The issue of contention
Facebook and Whatsapp were widely panned for this move when it was announced in January this year.
To be clear, Whatsapp messages are end-to-end encrypted, which means that the company cannot read, let alone provide access to third parties for, messages sent across the platform. However, Whatsapp collects several strands of metadata of its users: their usage data, their phone’s unique identifier, their location when the location service is enabled, among several other types.
In simple words, metadata refers to data about one’s data. So, for instance, the contents of your messages are not metadata, but everything except that is, such as who you messaged, how long or often do you message particular users, what time the messages were sent, and the location of the sender and the receiver.
In silos, such data might seem innocuous enough, but when one zooms out and sees that this data is being collected for every single message a user sends or receives, and for all users on the app, one can only begin to comprehend how much such data might reveal about the users’ personal lives.
An analysis of telephonic metadata by researchers at Standford University in 2016 revealed that people’s metadata can be used to identify their personal information, such as their health details. Such information is a treasure trove for carrying out covert surveillance, either by public authorities or private parties.
No wonder, then, that Stewart Baker, a former general counsel of the US’s National Security Agency, once said: “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content.”
Threat to Right to Privacy
A right to Privacy is not directly and expressly mentioned in the Constitution of India. However, in its landmark judgment in the case of Justice K. S. Puttaswamy (Retd.) v. Union of India (AIR 2017 SC 4161), a constitutional bench of the Supreme Court recognised a fundamental right to privacy of every individual guaranteed by the Constitution, within Article 21 in particular and Part III of the Constitution on the whole.
Today, our country does not have any established laws governing privacy of data as such, with the Personal Data Protection Bill, 2019 on hold for well over a year now, seemingly stuck in the process of being reviewed by a Joint Parliamentary Committee. Already in place are the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, promulgated under the Information Technology Act, 2000 (IT Act), which specifically deal with the protection of “sensitive personal data or information of a person”.
Also read: WhatsApp Privacy Controversy and India’s Data Protection Bill
It observed that “The conduct of WhatsApp in sharing of users’ personal data with other Facebook companies, in a manner that is neither fully transparent nor based on voluntary and specific user consent, appears prima facie unfair to users.” This order was challenged by Facebook and Whatsapp before the Delhi High Court, but a single-judge bench of the High Court dismissed their petition last month.
Earlier this month, Whatsapp filed an appeal against this order before a division bench of the High Court.
Whatsapp had, in a media statement earlier this month, stated that it had decided to defer its May 15 deadline for users to accept the updated policy, and that it won’t delete the accounts of users who don’t accept the policy, as was feared by many users.
Instead, it will “follow up with reminders to people [who have not accepted the updated policy] over the next several weeks”. There is no time frame mentioned for these reminders or how persistent they would be.
However, earlier this week, Facebook and Whatsapp’s counsel contradicted this statement before the High Court, by stating that the policy has not been deferred and that while users that have not accepted the policy will not be immediately deleted after May 15, they will eventually be discontinued as users if they don’t consent to it.
Again, no timeline has been provided for when the removal of such users shall begin.
In response, the union government has averred that the policy update violates Indian IT laws, and sought a detailed affidavit from the company confirming the policy’s conformity with the IT Act and rules made thereunder.
The High Court has listed the matter to be heard next on June 3.
Specific targeting of India
This underlines yet again the need for India to adopt a strong data protection law, and for Indian users to consider shifting to other messaging platforms like Signal or Telegram that seem to respect users’ data privacy far more than Whatsapp.
(Vineet Bhalla is a Delhi-based lawyer and part of The Leaflet’s staff. Priyanka Dave is a student at Kirit P. Mehta School of Law, NMIMS, Mumbai, and an intern with The Leaflet. The views expressed are personal.)
Originally Published in The Leaflet