About the author: Aniket Aggarwal is a commercial litigator and technology lawyer practicing in Delhi, India. His practice and research primarily revolve around matters arising out of contracts, misuse of technology, and debts gone bad. He loves reading mythology and listening to jazz.
In line with Mark Zuckerberg’s planned integration of services within the Facebook marquee, WhatsApp announced new privacy conditions for its users in January 2021. The update unveiled heightened sharing of data with parent company Facebook and required users to consent or lose access to the precious messaging service. This paved the way for better targeting of advertisements by collecting more metadata from WhatsApp, combining it with the Facebook ecosystem, and allowing third-parties to read user chats with business accounts. In the wake of Facebook’s involvement in data scandal after scandal, this move was expectedly met by febrile furore. Regulators issued warnings. Lawsuits were filed. Investigations began.
Following immense backlash, WhatsApp stalled, choosing to address the “rumors going around” and to seemingly defer the consent deadline indefinitely. “WhatsApp won’t delete your account,” an FAQ proclaims today. And yet, in reality, the company had not budged. Though no specific timelines were prescribed, users who did not agree to the new privacy policy were to receive persistent reminders to accept; their apps would slowly lose functionality until messages or calls were no longer delivered to them, which is when the existing policy for inactivity would apply (Singh). Accordingly, inactive accounts would stand deleted in 120 days. Since “the majority of users who have seen the update have accepted” the terms, WhatsApp reversed its stance, altering its earlier FAQ page to now state it currently has no plans to limit the functionality of the app.
That users had no real choice is manifest. Apart from Facebook’s plummeting privacy record and the recognition that privacy activists and policy professionals consider the platform’s clarifications misleading, there are other reasons why the promise of privacy seems hollow and possibly, mala fide.
Owing to the extensive General Data Protection Regulation applicable in Europe, separate terms were released for its residents. On a perusal, it becomes apparent that an in-built safety—that European data collected by WhatsApp “cannot be used for the Facebook Companies’ own purposes”—is not extended to other nations. Rather, the non-EU privacy policy (applicable to India) provides that data collected from WhatsApp may be used to improve and market Facebook’s offerings, including to show “relevant offers and ads across the” Facebook Products. These elements are conspicuously absent from the EU’s privacy policy and, indeed, would not be tolerated in India had the country’s proposed consent-centric data framework been in force. Ironically, despite enjoying greater protections, certain European nations have already initiated coercive measures against the updated conditions. These circumstances inform a reasonable inference: Facebook’s conduct implicitly admits curtailment of privacy in India (and in other countries outside the EU).
Also to note, in Zuckerberg’s vision for building an integrated networking platform under Facebook’s rubric, as also in the clarifications circulated by WhatsApp to allay public distrust, the thrust is towards underpinning end-to-end encryption as the panacea for user privacy concerns. This, I feel, is an entirely disingenuous argument. Facebook itself has developed a mass surveillance model capable of bypassing encryption’s protection by planting the necessary algorithms directly into a phone, into each WhatsApp mobile application.
These circumstances require WhatsApp’s assertions of not reading or logging messages, media, locations, and contact numbers to be viewed in juxtaposition with its unbridled capacity and readiness to do so, i.e., the paradigm that Thomas SCJ pressed for Twitter in the US as well. At any rate, it would be expedient to appraise whether and how the fundamental right to privacy in India is violated by WhatsApp-Facebook as of date, and if they do, whether a writ would be maintainable against the violation. That brings us to the final segment of this piece.
[I] IS THE RIGHT TO PRIVACY ACTUALLY VIOLATED?
According to the new privacy policy, WhatsApp collects data related to its users’ accounts (phone number; settings; frequency and duration of usage), their contact lists, their device and connection information (details of the phone and network used), their approximate geographical locations, and if the payments function is availed, their financial data. All of this information, except the contacts, is shared with Facebook. The conditions express there is no intention to use this information for targeted ads. In the same sentence, there’s a caveat: if there is a change in that intention, the privacy policy would be suitably updated. The terms ultimately end up contradicting themselves, explicitly stating that shared information will be used, inter alia, to show “relevant offers and ads across the Facebook Company Products” (that include WhatsApp) and for “personalizing features and content”.
I gauge the infringement of privacy in this frame of reference on two grounds. The first an arguendo premised in India’s proposed Personal Data Protection Bill (“PDP Bill”); the other arising from the ratio of Puttaswamy v. India, the constitution bench decision recognizing privacy as a fundamental right under India’s Constitution. Here, it is key to remember that WhatsApp’s collection of the data is really not under fire—that much may be necessary to provide the service of internet messaging—what is impugned is the sharing of that data with Facebook for the inevitable targeted ads and monetization.
The collected information falls within the definition of ‘personal data’ under the PDP Bill, which, given the factual circumstances, would be allowed to be processed solely on consent that is free, informed, specific, clear, and withdrawable (Clause 11). Further, only data necessary for the purposes consented to would be allowed to be processed (Clause 6). The contradictions within the privacy policy, and in truth, between the statements and actions of Facebook/WhatsApp create substantial ambiguities that impair user consent insofar it needs to be informed and specific; exactly what data is processed for which purpose is far from being as transparent as required.
Even if the terms were transparent, they would not abide by the proposed law. As sharing of data with Facebook bears no nexus to the provision of the core messaging service, making the continuity of WhatsApp accounts contingent on users’ acceptance of the same runs foul of Clause 11(4), according to which, the provision of a service (such as messaging) cannot be made conditional on the consent to any data processing unnecessary for that service (such as sharing messaging data for ads and marketing). Due to these reasons, the new conditions fail to meet the required rigors under the awaited PDP Bill and would be violative of privacy on that count.
Be that as it may, in anticipation of the data enactment, it is imperative to address the constitutional question at hand by inspecting the updated terms in context of the Puttaswamy decision, where privacy was unanimously declared as a fundamental right by a nine-judge bench of the Supreme Court. Though there were six concurring opinions differing in their interpretation of privacy’s ontogenesis, nearly the entire bench saw consent as a crucial component of individual autonomy over data. Khehar SCJ alone omits to allude to consent’s role. Recalling that a lead judgement constitutes binding precedent if no contrary stand is expressed in concurrences (Kaikhosrou Kavasji v. India) and that there is no dissent inter se the Puttaswamy opinions, I find it safe to deduce that the “centrality of consent” (Justice Chandrachud’s words) is sine qua non to the individual’s “zone of privacy” contemplated by the apex court. Chelameshwar and Nariman SCJs envisage control over the dissemination of personal data; they identify “sanctuary” as one of the zones that offers “protection against intrusive observation” and “allows an individual to keep some things private.” For Justice Bobde, privacy incorporates the “choice and specification of [...] which persons to exclude from one’s circle” and for Justice Kaul, it is exigent to ensure that “information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed.”
In light of these views, the new privacy policy and WhatsApp’s obstinacy thereon—that offers neither clarity nor any meaningful choice to users—evidently impinges the “protected zone of privacy” constructed by the Supreme Court of India. Certain economic and legal peculiarities associated with WhatsApp’s scale, conduct, and market (that are discussed ahead) additionally substantiate this inference. In providing personal data to avail the messaging service, users possess a “reasonable expectation of privacy” that stands shattered if that data is shared with Facebook to facilitate other purposes such as marketing and advertising. Therefore, it would appear that as of date, the fundamental right to privacy is violated by Facebook-WhatsApp in India.
[II] WOULD A WRIT BE MAINTAINABLE AGAINST FACEBOOK-WHATSAPP?
In India, writ jurisdiction is exercised by the Supreme Court under Article 32 of the Constitution and by the High Courts under Article 226. As per Zee Telefilms, “the pre-requisite for invoking the enforcement of a fundamental right under Article 32 is that the violator of that right should be a State first.” And to be construed as ‘State’ (Article 12), the control test must be satisfied—Pradeep Kumar Biswas requires the private body to be “financially, functionally and administratively dominated by or under the control of the government.” Since Facebook and WhatsApp are in no way patronized or instructed by the government, they ex facie fall short of the control test. Ergo, they cannot be construed as ‘State’ under Article 12 and a writ against them cannot be preferred before India’s apex court (Article 32).
The conundrum here harks back to Thomas SCJ’s inversion of the state action doctrine in Biden v. Knight Institute, by which he suggests exploring the horizontal application of individual constitutional rights on actions without governmental control. This has been pondered in India too (although in a very different factual setting). Besides reaffirming the absence of relief under Article 32 for violation of rights by bodies failing the control test, the majority in Zee Telefilms noted that “the violator of such right would [not] go scot-free merely because it or he is not a State.” Where private activity resembles public duty, “there is always a just remedy for violation of a right of a citizen [...] by way of a writ petition under Article 226 of the Constitution which is much wider than Article 32.”
The precedent so propounded was applied (and qualified) in BCCI v. Cricket Association of Bihar. While adjudging BCCI, Indian cricket’s self-regulatory body, to be a “trustee of general public interest” amenable to Article 226, the Supreme Court stressed the following factors:
Since cricket was of considerable cultural significance in India (“more than just a sport for millions”; “applauded by the entire nation”), its administration was vested with public interest; and
BCCI exercised a “monopoly in the field of cricket” that subsisted with the tacit concurrence of the government and had “complete sway” over the sport.
In the absence of a clear normative baseline for measuring publicness, existing work on the subject (Shrivastava) cites this precedent to argue that WhatsApp cannot be answerable for fundamental rights violations under Article 226 unless it performs the function of facilitating online communication exclusively. It is contended that participation of users on multiple social media implies a “seamless migration between different platforms” making any single app’s monopoly impossible. I respectfully abnegate these views.
Were this the interpretation envisioned by the BCCI court, the public function at issue would have been the administration of sports, sensu lato, which is a frame of reference in which BCCI could not have held a monopoly, just as no social media app can claim exclusivity over online communication in general. Instead, the apex court chose a more nuanced approach, holding the relevant public function to be the administration of cricket, sensu stricto. Thus, arguing that WhatsApp is not amenable to writ jurisdiction as it does not have an exclusive monopoly over online communication is facile at the outset. To determine publicness, it is important to peruse the idiosyncrasies of the sphere in which the alleged violator operates and due regard is to be given to the facts and circumstances of each case (LIC v. Asha Goel).
As a matter of technology, social media platforms may be similar—they are all competing over-the-top services—but they are far from being substitutable. Some platforms mimic digital town squares (social network Facebook, professional network LinkedIn, and microblogging network Twitter); some platforms are primarily meant for sharing photos (Instagram and Pinterest) or videos (YouTube and Vimeo); and some are for instant messaging, either one-on-one or with selected groups (WhatsApp, Messenger, and Telegram). Digital platforms are as distinguishable from each other as various sports are. Though users do engage with multiple platforms (as viewers too enjoy multiple sports), this does not indicate a “seamless migration” between them. It is done to reach different audiences (Tucker) and even marketers tailor separate content for each platform. In a particularly interesting study, researchers found that each digital platform entails a “substantially different” consumer experience and lumping them together as “‘social media’ essentially disregards the prominent qualitative differences” between them. Suggesting a user may substitute WhatsApp with Twitter seamlessly as they both facilitate online communication is as absurd as suggesting a fan watch football instead of cricket because they fall under the same category of outdoor sports.
Building on this, I find WhatsApp and similar messaging services decidedly different from the other social media on an innate level; their usage being significantly more personal (and arguably more essential). Sending an instant message is akin to sending a sealed letter to the intended recipient(s), not meant for other eyes, whereas posts on any of the other platforms are less individualized, meant to reach a larger (albeit still predetermined) audience. With these factors in mind, the function of WhatsApp cannot be simply that of a mode of virtual communication, as suggested by Shrivastava. Rather, in line with the approach in BCCI, for purposes of an Article 226 analysis, the relevant function would be that of facilitating instant messaging.
This gives way to the pivotal dilemma of publicness. With the function at issue identified as instant messaging, the subsequent step is to ascertain whether WhatsApp has a public duty in its provision and whether (as the BCCI court put it) it makes the private entity a “trustee of general public interest.”
WhatsApp’s role and scale
The indispensability of human communication has been emphasised for over two thousand years (Aristotle). Recognising its import, the Indian government monopolised the communications sector post-Independence and began gradual privatisation only in the 1990s. Today, in the digitised world, WhatsApp plays an intrinsic role in human communication—the uproar following its impugned privacy update stands as testament. Some of the foremost and quotidian conversations, ranging from the professional and the confidential to the familial and the intimate, take place on the platform. And, in its owner’s own words, “with billions of people unable to see their friends and family in person due to COVID-19, people are relying on WhatsApp more than ever to communicate. People are talking to doctors, teachers, and isolated loved ones via WhatsApp during this crisis.” The apex court recognizes it as a valid mode of service. The platform has proven to be critical for businesses. To top legal and policy minds, it is a “public utility.”
In Binny v. Sadasivan (a bench with strength equal to BCCI), the Supreme Court opined that private actors “exercise public functions when they intervene or participate in social or economic affairs in the public interest.” WhatsApp did and does so. Its mission is admitted as the desire to let people communicate anywhere in the world and connect with the ones they care about, effortlessly and privately. The collective benefit of simple and private communication is sought to be achieved, and the public accepts it as having the sanction and means to do so. This is plainly demonstrated by WhatsApp’s figures. It is the most-used messaging app in the world, with above two billion users in total. Of those, around 530 million reside in India alone, which translates into direct control over unimaginable quantities of personal data on almost half of the entire Indian citizenry.
Balkin stresses that the most general obligation of digital platforms is that they may not act like con artists. WhatsApp cannot hold itself out as a provider of safe and secure communication, induce trust in millions of users, obtain personal information from them, and then turn around and betray that trust to favour its commercial interests. The act of advertising itself as a trustworthy messenger and obtaining personal data on that ground establishes a reasonable expectation of public trust that WhatsApp cannot break.
WhatsApp’s market and economics
I would submit that WhatsApp’s fundamental role in human communication and its gargantuan user base, coupled with the probability of infringement based on prior conduct prima facie indicate public interest in its function. This proposition is filliped by certain peculiarities in WhatsApp’s nature and market. On inspection, a few considerations vital to its publicness jump to the fore:
(a) Corporate unity among Facebook Companies: WhatsApp, Messenger, and Instagram (the “Facebook Products”) are on a common path towards the integration intended by Mark Zuckerberg. Since what is impugned is exactly the ineluctable conflation of data with the parent company’s ad-driven ecosystem (which is something Messenger and Instagram are already subject to), it is apposite to view these platforms as a collective corporate power while probing WhatsApp’s publicness in context of messaging and data protection, instead of as stand-alone platforms and entities. Given that the founders of both WhatsApp and Instagram exited their leadership roles due to privacy clashes with Zuckerberg, it is clear that their separation is only purposive and superficial. Each platform is de facto guided by the same head and brain, at least as far as data flows are concerned. The lack of autonomy—or rather, the virtual unity—of the Facebook Products creates a common data-centric ecosystem, the irrefutable acculturation to which is precisely what trammels the privacy of more than half a billion Indians under the take-it-or-leave-it terms. Thus, following Supreme Court precedent, the distinct corporate personalities in effect being “opposed to justice, convenience and [...] public interest” (Kapila Hingorani v. Bihar) may be overlooked “to look at the realities of the situation and to know the real state of affairs” (Subhra Mukherjee v. Bharat Coking Coal).
(b) Network effects and consumer bias: Also germane is the presence of network effects that entrench digital platforms and services. This refers to the economic phenomenon by which the utility and value of a platform increase with an increase in the participants on the platform. To exemplify, WhatsApp is useful only when friends and colleagues use WhatsApp. YouTube has a large number of viewers because it has a large number of content creators and vice-a-versa. Resultantly, users tend to get locked into a platform and grow averse towards switching to some other, new platform unless it is better enough to trigger a network migration, for e.g., people might download Telegram as an alternative, but they will likely not uninstall WhatsApp unless their contacts shift to Telegram too. While network effects are not a priori suspicious, the fact that this migration did not materialize (and a majority already accepted the terms) despite pressing privacy concerns signifies a status quo bias in users. This may be described as inertia trumping quality—users are staying with WhatsApp, the current option, even though superior, less invasive alternatives exist. Taken together, strong network effects and consumer bias associated with WhatsApp tip the market towards a monopolistic situation such that the messaging service competes vigorously only with other Facebook Products than with actual competitors. As much has been concluded by an American investigation into Facebook and is corroborated by stats. The top three social media apps used in India are all Facebook Products: in descending order, WhatsApp, Facebook, and Instagram (Slide 24). Specifically for instant messaging, the top platforms are also Facebook Products (WhatsApp and Messenger), followed by Skype and Telegram (Slide 47).
In cognizance of these economic peculiarities, WhatsApp users are unable to simply leave and join another messaging service, even in the face of the infringing privacy rules. This hypothesis is equally evidenced by data. The unitary nature and competitive monopoly of Facebook Products foreclose the probability of exit from WhatsApp for users. Now admittedly, WhatsApp does not exercise complete sway over instant messaging as BCCI does over cricket, but it does exercise an overwhelming and unparalleled sway that is currently in violation of the fundamental right to privacy of a substantial chunk of the Indian populace. We must be mindful of the guidance that the constitution “cannot be cut down by technical construction” (SC AOR Association v. India) and of Puttaswamy (supra), where a majority felt “the right to privacy cannot be denied, even if there is a minuscule fraction of the population which is affected”. Based on this, I would argue against any doctrinaire application in favour of a liberal and meaningful interpretation of the monopolistic nature contemplated in BCCI (supra).
The Delhi High Court decision in Jorawer Singh Mundy v. India adds to the plausibility of this argument. In this case, a single person’s right to privacy was invoked and enforced against private actors. Though the court did not mull over the publicness of their function, Google and Indian Kanoon were interdicted to provide access to an unreported judgment that infringed the petitioner’s right to be forgotten, a facet of the privacy right as recognized in Puttaswamy.
Impugned terms are against public policy
A supportive line of reasoning may also be drawn from contract law. Standard form contracts are those that are offered to everybody on uniform, non-negotiable terms; examples being the policies offered by insurers or the privacy conditions of various internet players. In Central Inland Water Transport v. Ganguly, the Supreme Court noted that standard form contracts are typically entered into between a “party with superior bargaining power” and “a large number of persons who have far less [...] or no bargaining power at all.” If such contracts are unfair, unconscionable, and unreasonable, on account of affecting a large number of persons, they would be “injurious to the public interest” [emphasis added]. The Supreme Court relied upon analogous reasoning in Pioneer Urban Land & Infra v. Raghavan to rule that a lopsided contract between a builder and purchaser was not enforceable under law.
If a contract falls under the principle so formulated, it is viewed as opposed to public policy and void under the Indian Contract Act, 1872 (Section 23). In the circumstances at hand, the impugned terms affect millions, undoubtedly constituting “a large number of persons”. The platform’s disproportionate economic strength together with its entrenchment in its users’ lives points to an imbalance in their relative bargaining power which, in turn, obstructs users’ meaningful choice to assent to the prescribed rules. This results in the imposition of unilateral terms disfavoring their rights. Shrivastava and Sen suggest that the provision of an opt-out mechanism could balance this inequality in favor of users, giving them actual agency to decide whether they want their data shared and commercialized. Until then, the terms are intrusive of their privacy. That the provisions of Part III of the Constitution (which now include the privacy right) are to be considered while deciding validity of a contractual term under Section 23 is also not novel (Rajasthan v. Basant Nahata). Due to these factors, the principle envisaged in Central Inland (supra) appears to inflict the new privacy policy, which invokes and injures public interest insofar as the inescapable data sharing is concerned. This additionally amplifies the existence of publicness in WhatsApp.
WhatsApp as a common carrier
“Indiscriminate offering of services on generally applicable terms” is the “traditional mark of common carrier service.” In examining Thomas SCJ’s suggestions in Biden v. Knight Institute (supra), I had pointed out that though internet platforms could be construed as common carriers, the imposition of the corresponding obligation of secrecy (though applicable) is not sought since it merely secures a right to sue for damages. Instead, of constitutional weight here is the notion that common law considers common carriers to exercise a public office, to have duties in which the public is interested (New Jersey Navigation v. Merchants’ Bank). Traditionally, these duties have been given effect through legislative intervention, nevertheless, Munn v. Illinois ruled that “if there are no statutory regulations upon the subject, the courts must determine what is reasonable” relief.
As Indian precedent on this aspect is underdeveloped, I seek to plug the common law perception of common carriers into the context of WhatsApp’s privacy debacle. WhatsApp devotes its infrastructure to a business that is useful to the public and affects the community at large—as much has been described in detail previously. Since it offers its messaging services “indiscriminately and on general terms,” it would stand to be relegated to common carrier status under common law and as a result would, ipso facto, be affected with public interest. This classification of big tech has been argued extensively by Candeub as well.
In the US, regulation of industry in the public interest is not barred by any constitutional principle (Nebbia v. New York). In India, Binny v. Sadasivan (supra) viewed economic participation in public interest as performance of a public function, a grievance from which, according to Zee Telefilms (supra), merits a remedy “not only under the ordinary law but also under the Constitution”. Misuse of common law publicness thus warrants constitutional relief. Accordingly, private actors who open up their property or offer their services to the public concomitantly have a responsibility to heed the constitutional interests of the public that uses that property or service (also see Lakier and Tebbe).
[III] CONCLUSION
I contend WhatsApp-Facebook to be vested with public interest and thereby amenable to writ jurisdiction and constitutional scrutiny for horizontal privacy violations because: first, it discharges the fundamentally important function of instant messaging for almost half of the Indian population, heightened additionally due to COVID-19; second, the sheer scale on which it operates is further fortified by network effects and status quo bias that tip the market in its favour; third, the virtual monopoly and corporate unity of the Facebook ecosystem entrenches WhatsApp and forecloses the probability of any real exit for users; fourth, being unreasonable and of standard form, the impugned terms invoke and injure public interest; and fifth, as a common carrier, WhatsApp is affected with public interest and prone to state regulation under common and constitutional law.
These factors, seen in junction with WhatsApp’s promises of privacy and freedom from ads, inhere a public duty in its function of providing private instant messaging that stipulates a positive obligation to honor the privacy of its users. Considering that the scope of Article 226 is much wider than Article 32 and that a writ cannot be denied where a public duty exists (Andi Mukta Sadguru v. Rudani), I would submit that relief in the nature of directing Facebook to provide an option to opt out of the currently mandatory data sharing terms under WhatsApp’s privacy policy would be maintainable and appropriate. Also apt would be a direction to delete the previously shared data of WhatsApp users who choose to exercise the opt-out option.