A General Overview of Data Privacy in India

In this article on data privacy in India, the authors Shohom Roy and Bhavyika Jain discuss the laws and issues revolving around it.

Introduction

The infeasibility of physical social interaction during the COVID-19 pandemic changed life as we knew it. The usage of social media platforms grew by leaps and bounds, as many people turned to social media websites and other apps to overcome geographical and material barriers. It is no longer a secret that social media platforms such as Facebook, TikTok, Twitter, and WhatsApp have witnessed an enormous surge in active users. The world has become more virtualized, digitalized and globalized than ever before.

WhatsApp, which has its largest market in India with more than 400 million users, has become the most popular means of instantaneous communication. However, WhatsApp users who have not yet accepted its revamped terms of service are facing severe problems, as they keep receiving pop-ups asking them to comply.

Changes in the Policy of WhatsApp and the Reaction of Different Countries

Facebook has been experimenting with ways to monetize WhatsApp since purchasing it for US$19 billion (£13.5 billion) in 2014. In order to avoid introducing third-party banner adverts, WhatsApp created WhatsApp Business and Business API in 2018 to allow users and businesses to communicate and make payments in real-time, with the latter paying WhatsApp for access to the platform’s users.

The new terms and conditions are an attempt to make money from WhatsApp, because users who consent to them also agree to share their information with WhatsApp Business and Facebook. WhatsApp had earlier stated that the terms and conditions would change only for users of WhatsApp Business.

Even so, when WhatsApp’s privacy update was first announced, India’s Competition Commission demanded a probe, citing the update’s mandatory nature as a reason.[1] The panel also chastised WhatsApp and Facebook for abusing their network effects in India, using consumers’ restricted options for switching platforms to their advantage.

Indian citizens, along with those in the UK and Europe, also demanded the withdrawal of the new conditions. A wave of protests led to other messaging apps such as Telegram and Signal being downloaded in record-breaking numbers. However, unlike Europeans, who are protected by EU privacy rules and aggressive authorities willing to outright ban the upgrade, Indian users are protected by fewer privacy rules. Because India’s Personal Data Protection Bill has yet to be implemented, WhatsApp’s opportunity to monetize the data of its Indian users is rapidly closing.[2]

Status of Data Privacy in India

WhatsApp initiated the “#ItsBetweenYou” campaign in India. Yet when the government targets its critics for surveillance on the app, when private health data is shared on neighbourhood WhatsApp groups during the pandemic, and when police routinely take handsets to examine their WhatsApp chat history, the platform feels anything but private.

Critics claim that such actions amount to “digital authoritarianism”, and that while India’s upcoming data privacy legislation may provide better digital privacy, it may also allow the government to exploit people’s data even more, as we have seen in China.

The Focus on Law in India

There is an ongoing case between the Indian government and WhatsApp: WhatsApp recently sued the Indian government in the Delhi High Court after the government repeatedly pressured it to withdraw its policy. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules replaced The Information Technology (Intermediaries Guidelines) Rules of 2001 and are supplementary to the Information Technology Act, 2000.

The new IT rules announced by the government impose a code of conduct on social media intermediaries and mandate a three-tier grievance redressal mechanism, among other things.

WhatsApp claims that the requirement fails to pass the tests enshrined in Article 21, is manifestly arbitrary in violation of Article 14, is in violation of the Right to Freedom of Speech and Expression, and violates sections 79 and 69A of the Information Technology Act[3], relying heavily on the K.S. Puttaswamy v. Union of India[4] decision.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 is an executive notification replacing the Intermediary Guidelines Rules 2011, issued by the Central Government. The delegated legislation imposes certain restrictions and guidelines on social media platforms, Over the Top (OTT) streaming platforms and digital news agencies. Indian internet users tend to rely on the services provided by these platforms, which is why the rules have caused widespread concern for privacy.

The issue of privacy is essential for “intermediaries” that rely on end-to-end encryption and thereby act as a pipeline for the transmission of information from consumers. The IT Rules specify a 16-step diligence procedure to be followed by Intermediaries, including Grievance Redressal Mechanisms, Appointment of Local Personnel, etc. However, the issue arises with the requirement to identify the “first originator of the information”, which might aid in restricting malicious information circulating on such platforms.

For social media giants like WhatsApp, identifying the first originator of information without breaking end-to-end encryption is infeasible. The concept of adding a digital signature to each message is flawed and might fail to achieve its objective due to technical manipulation or errors in the underlying design. Hence the subsidiary legislation has been challenged in the High Court of Delhi.

While the Ministry of Electronics and Information Technology set 25th May 2021 as the deadline for compliance with the subsidiary legislation, the issues of proportionality, traceability and a threat to privacy through undemocratic means are a source of serious concern. Several independent think tanks like the Internet Freedom Foundation have claimed that the IT Rules, 2021 are ultra vires.[5]

Consequences of Non-Compliance

The cliff-edge deadline for users to accept these new rules had been set for Saturday, May 15, with WhatsApp announcing that anybody who failed to do so would lose app functionality. That deadline was just pushed out by “a few weeks.”

This extension comes after WhatsApp was forced to postpone its original February deadline due to widespread criticism of its take-it-or-leave-it policy shift. Since then, WhatsApp has tried to ameliorate the situation by asserting that it is still committed to end-to-end encryption and user privacy. That means the messaging app’s privacy reforms, which are centred on the launch of WhatsApp Business, are anticipated to be especially profitable in India, where WhatsApp recently placed front-page advertisements in prominent newspapers in a bid to appease irate users.

WhatsApp’s steadfastness in pushing for modifications to its terms, despite public criticism, can be explained by looking at the possibility for development that big internet companies see in India’s rapidly growing, less-regulated digital economy.

One of the most important questions might be “What are the legal consequences of not conforming to the IT Rules 2021?” Criminal liabilities can only be imposed through a framework of primary legislation passed by the Parliament. However, if the Intermediaries continue to operate without abiding by the guidelines of the Central Government, then the Safe Harbour provisions that protect these platforms from suits under Section 74 of the Information Technology Act 2000[6] will be taken away.

This would lead to numerous lawsuits against the Intermediaries, as they could be held accountable for publications and information created for fraudulent and malicious purposes. The removal of Safe Harbour provisions would therefore make continuing operations in India unsustainable and lead to a subsequent exit from the Indian market, much like the IBM exit in 1978.

The Dire Situation in India

India’s massive population and the scope of exponential growth make it a lucrative market for various corporations. However, the lack of awareness and judicial safeguards for the privacy of its citizens is a source of concern. The proposed Data Protection Bill is a step towards the creation of legislation protecting the privacy of individuals. However, the Bill suffers from certain flaws and might undergo several amendments before creating a sustainable framework for the preservation of privacy.

The IT Rules 2021 indicate a disregard for the freedom of speech and the protection of privacy of individuals by creating restrictions that might lead to mass surveillance in India. At the other end of the spectrum, social media platforms have been interested in achieving their corporate goals at the cost of their subscribers’ privacy.

Intermediaries like WhatsApp store metadata, which includes contact lists and the dates and timings of messages, and which might be shared with third parties for the ostensible benefit of the subscribers. The feature of end-to-end encryption, however, ensures the anonymity of the message contents, which is the reason behind its popularity in the Indian instant messaging market. Such threats to our privacy might be mitigated through increased digital awareness and the demand for sustainable legislation through NGOs and humanitarian agencies.


[1] Yuthika Bhargava, “Centre asks WhatsApp to withdraw privacy policy update”, The Hindu (May 31, 2021, 11:32 AM), Available Here

[2] Philippa Williams & Lipika Kamra, “WhatsApp’s controversial privacy update may be banned in the EU - but the app’s sights are fixed on India”, The Conversation (June 1, 2021, 10:02 AM), Available Here

[3] The Information Technology Act, 2000, Sections 69A, 74 & 79, Acts of Parliament, 2000 (India).

[4] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors, (2017) 10 SCC 1

[5] Sriram Srinivasan, “Why is WhatsApp Opposed to traceability”, The Hindu (May 31, 2021, 11:32 AM), Available Here

[6] Tanya Dayal, “Intermediary Liability: Evolution of Safe Harbour Law in India (Part 1)”, Mondaq (May 30, 2021, 11:31 AM), Available Here

