Sunday, December 10

How WhatsApp case underlines need for laws on data privacy



Delhi High Court order difficult to implement in absence of regulatory framework, say activists.

On September 23, a Delhi High Court Bench led by Chief Justice G Rohini directed Internet-based messaging service WhatsApp to delete all information and data collected from users in India up to September 25.

The order protected both users who had opted to delete the WhatsApp application from their phones, as well as those who had chosen to continue using it after agreeing to WhatsApp’s new privacy policy under which it said it would share user data with web giant Facebook and its group companies. Facebook bought WhatsApp for $ 19 billion in 2014.

Watch What Else Is Making News

WhatsApp subsequently said it “plan(ned) to proceed with the privacy policy and terms update in accordance with the (High) Court’s order”, but did not confirm whether it had deleted, or begun deleting, the data.

No framework

While the judgment of a court is binding upon companies, in this case, both the implementation and monitoring of the order is difficult. This is essentially because India has no statutory or regulatory framework to control the working of WhatsApp and similar Internet-based messaging services.

Internet Freedom Foundation, an NGO that includes lawyers, researchers and activists who had earlier worked on Net neutrality, Internet privacy and censorship, has issued a statement expressing concern at the lack of an institutional mechanism to protect user privacy and provide a remedy to citizens.

In the current scenario, say members of the organisation, there exists no mechanism to enforce the court’s order.

The court’s judgment itself accepted that in the absence of regulations to protect the right to privacy or regulate terms of service of Internet messaging service providers, the change in WhatsApp’s policy could not be challenged in a writ petition. The court also observed that the company had clearly specified in its terms of usage that it could change the Terms and Conditions of the service.

The court did not ask for a compliance report from WhatsApp or Facebook. Instead, it asked the Department of Telecommunications and the Telecom Regulatory Authority of India (TRAI) to consider bringing Over The Top (OTT) services (where a third-party provider delivers one or more services predominantly over the Internet, and often independent of the service provider) under a statutory regulatory framework.

In March last year, TRAI had released a consultation paper that said WhatsApp and other OTT services were unlicensed entities using the telecom services network, and needed to be brought within the regulatory framework. The paper had also flagged issues regarding data storage, privacy and ownership of data.

The consultation process on the possible steps to be taken is still under way.

Global concern

Days after the Delhi High Court issued the judicial directions against data-sharing by WhatsApp and Facebook, a federal regulator in Hamburg, Germany, directed WhatsApp to stop sharing information with Facebook, and to delete all data collected so far.

The Hamburg Commissioner for Data Protection and Freedom of Information, through an administrative order on September 27, prohibited Facebook from collecting and storing data of German WhatsApp users, and asked it to delete all data already forwarded to it by WhatsApp.

The Hamburg Commissioner has the jurisdiction to issue such an order — the European Court of Justice (ECJ) had in July held that national data protection laws would be applicable if a company processes data in connection with a national subsidiary.

WhatsApp has 35 million users in Germany, and Facebook’s German headquarters are located in Hamburg. Facebook would appeal against the commissioner’s orders, Reuters and CNBC reported.

Also on September 27, Italy’s data privacy watchdog said that it had opened a probe into WhatsApp’s new privacy policy, asked the company to explain what information it planned to share with Facebook, and what was being done to explain to users how their data might be used, Reuters reported.

The Federal Trade Commission of the USA is also looking into the issue, after complaints were filed by a number of organisations, including the public interest Electronic Privacy Information Center (EPIC) and the not-for-profit Center for Digital Democracy (CDD).

The EPIC-CDD complaint said the changes to WhatsApp’s policy went against its promises to users that personal information would not be used for marketing purposes.

Earlier in August, the French data protection commission, Commission nationale de l’informatique et des libertés, or CNIL, had issued a statement saying the issue was of “the control of individual users over their own data when they are combined by major Internet players”.

CNIL is currently chair of the European Commission’s Article 29 Data Protection Working Party, made up of representatives of data protection authorities across Europe, the European data protection supervisor, and a representative of the European Commission. CNIL had said that each European authority would be following the changes made to WhatApp’s policy with “great vigilance”.

Also in August, the United Kingdom’s data privacy regulator, the Information Commissioner’s Office, had issued a statement saying it would look into the proposed changes in WhatsApp’s privacy policy to “protect consumers”.

And a report in Singapore-based The Straits Times had quoted Chinese daily Lianhe Zaobao as saying the country’s Personal Data Protection Commission (PDPC) had got in touch with Facebook and WhatsApp after receiving numerous queries from people concerned about their privacy.

Worries about private data being compromised, in fact, predate both the change in WhatsApp’s privacy policy, and its acquisition by Facebook. Back in 2013, WhatsApp had received a warning from Canadian and Dutch privacy watchdogs who found that users have to provide access to all phone numbers in their address books, including both users and non-users of the app, in contravention of privacy laws.

The company had at the time assured the Canadian Commission that it would look into introducing measures such as manual addition of contacts and encryption of data.