By Asheeta Regidi
The Supreme Court of India has sought a response from WhatsApp and the Centre regarding the protection of WhatsApp user data. This notice was issued in an appeal against the Delhi High Court judgment last year in Karmanya Singh Sareen vs Union of India, against WhatsApp’s sharing of user data with Facebook.
The Delhi High Court had granted limited relief to the petitioners in the previous petition. It ruled that the data of users who deleted their WhatsApp profiles must also be deleted from WhatsApp servers, and that no user data prior to 29 September 2016, could be shared by WhatsApp.
The current petition reportedly argues that even existing and future users are entitled to the same level of privacy. The petition argues that an artificial distinction is being created between users who continue to use WhatsApp after September 2016, and those who do not. Reports also state that the petition has asked for WhatsApp to be classified as a public utility service, and for privacy requirements similar to those imposed on TSPs by Trai to be imposed on it (Note: the original petition is as yet unavailable).
What is a public utility service?
Indian laws do not define a ‘public utility service’ except for limited purposes, such as under the Legal Services Authority Act or under the Industrial Disputes Act. Generally, it refers to any service or business that is consumed by a large number of people. For example, under the Legal Services Authority Act, 1987, a ‘public utility service’ refers to a limited list of services such as transport services, postal and telephone services, power supply, medical services, etc. The Central and State governments have the power to add more services to the list. Since these services are essential, and used by a significant number of people, these are subject to detailed regulation under Indian laws.
While the internet and internet-related services are traditionally not considered a public utility service, it is being argued that these ought to be included. As such, dedicated laws on services like WhatsApp are so far missing.
Privacy obligations imposed on TSPs by Trai
In the case of public communication services like those provided by TSPs, the licenses issued by Trai impose obligations on them to safeguard privacy. Breach of any of these terms can result in the license of the TSPs being suspended or terminated.
For example, Clause 39.2 of the Unified Access Service License, and Clause 42.2 of the Cellular Mobile Telephone Service License, provide that the licensees must take all necessary steps to safeguard the privacy and confidentiality of the third parties (the users). In addition, the TSPs cannot divulge such information unless it is necessary for providing the service to the third party. The TSPs must also ensure that no unauthorised interception of the communication takes place.
Trai may impose similar privacy obligations on OTTs
The TSPs have over 1,074 million users in India. WhatsApp, in comparison, has only over 70 million users in India. Due to the significantly lower numbers, putting WhatsApp as a public utility service on par with the TSP services may not be fair.
However, despite this, WhatsApp still has control over the personal data of over 70 million Indians. The personal data of these 70 million Indians, and millions of others, has almost no safeguards under Indian laws, and no recourse for their protection. Whether it is WhatsApp, Facebook, or any of the numerous such companies collecting Indians’ personal data, these are only subject to a bare minimum of regulation under Indian laws. As seen in the Delhi High Court judgment, in the absence of adequate laws, there isn’t much that can be done to protect user privacy in the courts. This is definitely a public concern.
It is perhaps for this reason that Trai, in its Consultation Paper on Over-the-Top Services like WhatsApp, had noted that OTTs need to have privacy obligations similar to those imposed on TSPs. The paper also comments on the increasing risk to individual privacy on account of the Big Data activities of such companies.
Why the Delhi HC judgment didn’t have much effect
Indian privacy laws contain almost no safeguards for the data in the possession of such companies. India’s privacy law is contained in Section 43A of the Information Technology Act, 2000 and the rules issued thereunder. This, however, applies only to sensitive personal data, such as name, financial information, etc. With regard to the range of data in possession of companies like WhatsApp, such as private messages, conversations, videos, etc., there is no protection.
The result of this is that there is no adequate recourse for concerned users under the law. Additionally, the right to privacy is also not a guaranteed fundamental right, as the issue is currently pending before a constitutional bench of the Supreme Court in KS Puttaswamy vs Union of India.
Further, in the absence of laws, the main instrument governing user privacy is WhatsApp’s Terms and Conditions, which are subject to change at any time. This is why, much as WhatsApp’s move was an about-turn on its privacy promises, the move was legal under Indian laws.
This was the reason why the Delhi High Court could not take much action, and granted such limited relief. While India failed to prevent WhatsApp’s move, the UK and Germany, and thereafter the EU, succeeded in getting WhatsApp to pause sharing data with Facebook. The reason for this is not only the detailed privacy laws but also the establishment of dedicated privacy watchdogs like the UK’s Information Commissioner’s Office.
Recognise the urgency for privacy laws
In the absence of proper laws, and since the fundamental right to privacy is still in question, the Supreme Court may just reach the same conclusion as the Delhi High Court on these issues. However, there is no question that the privacy of millions of Indians is at stake due to the lack of laws. The risk is not limited to WhatsApp but exists in any and every company that collects data from Indians. This is a public concern that has remained unaddressed for far too long. It is hoped that the Supreme Court will recognise this, and direct immediate measures to safeguard privacy.
The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.