WhatsApp relegates India to the Third World of Privacy Regulation

The revision of the WhatsApp Privacy Policy and Terms has brought to light why an organization working in a multinational environment needs to adopt the approach taken by PDPSI (Personal Data Protection Standard of India) for compliance.

The first thing we look for in a Privacy Policy or the associated Terms of Service is: who is the service provider? Indian law clearly defines the Privacy Consent as a “Contract”, and the essential parts of a contract are to identify who is entering into the contract, what kind of commitments are being given and expected, whether the contract is a “dotted line contract”, whether the contract is “Unconscionable”, what dispute resolution is associated with the contract, what the liability clause is, what the exit clause is, etc.

In terms of compliance with the data protection law, we also examine whether all the points required to be notified (e.g. Section 7 of PDPB 2019) are covered.

As we observe, WhatsApp has indicated only two versions of its Terms of Service and Privacy Policy, one applicable to the EU region and another for the rest of the world. The “Rest of the World” policy is tuned to the US requirements, and hence all other countries, placed in the third world, need to follow the WhatsApp policy for the US.

There is Privacy Law already in India

It is to be noted that WhatsApp has not provided an India specific policy at present. Probably WhatsApp thinks that India does not have a Privacy law at present and they want to introduce the new policies before the Act may be passed in India so that they can take some time to implement the new laws.

We would like to point out, however, that India presently has a “Privacy” protection obligation because the Supreme Court has recognized it as a “Fundamental Right” and some Courts (e.g. Kerala) have indicated that the obligation extends to private companies as well.

More importantly, Section 43A, Section 72A and other sections of ITA 2000/8 already determine the data protection regulations in India and have been in operation for a long time. Though there is no Data Protection Authority with an independent mandate to monitor, affected persons (including a group of persons represented by a public interest) can approach any of the Adjudicators, or any Adjudicator can take up a suo moto investigation of any perceived damage to a data principal.

Since the draft PDPB represents the legislative intent in the near future, it also doubles up as “Due Diligence” and “Reasonable Security Practice” under Section 43A of ITA 2000/8, and hence WhatsApp cannot escape compliance with PDPB 2019 even if the Act is yet to be passed and there could be 89+ amendments to the original draft.

Lack of Transparency on the Entity signing the Consent

The parent company of WhatsApp service is WhatsApp Inc, 1601, Willow Road, Menlo Park, California 940025, USA. WhatsApp Ireland Limited provides the services of WhatsApp to persons who live in the EU territory. WhatsApp LLC provides the services if the user lives in any country other than EU region. WhatsApp business services are also provided by WhatsApp LLC (Refer to the separate terms here).

WhatsApp LLC is located at the 1601, Willow Road office, while WhatsApp Ireland Limited is located at No 4, Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

It has six locations, including two in India at Hyderabad and Gurugram, one in Dublin, Ireland, and one in London, besides two in the USA (Menlo Park and Austin).

There are also companies like WhatsApp Africa LLC registered in the USA. In payment services, WhatsApp may use the services of Facebook companies, making the maze of companies more complex.

As is common with Facebook, it is not easy to find out the physical location of WhatsApp offices, and the “Transparency” aspect of Privacy compliance fails miserably at this stage itself.

It is not clear if WhatsApp’s two offices in India are considered only “Development” or “Marketing offices” and have legal divisions or Data Protection Officers or the Grievance Officer under ITA 2000/8. It is a reasonable presumption that there is no designated “Grievance Redressal Officer” and the company is not presently in compliance with ITA 2000/8. 

India Specific Privacy Policy/Terms are absent

It is natural that WhatsApp has to adopt policies to be in compliance with US laws, where it has its group headquarters. As regards the EU region, it is fine to adopt the policies from the Ireland office. But not adopting policies relevant to India is a show of arrogance.

Considering that WhatsApp wants to expand its business in India, and is fully aware of the JPC’s views from when they met recently, it appears that WhatsApp did not give much value to the Data Sovereignty rights of India and thought it reasonable to ignore any India reference in its new policies.

Presently WhatsApp has plans to expand its operations in India with health insurance and micro-pension products through tie-ups with licensed financial services players. It is presently set to partner with SBI General to launch health insurance and with HDFC Pension to make NPS products available on the App platform. The company is already live on the UPI platform with 4 Banks (SBI, HDFC Bank, ICICI Bank and Axis Bank) and 20 million users.

This partnership provides enough opportunity for WhatsApp to get the benefits of the service with the legal obligations being borne by the Indian banks.

Given these expansion plans, India expected WhatsApp to recognize the existence of our sovereign rights in terms of Privacy or Cyber Security when it thought of revising its Privacy policies with effect from 8th February 2021 which could be after or a few days before the Personal Data Protection Bill in its final form would be presented to the Parliament.

A question therefore arises whether these policies will be compliant with the proposed Indian laws or are set to become operative just before the Act comes into effect so that WhatsApp can claim some privileges for them as a legacy policy from before the Act came into existence.

A question therefore arises whether these policies should be compliant with the proposed Indian laws and, if they are not, whether the licensing authorities like RBI and IRDAI should withdraw their provisional approvals.

Dispute Resolution

We did briefly discuss the Dispute Resolution Clause yesterday and we can add some additional points today.

The dispute resolution issues are covered in Terms of service and not directly in the Privacy Policy.

The clause mentions the following:

Forum And Venue. If you are a WhatsApp user located in the United States or Canada, the “Special Arbitration Provision For United States Or Canada Users” section below applies to you. Please also read that section carefully and completely.

If you are not subject to the “Special Arbitration Provision For United States Or Canada Users” section below, you agree that any claim or cause of action you have against WhatsApp relating to, arising out of, or in any way in connection with our Terms or our Services, and for any claim or cause of action that WhatsApp files against you, you and WhatsApp agree that any such claim or cause of action (each, a “Dispute,” and together, “Disputes”) will be resolved exclusively in the United States District Court for the Northern District of California or a state court located in San Mateo County in California, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claim or cause of action, and the laws of the State of California will govern any such claim or cause of action without regard to conflict of law provisions. Without prejudice to the foregoing, you agree that, in our sole discretion, we may elect to resolve any Dispute we have with you that is not subject to arbitration in any competent court in the country in which you reside that has jurisdiction over the Dispute.

Governing Law. The laws of the State of California govern our Terms, as well as any Disputes, whether in court or arbitration, which might arise between WhatsApp and you, without regard to conflict of law provisions.

Time Limit To Bring A Claim Or Dispute. THESE TERMS ALSO LIMIT THE TIME YOU HAVE TO BRING A CLAIM OR DISPUTE, INCLUDING THE TIME TO START AN ARBITRATION OR, IF PERMISSIBLE, A COURT ACTION OR SMALL CLAIMS PROCEEDING TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW. We and you agree that for any Dispute (except for the Excluded Disputes defined below) we and you must bring Claims (including commencing an arbitration proceeding) within one year after the Dispute first arose; otherwise, such Dispute is permanently barred. This means that if we or you do not bring a Claim (including commencing an arbitration) within one year after the Dispute first arose, then the arbitration will be dismissed because it was started too late.

As regards the US and Canada users, the Arbitration shall be “Binding” and unless they opt out they would be waiving any right to have the disputes decided by other means.

Though the consent is obtained on the basis of “Click Wrap” acceptance, which has no legal validity in India except as a “Deemed Acceptance”, and the terms are part of a “Standard form/dotted line form” of contract which can be considered voidable in respect of unconscionable aspects of the contract, it is better if we avoid any defense being available to WhatsApp to avoid any legal scrutiny in India.

In case WhatsApp launches a legal proceeding in the US either against an individual user or against the Indian Government, it is difficult to argue in such forums that the jurisdiction is not acceptable. We may therefore end up facing an Arbitration notice or Court notice from the US jurisdiction and spending time, money and effort in filing petitions in Indian courts to counter such cross-border litigation notices.

In India, the disputes with WhatsApp may arise out of ITA 2000/8 or PDPA (Proposed). Both of the statutes provide for “Adjudication” and “Appellate Tribunals”. Hence “Binding” arbitrations will not be compatible with the law.

[It may be noted that DDMAC (Data Disputes Mediation and Arbitration Center of FDPPI) as a specialized ODR center for data related disputes has adopted only Mediation and Non Binding Arbitration and avoided binding arbitrations. ]

The terms indicate that WhatsApp, and not the other contracting party, can do forum shopping at its discretion. This is a typical characteristic of a dominating party to the contract imposing a one-sided term on the weaker party, and it would be considered by Courts in India as a determining factor in adjudicating whether this is an “Unconscionable” contract or not.

The other point to note in the dispute resolution clause is that it attempts to override the “Limitation Act” of India. This may also be considered “ultra vires” the Indian law.

In view of the above, the WhatsApp contract is not an admissible contract and not an admissible consent under the Indian law.

It would have been better if WhatsApp had consulted organizations like FDPPI before such a major step is taken which could result in flight of many users to alternate messaging apps including some which may come up from India itself. 

The PDPSI Approach

Had WhatsApp adopted the PDPSI approach, it would have realized that the compliance program and the Privacy Policy have to be developed separately for different applicable laws. In that case, there would have been a different Privacy Policy and associated Dispute Resolution Policy. By adopting a policy which may be in compliance with GDPR or the US law and assuming that it would automatically be accepted under the Indian data protection law, WhatsApp has made a mistake.

Hopefully WhatsApp would correct the same. Otherwise the call from Privacy Professionals in India would be to “Switch From WhatsApp”.

Naavi


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

One Response to WhatsApp relegates India to the Third World of Privacy Regulation

  1. WhatsApp has announced that the change of policy is postponed till May
