Delhi High Court order difficult to implement in absence of regulatory framework, say activists.
On September 23, a Delhi High Court Bench led by Chief Justice G Rohini directed Internet-based messaging service WhatsApp to delete all information and data collected from users in India up to September 25.
Watch What Else Is Making News
While the judgment of a court is binding upon companies, in this case, both the implementation and monitoring of the order is difficult. This is essentially because India has no statutory or regulatory framework to control the working of WhatsApp and similar Internet-based messaging services.
Internet Freedom Foundation, an NGO that includes lawyers, researchers and activists who had earlier worked on Net neutrality, Internet privacy and censorship, has issued a statement expressing concern at the lack of an institutional mechanism to protect user privacy and provide a remedy to citizens.
In the current scenario, say members of the organisation, there exists no mechanism to enforce the court’s order.
The court’s judgment itself accepted that in the absence of regulations to protect the right to privacy or regulate terms of service of Internet messaging service providers, the change in WhatsApp’s policy could not be challenged in a writ petition. The court also observed that the company had clearly specified in its terms of usage that it could change the Terms and Conditions of the service.
The court did not ask for a compliance report from WhatsApp or Facebook. Instead, it asked the Department of Telecommunications and the Telecom Regulatory Authority of India (TRAI) to consider bringing Over The Top (OTT) services (where a third-party provider delivers one or more services predominantly over the Internet, and often independent of the service provider) under a statutory regulatory framework.
In March last year, TRAI had released a consultation paper that said WhatsApp and other OTT services were unlicensed entities using the telecom services network, and needed to be brought within the regulatory framework. The paper had also flagged issues regarding data storage, privacy and ownership of data.
The consultation process on the possible steps to be taken is still under way.
Days after the Delhi High Court issued the judicial directions against data-sharing by WhatsApp and Facebook, a federal regulator in Hamburg, Germany, directed WhatsApp to stop sharing information with Facebook, and to delete all data collected so far.
The Hamburg Commissioner for Data Protection and Freedom of Information, through an administrative order on September 27, prohibited Facebook from collecting and storing data of German WhatsApp users, and asked it to delete all data already forwarded to it by WhatsApp.
The Hamburg Commissioner has the jurisdiction to issue such an order — the European Court of Justice (ECJ) had in July held that national data protection laws would be applicable if a company processes data in connection with a national subsidiary.
WhatsApp has 35 million users in Germany, and Facebook’s German headquarters are located in Hamburg. Facebook would appeal against the commissioner’s orders, Reuters and CNBC reported.
The Federal Trade Commission of the USA is also looking into the issue, after complaints were filed by a number of organisations, including the public interest Electronic Privacy Information Center (EPIC) and the not-for-profit Center for Digital Democracy (CDD).
The EPIC-CDD complaint said the changes to WhatsApp’s policy went against its promises to users that personal information would not be used for marketing purposes.
Earlier in August, the French data protection commission, Commission nationale de l’informatique et des libertés, or CNIL, had issued a statement saying the issue was of “the control of individual users over their own data when they are combined by major Internet players”.
CNIL is currently chair of the European Commission’s Article 29 Data Protection Working Party, made up of representatives of data protection authorities across Europe, the European data protection supervisor, and a representative of the European Commission. CNIL had said that each European authority would be following the changes made to WhatApp’s policy with “great vigilance”.
And a report in Singapore-based The Straits Times had quoted Chinese daily Lianhe Zaobao as saying the country’s Personal Data Protection Commission (PDPC) had got in touch with Facebook and WhatsApp after receiving numerous queries from people concerned about their privacy.
The company had at the time assured the Canadian Commission that it would look into introducing measures such as manual addition of contacts and encryption of data.