Print Friendly, PDF & Email

Insights into Editorial: Update debate: On WhatsApp and privacy




Personal data is data that relates to an identifiable living individual and includes names, email IDs, ID card numbers, physical and IP addresses.

Data is the large collection of information that is stored in a computer or on a network. Data is collected and handled by entities called data fiduciaries.

The processing of this data has become an important source of profits for big corporations.

Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise online.

The physical attributes of data where data is stored, where it is sent, where it is turned into something useful are called data flows.

Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.


Context: Facing Backlash, WhatsApp Delays Controversial Privacy Update by Three Months:

WhatsApp’s decision to delay the update of its privacy policy, following a backlash from its users, is an implicit acknowledgement of the increasing role played by perceptions about privacy in the continued well-being of a popular service.

Problems for the Facebook-owned app started earlier this month when it announced an update to its terms of service and privacy policy, according to which users would no longer be able to opt out of sharing data with Facebook.

February 8 was kept as the deadline for the new terms to be accepted. This triggered a mass exodus from WhatsApp, the likes of which it has never encountered, not even in the aftermath of the Cambridge Analytica scandal, which did bring a lot of bad press to its parent, or when the messaging app’s co-founders called it quits a few years ago.

The WhatsApp policy update has clearly spooked many users, who, concerned about their privacy getting compromised, have shifted to alternative platforms such as Signal and Telegram.


What data does WhatsApp collect?

It contains your account information such as Phone number, the name attached to the account, the profile photo you currently have for WhatsApp, the device you are using, the time when you have been online, all your contacts, all group names of which you are a part of, the device type, the IP address, device build number, device manufacturer, details of the web/desktop version and the platform which is used for WhatsApp Web, your Status.

It also has the exact time when you set the current profile photo and the current status message.

The list includes all contacts with whom you would have chatted on WhatsApp, and only the mobile phone numbers are mentioned.

It also has your settings for the app, including the privacy settings for Last Seen, Profile Photo, About Privacy and Status Privacy.

It also includes a list of the all numbers you have blocked and whether you have Read Receipts turned on.


What is the E.U. law on data protection?

  1. The European Union General Data Protection Regulation (GDPR) is, arguably, the most notable change in the data protection regime in the last two decades.
  2. For, Europe’s stringent General Data Protection Regulation, more popularly called GDPR, prevents such sharing between apps.
  3. Users there are in control of their data much more than anywhere else in the world. India could do with such a law. All it has is a draft version of a law, and it has been so for a few years now.
  4. Privacy of a billion citizens is too important a thing to be left just to the practices of a commercial enterprise. It will be reassuring if it is guaranteed by a strong law.
  5. The law, which comes into effect, has been designed to protect the personal data of E.U. residents.
  6. The GDPR reflects a paradigm shift in the understanding of the relationship individuals have with their personal data, granting the citizen substantial rights in his/her interaction with data controllers (those who determine why and how data is collected such as a government or private news website), and data processors (those who process the data on behalf of controllers, such as an Indian IT firm to which an E.U. firm has outsourced its data analytics).
  7. Under the GDPR, a data controller will have to provide consent terms that are clearly distinguishable, i.e., consent cannot be buried in the fine print that is incomprehensible to the layperson.


Why GDPR is relevant to India?

  1. The GDPR is being adopted at a time where SC recognised the concept of informational privacy and noted that legislation should be enacted to ensure enforceability against non-State actors (private entities).
  2. By this there are indications that a future data protection legislation in India will share several commonalities with the GDPR.
  3. From this perspective, GDPR compliance may be considered an opportunity for Indian companies to achieve early compliance with a potential Indian data privacy legislation.
  4. According to the Supreme Court in the Puttaswamy judgement (2017), the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy, whereas the growth of the digital economy is also essential to open new vistas of socio-economic growth.
  5. In this context, the government policy on data protection must not deter framing any policy for the growth of the digital economy, to the extent that it doesn’t impinge on personal data privacy.


Compare EU law vs India Law on privacy:


  1. India did not have specificlaws on data protection even India did notimplement the Personal Data Protection Bill; there is no control over how user data will be processed by companies.
  2. However InPuttaswamy v India (2017) case,Right to privacy was established as a fundamental right under article 21.
  3. The Information TechnologyAct (2000) (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.
  4. Under Section 72-A of the IT Act. The Act Penalises the offender for three year imprisonment or a maximum fine of Rs 5 lakh. on Breach of data privacy.
  5. The Aadharact Section 13 makes the processing of personal datawithout a person’s consent possible for any function of the Parliament or State Legislature.



The alleged data breach around Facebook and Cambridge Analytica has alerted people to the challenges of protecting data in a hyper-digitised environment.

The issue has once again raised questions about what constitutes legitimate uses of data and how businesses, governments and political parties can and cannot use data.

A White Paper produced by a government-appointed committee, headed by retired judge B.N. Srikrishna, which is formulating a national data protection law for India, has suggested a hybrid approach to privacy.

This combines the EU rights-based approach, the U.S. approach of using data with consent to encourage innovation, and an Indian approach, which takes note of the Supreme Court’s ruling that privacy is a fundamental right subject to reasonable restrictions.