We expect that this sovereign independence of India’s distinct identity and its people must be properly respected and any unilateral changes to the WhatsApp Terms of Service and Privacy would not be fair and acceptable.
In this context, the proposed changes raise grave concerns regarding the implications for the choice and autonomy of Indian citizens. Therefore, you are called upon to withdraw the proposed changes. Further, you are urged to reconsider your approach to respect the informational privacy, freedom of choice and data security of Indian citizens. — MEITY letter to WhatsApp (emphasis added)
The letter went on to ask WhatsApp about its privacy practices, such as the permissions its app requires and what data it collects. It also asked what systems the company had in place to disclose breaches, for example to the Indian Computer Emergency Response Team (CERT-In). “Provide complete technical architecture along with the information flows as well as cross border data flows if any,” one of the questions asks. MEITY also asked on which servers Indian users’ data was stored.
Text of the letter
The letter, dated January 18, is addressed to CEO Will Cathcart.
The collection, and onward sharing with Facebook Companies, of sensitive personal data of individuals portends an ecosystem where any meaningful distinction between Facebook Companies and WhatsApp will cease to exist. This approach has the potential to infringe on core values of data privacy, user choice and autonomy of Indian users. Given the huge user base of WhatsApp and Facebook in India, the consolidation of this sensitive information also exposes a very large segment of Indian citizens to greater information security risks and vulnerabilities creating a potential honeypot of information. While the Government expects you to take all information security safeguards as per law, potential impact of these changes proposed by WhatsApp creates systemic vulnerability.
It hardly needs emphasis that India is a sovereign democratic republic where the enabling atmosphere created by the Government of India through transformative programmes like Digital India has created a very congenial atmosphere for Indian citizens to adopt technology, and as a consequence, the footprints of WhatsApp have expanded enormously in India. We expect that this sovereign independence of India’s distinct identity and its people must be properly respected and any unilateral changes to the WhatsApp Terms of Service and Privacy would not be fair and acceptable.
In this context, the proposed changes raise grave concerns regarding the implications for the choice and autonomy of Indian citizens. Therefore, you are called upon to withdraw the proposed changes. Further, you are urged to reconsider your approach to respect the informational privacy, freedom of choice and data security of Indian citizens.
The Government of India is also concerned with the way in which Indian users have been made subject to these changes. By not providing Indian users with the ability to opt-out of this data sharing with other Facebook Companies, WhatsApp is treating users with an ‘all-or-nothing’ approach. This approach leverages the social significance of WhatsApp to force users into a bargain which may infringe on their interests in relation to informational privacy and information security. This ‘all-or-nothing’ approach takes away any meaningful choice from Indian users. It is expected that Facebook will value the principles of privacy and consent in the processing of information, as stated by the Hon’ble Supreme Court of India in its judgment in Justice (Retd.) K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
You are hereby directed to furnish responses/clarifications to the following queries in relation to your privacy and data transfer and sharing policies, and general business practices:
1) Please provide details of the services provided by the WhatsApp application in India.
2) Please disclose the exact categories of data that the WhatsApp application collects from Indian users.
3) Please provide details of the permissions and consents required by different versions of the WhatsApp application, and the utility of each of these permissions with respect to the functioning and the specific service provided by the WhatsApp application.
4) In case the permissions and consents sought from the users in any other geographical locations across the globe are different from those sought from the users in India, please furnish full details and reasons for such differences, if any.
5) Does WhatsApp conduct profiling of Indian users on the basis of their usage of your application? What nature of profiling is conducted?
6) What is your incident response, version update, responsible vulnerability disclosure and vulnerability fix/mitigation process, including advance notices with Indian Computer Emergency Response Team (CERT-IN)?
8) Please furnish the following policies of the company, where applicable to India:
i) Data Security Policy
ii) Information Security Policy
iii) Cyber Security Policy
v) Encryption Policy
9) Does the WhatsApp application share data with any other app or business unit of the same company or associated companies? Share details of the data flow among these apps, business units or associated companies.
10) Does the WhatsApp application capture the information about other apps running on the mobile phone device of the user? If yes, what information is being captured by the app and for what purpose is it being collected and used?
11) On which server is the data of Indian users transmitted and hosted? Is this data mirrored or transmitted to any other servers, apart from the primary server disclosed? Is the data hosted on these servers encrypted? If encrypted, please provide details on the location and access of the encryption keys, and the level of encryption used.
12) Provide complete technical architecture along with the information flows as well as cross border data flows if any.
13) Has the company or application provided any access to a third party to access a user’s personal data? If such information has been shared, please provide detailed particulars of the same.
14) Does the application harvest user data? Has the company faced any action in any country for surreptitiously harvesting user data?