This blog seeks to analyse 2 contentious points in the Policy – sharing of data with Facebook companies and business accounts, followed by assessing the legality of such sharing under the current legal regime. The post shall also explore what would have been the case if the Personal Data Protection Bill, 2019 (PDP Bill) were a law as of date.
1. E2E encryption and metadata collection: Before delving into how the Policy proposes to transfer data to Facebook group companies and third-party businesses, it is essential to understand what and how data is processed by WhatsApp.
One of WhatsApp’s marquee feature is that the chats between 2 users is end-to-end encrypted (E2E Encryption). This means that all messages, text, image, voice calls, video calls, audio messages exchanged between the users are changed into ciphertext (unreadable format) that can only be decrypted into plain text and read by the recipient user. This ensures that except for the 2 users, no third-party including WhatsApp can read the messages. E2E encryption refers to encryption in transition. This works by creating 2 security keys – one private key and another public key. When a message is sent, the public key enables creation of the ciphertext. The private key along with the cipher safely is delivered to the recipient, where the key helps decrypting the cipher to a readable format. The Policy clarifies that WhatsApp retains this feature for both user-user conversations as well as user-business conversations.
However, the bone of contention is the extent to which identified user information and metadata are collected by WhatsApp, and consequently, shared with Facebook group companies, or any other third-party service provider. Metadata refers to the background data that gives more insight into data. For example, IP address can give insight into an individual’s location and hence, is metadata. As such, metadata in combination with other data sets can reveal identity of the person. Interestingly, metadata is not protected by E2E encryption, and to certain extent, it is impossible for businesses to mask metadata, as it is essential for legitimate business purposes, including for good data governance and management practices.
As per the Policy, metadata and identified user information collected includes user interaction patterns like time, frequency and duration, group names, pictures and descriptions, features used, payment and business options, profile photos, last seen and about information. Further, hardware information such as model, operating system, battery level, signal strength, app version, browser information, mobile network are also collected. Alongside, WhatsApp collects Facebook identifiers associated with the same device. Facebook identifier is a unique number combination that does not directly disclose identity of the individual, but can lead to the person’s account.
From the above, it is evident that huge amounts of data in non-encrypted form is collected by WhatsApp. While WhatsApp cannot read the contents of personal messages, it surely can process metadata and other identified information that has the potential of disclosing personal information about users. Thus, the risk to one’s privacy exists. While some data sets and its consequent processing could be essential for legitimate business purposes such as developing new features, improving services, building security measures, or conducting studies, it is unclear from the Policy what is essential and what is collected over and above for other purposes, including those that may not be essential for WhatsApp services but for the Facebook group companies.
As a result, the Policy is a heavily layered one, where user is required to access WhatsApp FAQs and thereafter, redirect to individual Facebook companies’ terms to understand if information is afforded adequate protection. This is likely to result in consent fatigue. The end outcome could be a bizarre scenario where users agree to the terms without knowing what they have consented to. The changed stance also raises several user concerns – did WhatsApp enable backdoor access to user information in the past?; what is the nexus between WhatsApp services and those provided by Facebook group companies that necessitates the transfer?; how is transfer justified where the user is not using any other Facebook products?; how will WhatsApp control the manner in which information is handled, processed and protected by recipient Facebook companies?; and whether by agreeing to the Policy, the user is compelled to agree to the terms of Facebook companies? In any event, the volumes of data transferred can provide enormous insights into a user’s digital behaviour, and this could have potential profiling problems. Thus, it will be imperative for WhatsApp to clarify these concerns and build in more transparency around how and why data is being transferred to Facebook group companies.
3. Interaction with businesses: The Policy also provides that businesses can interact with users on WhatsApp through in-app purchases, communications, sending order confirmations, etc. But, here again the Policy seems to be ambiguous at various places when it comes to encryption of business account interactions. Even where business communications are protected by E2E encryption, there is no clarity on how access right is limited, once the communication is decrypted by the business account. To this effect, the Policy caveats that the messages sent to a business account could be read by several people. Further, the Policy states that businesses may share the interactions with WhatsApp, third-party service providers (which may include Facebook companies) to store, read, and manage those messages for the business. Moreover, once the message is received, it will be subject to the business’s own privacy policies. This in essence implies that user conversations with a business account despite encryption are likely to be shared with several third parties, without any visibility on how the transferred information will be processed.
This is plausible as WhatsApp views conversations between 2 users to be different form conversations with a business account. If one looks at the source code of WhatsApp Business API on Facebook developers’ website, the FAQs clarifies that not all business account conversations are E2E encrypted. Where a WhatsApp business account chooses a third-party service provider, the communications are not considered protected by E2E encryption. It also states that in future, where businesses use Facebook’s cloud-based API and are hosted by Facebook, messages will not be encrypted. This would allow Facebook to access, store and manage the communication between users and the business. In such situation, it is not unrealistic to consider a situation where Facebook adds the new data to the dossier of already shared information, allowing for data integrations at a deeper level without suitable checks and balances. As these details are provided elsewhere instead of the Policy, there is lack of transparency which is a cardinal principle for protecting informational privacy. These aspects are potentially problematic and it will be prudent to revisit the Policy.
4. Is the Policy legal under the present data protection laws? India does not have a robust data protection and privacy law. The Information Technology Act, 2000 (“IT Act”), does not expressly protect the privacy of conversations that take place on online messenger platforms like WhatsApp. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”) are not adequate enough to protect all kinds of data; rather, they are indicative of the practices and procedures to be followed while handling sensitive information. Suffice it to state that the scope of IT Rules is limited and hence, a legality assessment is futile.
However, the Policy could impact the status of WhatsApp as an intermediary under the Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediary Guidelines”) with respect to various data sets. Section 2(1)(w) of the IT Act defines an intermediary as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record. Thus, the role of an intermediary is to facilitate the transmission of content and information between the sender and receiver. Further, the Intermediary Guidelines strictly prohibit the selection of the recipient of the information and mandate intermediaries to put in place proper safeguards that ensure personal information protection. In light of the Policy, it can be argued that sharing of user data with Facebook group companies and determining the purposes for which the information shall be processed makes WhatsApp a controller instead of an intermediary. In such scenario, WhatsApp would be directly liable for the information transmitted and its processing, irrespective of disclaimers on liability.
5. What if PDP Bill were law? As it may be, the legality of the Policy would be questionable if PDP Bill were a law as of date.
PDP Bill seeks to regulate processing of personal data (PD) and is not limited to sensitive personal data. PD is defined as any data relating to a natural person, who is directly or indirectly identifiable, having regard to characteristic, trait, attribute or any other identification feature in online or offline medium, either standalone or in combination with other information, and shall include any inference drawn for purposes of profiling. The scope is wide, and has the potential of including user digital behaviour and metadata within its ambit. Accordingly, WhatsApp can carry out contemplated processing as per its Policy only in compliance with PDP Bill.
In the bare minimum, WhatsApp will be obligated to process PD in compliance with the core data processing principles, and specifically, purpose limitation and data minimisation. Purpose limitation under PDP Bill states that PD shall be processed in a fair and transparent manner for (i) purposes consented to by the individual data principal, or (ii) those which are incidental or connected with the consented purposes, or (iii) those which can be reasonably expected by the individual. Regarding data minimisation, PDP Bill states that PD collected shall be limited to the extent necessary for the purposes. If the Policy in its current form were to satisfy the above principles, it has to be shown that the individual has consented to the purposes listed, or they are incidental, or in the least, reasonably expects them. Further, it has to be proved that all information collected and processed is essential for these purposes. For instance, the Policy states that it shares user information with Facebook group companies to understand how WhatsApp or their services are used as well as improvise them. If we assume that the primary purpose for WhatsApp processing user PD is to provide messaging services, it cannot be argued that sharing PD with Facebook group companies is incidental or reasonably expected by the user. This will mean that WhatsApp can only share after obtaining user consent.
Now, let us take a quick look at the standard of consent that is required under PDP Bill. Consent is the primary basis of processing and for valid consent, it must be (i) free i.e., without any coercion, misrepresentation, undue influence, mistake or fraud, (ii) informed i.e., whether individual has been provided with information as mandated under pre-consent notice including information on purposes, right of principal to withdraw consent, information regarding cross-border data transfer, details of recipients, grievance redressal, etc. (iii) specific, having regard to whether principal can determine the scope of consent, (iv) clear with respect to affirmative action required for signifying consent, and (v) capable of being withdrawn as easily as the manner through which consent was obtained.
While there is a dearth of jurisprudence on data processing consent in India, reliance can be placed on consent provision under the European Union’s General Data Protection Regulation (EU GDPR) and its jurisprudence to understand what is required to comply with the abovementioned consent thresholds. Article 13 of EU GDPR mandates the controller to provide certain information to the data subject at time of collection such as identity and contact details of controller, processing purpose, recipients, etc. This information has to be provided in “concise, transparent, intelligible and easily accessible form, using clear and plain language”, and if requested by data subject, orally as well. Thus, it is fundamental that information disclosures are clear, concise, and easy to comprehend. To this effect, in January 2019, CNIL, the French data protection authority, imposed a fine of €50 million on Google for breach of its obligation to disclose necessary information in a clear and accessible manner. In this case, Google provided generic information about processing purposes and other details, spread over several pages. The authority observed that in some cases, user had to navigate and perform multiple actions to extract the information. It was also observed that description provided was too vague denying users to understand the scope and extent of processing. In light of this, we are of the opinion that for consent to be free, informed, specific and clear, information must be provided in a concise, clear and unambiguous fashion. Without such clarity and granularity, it will be difficult for a user to understand what they are consenting to, and this strikes at the very basis of free consent.
Further, PDP Bill states that provision of any goods or services, performance of contract, or enjoyment of legal right shall not be made conditional on consent to processing of PD that is not necessary for that purpose. Thus, if sharing of user information by WhatsApp is not essential or connected with providing messaging services, it cannot stop providing services where an individual refuses to consent to data sharing.
In light of the foregoing analysis, it is likely that the Policy in its current form would have failed to meet the essentials of processing under PDP Bill.
Conclusion: A petition against the Policy was filed in the Delhi High Court with the petitioner seeking an injunction against WhatsApp over privacy concerns. The Delhi High Court has remarked that it is not mandatory for an individual to use WhatsApp and adjourned the matter to March 1, 2021. Alongside, Ministry of Electronics and Information Technology has demanded responses as to why Indian users have been provided with different privacy terms when compared to EU users. While it will be important to see how WhatsApp handles the situations, the current situation clearly highlights the need for enacting the PDP Bill. Until such time, transparency and accountability matrices for data processing despite being essential for privacy will be difficult to implement.
 To learn more on what is metadata, access http://egovstandards.gov.in/metadata-and-data-standard (last accessed February 8, 2021)
 To learn more, access https://developers.facebook.com/docs/whatsapp/faq/#faq_188619461766385 (last accessed on February 8, 2021)
 Shreya Singhal v. Union of India A.I.R 2015 S.C. 1523