About the author: Aniket Aggarwal is a commercial litigator and technology lawyer practicing in Delhi, India. His practice and research primarily revolve around matters arising out of contracts, misuse of technology, and debts gone bad. He loves reading mythology and listening to jazz.
In line with Mark Zuckerberg’s planned integration of services within the Facebook marquee, WhatsApp announced new privacy conditions for its users in January 2021. The update unveiled heightened sharing of data with parent company Facebook and required users to consent or lose access to the precious messaging service. This paved the way for better targeting of advertisements by collecting more metadata from WhatsApp, combining it with the Facebook ecosystem, and allowing third-parties to read user chats with business accounts. In the wake of Facebook’s involvement in data scandal after scandal, this move was expectedly met by febrile furore. Regulators issued warnings. Lawsuits were filed. Investigations began.
Following immense backlash, WhatsApp stalled, choosing to address the “rumors going around” and to seemingly defer the consent deadline indefinitely. “WhatsApp won’t delete your account,” an FAQ proclaims today. And yet, in reality, the company had not budged. Though no specific timelines were prescribed, users who did not agree to the new privacy policy were to receive persistent reminders to accept; their apps would slowly lose functionality until messages or calls were no longer delivered to them, which is when the existing policy for inactivity would apply (Singh). Accordingly, inactive accounts would stand deleted in 120 days. Since “the majority of users who have seen the update have accepted” the terms, WhatsApp reversed its stance, altering its earlier FAQ page to now state it currently has no plans to limit the functionality of the app.
That users had no real choice is manifest. Apart from Facebook’s plummeting privacy record and the recognition that privacy activists and policy professionals consider the platform’s clarifications misleading, there are other reasons why the promise of privacy seems hollow and possibly, mala fide.
Owing to the extensive General Data Protection Regulation applicable in Europe, separate terms were released for its residents. On a perusal, it becomes apparent that an in-built safety—that European data collected by WhatsApp “cannot be used for the Facebook Companies’ own purposes”—is not extended to other nations. Rather, the non-EU privacy policy (applicable to India) provides that data collected from WhatsApp may be used to improve and market Facebook’s offerings, including to show “relevant offers and ads across the” Facebook Products. These elements are conspicuously absent from the EU’s privacy policy and, indeed, would not be tolerated in India had the country’s proposed consent-centric data framework been in force. Ironically, despite enjoying greater protections, certain European nations have already initiated coercive measures against the updated conditions. These circumstances inform a reasonable inference: Facebook’s conduct implicitly admits curtailment of privacy in India (and in other countries outside the EU).
Also to note, in Zuckerberg’s vision for building an integrated networking platform under Facebook’s rubric, as also in the clarifications circulated by WhatsApp to allay public distrust, the thrust is towards underpinning end-to-end encryption as the panacea for user privacy concerns. This, I feel, is an entirely disingenuous argument. Facebook itself has developed a mass surveillance model capable of bypassing encryption’s protection by planting the necessary algorithms directly into a phone, into each WhatsApp mobile application.
These circumstances require WhatsApp’s assertions of not reading or logging messages, media, locations, and contact numbers to be viewed in juxtaposition with its unbridled capacity and readiness to do so, i.e., the paradigm that Thomas SCJ pressed for Twitter in the US as well. At any rate, it would be expedient to appraise whether and how the fundamental right to privacy in India is violated by WhatsApp-Facebook as of date, and if they do, whether a writ would be maintainable against the violation. That brings us to the final segment of this piece.
[I] IS THE RIGHT TO PRIVACY ACTUALLY VIOLATED?
According to the new privacy policy, WhatsApp collects data related to its users’ accounts (phone number; settings; frequency and duration of usage), their contact lists, their device and connection information (details of the phone and network used), their approximate geographical locations, and if the payments function is availed, their financial data. All of this information, except the contacts, is shared with Facebook. The conditions express there is no intention to use this information for targeted ads. In the same sentence, there’s a caveat: if there is a change in that intention, the privacy policy would be suitably updated. The terms ultimately end up contradicting themselves, explicitly stating that shared information will be used, inter alia, to show “relevant offers and ads across the Facebook Company Products” (that include WhatsApp) and for “personalizing features and content”.
I gauge the infringement of privacy in this frame of reference on two grounds. The first an arguendo premised in India’s proposed Personal Data Protection Bill (“PDP Bill”); the other arising from the ratio of Puttaswamy v. India, the constitution bench decision recognizing privacy as a fundamental right under India’s Constitution. Here, it is key to remember that WhatsApp’s collection of the data is really not under fire—that much may be necessary to provide the service of internet messaging—what is impugned is the sharing of that data with Facebook for the inevitable targeted ads and monetization.
The collected information falls within the definition of ‘personal data’ under the PDP Bill, which, given the factual circumstances, would be allowed to be processed solely on consent that is free, informed, specific, clear, and withdrawable (Clause 11). Further, only data necessary for the purposes consented to would be allowed to be processed (Clause 6). The contradictions within the privacy policy, and in truth, between the statements and actions of Facebook/WhatsApp create substantial ambiguities that impair user consent insofar it needs to be informed and specific; exactly what data is processed for which purpose is far from being as transparent as required.
Even if the terms were transparent, they would not abide by the proposed law. As sharing of data with Facebook bears no nexus to the provision of the core messaging service, making the continuity of WhatsApp accounts contingent on users’ acceptance of the same runs foul of Clause 11(4), according to which, the provision of a service (such as messaging) cannot be made conditional on the consent to any data processing unnecessary for that service (such as sharing messaging data for ads and marketing). Due to these reasons, the new conditions fail to meet the required rigors under the awaited PDP Bill and would be violative of privacy on that count.
Be that as it may, in anticipation of the data enactment, it is imperative to address the constitutional question at hand by inspecting the updated terms in context of the Puttaswamy decision, where privacy was unanimously declared as a fundamental right by a nine-judge bench of the Supreme Court. Though there were six concurring opinions differing in their interpretation of privacy’s ontogenesis, nearly the entire bench saw consent as a crucial component of individual autonomy over data. Khehar SCJ alone omits to allude to consent’s role. Recalling that a lead judgement constitutes binding precedent if no contrary stand is expressed in concurrences (Kaikhosrou Kavasji v. India) and that there is no dissent inter se the Puttaswamy opinions, I find it safe to deduce that the “centrality of consent” (Justice Chandrachud’s words) is sine qua non to the individual’s “zone of privacy” contemplated by the apex court. Chelameshwar and Nariman SCJs envisage control over the dissemination of personal data; they identify “sanctuary” as one of the zones that offers “protection against intrusive observation” and “allows an individual to keep some things private.” For Justice Bobde, privacy incorporates the “choice and specification of [...] which persons to exclude from one’s circle” and for Justice Kaul, it is exigent to ensure that “information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed.”
In light of these views, the new privacy policy and WhatsApp’s obstinacy thereon—that offers neither clarity nor any meaningful choice to users—evidently impinges the “protected zone of privacy” constructed by the Supreme Court of India. Certain economic and legal peculiarities associated with WhatsApp’s scale, conduct, and market (that are discussed ahead) additionally substantiate this inference. In providing personal data to avail the messaging service, users possess a “reasonable expectation of privacy” that stands shattered if that data is shared with Facebook to facilitate other purposes such as marketing and advertising. Therefore, it would appear that as of date, the fundamental right to privacy is violated by Facebook-WhatsApp in India.
[II] WOULD A WRIT BE MAINTAINABLE AGAINST FACEBOOK-WHATSAPP?
In India, writ jurisdiction is exercised by the Supreme Court under Article 32 of the Constitution and by the High Courts under Article 226. As per Zee Telefilms, “the pre-requisite for invoking the enforcement of a fundamental right under Article 32 is that the violator of that right should be a State first.” And to be construed as ‘State’ (Article 12), the control test must be satisfied—Pradeep Kumar Biswas requires the private body to be “financially, functionally and administratively dominated by or under the control of the government.” Since Facebook and WhatsApp are in no way patronized or instructed by the government, they ex facie fall short of the control test. Ergo, they cannot be construed as ‘State’ under Article 12 and a writ against them cannot be preferred before India’s apex court (Article 32).
The conundrum here harks back to Thomas SCJ’s inversion of the state action doctrine in Biden v. Knight Institute, by which he suggests exploring the horizontal application of individual constitutional rights on actions without governmental control. This has been pondered in India too (although in a very different factual setting). Besides reaffirming the absence of relief under Article 32 for violation of rights by bodies failing the control test, the majority in Zee Telefilms noted that “the violator of such right would [not] go scot-free merely because it or he is not a State.” Where private activity resembles public duty, “there is always a just remedy for violation of a right of a citizen [...] by way of a writ petition under Article 226 of the Constitution which is much wider than Article 32.”
The precedent so propounded was applied (and qualified) in BCCI v. Cricket Association of Bihar. While adjudging BCCI, Indian cricket’s self-regulatory body, to be a “trustee of general public interest” amenable to Article 226, the Supreme Court stressed the following factors: