, the updated Policy, like its previous avatar, allows WhatsApp to transfer information outside the user’s country of residence, and no exception has been made, whether in relation to India or any other country, in connection with any data localisation norms.

Policy in EU:

For the users located in the European Union (“EU”), a separate Privacy Policy is framed by WhatsApp because the data transfer of users in EU is restricted by the General Data Protection Regulations (“GDPR”). Given the stiffer impediments under the GDPR, WhatsApp users in EU countries will not have their data shared with third parties. This differential approach of WhatsApp is heavily criticized by the Government of India.

India’s Data Protection Regulatory Framework vis a vis the updated Policy:

India lacks a dedicated law on privacy, cyber security and data localisation. The current data privacy regime viz. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Privacy Rules”) sits under the Information Technology Act, 2000 (“IT Act”), is not sufficient to protect all kinds of data and is merely indicative of the practices and procedures to be followed. Had India had a robust legal regime, WhatsApp may have issued a Policy in line with the Policy in EU.

We note that, as per the government sources, the Policy may impact the status of WhatsApp as an ‘intermediary’ as defined under the Information Technology (Intermediaries guidelines) Rules, 2011 (“IT Intermediary Guidelines”) issued under the IT Act. The IT Intermediary Guidelines impose strict obligations upon an intermediary to put in place proper safeguards to ensure that all the personal information of a person is protected at all costs by such intermediary. Therefore, collection by WhatsApp of information pertaining to financial settlements and location of the user raises serious issues and the Policy must be reviewed from the perspective of the IT Intermediary Guidelines.

Under the IT Act, intermediaries are protected from any liability by virtue of the ‘safe harbour rules’. The rationale behind this protection is that intermediaries are not the owners of the data, but they only host such data or get access to such data in the course of transmission or publication of information. Thus, they are not liable for anything unlawful hosted on their platforms but can be required to remove any unlawful content, once directed by the appropriate authority. In case the intermediary fails to do so or it is found that there is contributory default on the part of the intermediary, such intermediary can be made liable for an action.

There is also a view that if WhatsApp decides to share the user data with Facebook Companies, this will effectively make them the owner of such data and hence may not qualify as an intermediary to be afforded any immunity. The intermediaries are neither supposed to be the owners of the data nor exercise any control over it. Considering this adverse impact, MEITY has stated that it will examine the Policy in detail and accordingly amend the IT Intermediary Guidelines to build adequate safeguards against such policies of sharing data with other entities.

MEITY has also asked WhatsApp to provide reasons for bringing such significant changes in the Policy at a time when India is in the process of finalising the much-awaited Personal Data Protection Bill, 2019 (“Data Protection Bill”), which places a strong reliance on the principle of ‘purpose limitation’ with regard to data processing. The wide integration of data of Indian users with other Facebook Companies would make it difficult for WhatsApp to follow this principle as soon as the Data Protection Bill is effective.

Impact on Corporates and Start-Up:

As per the media reports, a few corporates and multinational companies have notified their employees against using WhatsApp for conducting official business or sharing any company information thereon. Sharing of any official data or sensitive information on the WhatsApp business account may lead to privacy concerns and may expose the corporates’ information to third parties. Issuing advisories may not suffice and the corporates may consider revamping their communication policies and agreements with employees or third parties to restrain them from using the business account for conducting any official work. More importantly, organisations need to look for alternate collaboration and communication tools and also train their employees to use such tools, rather than relying on consumer apps for meeting business needs.

The drop in the userbase of WhatsApp is also likely to impact the small merchants who have made WhatsApp a means of communicating official information to their customers and business partners, as the users might now refrain from transacting on such platform. Moreover, such small merchants may not have mature policies and procedures to deal with personal and financial data of their customers and the user data may be exposed.

Impact on Users:

While WhatsApp may accede to government pressure and consider ‘improving and refining’ its privacy settings and provide users with a sense of control over personal data, in reality, this may not help. The users do not generally have control over the online platforms themselves. Even if WhatsApp allows users to opt out of sharing their personal information with third parties, it will not necessarily protect them from the platform itself i.e. in this case, all Facebook Companies. The privacy policies and the terms of use (which are often ignored) allow platform owners to collect various kinds of data for various ‘legitimate’ purposes and the users agree to provide them ‘voluntarily’.

Opposing the Policy, recently, a writ petition[1] was filed in the Delhi High Court (“HC”) stating that it “virtually gives a 360-degree profile into a person’s online activity”, without any “government oversight”. The HC, while deferring the issue of any notice, stated that if a user is of the opinion that its information is compromised, it may refrain from using the application and delete its account. The HC remarked that “It is a private app. Don’t join it. What is your grievance? I can’t understand your concern. If you feel WhatsApp will compromise data, delete WhatsApp”.

Therefore, we may assume that it is the user who needs to be careful and be aware of such policies. The user needs to decide whether to provide the permission or consent for any collection or sharing of data and also whether to use the platform or not, and for what purposes.

  1. Chaitanya Rohilla v. UOI & Ors [Writ Petition (C) 677/2021 & CM APPL. 1638/2021]

-Neha Madan (Associate Partner), Priya Udita (Associate)

This material and the information contained herein prepared by the authors is intended to provide general information on a subject or subjects and is not an exhaustive treatment of such subject(s). Algo Legal is not, by means of this material, rendering professional advice or services. The information is not intended to be relied upon as the sole basis for any decision. Algo Legal shall not be responsible for any loss whatsoever sustained by any person who relies on this material.