WhatsApp

In a judgment on the 23rd of September, the Delhi High Court has held that users cannot demand that Whatsapp continue with its old terms of service, and choose to not share data with Facebook. The judgment says that ‘it is not open to the users now to contend that “WhatsApp” shall be compelled to continue the same terms of service’, in light of terms in past privacy policies. Whatsapp’s Privacy Policy from 2012 states that users allow for transfer of their data to the United States of America; agree to the fact that terms and conditions can change and users imply consent by continuing to use the service; and that Whatsapp cannot control what happens to user data, in the event of a sale.

This was a petition in response to a change of policy from Whatsapp. Our detailed comment on the changes in Whatsapp’s Privacy policy is here.

The court has also mentioned that users cannot seek refuge under Article 21 of the Constitution of India, (right to life and personal liberty) as a change in the privacy policy infringing the Right to Privacy guaranteed via this article, because “legal position regarding the existence of the fundamental right to privacy is yet to be authoritatively decided”, and the case is awaiting a larger bench of the Supreme Court.

The Delhi High Court has, however, done the following:

1. Whatsapp will have to completely delete information/data of those users who delete their Whatsapp account by 25th September 2016 (yesterday). This data will not be shared with Facebook.
2. Whatsapp will not share data of users up-to 25th September 2016 with Facebook, if users choose to remain on Whatsapp.
3. “The respondent Nos.1 and 5 shall consider the issues regarding the functioning of the Internet Messaging Applications like “WhatsApp” and take an appropriate decision at the earliest as to whether it is feasible to bring the same under the statutory regulatory framework.”

We checked with Facebook regarding whether they plan to challenge this order, and they’ve declined to comment (for now).

Read: the privacy nightmare no one in India talks about

MediaNama’s take

1. Users are responsible for their consent: If they continue to consent and use apps without reading terms and conditions, they’re responsible for the consent.

2. Apps are responsible for their terms, but we need to ensure these are in user interest: Terms and conditions are complicated, long, often written by lawyers in legalese. It can be argued that the complexity is intended to ensure that people don’t read these terms. It is upon the legislature and the courts to ensure that this doesn’t happen, and users are provided with more specific and human-readable terms. The terms and conditions of apps, as they stand today, are largely disingenuous because of their complexity: they’re meant to protect companies but not users.

3. Every change in T&C should require fresh consent: Whatsapp did the right thing by taking user consent and allowing users to opt-out from sharing data with Facebook. However, I do feel that the opting out wasn’t made particularly evident. As the petition mentioned, there could have been a ‘I don’t agree” button next to ‘I agree”, with equal prominence, giving users actual choice.

4. India needs a fundamental right to privacy, and a privacy law: The privacy of Indian citizens is the responsibility of the Indian government, and terms in compliance with Indian law. However, there isn’t a privacy in India. There was a draft Privacy law which surfaced in 2011, and we haven’t heard of it since. It’s shameful that the government of India, which is supposed to represent the interests of citizens, has gone to the Supreme Court arguing that privacy isn’t a fundamental right. This needs to be fixed.

5. Why should scrubbing of data have deadlines? The court asking Whatsapp to scrub user data was the right move, but the deadline really shouldn’t have been September 25th 2016. If companies are collecting data which is linked to specific individuals, and this is fine because it is meant for personalization, this data should be scrubbed as soon as a user leaves the service. Now if only users could opt out of Aadhaar, and have the liberty to have that data scrubbed. Here we’re holding companies to our expectations of standards of privacy: governments, which have substantially more power over citizens than online services, should be held to even higher standards of expectations of privacy.