WhatsApp Updates Its Privacy Policy Authorising Use of Your Personal Data With Other Facebook-owned Companies

WhatsApp's new update to its privacy policy on Thursday received flak from Twitter users. Elon Musk was quick to tweet and tell everyone to use the open-source messaging app ‘Signal’ right after the Facebook-owned messaging released the controversial update.

So what has caused the debate around user data to reignite? Well, a glance at the company's previous privacy policy modified on December 19, 2020, tells us that the company’s foundation was based on data privacy principles. In the previous policy, the company even asserted that respect for user data is ingrained in its DNA.

Here is the relevant excerpt for you.

However, the latest policy update appears to have redacted from its promise.

The big catch here is that if you don't accept the new terms, you won't be able to use WhatsApp after February 8, 2021.

Before dwelling on the implications of the new privacy changes, here is a break up of the data that WhatsApp collects from its users.

• Device ID

• User ID

• Advertising Data

• Purchase History

• Coarse Location

• Phone Number

• Email Address

• Contacts

• Product Interaction

• Crash Data

• Performance Data

• Other Diagnostic Data

• Payment Info

• Customer Support

• Product Interaction

• Other User Content

If WhatsApp has access to so much of user information, what does the new update mean for its millions of active subscribers? The update authorises Whatsapp to use your personal data with other Facebook-owned companies. Lack of clarity over how your data is going to be shared further accentuates the situation. 

Facebook can use the information for making money on your personal data

The Facebook revenue model is based on advertising. If you take into account that 78% of its ad revenue comes from mobile ads, the new policy change hints that Facebook might use the data for its commercial gain. These days, it has become common for users to see targeted ads based on their browsing activity and product link sharing. What if you start seeing targeted ads based on the financial information WhatsApp has access to. 

Such scenarios cant be disregarded when looking into the company’s bleak and notorious history with data leaks, especially at a time when the company is trying to get a foothold in the UPI and payment business in India. 

Another clause from the privacy policy that is worth mentioning is the one on third-party banner ads.

We still do not allow third-party banner ads on our Services. We have no intention to introduce them, but if we ever do, we will update this Privacy Policy. 

Although WhatsApp suggests that it has no intention of running third-party ads on its platform, it might become a possibility in the future. 

Your location information is not as secure as you think

WhatsApp collects and uses precise location information from your device with your permission. It's a great feature if you find sharing live locations beneficial. However, do you know that WhatsApp uses your IP addresses and other information like phone number area codes to estimate your general location even when you don't want to use location-related features? Quite alarming, isn't it?

WhatsApp's business Accounts and Personal data

When you message with a business on WhatsApp, consideration to the following pointers is a must.

• The content you share may be visible to several people in that business. 

• Some businesses might be working with third-party service providers (which may include Facebook) to help manage their communications with their customers. 

It makes you wonder whether the data you share with business accounts is as secure as it ought to be. 

There have been reports that people have started deleting their WhatsApp accounts. But usage of cross messaging platforms has become deeply integrated with our lifestyle. Switching to secure apps like Telegram and Signal is an option but strong and clear law on data protection and privacy is the long term solution.

What does this mean for Users' data privacy rights?

Privacy, in its simplest sense, allows each human being to be left alone in a core, which is inviolable. Privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution. However, Like other rights which form part of the fundamental freedoms protected by Part III, including the right to life and personal liberty under Article 21, privacy is not an absolute right. A law which encroaches upon privacy will have to withstand the touchstone of permissible restrictions on fundamental rights. In the context of Article 21, an invasion of privacy must be justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. The law must also be valid with reference to the encroachment on life and personal liberty under Article21. An invasion of life or personal liberty must meet the three-fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.

Does WhatsApp's privacy policy infringe on users' fundamental right to privacy as ruled by the Supreme Court in Puttuswamy v India (2017)?

To understand this better we asked the experts their views on this development in view of the global data privacy regulations. Here's what they say:

Mr Sonal Kumar Singh, Managing Partner, AKS Partners says, "the update to ToS (terms of service) and privacy policy of WhatsApp appears to be more of a mandate in supersession of the optional right that existed in the previous versions. If a consumer elects to refuse acceptance of the updated terms, such users, with effect from 8 February, will lose access to WhatsApp related services." 

He further adds, "this mandatory ‘my way or highway’ rule appears to contravene consumer's right to give / rescind consent freely with respect to the transfer of data. This will enable WhatsApp to share any amount of data with other Facebook group of companies. The sheer ambit of such data transfer will enable the social networking behemoth in targeting consumers in any manner as long as it results in commercial upside with no restrictions or boundaries." 

The current legal regime in India under the SPDI Rules provides for right to withdraw consent but also enables body corporates to cease provisioning of services if the consent is withdrawn.

Speaking on the global data privacy regulations, Singh adds, "as per GDPR and the proposed PDP Bill—consent must be freely given and must be specific. The consent mandated in the recent update is neither free nor specific. The current legal regime in India under the SPDI Rules provides for the right to withdraw consent but also enables body corporates to cease provisioning of services if the consent is withdrawn. However, there needs to be a necessary interdependence of the services being provisioned and information for which consent was provided. As a result, if a consumer of WhatsApp remains disinterested in receiving a more personalised / customised services on other Facebook platforms then a withdrawal of consent should not result in cessation of WhatsApp specific services."

Speaking on the Big Tech's decision to change the policy, international cyber law expert, Ms Puneet Bhasin adds to the point of 'Consent' in the matter. She explains how it is up to the users to share their data. "90% of the applications you use are collecting your data. Some of these apps are screening everything. So long as an App is taking your permission and a valid consent thereby informing you what is going on, they are not in breach. Despite knowing everything if you consent to use that particular app, it is a personal decision," says Bhasin.

Shedding light on the EU General Data Protection Regulation, Bhasin states how because of the robust law, Facebook cannot ask for consent or access to more than the requisite data. For providing a messenger service the information that is essentially required the App may collect from the users; however, the App will have to restrain from taking any extra information because of the regulations in the European region.

It thus remains to be if India's PDP Bill will have a similar impact on the Big Tech in India once the regulations see the light of the day.