Whats App Privacy Policy Issue.. Will the new Data Protection Act apply retrospectively?

Most of the observers of Privacy and Data Protection in India are aware that when WhatsApp tried to introduce its new Privacy Policy in 2017 there was an exodus of users in opposition to the policy. Subsequently WhatsApp did not enforce the policy.

In the meantime the withdrawal of the PDPB 2019 despite the assurance of quick re-introduction of a modified version has again brought the  discussion on where the industry stands in terms of their obligation to protect the privacy to the fore front.

Recently, the Delhi High Court dismissed an appeal by WhatsApp to stall the  investigation by the Competition commission of India (CCI)order calling for an investigation into the messaging apps’ new privacy policy, noting the policy places its users in a “take-it-or-leave-it” situation.  The Court felt that the new  privacy policy of WhatsApp virtually forces its users into agreement by providing a mirage of choice, and then proceeding to share their sensitive data with Facebook companies envisaged in the policy, (ANI report).

The Court made a caustic remark as follows.

“the Court finds merit in the submission of the ASGs appeared for CCI that one of the key issues with the 2021 Policy is its propensity to share the data of its users with Facebook Inc., the parent company of WhatsApp. Solely for the reason that the policies itself do not emanate out of Facebook Inc., the Appellant cannot hide behind the fact that it is the direct and immediate beneficiary of the data sharing mechanism envisaged by the policies.”

Facebook and WhatsApp said that since the issue of WhatsApp’s privacy policy is being heard by the Supreme Court, and High Court, therefore, there was no requirement for CCI to order the probe.

Now WhatsApp has again raised the issue before  the Constitution bench of the Supreme Court, a brief report about which was made yesterday. During the proceedings, it was brought to the notice of the Court that in 2017 the matter had been briefly heard by the Supreme Court. It was also mentioned that the new Data Protection Act may provide a solution to the conflict.

However, the Court agreed to have a final hearing of the case and fixed January 17 as the date of hearing so that even before the Government could pass the Act, the Court could pass an order that binds the Government.

The urgency of the litigants is clear that they apprehend that the Act may bring some kind of restrictions on their operations and it is better if they arm themselves with the order of the Court so that they can claim immunity for their past data collection and usage actions and claim that the new Act will apply only prospectively.

Interestingly, one of the observations and recommendations made by the JPC on PDPB 2019 was that sensitive data transferred out of India in the last 2 years should be brought back to India. If the New version of the Bill incorporates this part of the recommendation, it would be a headache for most MNCs both in principle because they oppose the right of the Indian Government to the data collected in India but also for commercial reasons.

It must be observed that India presently has ITA 2000 which under the amendment of 2008 introduced Section 43A and the rules under Section 43A and 79 released in April 2011 specified most of the Privacy protection requirements now being considered under PDPB2022/23 (new version under draft). Hence the actual provisions of PDPB 2019 (withdrawn) was considered as “Due Diligence” under ITA 2000-Section 43A/79.

This situation will continue  till the new Act is passed and specifically repeals Section 43A of ITA 2000.

Hence in the intervening period most companies have to complete their data loot. One of the early successful executions of such data loot has already been discussed in these columns and it was TransUnion taking control of 500 million Indian users’s credit card usage profiles by buying into the shares of CIBIL.  Now VISA and others have been transferring sensitive personal data abroad for processing and the law enforcement agencies are experiencing problems in extracting data from such companies.

We are aware that Twitter had openly challenged the Indian Government that it will protect the Privacy of Indian Citizens through its own privacy policy and terms of use and defied the jurisdiction of the Indian Government. Given a choice the WhatsApp-FaceBook will also assert that they have a specific jurisdiction of their own which the Indian Government cannot intervene.

If we recall the views expressed in these columns (please refer to this article) we had said that while WhatsApp is free to request consent for use of personal data through an appropriate informed consent, the critical issue about their privacy policy was the jurisdiction clause as follows:

Forum And Venue. If you are a WhatsApp user located in the United States or Canada, the “Special Arbitration Provision For United States Or Canada Users” section below applies to you. Please also read that section carefully and completely.

If you are not subject to the “Special Arbitration Provision For United States Or Canada Users” section below, you agree that any claim or cause of action you have against WhatsApp relating to, arising out of, or in any way in connection with our Terms or our Services, and for any claim or cause of action that WhatsApp files against you, you and WhatsApp agree that any such claim or cause of action (each, a “Dispute,” and together, “Disputes”) will be resolved exclusively in the United States District Court for the Northern District of California or a state court located in San Mateo County in California, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claim or cause of action, and the laws of the State of California will govern any such claim or cause of action without regard to conflict of law provisions. Without prejudice to the foregoing, you agree that, in our sole discretion, we may elect to resolve any Dispute we have with you that is not subject to arbitration in any competent court in the country in which you reside that has jurisdiction over the Dispute.

Governing Law. The laws of the State of California govern our Terms, as well as any Disputes, whether in court or arbitration, which might arise between WhatsApp and you, without regard to conflict of law provisions.

Time Limit To Bring A Claim Or Dispute. THESE TERMS ALSO LIMIT THE TIME YOU HAVE TO BRING A CLAIM OR DISPUTE, INCLUDING THE TIME TO START AN ARBITRATION OR, IF PERMISSIBLE, A COURT ACTION OR SMALL CLAIMS PROCEEDING TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW. We and you agree that for any Dispute (except for the Excluded Disputes defined below) we and you must bring Claims (including commencing an arbitration proceeding) within one year after the Dispute first arose; otherwise, such Dispute is permanently barred. This means that if we or you do not bring a Claim (including commencing an arbitration) within one year after the Dispute first arose, then the arbitration will be dismissed because it was started too late.

These conditions need to be taken into account both by the CCI and the Supreme Court to understand what would be the damaging impact of allowing a free hand to WhatsApp to set its own Privacy Policy outside the jurisdiction of the Indian law and create a Twitter like argument that Face Book can make laws for Indian Citizens which overrides the laws made by the Parliament.

I wish some of the lawyers bring forth these facts before the Court in their pleadings.

Additionally, the Government needs to think if they have to include “Retrospective” effect of the data protection laws and provide that since the date of the Puttaswamy judgement all personal data collections made in India by companies and transferred out of India should be copied back to the Indian servers so that at least a copy of the data collected will remain in India. The prospective rule on not transferring the data out of India except with an explicit consent or otherwise can be incorporated in the law.

We have separately discussed how this right of the Government may be protected in the new law through the series of articles on “The Shape of Things to Come” which have been published earlier.

It is to be noted that one of the media has recorded the following report:

“The new regime could be enacted during the winter session of the Parliament, a point the apex court took note of and said it will give the Centre time till the winter session to pass a law.
But if a law does not come into effect guaranteeing the protection of data security, then in January, the Supreme Court will resume hearing this case and will decide the issue. So all stakeholders are waiting with bated breath as far as government’s moves are concerned on a data protection regime.”
This could mean a pressure on the Government to pass the law by December -2022 session instead of the February -2023 session. 
Since it is uncertain whether the Government would be ready to pass the law in December 2022, or the opposition in the Parliament would allow even if the Government is keen, the risk of WhatsApp getting its way through the Court is high. 


Also Refer:

Previous article (This was a quick response based on sketchy information then available)

Live updates from livelaw.com

Report in cnbc.com

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.