The objections have centred on whether WhatsApp will have access to the user’s content and share it with Facebook.
A brief review of the policies is attempted here for opening up more discussions. It is not easy to decipher the privacy policies of any large MNC like WhatsApp or even Google or Twitter since there could be many subtle wordings which can be technically and legally interpreted in different ways.
We also have to recognize that WhatsApp has created two different sets of policies, one offered by WhatsApp Ireland Ltd to the EU region and the other by WhatsApp LLC to other countries. Except for the ownership of the service, there does not appear to be any difference between the two policies. This is either a mistake or perhaps WhatsApp thinks that the world outside the EU has no importance and hence any policy will do.
Perhaps WhatsApp will realize that countries like India are conscious of the data sovereignty principle and will not tolerate this arrogance.
1. Information We Collect
2. How we use Information
3. Information you and we share
4. How we work with other Facebook companies
5. Our legal basis for processing data
6. How we process your information
7. How you exercise your rights
8. Managing and retaining your information
9. Law, our rights and protection
10. Our Global operations
11. Updates to our policy
1. Is there discrimination in refusing the service if permissions are not given?
In order to recognize the rights of WhatsApp to set pre-conditions, with a right to reject the service if certain information is not provided, we must recognize the nature of the WhatsApp service and the “Legitimate Interest” built into it. According to its mission statement, WhatsApp started as an alternative to SMS and it now supports sending and receiving a variety of media: text, photos, videos, documents, and location, as well as voice calls.
As we understand, WhatsApp is a “Platform”. It enables a person to send a message to another provided they have downloaded the App on their device and subscribed to the service. Additionally, in a “Group Communication”, one-to-many messages are sent to the WhatsApp server, which distributes them one by one to all the members of the closed group. In this context, the WhatsApp server is an agent to hold the content until it is downloaded by all the members within 30 days etc. The members of the group are collectively responsible as owners of the group. At present the “Admin” has only limited powers of admission or removal of members but has no powers to delete content posted. The member who posts the content to the group is the sole owner of the message and can make it disappear or remove it within a certain time. This reiterates the status of the service: WhatsApp is a messaging service from the sender of the message to the receiver. The server provides certain intermediary services. The Admin has no role in the transmission of the message.
2. Information Collection and Storage
The information collected by WhatsApp is declared as specific to the “Options” used by the user. Hence it is declared as purpose specific. The mobile number and maintenance of log records of the use of the App therefore is directly related to the messaging service and hence within the rights of WhatsApp.
The “Storing” of the information in the servers for the intermediary period when it is yet to be downloaded by the receiver does not mean that the server is reading the information, though technically this is possible even if it is in encrypted form. Encryption will prevent third party access, but if WhatsApp really intends to read the message, they can always simulate either the sender’s phone or the receiver’s phone and use the keys to decrypt it. However, this is an unreasonable suspicion and, unless there is any evidence of the same, should not be considered as a possibility.
From the policy it appears that WhatsApp has two storage policies, one for the media and the other for the text message sent. The text part gets deleted from the server after delivery, but the media remains in storage in an encrypted form to enable forwarding of the same. The company has a justification for this storage from the technical point of facilitating the forwards. When a forward occurs, this prevents the entire data related to the media from travelling again from the forwarder to the server. If the forward is to multiple persons, it will save on data transfer substantially. The media is held in the WhatsApp server not permanently but for a certain time, so that forwards within this time span would save on data transfer.
Hence storage, both from the point of view of maintenance of encryption and temporary storage, can be considered legitimate. Criticism in this regard is not sustainable.
3. Sharing of Information
The policy suggests that WhatsApp accesses, preserves and shares certain information. This however refers to the information that is collected from the account holder, such as the account information, messages (in encrypted form) during the interim period when they are being held for deferred delivery, and metadata associated with the use of the services.
There is nothing in the policy to suggest that the message content will be read by WhatsApp and used for profiling etc.
In the case of the WhatsApp payment system or the contact upload feature, the users may be sharing more information related to the specific service.
4. Legitimate Interests
The policy declares that legitimate interest relied upon includes provision of accurate and reliable aggregated reporting to business and other partners and statistics on performance, need to demonstrate the value the partners realize etc.
It also states that Facebook products may be marketed to the users for direct marketing. This indicates that there could be “Advertising” messages sent to the users similar to Twitter inserting advertising in between messages.
Prevention of fraud, securing against spam, abuse etc are also stated as a reason to use information under legitimate interest.
The policy indicates that public interest could also be a legitimate interest.
At first glance therefore the policy does not seem to raise grave concern. It is possible that the company may draw a profile and use it for advertising but that is only to be expected as a revenue generation method unless the service becomes a paid service.
Terms of License
For example, in the paragraph “Your license to WhatsApp”, it is stated as follows:
Your License To WhatsApp. In order to operate and provide our Services, you grant WhatsApp a worldwide, non-exclusive, royalty-free, sublicensable, and transferable license to use, reproduce, distribute, create derivative works of, display, and perform the information (including the content) that you upload, submit, store, send, or receive on or through our Services. The rights you grant in this license are for the limited purpose of operating and providing our Services (such as to allow us to display your profile picture and status message, transmit your messages, and store your undelivered messages on our servers for up to 30 days as we try to deliver them).
Though at first glance this appears to indicate that WhatsApp may use the content for its own purpose, the issue is more related to IPR than to privacy. Also, if the content is encrypted before it is shared by the user with the company, unless it is decrypted, it cannot be used in raw form by WhatsApp. The mention of “Limited purpose” indicates that there is no intention of creating “Derivative Works” from the user’s content and using it commercially, though an “Enabling feature” has been written in.
Probably WhatsApp will be answerable for IPR violation if the user content is used for creating a revenue-generating product.
The statement that “WhatsApp does not claim ownership of the information” further corroborates the status that the content is owned by the user.
If WhatsApp tries to make derivative works out of the user’s content, they will also lose the status of an “Intermediary” under ITA 2000 and hence cannot claim any immunity for crimes that are committed with the service.
If WhatsApp claims absolute rights to use the content, then they will have to admit knowledge of the content, which will make them liable for any drug-related conversation or other offences using the WhatsApp messages.
It would therefore be advantageous for WhatsApp to claim that they are not aware of the encrypted content and they don’t use them for any of their purposes. This is evident in the terms also.
As can be expected there is a disclaimer that “WhatsApp does not accept responsibility for losses” if they have exercised due diligence.
The dispute resolution clause is not properly constructed in the policy, since both the policies, applicable to the EU and to other countries, seem to state that in countries outside the EU, the applicable law is that of Ireland.
This will not be acceptable in India. The amendment to the ITA 2000 intermediary rules as well as PDPB will ensure that WhatsApp is required to open a separate Indian office and is considered a Significant Data Fiduciary. At that time, WhatsApp will need to get itself licensed by the regulator, and it may be refused a license to carry on its business unless the applicable law of India and jurisdiction of Indian Courts along with ODR usage is brought into the terms.
Even the RBI needs to take a look at this since it is responsible for letting WhatsApp handle payments.
Summary Views on the Terms of Service
The applicable law and jurisdiction clause of the Terms is not compatible with the Indian legal environment.
The RBI should take steps to withdraw the permission given to WhatsApp for running the payment services unless this clause is changed immediately.
MeitY has to issue a notice to WhatsApp under Section 79, that the jurisdiction clause which is part of this “Implied Contract” between the user and WhatsApp is not valid in India and that it shall accept the jurisdiction of the Courts of India at the residential place of the user as evidenced by the SIM card information.
Also, under the PDPB, WhatsApp needs to provide a grievance redressal system which is more data principal friendly by incorporating an ODR facility to resolve grievances. The DPA is yet to come into existence and until that time, Sections 43A, 43, 72A, 67C, 69, 69A, 69B, 70B and other provisions of ITA 2000 will be applicable to WhatsApp, and compliance with ITA 2000/8 is necessary to be demonstrated by WhatsApp.
CERT-In should issue a notice to WhatsApp for an assurance that it is ITA 2008 compliant.
It is open to any interested parties to file a PIL to force WhatsApp to change the Jurisdiction clause if it has to maintain the payment services and operate in India.
It is also a great opportunity for an indigenous messaging app developer to introduce an equally efficient app, and there will be a lot of support from India.