CyviaJuris

What’s Up with WhatsApp’s New Privacy Policy?

Introduction

On the 4th of January, 2021, WhatsApp sent out an announcement to all its users regarding the new changes in its policy. It also informed the users that they would be required to accept these new terms by February 8, 2021, failing which their accounts would be deleted.

The updated privacy policy grants WhatsApp the power to collect more data than it had been collecting so far, and share it with third parties, such as Facebook. This particular update has since been embroiled in widespread controversy, with several cases being filed against WhatsApp. The company had created its name on ensuring the privacy of all its users with the fact that all messages, sent and received, are protected with end-to-end encryption. Meanwhile, Facebook has already drawn fire multiple times for undermining the privacy and jeopardising the data security of its users. The fear of possible infringement of the right to privacy of all users is completely understandable, and not entirely baseless.

To understand the issues surrounding WhatsApp’s new privacy policy, let’s look through the changes brought about in the update.

WhatsApp Privacy Policy

When perusing the privacy policy on the official website of WhatsApp, it is instantly clear that the company has two sets of privacy policies – one for the European region, provided for by WhatsApp Ireland Ltd., and the other for all places outside the European region, where the services are provided for by WhatsApp LLC.

Under WhatsApp Ireland Ltd., users have the option to opt out of sharing data and restricting the use of such data, while users under WhatsApp LLC have not been extended the same courtesy. Instead, the privacy policy tells users that if they do not wish to give consent to the terms laid out and the data being collected, then they can simply delete their account. In essence, the new update was mandatory for everyone outside the European Union (EU). If users refused to accept it, they could not use WhatsApp any longer. The choice seemed to be limited between privacy or convenience.

It is important to realise that a fair amount of misinformation has been spread with regards to how much more data WhatsApp LLC is collecting. It is certainly not true that WhatsApp and, by extension, Facebook, can now access any message that is sent or received. When it comes to private messages between individuals, that communication is still encrypted by WhatsApp’s famous end-to-end encryption, and is beyond the scope of data that is collected for Facebook. The communications with a business account, however, is a whole other story.

Apart from the regular data already being collected (account and profile information, mobile device information, contact details, etc.), the new policy states that any content being shared with a business would be visible to several people in that business. While that can still be logically forgiven, the very next sentence states that any such business can work with third party service providers, including their parent company – Facebook – and such third parties can send, read, store, manage, or otherwise process the communication for the business. This is the crux of the matter – the reason for the panic of our apparent violation of privacy. Besides, the strict data protection laws in the EU prohibit WhatsApp from sharing data with third parties, leading to the use of the word “discriminatory” in many complaints against this new policy.

When we use any site on the internet, more often than not, we are also implying our agreement for that site to collect our data and customise our online experience. This is why when we search for a particular product on some shopping site, we are met with advertisements on other sites which are similar to that product. Strictly speaking, with the advance in smart technology, privacy is not sufficiently secured at all. On the other hand, it is understandable that a company we use specifically for privacy (WhatsApp), and trust them to protect our data, is now joining the majority to collect information which we might not be willing to give.

Issues with the Policy

WhatsApp’s initial deadline of February 8th to accept the policy was met with strong resistance, and so, on January 15th, the deadline was extended to May 15th, in order to clear up all the misinformation being spread. At first, the ultimatum of accepting the policy or facing deletion of our accounts was still in place.

The Ministry of Electronics and Information Technology (MeitY) sent a letter to the global Chief Executive Officer of WhatsApp, asking the company to withdraw the privacy policy as it invaded the privacy of its users. Along with that, 14 questions had also been framed and sent, seeking answers about the working of the new policy and the process of data collection. In March, the Ministry told the Delhi High Court that the new policy violates the Information Technology Rules, 2011, on several counts, and advised it to prevent the company from enforcing the policy.

The MeitY points out the following issues with the updated privacy policy of WhatsApp in a written response to the Delhi High Court –

  1. The policy does not clarify or specify the types of personal data to be collected. Extremely general, and therefore  vague, terms have been used when talking about data collection. The policy also makes no mention of any provisions which notify the users of the details of the personal information, when collected.
  2. While the involvement of third-party service providers has been mentioned, there are no other details given, such as their name. There is also no guarantee provided against further disclosure of the data collected by these third parties. Rule 6(4) of the IT Rules prohibits further disclosure of information by a third-party from a body corporate. However, under the new policy, WhatsApp simply does away with their responsibility by telling their users to refer to the third party’s terms for any further questions of the data collection process.
  3. There does not seem to be an option given to the users to withdraw consent to such data collection at a later stage. The only option given is to delete the account. It also makes no mention of any method for users to amend information given, which is violative of the IT Rules, 2011, under which it states that the option of correcting or amending information provided should be exercisable for all data collected.
  4. If any user does decide to exercise the option of deleting their account, the policy states that the undelivered messages will be deleted from the servers, and any other information which is not required by WhatsApp to operate and provide their services to other users will also be deleted. This means that even after a user deletes their account, there may be certain data saved by WhatsApp under the reasoning of operating and providing services.

Following this, WhatsApp announced that they would not be deleting any accounts on May 15th if people failed to accept the updated policy. Instead, the company will progressively disable features of the application to limit its functionality, while sending persistent reminders to the users to accept the policy. To start with, while chat lists will not be visible, users will be able to receive incoming calls, both voice and video. If notifications are enabled in the device, the user can click on them to reply to messages, and can also call back in the case of missed calls. However, if the user still has not accepted the privacy policy after a few weeks, then they will lose access to all notifications, essentially making the account useless. WhatsApp has a rule wherein they delete any account after 120 days of inactivity. Thus, since the user can no longer actually use the app, it will be deleted after that time period.

On May 18th, the MeitY sent a new notice to WhatsApp asking them to revoke the privacy policy update again. This time, the Centre also threatened legal action to be taken against WhatsApp if they did not give a satisfactory reply to the notice by May 25th. After the May 15th deadline however, several users who had not accepted the policy started losing functionality in the app, in keeping with WhatsApp’s latest announcement. Users began to question the legality of this action, considering the Centre’s notice to WhatsApp to roll back their update.

Conclusion

The latest update, fortunately, is that WhatsApp will not be limiting the functionality or deleting the accounts of those users who have not accepted the new privacy policy. While these users will continue to receive notifications about the update, these reminders will not be persistent. This update came at the end of May, and this plan will continue indefinitely.

There are multiple communication and social media applications that are in use throughout the world, but none quite as dominant as Facebook and WhatsApp, so much so that many did not even think of any alternatives, until now. There has been a substantial increase in downloads of other communications apps such as Telegram or Signal. This is an entirely new threat to WhatsApp since it has enjoyed a monopoly so far. However, it does not seem like WhatsApp will fall out of popularity despite these new issues anytime in the near future.

Whether people were seriously in danger of having their privacy violated, or whether it was exaggerated, it is still important to check all the facts for ourselves before making any decisions. In this technological era, it is easy for misinformation to spread. At the end of May, another fake message was shared multiple times across WhatsApp claiming that people will now begin to see red tick marks on their messages, indicating Government control. It is obvious that this is a fake message, seemingly intended to scare people away from using WhatsApp, and it is interesting that it came into circulation at a time when WhatsApp and the Government are at odds over India’s IT Rules and WhatsApp’s updated privacy policy.

References

  1. [The Viewpoint] Facebook and Whatsapp: Crossing of the thin line of Data Privacy”, January 2021, https://www.barandbench.com/view-point/viewpoint-facebook-whatsapp-crossing-thin-line-data-privacy
  2. The buzz around the WhatsApp privacy policy and a possible antidote”, January 2021, https://www.barandbench.com/columns/the-buzz-around-the-whatsapp-privacy-policy-and-a-possible-antidote
  3. WhatsApp updates privacy policy, makes data-sharing with Facebook mandatory”, January 2021, https://economictimes.indiatimes.com/magazines/panache/whatsapp-updates-privacy-policy-makes-data-sharing-with-facebook-mandatory/articleshow/80135267.cms
  4. WhatsApp defers May 15 deadline on privacy policy”, May 2021, https://indianexpress.com/article/technology/social/whatsapp-scraps-may-15-deadline-for-accepting-new-privacy-policy-terms-7306026/
  5. WhatsApp’s New Privacy Policy: Should You Accept It?”, May 2021, https://gadgets.ndtv.com/apps/features/whatsapp-privacy-policy-update-facebook-chats-may-15-2441943
  6. Govt vs WhatsApp on privacy policy: what now”, May 2021, https://indianexpress.com/article/explained/govt-vs-whatsapp-on-privacy-policy-7325019/
  7. WhatsApp privacy policy: Why it won’t limit functionality anymore”, May 2021, https://indianexpress.com/article/technology/social/whatsapp-privacy-policy-why-it-wont-limit-functionality-anymore-7335214/

Leave a comment