Restrain WhatsApp From Implementing New Privacy Policy, Government Requests Delhi High Court

The central government has requested the Delhi High Court to restrain WhatsApp from implementing its new privacy policy.

The government has said this in its reply to a PIL filed by Seema Singh and Advocates Meghan and Vikram Singh. The case is being heard by the Delhi High Court division bench headed by Chief Justice DN Patel.

In January this year, WhatsApp had updated its privacy policy to say that it now reserves the right to share some user data with the broader Facebook network, which includes Instagram. WhatsApp had asked users to agree to the new policy by Feb. 8 but later pushed that deadline to May 15. The text for the policy is different for EU users compared with the rest of the world.

WhatsApp’s Privacy Policy Violates IT Rules, Government Says

In its reply to the Delhi High Court, the Ministry of Electronics and Information Technology has pointed out that WhatsApp comes under the definition of ‘’body corporate’’ according to the Section 43A of the Information Technology Act. Therefore, the ministry said, it is covered by the IT Rules 2011.

A body corporate, according to the IT Act, is any company, firm, sole proprietorship, or other association of individuals which is engaged in commercial or professional activities.

The government says WhatsApp's new privacy policy violates the rules on five counts.

• It fails to specify the types of sensitive personal data which is being collected: The government says WhatsApp policy uses extremely general terms for the kinds of data being collected and does not make any distinction between personal data and sensitive personal data.

• Fails to notify users about details of the collection of sensitive personal information: The rules say that the user must have the knowledge of the fact that the information is being collected as well as the purpose of collection; intended recipient of the information; the name and address of the agency collecting information and the agency that will retain the information. The government said none of these details are provided. For instance, the privacy policy mentions the involvement of third-parties who may have access to data but does not provide their name and other details.

• Fails to provide an option to review or amend information: According to the 2011 rules, a user is allowed to review the information shared by her and seek correction of inaccurate information. The privacy policy, the government said, is silent on such a mechanism. According to the affidavit, the ability to correct the information is limited to a user's profile name, picture, mobile number, and the "about" section.

• Fails to provide an option to withdraw consent retrospectively: The IT rules allow the user to not consent and even revoke earlier consent given for sharing the information. If an earlier consent is withdrawn, the reply said, it effectively means that the earlier collected data has to be deleted. In WhatsApp’s policy, a user may choose not to share data and can be denied the service. But it fails on the second parameter as even if a user deletes their account, a substantial corpus of information may be retained.

• Fails to guarantee further non-disclosure by third parties: The IT rules bar third parties to further share the information received from a ‘’body corporate’’ and any privacy policy that allows for that scope is non-compliant with the rules. WhatsApp’s privacy policy, according to the government, falls short on this parameter as well. It said the policy also has provisions for sharing data with other Facebook companies which would qualify as third parties but the contract of the user is only with WhatsApp.

The PIL by Dr. Seema Singh came up for hearing before the high court on Friday and will be taken up next on April 20.

WhatsApp’s privacy policy is facing more than one legal challenge. Apart from Seema Singh’s petition, another plea is pending before the single-judge bench of the Delhi High Court. No notice has been issued on it yet.

The top court, too, is seized of the issue. It is hearing an application by Karmanaya Sareen who had also challenged the 2016 privacy policy of WhatsApp. The latter is currently pending before a Constitution bench of the top court. The apex court has issued notice on Sareen’s application and has asked for the central government’s response. A reply to that petition is yet to be filed by the government.

WhatsApp on its part has maintained that its privacy policy does not compromise the personal data of its users in any manner. It has earlier argued that the policy for Indian users is the same as for the rest of the world. For EU, there is a difference owing to their laws.