A spokesperson for Whatsapp said that they have responded to the Government of India’s letter and assured them that the privacy of users remains our highest priority.””As a reminder, the recent update does not change the privacy of people’s personal messages. Its purpose is to provide additional information about how people can interact with businesses if they choose to do so,” they said.
“We hope this approach reinforces the choice that all users have whether or not they want to interact with a business. We will maintain this approach until at least the forthcoming PDP law comes into effect,” the spokesperson said.
WhatsApp reported 2 billion monthly active users globally in February 2020 (before the pandemic), with 400 million reportedly being in India. It has launched its UPI-payments service in India. As of July, WhatsApp Business accounts had 50 million MAUs, with 15 million of those in India, per TechCrunch. As WhatsApp head Will Cathcart said, 175 million people globally message a business account each day.
WhatsApp’s new terms for users
In a later clarification, however, WhatsApp said that its service is end-to-end encrypted and neither it or Facebook can see messages. It further emphasised that it does not share contacts with Facebook, that location shared on chat and group chats remains private, that users can set messages to disappear, and can download their data.
Further, per the updated terms, messages to business accounts on WhatsApp can be shared with third-party service providers, which may include Facebook itself. For example, Facebook (as the third-party service provider) could store, read and “manage” messages sent to businesses by users. This only becomes clearer in the WhatsApp’s clarification posted on Tuesday:
Essentially, there is freer flow of data between WhatsApp, Facebook, and Instagram. While nobody can peek into your texts, thanks to end-to-end encryption, data points about users, and how they use WhatsApp’s business services, and their broader interaction with the Facebook group of products (Messenger, Facebook, Instagram, WhatsApp, Onavo) can be combined. The theoretical use cases of this could be multiple: see ads for a product being sold on WhatsApp Business on Facebook, buy the product via WhatsApp Business, and that interaction is used to show you more ads and relevant content.
Competition Commission Probe
According to the CCI, the purpose of data sharing “seems to be beyond users’ reasonable and legitimate expectations regarding quality, security and other relevant aspects” for which users come on WhatsApp. Both Facebook and WhatsApp challenged this order before the Delhi High Court, seeking quashing of the CCI probe. While its legal representatives argued that the CCI was examining privacy related issues without jurisdiction as the right to privacy is a constitutional matter, whereas the CCI said their probe concerns the creation of a monopolistic market due to sharing of excessive data.
On April 22, the Delhi High Court dismissed the petitions filed by WhatsApp and Facebook.
Impact of IT Rules 2021
Traceability and Encryption:Under the rules, social-media intermediaries like WhatsApp that have a large user base will have to enable identification of the “first originator of the information” as required by a judicial order passed by “a court of competent jurisdiction” or an order passed under Section 69A of the IT Act. This essentially challenges the ability of platforms and intermediaries from providing their users with end-to-end encyrption. However, WhatsApp’s CEO Will Cathart said that they will try to enable tracebability through solutions “that don’t touch encryption”.
Grievance Redressal Mechanism: Significant social media intermediaries will have to appoint a Chief Compliance Officer and Resident grievance officer in India and of Indian origin who will hold key positions for complying the IT Rules 2021. It will also need to appoint a nodal person of contact for 24X7 coordination with law enforcement agencies. Through the grievance redressal mechanism, WhatsApp will need to respond to user complaints within a specific timeline and if, the matter is escalated to the goverment or a self-regulatory body it would need to take-down, disable and trace messages in some cases.
When content has been taken down or disabled, significant social media intermediaries need to provide a notice explaining the action to the user who “created, uploaded, shared, disseminated or modified”, the rules said. Additionally, intermediaries have to provide information for verification of identify, or assist any government agency for crime prevention and investigations no later than 72 hours of receiving a lawful order.
Voluntary takedowns: All intermediaries will have to take down content that violates any law; defamatory, obscene, pornographic, paedophilic, invasive of privacy, insulting or harassing on gender; content related to money laundering or gambling; or “otherwise inconsistent with or contrary to the laws of India”.
Disabling content within 24 hours of user complaint: All intermediaries will have to take down content that exposes a person’s private parties (partial and full nudity); shows any sexual act; is impersonation; is morphed images within 24 hours of individuals (users or victims) reporting it.
Transparency reports: Significant social media intermediaries are required to publish periodic compliance reports every month, with details of complaints received and action taken and “other relevant information”. These reports will also content the number of links or information that it has removed using proactive monitoring by automated tools
- WhatsApp says it won’t delete accounts that don’t accept new terms by May 15
Update, May 29: In the fifth paragraph of the story, a sentence began “As as WhatsApp head…” The error has been rectified.