WhatsApp has announced a new Privacy Policy and Terms of use effective from 8th February 2021. Since then there have been a series of debates in the media about the impact of the change and how users should react. Most of these discussions are on the “Privacy Policy” and not on the “Terms of use”.
The objections have been on whether WhatsApp will have access to the User’s content and share it with Facebook.
A brief review of the policies is attempted here for opening up more discussions. It is not easy to decipher the privacy policies of any large MNC like WhatsApp or even Google or Twitter since there could be many subtle wordings which can be technically and legally interpreted in different ways.
We also have to recognize that WhatsApp has created two different sets of policies, one offered by WhatsApp Ireland Ltd to the EU region and the other by WhatsApp LLC to other countries. Except for the ownership of the service, there does not appear to be any difference between the two policies. This is either a mistake or perhaps WhatsApp thinks that the world outside the EU has no importance and hence any policy will do.
Perhaps WhatsApp will realize that countries like India are conscious of the data sovereignty principle and will not tolerate this arrogance.
The Privacy Policy and the Terms of Service have to be read together. There appear to be more contentious issues in the Terms of Service than in the Privacy Policy, as explained below.
A: Privacy Policy
The Privacy Policy consists of the following 12 sections.
1. Information We Collect
2. How we use Information
3. Information you and we share
4. How we work with other Facebook companies
5. Our legal basis for processing data
6. How we process your information
7. How you exercise your rights
8. Managing and retaining your information
9. Law, our rights and protection
10. Our Global operations
11. Updates to our policy
12. Contact Us
The policy appears to cover most of the requirements of a Law Compliant Privacy Policy though we cannot say that it is in “Clear and Precise” format.
A couple of key points of the privacy policy are discussed below.
1. Is there Discrimination in refusing the service if permissions are not given?
In analyzing the Privacy Policy and commenting on whether it is acceptable or not, we must appreciate that WhatsApp is a private business of Facebook and its commercial interests cannot be wished away. We can only comment on whether there is transparency in the Privacy Policy as notified and on whether the company keeps to what is stated in the policy. The right of the company to modify the policy also needs to be recognized, though we can expect reasonable notice whenever a major change occurs in the policy. Presently a notice of one month has been given and this needs to be maintained in the future also.
In order to recognize the rights of WhatsApp to set pre-conditions with a right to reject the service if certain information is not provided, we must recognize the nature of the WhatsApp service and the “legitimate Interest” built into it. According to its mission statement, WhatsApp started as an alternative to SMS and it now supports sending and receiving a variety of media: text, photos, videos, documents, and location, as well as voice calls.
As we understand, WhatsApp is a “Platform”. It enables a person to send a message to another provided they have downloaded the App on their device and subscribed to the service. Additionally, in a “Group Communication”, one-to-many messages are sent to the WhatsApp server, which distributes them one by one to all the members of the closed group. In this context, the WhatsApp server is an agent to hold the content until it is downloaded by all the members within 30 days etc. The members of the group are collectively responsible as owners of the group. At present the “Admin” has only limited powers of admission or removal of members but has no powers to delete content posted. The member who posts the content to the group is the sole owner of the message and can make it disappear or remove it within a certain time. This reiterates the status of the service: WhatsApp is a messaging service from the sender of the message to the receiver. The server provides certain intermediary services. The Admin has no role in the transmission of the message.
Hence it is the WhatsApp subscriber who has a contract with WhatsApp both for sending individual messages and to form and participate in a group messaging activity. The Privacy Policy and the Terms of Service are parts of this contract formation.
If therefore the terms of the contract are not acceptable to either of the two parties, there is nothing wrong in the service not being made available. Whether this can be brought under the “Competition Act” can be debated. But since there are multiple other services of a similar nature, it is unfair to bring the service within the provisions of the Competition Act and call the right of WhatsApp not to provide a service if the Privacy Policy is not accepted “Discriminatory” in terms of the Data Protection laws.
2. Information Collection and Storage
The information collected by WhatsApp is declared as specific to the “Options” used by the user. Hence it is declared as purpose specific. The mobile number and maintenance of log records of the use of the App are therefore directly related to the messaging service and hence within the rights of WhatsApp.
The “Storing” of the information on the servers for the intermediary period when it is yet to be downloaded by the receiver does not mean that the server is reading the information, though technically this is possible even if it is in encrypted form. Encryption will prevent third-party access, but if WhatsApp really intends to read the message, they can always simulate either the sender’s phone or the receiver’s phone and use the keys to decrypt it. However, this is an unreasonable suspicion and, unless there is any evidence of the same, should not be considered as a possibility.
From the policy it appears that WhatsApp has two storage policies, one for the media and the other for the text message sent. The text part gets deleted from the server after delivery but the media remains in storage in an encrypted form to enable forwarding of the same. The company has a justification for this storage from the technical point of facilitating the forwards. When a forward occurs, this prevents the entire data related to the media from travelling again from the forwarder to the server. If the forward is to multiple persons, it will save on data transfer substantially. The media is held on the WhatsApp server not permanently but for a certain time so that forwards within this time span would save on data transfer.
Hence storage, both from the point of view of maintenance of encryption and temporary storage, can be considered legitimate. Criticisms in this regard are not sustainable.
3. Sharing of Information
The policy suggests that WhatsApp accesses, preserves and shares certain information. This however refers to the information that is collected from the account holder, such as the account information, messages (in encrypted form) during the interim period when they are being held for deferred delivery, and metadata associated with the use of the services.
There is nothing in the policy to suggest that the message content will be read by WhatsApp and used for profiling etc.
In the case of the WhatsApp payment system or the Contact upload feature, the users may be sharing more information related to the specific service.
4. Legitimate Interests
The policy declares that legitimate interest relied upon includes provision of accurate and reliable aggregated reporting to business and other partners and statistics on performance, need to demonstrate the value the partners realize etc.
It also states that Facebook products may be marketed to the users for direct marketing. This indicates that there could be “Advertising” messages sent to the users similar to Twitter inserting advertising in between messages.
Prevention of fraud, securing against spam, abuse etc. are also stated as reasons to use information under legitimate interest.
The policy indicates that Public interest could also be a legitimate interest.
B. Summary views on Privacy Policy
At first glance therefore the policy does not seem to raise grave concern. It is possible that the company may draw a profile and use it for advertising but that is only to be expected as a revenue generation method unless the service becomes a paid service.
Since India is coming up with its Data Protection Law shortly, once the final version of the law is ready, we may review the Privacy policy to check if it is in tune with the requirements.
The Privacy policy appears to concede the requirements envisaged in the Indian law regarding providing tracking information when required by the law enforcement.
Perhaps remaining compliant with the Indian law could be one of the reasons for which the Privacy Policy was revised before the Indian Act is likely to be effective.
However, the policy is too large to be considered as easily comprehensible by an ordinary user of the service. Businesses should find a way to simplify their Privacy Notice to the public while keeping a more legalistic and verbose policy for internal use. Otherwise the public will need expert interpreters to certify if a Privacy Policy is compliant with the requirement of law and meets the principles of Privacy protection.
Terms of License
The terms of use, however, have some aspects which may cause some doubts in the minds of the users.
For example, in the paragraph “Your license to WhatsApp”, it is stated as follows:
Your License To WhatsApp. In order to operate and provide our Services, you grant WhatsApp a worldwide, non-exclusive, royalty-free, sublicensable, and transferable license to use, reproduce, distribute, create derivative works of, display, and perform the information (including the content) that you upload, submit, store, send, or receive on or through our Services. The rights you grant in this license are for the limited purpose of operating and providing our Services (such as to allow us to display your profile picture and status message, transmit your messages, and store your undelivered messages on our servers for up to 30 days as we try to deliver them).
Though at first glance this appears to indicate that WhatsApp may use the content for its own purpose, the issue is more related to IPR than to Privacy. Also, if the content is encrypted before it is shared by the user with the company, unless it is decrypted, it cannot be used in raw form by WhatsApp. The mention of “Limited purpose” indicates that there is no intention of creating “Derivative Works” from the user’s content and using them commercially, though an “Enabling feature” has been written in.
Probably WhatsApp will be answerable for IPR violation if the user content is used for creating a revenue-generating product.
The statement that “WhatsApp does not claim ownership of the information” further corroborates the status that the content is owned by the user.
If WhatsApp tries to make derivative works out of the user’s content, they will also lose the status of an “Intermediary” under ITA 2000 and hence cannot claim any immunity for crimes that are committed with the service.
If WhatsApp claims absolute rights to use the content, then they will have to admit knowledge of the content, which will make them liable for any drug related conversation or other offences using the WhatsApp messages.
It would therefore be advantageous for WhatsApp to claim that they are not aware of the encrypted content and they don’t use them for any of their purposes. This is evident in the terms also.
The terms of use also take into account the disclaimers expected under the ITA 2000, Section 79, Intermediary rules.
As can be expected there is a disclaimer that “WhatsApp does not accept responsibility for losses” if they have exercised due diligence.
The Dispute resolution clause is not properly constructed in the policy since both the policy applicable to the EU and the one applicable to other countries seem to state that in countries outside the EU, the applicable law is that of Ireland.
This will not be acceptable in India. The amendment to the ITA 2000 intermediary rules as well as PDPB will ensure that WhatsApp is declared as requiring to open a separate Indian office and be considered as a Significant Data Fiduciary. At that time, WhatsApp will need to get itself licensed from the regulator and it may be refused a license to carry on its business unless the applicable law of India and jurisdiction of Indian Courts along with ODR usage is brought into the terms.
Even the RBI needs to take a look at this since it is responsible for letting WhatsApp handle payments.
This will happen to be the most contentious issue of the terms of service/Privacy policy which needs to be addressed by WhatsApp. We may recall here that the Kerala High Court did pass adverse remarks in the Sprinklr case that the Kerala Government had accepted the New York Jurisdiction without proper evaluation of the terms of service.
Summary Views on the Terms of Service
The applicable law and Jurisdiction clause of the Terms are not compatible with the Indian legal environment.
The RBI should take steps to withdraw the permission given to WhatsApp for running the payment services unless this clause is changed immediately.
MeitY has to issue a notice to WhatsApp under Section 79, that the Jurisdiction clause which is part of this “Implied Contract” between the user and WhatsApp is not valid in India and it shall accept the jurisdiction of the Courts of India at the residential place of the user as evidenced by the SIM card information.
Also under the PDPB, WhatsApp needs to provide a grievance redressal system which is more data principal friendly by incorporating an ODR facility to resolve grievances. The DPA is yet to come into existence and until that time, Sections 43A, 43, 72A, 67C, 69, 69A, 69B, 70B and other provisions of ITA 2000 will be applicable to WhatsApp and compliance of ITA 2000/8 is necessary to be demonstrated by WhatsApp.
CERT-In should issue a notice to WhatsApp for an assurance that it is ITA 2008 compliant.
It is open to any interested parties to file a PIL to force WhatsApp to change the Jurisdiction clause if it has to maintain the payment services and operate in India.
It is also a great opportunity for an indigenous messaging app developer to introduce an equally efficient app and there will be a lot of support from India.
(Comments Welcome)
Naavi
Is there any option available to a WhatsApp user in India to withdraw his consent after having clicked on “Accepted”?
Option is only not to use WhatsApp and shift to other messaging services
It should be in line with Indian Law and Arbitration should be in Indian court.
Secondly it should have uniform terms across the globe.
Indian equivalent app Arattai available.