In early 2014, when messaging application WhatsApp was taken over by social networking giant Facebook, the question was not if WhatsApp would share user data with Facebook; the question was when it would share the data. It was answered earlier last month when WhatsApp users were nudged to opt in to such a data share. Most of us allowed WhatsApp to collect and share information with Facebook and all its group companies for the purpose of commercial advertising and marketing on its platform. Almost immediately, a group of students filed a PIL in the Delhi High Court alleging violation of Article 21 of the Indian Constitution, claiming that ‘Right to Privacy’ was an integral part of the ‘Right to Life’ as enshrined in our constitution.
In defense of its new policy, WhatsApp informed the court that they are not forcing any user to use their app as users always have the option not to use the messaging service. The High Court on its part asked WhatsApp to ensure that it will completely delete data/information of those users who deleted their WhatsApp account before the new policy comes into force and if users chose to remain on the messaging service, it will only share data collected after the new policy comes into effect. The court also asked the Central government and the Telecom Regulatory Authority of India (TRAI) to come up with regulations for applications like WhatsApp, something that TRAI has been trying to put in place for the past two years. It is worth highlighting here that there is no mechanism laid down by the court to verify that WhatsApp does as it has been asked by the Court.
Meanwhile, in Germany, the Hamburg Commissioner for Data Protection and Freedom of Information issued an order to Facebook to cease collecting information of German WhatsApp users and ordered the company to delete all data which was forwarded. It went on to state that Facebook and WhatsApp should act as independent companies and process users’ data on separate and not similar terms and conditions. If we were to highlight the main difference in the way the same issue was tackled by two different institutions, it is clear that the order of the German authority is primarily focused on the entity that will be collecting the data, in this case Facebook, and completely protects the user’s interests. On the other hand, the last option for an Indian user who does not wish to share his information is to not use WhatsApp’s service.
It is this differing treatment towards the same solution that warrants a close look at the data privacy laws in our country. In their present form, the legislations that try to address privacy concerns are piecemeal in nature. Most of these provisions are found in the Information Technology Act 2000 and its subsequent amendments. Section 72 of the Information Technology Act 2000 in its original form penalized breaches of confidentiality and privacy of data. It was later amended to include Section 72A to penalize “any person” (including an intermediary) who has obtained personal information while providing services under a lawful contract and discloses the personal information without the consent of the person, with the intent to benefit from such a disclosure.
When this clause is read together with Section 69B of the Act, it squarely puts the responsibility of securing personal data on the intermediary, which in this case could be a wide spectrum of actors including cyber cafes, telecom companies or even over-the-top (OTT) applications like WhatsApp. This also makes Government agencies like the Unique Identification Authority of India (UIDAI), which is tasked with the collection of biometric data, accountable for maintaining the privacy of the data they collect.
Another set of amendments came into force with the addition of Section 43A, which obliges corporate bodies that possess, deal with or handle any sensitive personal data to implement and maintain “reasonable security practices,” failing which they would be liable to pay damages. The Act defines “corporate bodies” as those involved in “commercial or professional activities” only. The definitions of “sensitive personal data” and “reasonable security practices” are narrow and hence prevent courts from interpreting a contextual definition. It is only in Section 66E (Violation of Privacy) that we find privacy concerns addressed. However, the section only covers electronic voyeurism and penalizes acts of capturing, publishing and transmission of images of the “private area” of any person without their consent, “under circumstances violating the privacy” of that person. It falls short of acknowledging the importance of protecting personally identifiable information (name, passport number, date of birth, biometric information, etc.) and deals only with disclosure of potentially compromising photographs.
A 2012 report by the Justice Shah Commission mentions 57 existing legislations and policy guidelines that need to be amended to include the privacy implications arising in future. This list includes some old laws like The Negotiable Instruments Act (1881) as well as recent ones like the Right to Information Act (2005). The recently passed Aadhaar Bill is in fact among the first to give user data privacy serious thought, and it would be apt to amend the IT Act on the same lines at the earliest. But laws in India have always been playing catch-up with technology, and expecting privacy legislation any time soon would be no different. What is more important now is to have vibrant public debates to define the principles on which our privacy legislation will be shaped.
Worth a mention here is the concept of “Datensparsamkeit” (roughly translates to data minimization) from the German privacy legislation. It advocates the idea of storing only as much personal information as is absolutely required for the business or applicable laws. Following datensparsamkeit techniques, even in jurisdictions where they are not legally mandated, can allow service providers to reduce the information they store. If they never store the information, they don’t need to worry about someone stealing or misusing it. It is concepts like these that need to find a voice in the public domain before we set the contours of our laws.
At the same time, using services like those offered by WhatsApp should not be turned into a trade-off between convenience and data privacy. End user agreements need to be simplified, more specific and available in human-readable terms; one way is to highlight exclusions (all data except for that mentioned in the exclusion list will be shared). Users should be given the option to opt out of specific features instead of a singular “I Agree” button. Deletion of user data should be real time and not after a predefined timeline as seen with most messaging applications today.
It is a far-off expectation to see privacy legislation coming anytime soon from a government that is defending a case in the Supreme Court to not include ‘Right to Privacy’ under the ‘Right to Life’ of our constitution. It would do well to change its stance and focus on bringing in a fundamental right to privacy backed by principled privacy legislation, unless it wants its citizens to leave their personal data in the hands of multinational corporations that change not only the rules of the game but the game itself to suit their interests.