This article has been written by Divya Dwivedi, pursuing the Diploma Programme in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
Table of Contents
Introduction
A mass exodus took place when WhatsApp announced the news of updating its privacy policy. It was a backlash that was not possibly expected by the officials at WhatsApp HQ while making the decision of infringing the privacy of more than 2 Billion users on the globe (as of the details provided till February 2020). Whether the user accepts it or not, it will be anyway enforced from February 8, 2021, as mentioned by the chat provider app. Millions of users received the notification of accepting the Terms of Service and Privacy Policy or their accounts would be deleted. So, the most pertinent question that comes to mind is what are the users signing up for if they hit the “agree” button?
There have been many movies, but “The Social Dilemma” which is an American docudrama released in 2020 (a must watch) that examines the serious issue of social media’s effect over mental health (including the issues related to rising teen suicides and mental health of adolescents). This docudrama primarily explains more social media platforms and big tech companies and how they have been instrumental in providing positive change in the society and alongside it also notes that such platforms have caused issues that when not addressed properly affect the society at large, and has political and cultural consequences as well.
This documentary also explains the way in which an extended amount of media consumption is slowly and subtly inculcating a plethora of negative impacts on individuals who are using it on a regular basis. This is how social engineering on a large scale takes place. And with WhatsApp updating their privacy policy to share data with Facebook, it’s quite evident to see which way we are moving forward.
How is the information shared by Users being used by WhatsApp?
WhatsApp uses information provided by the user (it is subject to the choices an individual makes and also about the applicable law) in order to provide, operate, understand, improve, customize, support, and market their Services.
It uses the information to operate and provide the services, which include customer support systems; help in purchases or transactions while improving, fixing, and also customizing their Services; and connecting those Services with Facebook Company Products that users may use. The company also uses the information to understand how people use the messenger services; evaluate and improve services accordingly; and also, to do research, develop, as well as test the new services along with new features; it also conducts proper troubleshooting activities. They also use customer information to respond when users contact the company.
The company uses the information for verification of the accounts and activities; used to combat harmful conduct by any entity; it also protects the users against the bad experiences and spam that they may see while using the application; and it promote safety with security and integrity on and off the services, such as by investigating suspicious activity or violations of the company’s terms and policies, and to ensure that the services are being used legally.
Communications About WhatsApp Services and Facebook Companies. No Third-Party Banner Ads are allowed unless there is an update made to the Privacy Policy of the company.
Business Interactions enables the user and the third party, for example, businesses, in communicating and interacting with each other by the proper use of the said services, such as Catalogs for businesses on WhatsApp through which one can browse products and services and place orders.
What is Third-party information?
While talking in terms of Commerce, a “third-party source” means a supplier or a service provider who is not directly controlled by the seller, the first party or the customer/buyer, the second party when checking the business transaction. It is considered that the third party is independent from all others, even if he/she is being hired by them itself, as all control is already vested in that connection.
In terms of understanding with regard to Information Technology, a “third-party source” will be a supplier of a computer accessory or software for that matter who is independent of the supplier and the customer of the major computer product or products.
To understand the term in relation to E-commerce, “third-party source” explains that it is a seller who publishes the said product in a marketplace, or without this marketplace to own or to physically carry on those products. When an order is placed, the third-party seller has the item and fulfils it requirement. According to WhatsApp, it is fully encrypted, but that does not mean it cannot be hacked. For example, the individual may choose to use the third-party data backup services (for example – iCloud or Google Drive) which are integrated with the services by the provider or it also interacts with the share button over the third party’s website which enables the individual to send the information on to other individuals WhatsApp contacts.
WhatsApp works along with the third-party service providers and also with the other Facebook Companies in order to help them provide, operate, understand, customize, improve, support, and also do the marketing of the services. Please do note that when the individual uses these third-party services or Facebook Company Products, it is their own terms and privacy policies that will govern the individual’s use of those services and products.
Are user’s privacy rights protected? And how will it affect global business?
A report by an internet security researcher has recently claimed about the application that more than 1,700 private WhatsApp group links were made visible on Google via web search. WhatsApp has clarified that if the users choose to utilise the services like “Shops” (Facebook-branded commerce feature), then their shopping activity may be used by the application to personalise the user’s experience and there can be individual target ads be seen on Facebook and Instagram. Claims that these features are optional.
Many business leaders like Elon Musk (he is now the richest person in the world, so he must be right about something, it seems), Paytm founder Vijay Shekhar Sharma, Mahindra Group Chairman Anand Mahindra and very recently PhonePe CEO Sameer Nigam have already spoken about moving to rival platforms.
Presence of WhatsApp Globally
The top 10 list of countries with the highest number of users in 2019:
- India – 340 million
- Brazil – 99 million
- United States – 68 million
- Indonesia – 60 million
- Mexico – 57 million
- Russia – 54 million
- Germany – 44 million
- Italy – 33 million
- Spain – 30 million
- United Kingdom – 27.6 million.
Existing Laws in the top 10 Countries
According to the UNCTAD (United Nations Conference on Trade and Development) website, 66% countries are equipped with Data Protection and Privacy Legislation, one of them is India that has the Information Technology Act, 2000. And, 10% of the countries have Draft Legislation as well, with 19% countries having no Legislation and the remaining 5% countries information is not available.
India – Basically, India does not have any special legislation for Privacy and Data Protection yet. It has a mix of a couple of legislations to take care of the problem. Currently, Information Technology Act (No. 21 of 2000) in combination with other suitable legislation are used for targeting the issues related to Data Privacy. India is trying to spearhead the problem by bringing in a comprehensive legislation called Indian Personal Data Protection Bill, 2018, which is currently being discussed and several amendments have been suggested to it.
Brazil – A patchwork has been tried by combining several individual legislations and frameworks together. While Brazil’s Consumer Protection Code 1990 targets the topics of collection of data, storage of the said data, processing of data and usage of the personal data, the Brazilian Internet Act 2014 regulates all the details regarding privacy and personal data online.
United States of America – The US mostly relies on a compilation of legislation, regulations being imposed by law and also by means of self-regulation. Almost 20 industry-specific laws are in place at the national level, while there are more than 100 individual state-specific Privacy Laws. Of all the states, the most vigilant is California as it has more than 25 Privacy Laws in place to govern. California Consumer Privacy Act (CCPA) governs privacy rights by giving residents four most important rights, namely, right to notice, right to opt-in or opt out of any service, right to equal services provided by the entity and right to access.
If an organization is collecting personal data whether the place of business is in California or not, they have to comply with CCPA. Pertinent privacy laws include the Privacy Protection Act 1980, the Privacy Act 1974, the Health Insurance Portability, Accountability Act 1996, the Gramm-Leach-Bliley Act 1999 and Fair Credit Reporting Act 2018.
The USA also enjoys power with a special “privacy shield” agreement that it has with both the EU and Switzerland.
Indonesia – Indonesia has tried to piece together the Data Privacy law by combining the Electronic Information and Transactions (EIT) Law (2008) along with the Amendment No. 19 of 2016 and Regulation No. 82 of 2012 along with the Regulation No. 20 of 2016 (the MOCI Regulation). The country is at present trying to put together a draft Bill that is mostly inspired by the provisions of the European Union Law.
Mexico – There is a Federal Law that governs the Processing of Personal Data with regard to a private entity called Private Properties 2010. In it, the word “processing” is defined to include collection, disclosure, usage, access, storage, disposal of data, transfer of data as well as management of data. The private sector is also in a way controlled by other legislations in Mexico, including the Privacy Notice Guidelines 2013, the Protection of Personal Data held by Private Parties 2011 and also the Parameters for Self-Regulation 2014. The Federal Institute for Access to Information and Data Protection (IFAI) is also assigned with the duty to take care of enforcement in Mexico.
Russia – Primarily, through Federal Law on Personal Data 2006 (Act No. 152 FZ) and Information Technologies and Information Protection Act 2006, Russia enforces the processing and collection of personal data. There are also a number of sector-specific and general laws in place to take care of the matters related to Data protection, like the Russian Air Code 1997, Russian Labor Code 2001 and Articles 23-24 in the Russian Constitution of 1993. Any law related to Data protection applies to all the entities that organize, process, determine the purpose of data collection and content of data that is related to the operations.
Germany – Germany is the best example to follow when it comes to Data Privacy laws. It adheres to all the GDPR obligations to the core. The country has Federal Data Protection Act, 2017 (called BDSG) for taking care of the personal data collectors and processors. The law includes subject rights, informed consent, transfer of personal data, among many more things.
Italy – Though the Constitution of Italy does not have any specific provision for Right to Privacy, but after 1973 they included it in the Constitutional Court after which it was added by the Court of Cassation almost two years later. In the primitive stages, the right to privacy protected the person’s private life as well as a domicile. Later, as and when technology evolved, this right was also extended to protect the ability of Individuals through which they could decide for themselves about the kind of information being collected or how that information was to be used. In 1996, the first law came into existence to deal with the privacy issue, but it was later repealed in the year 2003 by Codice in Materia di Protezione dei Dati Personali (Personal Data Protection Code). It included almost all the principles of EU Directive that were related to Data Protection and Directive on privacy and Electronic Communications. This Code in express manner recognizes Right to Personal Data Protection.
Spain – On December 6, 2018, the Official Gazette of Spain published the Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights. The date of the publication of the law is significant as the Constitution Day marks the anniversary of a referendum held in Spain on December 6, 1978. There are five key issues: The object of the law, data subject rights, the data protection officer, the processing of personal data by political parties, and digital rights in the labour field.
United Kingdom – The Data Protection Act, 2018 is the one that incorporates the EU GDPR as supplementary provision for the UK. It focuses significantly on the Data Subject Rights, Data Protection Fees, Offences related to Data Protection, Consent from Children, Special Category Personal Data and enforcement. Since March 29, 2019, the UK is not a member state of the EU. However, the UK has not cleared the doubt about changing the Data Privacy Laws.
Is accepting the policy the only option for Users?
There will be a requirement to give the consent by the user so that Facebook can access their data, it will also include the phone numbers and other related information about how the user virtually interacts with others for continuous use of the application. In essence, all it means is that it will be possible for Facebook to access the account information which will include the phone number of the user, any information on how the interaction with other users take place, along with the data related to the logs how long the individual is using WhatsApp and also how often this process takes place between the said parties.
Any other kind of data which will be shared with Facebook will include the IP address of the user along with the browsing details then what language the user is using and the time zone the user is present.
When using WhatsApp for businesses, the messages may be stored now and managed by Facebook (if the business is run through it). It is known that WhatsApp is encrypted by default and that means Facebook will not see the contents of the users’ messages. The notification which was sent out by WhatsApp to inform the users basically was about the new privacy policy and insisting them to “Agree” with the conditions laid down by the company.
WhatsApp Privacy Policy dated 04 January 2021. In a recent tweet WhatsApp tried to explain its privacy policy after watching its users moving to new and privacy-oriented applications.
Conclusion
The update, that is supposed to be released on February 8 will affect millions of WhatsApp users all over the globe except Europe and the UK (keeping in mind that Facebook has to follow the strict laws that are in place in European Union and UK). Addressing the concerns of the users’ over the privacy issue, WhatsApp head Will Cathcart tried to clarify that the update will affect the business communication only and not the private ones.
Even WhatsApp’s privacy policy that was updated in 2019 also talked about sharing of information with Facebook. But there seems to be no option not to share info. His tweets did not address the issue of how it is that the updated privacy policy which will soon be coming into effect lacks a section about the rights of the users in relation to the choice that their data of WhatsApp not be shared with Facebook. This option however, was provided in WhatsApp privacy policy in the earlier versions that were released in December 2019 and the July 2020 version also which is in use currently.
It is an individual decision whether one wants to use or not use the app, but it is advisable that you keep a back-up chat option in your kitty so that if change happens, you are ready to move on. Most important thing is to make an informed choice, but it is not possible for every one of us to read the terms of services and privacy policy in totality, but we can at least take a breath and decide for ourselves if we want to “Agree”.
Not that the writer here wants to promote, but the most feasible option proposed by successful and known personalities seems to be Signal or Telegram for now. The most recent news is that WhatsApp is considering deferring the implementation of the new privacy policy for another 3 months due to the widespread backlash it has received. At this juncture, we can only wait and watch what ultimately happens.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: