Clasis Law Shares a Quick Byte on the WhatsApp Privacy Update

The law governing data protection in India is prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. (“Rules”). The Rules broadly regulate (a) the collection, receipt, possession, use, storage, dealing in and handling of sensitive personal data or information (SPDI); (b) the transferor disclosure of SPDI; and (c) the security procedures to be adopted for protecting SPDI. SPDI or personal information is defined as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person and inter-alia includes (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information. In terms of the Rules, in India, a body corporate (such as Whatsapp in this case) is required to obtain prior consent in writing from the provider of the sensitive personal data or information (in this case its users) regarding the purpose of usage before collection or transfer of such information which we understand is being obtained by clickwrap agreement by Whatsapp. In the present case, the data privacy rights of the Users is not being compromised (by Whatsapp) so long as the other body corporate / Facebook company (whether located in India or outside) to which the data is proposed to be shared/transferred by Whatsapp maintains the 2 same level of data protection as provided in these Rules, and where such User has consented to data transfer. Having said that, it is incumbent on each User to check what the revised privacy policy of Whatsapp encapsulates and what kind of data (of its Users) is Whatsapp proposing to share / transfer with other Facebook companies. In the event the User is not agreeable to the sharing of its data, he/she is free to delete the account by using the “in-app delete account” feature ensuring that all saved data is also deleted thereby withdrawing consent to use/ process/transfer such Users’ data. So long as Whatsapp is in compliance of the Rules, the rights of the Users are being safeguarded within the ambit of the legislation of data protection in India. Prima facie, in India, there is no embargo on transfer/ disclosure of personal data of an individual so long as consent is obtained for the same and the processes mentioned in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are adhered to by Whatsapp. However, we are not in a position to comment on this aspect vis-à-vis global privacy and data policy regulations. While India presently does not have any express legislation governing data protection or privacy, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. However, the ever-changing legal and regulatory landscape within India has given rise to the need for having a robust law for the protection of personal data in India. This has paved the way for the birth of the Personal Data Protection Bill, 2019 (“Bill”) which emphasises on the need for increased safeguards vis-à-vis personal data along with stringent penalties. In terms of the Bill, there is increased accountability on the part of the person processing, collecting or using the data, which in turn, increases its risk and exposure to liability unless complied with the provisions of this upcoming law. The Bill is yet to be passed by the Parliament and become a law and it is to be seen in what form and shape it will be enacted.