WhatsApp’s Privacy Policy- The Conundrum Continues

Authored by Vanshika Manglani, Student at HNLU Raipur


“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the internet.” – Gary Kovacs.


The world is gradually heading towards digitalization, with nearly everyone now owning a smartphone and being technologically connected to one another. As per the report released by the Telecom Regulatory Authority of India (TRAI), the broadband internet subscriber base in India was 698.23 million at the end of June 2020.[1] The exponential increase in digitalization in India is also attributed to the Government’s Digital India Programme. However, this digital drive comes with its fair share of cons which can have severe implications on the users.

WhatsApp Inc. is a messaging platform owned by Facebook which allows its users to send text and voice messages, among other services. It was acquired by Facebook in 2014.[2] At the beginning of 2021, WhatsApp updated its privacy policy, according to which users would not be able to stop the app from sharing their data with the parent company unless they deleted their accounts permanently.[3] India does not have a stringent data protection law, and this is the sole reason that big data companies introduce such discriminatory policies which violate the privacy of an individual. In this article, we shall assess the recently updated privacy policy of WhatsApp and how it will impact Indian users, with due emphasis on the European scenario. The article also aims to provide an insight into the data protection framework of India and how the privacy policy violates these rules. We will conclude by offering suggestions on how Indian laws can be made effective in dealing with such policies.

Privacy Policy in the European Union

WhatsApp’s new policy applies to users worldwide, with an exception for people residing in the European region: people in that region can opt out of the policy without deleting their accounts. This creates a distinction on the basis of region, i.e. between European and non-European citizens.[4] The question then arises: why are non-Europeans being discriminated against? Why is there a difference in the European region which cannot be made applicable to users in India? The reason for this disparity is the existence of the General Data Protection Regulation (GDPR), which prohibits data sharing by organizations located in that zone without an express opt-out option available to customers. Article 6 of the GDPR deals with the lawfulness of processing, meaning that data sharing will only be lawful if certain conditions are complied with. The GDPR is one of the world’s stringent data protection laws. It came into effect in May 2018 and puts legal obligations on organizations across the world as long as they use data related to people of the EU.[5] With this regulation, the European Union maintains a strong stance on data security and the privacy of individuals. As a result of such effective and rigorous laws, corporations operating there are obligated to follow them, which is not achievable in India due to ineffective restrictions.

Issue of WhatsApp’s Privacy Policy in India

The main issue with the privacy policy in India is that a messaging app like WhatsApp may share much more commercial data with Facebook and allied companies because India does not possess any law of the kind mentioned above, and owing to that, WhatsApp stands protected from any kind of legal action taken against it in the future. This led to a huge uproar, with many privacy experts apprehending that it would raise concerns over the extent of data sharing.[6] Following this controversial policy, a petition was filed in the Delhi HC challenging it.[7] The company maintained its stance that it is not forcing anybody to accept the policy; users have a choice and can delete their accounts if they do not wish to accept it. The company clarified in an official statement that only those chats which come under the purview of ‘Business Conversations’ will be shared with the parent company for the purpose of advertising.[8] It also contended that such interference in privacy would have a detrimental impact on its own functioning. The Respondent also asserted that the petitioner’s claims regarding the disparity with the European region hold no ground, as the updated policy of 2021 applies to many regions of the world and the different policy in the European region is due to the prevalence of the General Data Protection Regulation (GDPR). The petitioners sought directions to the Central Government to frame guidelines, as such policies are against the right to privacy.[9] The issue that arises is how to regulate such a policy change; however, there are a few laws in the form of rules and regulations whose application can help in regulating it.

Current Data Protection Framework of India

As of now, India has no explicit statute or legislation solely related to data protection, which is a cause of privacy violations by many big data companies. However, certain aspects of data processing are covered under the IT Act, 2000 and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules of 2011 (‘Data Protection Rules’). The IT Act, under section 43A, states: ‘the maintenance of reasonable security practices and procedures by bodies corporate that possess, deal or handle any sensitive personal data or information and provides for compensation for failure to protect such data.’ However, the scope of this rule is limited to the corporate sector, which means that Government bodies do not come under the ambit of this law. The Data Protection Rules have been framed under section 43A of the IT Act.[10] Companies falling within the definition of ‘intermediary’ under clause (v) of sub-section (1) of section 2 of the IT Act, 2000 ought to comply with these rules. Rule 4 of the Rules 2011 requires a corporate body that collects and handles personal information to have a privacy policy, which should be published on its official website.[11] As per Rule 5(1), the collector of any such data has to obtain the prior consent of the user regarding such sensitive personal data.[12] Further, sensitive personal data may be collected only for a lawful and necessary purpose as per Rule 5(2)(b). A body corporate (or any person acting on behalf of a body corporate) holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force. Rule 6[13] prescribes seeking prior consent from users before disclosing personal information to a third party. The rules do not prescribe any penalties for a breach; however, section 72A of the IT Act punishes any person who discloses such data without prior consent.[14] In this manner, the said rules, along with the provisions of the IT Act, act as a threshold that all intermediaries have to cross to use users’ data.

Why is the Government against this Policy?

The Ministry of Electronics & Information Technology said that the policy compromises the privacy of the individual and is hence illegal. According to the Ministry, the policy fails to specify which types of sensitive personal data were being collected, to notify the user of the details of personal information collected, to provide an option to review or amend the information and withdraw consent retrospectively, and to guarantee further non-disclosure by third parties, including other Facebook companies.[15] The Ministry has also taken offense at WhatsApp’s policy being “discriminatory” against Indian users when compared to those in Europe. Thus the Government has maintained a strong stance against the privacy policy and asked the company to withdraw this discriminatory policy.

Personal Data Protection Bill- Why is it important?

India recently introduced the Personal Data Protection Bill to safeguard the interests of the public and provide data security, but the Bill is still pending in Parliament, and it is due to such pendency that big tech firms exploit the privacy of users without incurring any legal obligations. It is pertinent to note that had the Bill been passed by now, this privacy policy of WhatsApp would have ceased to be effective. As per section 11 of this Bill, every data intermediary has to seek explicit permission from the user before sharing their data.[16] The Bill also classifies data as sensitive and critical and requires that such data be stored within the territory of India. Section 20 of the Bill[17] talks about the ‘right to be forgotten’, which means the data principal has the right to prevent disclosure of their personal data if the purpose for which it was collected ceases to exist or if the consent is withdrawn. Section 23[18] talks about transparency in the processing of user data, which means that the data fiduciary has to disclose the entire process of how the data is collected and to what extent it is being shared. WhatsApp has not complied with these provisions, as the entire process of data sharing with the parent company is not transparent. Users are not being informed about how their data is being collected, processed, handled, and shared with a third party. It is thus important for the Government to enact a law on data protection so that these restrictive policies cannot be introduced in the first place.

Despite the reports of various committees, big tech companies continue to abuse the loopholes in the data protection legislation. An important challenge is the large volume of unprotected data that will be accessible to rival companies and can be used for unethical purposes. This can lead to serious privacy issues for individuals and have security implications for the nation. At a time when the country is fighting threats to data protection, these policies by companies like WhatsApp add to the potential threats.[19]

Social Implications

Justice Sanjeev Sachdeva, while hearing the case, remarked that users always have the option of not giving their consent and that the policy is completely voluntary in nature. He also suggested that existing users of WhatsApp switch to other platforms such as Signal or Telegram, which could provide reliable communication services.[20] However, a major section of society is dependent upon WhatsApp because it has certain inherent advantages: the design of the app, its consistent use over many years, and the accessibility of WhatsApp services even in low-bandwidth areas all make it difficult for users to shift to another application of similar accessibility.[21] The Competition Commission of India has also observed that WhatsApp is misusing its dominant status to enforce arbitrary policies.[22] It is also critical to raise user knowledge about the consequences of such policies for their data; many individuals still do not understand what this policy is about and frequently give their consent without understanding the implications. Therefore, a community with a large part of its population using the internet should run digital awareness efforts to create awareness among the public.

Conclusion and Way Forward

Experts have claimed that India needs to be careful while tackling this grave issue, as many foreign agencies have been critical of the draft Data Protection Bill’s clause that personal data resides in servers located within the country.[23] This data can also pose challenges in the form of cyber-crimes and cyber-attacks directed towards critical national databases. Why should citizens let go of their right to privacy? Why should citizens trust a company like Facebook, which had previously violated many privacy norms?[24] The questions are many and the answer remains the same: no citizen should be placed in a position where they have to choose between technology and privacy. The recent example of WhatsApp’s privacy policy is the result of loopholes prevailing in Indian data protection legislation. The Government is planning to pass the Data Protection Bill and various other guidelines to regulate social media platforms, but since the problem is big, it requires an urgent and concrete solution. Such rules should be introduced with utmost urgency so that big tech firms comply with guidelines which limit data sharing and do not use the data without seeking the consent of the data principal.

Every individual has the right to privacy, as enshrined in the Constitution of India, and it is the State’s responsibility to protect that right.[25] Privacy of data is not a privilege but rather an essential condition which companies ought to follow.


[1] (2020), (last visited Jun 1, 2021).

[2] Alison Deutsch, WhatsApp: The Best Facebook Purchase Ever?, Investopedia (2021).

[3] Danny Cruze, WhatsApp new privacy policy: What will happen if you don’t accept it, Mint (2021).

[4] Megha Mandavia, WhatsApp’s unequal policies cause of concern: Govt to HC, The Economic Times (2021).

[5] What is GDPR, the EU’s new data protection law? – GDPR

[6] Experts on WhatsApp privacy policy: Don’t worry about data sharing, look at fine print on location and business messaging, The Indian Express (2021).

[7] Fitful approach: On WhatsApp privacy policy and need for data protection laws, The Hindu (2021).

[8] WhatsApp’s new terms of service are for business chats, the company clarifies, Free Press Journal (2021).

[9] K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1.

[10] The Information Technology Act, 2000 § 43, No 21 Acts of Parliament 2000.

[11] Rule 4 of the 2011 Rules.

[12] Rule 5(1) of the 2011 Rules.

[13] Rule 6 of the 2011 Rules.

[14] The Information Technology Act, 2000 § 72, No 21 Acts of Parliament 2000.

[15] Surabhi Agarwal, New WhatsApp policy violates IT rules: MeitY to HC, The Economic Times (2021).

[16] Personal Data Protection Bill § 11, Bill No. 373 of 2019.

[17] Personal Data Protection Bill § 20, Bill No. 373 of 2019.

[18] Personal Data Protection Bill § 23, Bill No. 373 of 2019.

[19] Ramnath Raghunandan, Importance of Health Data Management Policy | Science Policy Forum (2021).

[20] Delhi high court: Don’t use WhatsApp if its terms worry you | Delhi News – The Times of India (2021).

[21] The Hindu, WhatsApp and its dubious claims, 2021, at 7.

[22] Competition Commission of India defends decision for probe into WhatsApp’s new privacy policy, The Hindu (2021).

[23] Rishi Raj, Data Privacy: Concern over WhatsApp’s new policy, The Financial Express (2021).

[24] Supra, note 19.

[25] Supra, note 9.

Edited By: Ayush Verma

*Disclaimer: The content of this article is intended to provide a piece of general information. The views are expressed by the Author solely and BFTLR may or may not subscribe to the views of the Author.
