The Union Government on the Friday urged the Delhi high court to restrain WhatsApp from implementing its new privacy policy, contending the rules were vague, failed to protect user data from being shared with third parties, and did not guarantee deletion of all data once users withdrew their consent.
A bench of chief justice DN Patel and justice Jasmeet was told by the Centre in an affidavit that though the rules framed in 2011 under the Information Technology Act prohibits sharing of information with third parties, WhatsApp has stated that data and information will be freely shared with and received by other companies owned by Facebook.
It said that no details were given about the third parties with whom the information will be shared, and submitted that since the contract of a user is only with WhatsApp, all other Facebook companies are “third parties” and any sharing of data between them amounts to a violation.
The matter will be heard on April 20.
“WhatsApp has stated that data and information will be freely shared with and received from other Facebook companies. Since the contract of the user is only with WhatsApp, all other Facebook companies are ‘third parties’ and any inter-sharing of data obtained by it will amount to violation of the restriction on further disclosure,” it added.
The controversy relates to the company’s decision in January to enforce a new privacy policy that will allow it to share some data about users’ interactions with business accounts with its parent company Facebook, and that accepting these terms were mandatory in order to use the service.
WhatsApp was under fire by critics who said users will now not have an option but to consent to the sharing if they want to keep using the application. The company pushed back the roll-out of the policy to May 15 but reiterated in February that it will go ahead with its decision. This came despite the government writing a letter, asking the company to abandon its plans.
In its affidavit, the government also told the court that the new privacy policy does not provide the opportunity to review or amend the full information submitted by a user, pointing out that the changes allowed to be made are limited to the name, picture, mobile number and “about” information.
“The privacy policy is completely silent on correction/ amendment of information. It appears to provide an option to further manage, change, limit or delete your information of the policy, but upon close perusal, it is apparent that this ability is limited to a user’s profile name, picture, mobile number and the about information. For the policy to be compliant with the Rules, it must allow the users to exercise this option for all kinds of data collected by WhatsApp which are mentioned in the policy. The impugned privacy policy thus fails to fulfil these obligations,” the affidavit said.
WhatsApp did not respond to requests for a comment.
The Centre’s response came on a plea by Seema Singh through advocate Meghan, challenging the new WhatsApp privacy policy. The plea sought directions to the authorities to provide an option to opt out of sharing data with Facebook.
Reacting to the Union government’s response, advocate Meghan said: “The three rights prayed before the court to be declared authoritatively have not been talked about in the counter affidavit.” The three were the right to seek confirmation, access and rectification; to objection, restriction and portability of the data; and to be forgotten as part of Article 21 and the intrinsic to the right to privacy.
He also said the government has not proposed any measure to protect user privacy in the interim. “The mechanism to protect the citizen’s privacy in the interim has also not been heeded in the counter affidavit,” she added.
The Centre cited the 2011 IT Act rules to contend that the updated privacy policy fails to specify the types of “sensitive personal” data being collected, and with whom the information was being shared.
The government said that, in accordance with law, WhatsApp is required to explain the types of “personal” and “sensitive personal” information, but WhatsApp has used general terms to enlist the kinds of data collected, and made no distinction between “personal” data or “sensitive personal” data.
According to the 2011 rules, there are eight categories of information that qualify as sensitive personal data, including user passwords, financial instrument and transaction information, and biometrics information.
On January 15, a law student, Chaitanya Rohilla, too challenged the new privacy policy. WhatsApp initially made it mandatory for the users to accept the conditions by February 8.
The Delhi high court, while hearing Rohilla’s plea, on January 18 observed that WhatsApp is a private application, and it was not mandatory for people to not download it if they had problems with its privacy policy.
Experts welcome the government’s stand and said it was a unique decision. “WhatsApp updated privacy policy, from the perspective of a user, is a chaotic indication to disaster. It is stripping an individual from his right to privacy. Till now, the information was being shared only with the Facebook Group of companies, but now the data will also be shared with third parties and entities whom you have never had a relationship,” said advocate Pavan Duggal. He said,“It is heartening to see the stand of the government because normally, they don’t take such stands. But here the contraventions are so deliberate and intentional, that the government has no choice to take this stand because it has to protect the privacy of the citizens. Also the government can take action against WhatsApp under the new IT rules brought on February 25.”
A WhatsApp spokesperson reiterated that the update in question “doesn’t expand” company’s ability to share data with Facebook. “As we said in January when this matter was first raised: we wish to reinforce that this update does not expand our ability to share data with Facebook. Our aim is to provide transparency and new options available to engage with businesses so they can serve their customers and grow. WhatsApp will always protect personal messages with end-to-end encryption so that neither WhatsApp nor Facebook can see them. We are working to address misinformation and remain available to answer any questions..
