Date: 2021-02-18

The Ministry of Electronics & Information Technology sent a letter to WhatsApp last month, interrogating changes the Facebook-owned messaging app had made to its privacy policy. MediaNama has obtained a copy of the letter under the RTI Act. “These changes enable WhatsApp, and other Facebook Companies, to make invasive and precise inferences about users which may not be reasonably foreseen or expected by users in the ordinary course of accessing these services,” MEITY said in the letter. “Whether this will enable better provision of services to users or not is besides the point, the issue is the impact it has on informational privacy, data security and user choice.”

In this context, the proposed changes raise grave concerns regarding the implications for the choice and autonomy of Indian citizens. Therefore, you are called upon to withdraw the proposed changes. Further, you are urged to reconsider your approach to respect the informational privacy, freedom of choice and data security of Indian citizens. — MEITY letter to WhatsApp (emphasis added)

WhatsApp announced changes to its privacy policy in January that led to widespread debate, as the changes amount to a deeper integration between the messaging app and Facebook’s other verticals. WhatsApp has argued that user data such as chats won’t be at risk, but the government took issue with Indian users not being provided a choice to opt out of the privacy update, unlike EU residents. Shortly before MEITY sent this letter, WhatsApp delayed enforcement of the updates.

The letter went on to ask WhatsApp about its privacy practices, such as the permissions its app requires and what data it collects. It also asked what systems the company had in place to disclose breaches, such as to the Indian Computer Emergency Response Team (CERT-In). “Provide complete technical architecture along with the information flows as well as cross border data flows if any,” one of the questions asks. MEITY also asked on which servers Indian users’ data was stored.

The letter, dated January 18, is addressed to CEO Will Cathcart.

Subject: Regarding the recent changes to the WhatsApp Privacy Policy

This is with reference to the recent changes proposed to the WhatsApp Terms of Service and Privacy Policy for Indian users. As you are undoubtedly aware, India is home to the largest segment of WhatsApp’s user base globally and is one of the biggest markets for the services offered by WhatsApp. Consequently, any changes to the WhatsApp Terms of Service and Privacy Policy will have a disproportionate impact on the Indian citizens.

The changes to the WhatsApp Privacy Policy and Terms of Service outline the vast amounts and categories of data that is collected by WhatsApp and how it will be shared with other Facebook companies. These changes enable WhatsApp, and other Facebook Companies, to make invasive and precise inferences about users which may not be reasonably foreseen or expected by users in the ordinary course of accessing these services. These changes notify users that WhatsApp will collect highly invasive and granular metadata, such as time, frequency and duration of interactions, group names, payments and transaction data, online status, location indicators, as well as any messages shared by users with business accounts. Further, these changes indicate that this information will be shared with other Facebook Companies for an extremely expansive and broad set of purposes, without providing users with any option to opt-out of this integration across social media platforms. Whether this will enable better provision of services to users or not is besides the point, the issue is the impact it has on informational privacy, data security and user choice.

The collection, and onward sharing with Facebook Companies, of sensitive personal data of individuals portends an ecosystem where any meaningful distinction between Facebook Companies and WhatsApp will cease to exist. This approach has the potential to infringe on core values of data privacy, user choice and autonomy of Indian users. Given the huge user base of WhatsApp and Facebook in India, the consolidation of this sensitive information also exposes a very large segment of Indian citizens to greater information security risks and vulnerabilities creating a potential honeypot of information. While the Government expects you to take all information security safeguards as per law, potential impact of these changes proposed by WhatsApp creates systemic vulnerability.

It hardly needs emphasis that India is a sovereign democratic republic where the enabling atmosphere created by the Government of India through transformative programmes like Digital India has created a very congenial atmosphere for Indian citizens to adopt technology, and as a consequence, the footprints of WhatsApp have expanded enormously in India. We expect that this sovereign independence of India’s distinct identity and its people must be properly respected and any unilateral changes to the WhatsApp Terms of Service and Privacy would not be fair and acceptable.

In this context, the proposed changes raise grave concerns regarding the implications for the choice and autonomy of Indian citizens. Therefore, you are called upon to withdraw the proposed changes. Further, you are urged to reconsider your approach to respect the informational privacy, freedom of choice and data security of Indian citizens.

Specifically, as you may be aware, the Personal Data Protection Bill, which is being discussed by a Joint Committee of the Parliament, is focused on the core value of purpose limitation in the processing of personal data. As per the changes to the WhatsApp Privacy Policy, any information shared with any Facebook Company can be used for an expansive variety of purposes, which may not be reasonably expected by users of WhatsApp. Since the Indian Parliament is seized of the issue, making such a momentous change for its Indian users at this time puts the cart before the horse. This may also lead to significant implementational challenges to purpose limitation should it become the law. Needless to say, as you are well aware, purpose limitation is not simply a principle incorporated in the Personal Data Protection Bill in India, but has been widely recognised from the time of the OECD Guidelines in 1980 and finds place in the laws of several jurisdictions where you operate. One might even state it is well on its way to becoming a customary international law.

In this context, it is an issue of great concern that the ability to opt-out of data sharing with Facebook Companies is not provided to Indian users who are being subjected to differential treatment when compared to their European counterparts with comparatively less choice. The Privacy Policy offered by WhatsApp to its European users specifically prohibits the use of any information shared with a Facebook Company for that Companies’ own purposes, while this clause is not present in the Privacy Policy offered to Indian users. This differential and discriminatory treatment of Indian and European users is attracting serious criticism and betrays a lack of respect for the rights and interests of Indian citizens, who form a substantial portion of WhatsApp’s user base. Such a differential treatment is prejudicial to the interests of the Indian users and is viewed with serious concern by the Government.

The Government of India is also concerned with the way in which Indian users have been made subject to these changes. By not providing Indian users with the ability to opt-out of this data sharing with other Facebook Companies, WhatsApp is treating users with an ‘all-or-nothing’ approach. This approach leverages the social significance of WhatsApp to force users into a bargain which may infringe on their interests in relation to informational privacy and information security. This ‘all-or-nothing’ approach takes away any meaningful choice from Indian users. It is expected that Facebook will value the principles of privacy and consent in the processing of information, as stated by the Hon’ble Supreme Court of India in its judgment in Justice (Retd.) K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.

The Government of India owes a sovereign responsibility to its citizens to ensure that their interests are not compromised. Accordingly, you are called upon to explain the changes made to the Privacy Policy and Terms of Service offered to Indian users and respond to the concerns that your proposed changes are prejudicial to the rights and interests of Indian citizens. You are also requested to specifically respond to the issues as noted in the attached questionnaire. Please provide an explanation and your responses to the issues mentioned above and in the attached questionnaire within seven days of issuance of this letter.

Yours sincerely,

[signed]

Questionnaire

You are hereby directed to furnish responses/clarifications to the following queries in relation to your privacy and data transfer and sharing policies, and general business practices:

1) Please provide details of the services provided by the WhatsApp application in India.

2) Please disclose the exact categories of data that the WhatsApp application collects from Indian users.

3) Please provide details of the permissions and consents required by different versions of the WhatsApp application, and the utility of each of these permissions with respect to the functioning and the specific service provided by the WhatsApp application.

4) In case the permissions and consents sought from the users in any other geographical locations across the globe are different from those sought from the users in India, please furnish full details and reasons for such differences, if any.

5) Does WhatsApp conduct profiling of Indian users on the basis of their usage of your application? What nature of profiling is conducted?

6) What is your incident response, version update, responsible vulnerability disclosure and vulnerability fix/mitigation process, including advance notices with Indian Computer Emergency Response Team (CERT-IN)?

7) Is there any difference between the privacy policy of the WhatsApp application in India and in other countries? Please share details of the variations in privacy policies of the WhatsApp application in India and in other countries.

8) Please furnish the following policies of the company, where applicable to India:

i) Data Security Policy

ii) Information Security Policy

iii) Cyber Security Policy

iv) Privacy Policy

v) Encryption Policy

9) Does the WhatsApp application share data with any other app or business unit of the same company or associated companies? Share details of the data flow among these apps, business units or associated companies.

10) Does the WhatsApp application capture the information about other apps running on the mobile phone device of the user? If yes, what information is being captured by the app and for what purpose is it being collected and used?

11) On which server is the data of Indian users transmitted and hosted? Is this data mirrored or transmitted to any other servers, apart from the primary server disclosed? Is the data hosted on these servers encrypted? If encrypted, please provide details on the location and access of the encryption keys, and the level of encryption used.

12) Provide complete technical architecture along with the information flows as well as cross border data flows if any.

13) Has the company or application provided any access to a third party to access a user’s personal data? If such information has been shared, please provide detailed particulars of the same.

14) Does the application harvest user data? Has the company faced any action in any country for surreptitiously harvesting user data?