The Union IT and Law Minister Ravi Shankar Prasad, in a recent meeting with the Whatsapp CEO Chris Daniels, has requested Whatsapp to comply with certain requirements. As per this report, this includes the following:
• That a grievance officer be appointed in India to deal with fake news
• To set up a corporate entity and a local head in India
• To follow the law of the land or face charges of abetment
• To store data of Indians locally in order to start payment operations in India
• Ensure traceability of messages which are being circulated at a mass level in an area at a particular time
This article looks at the impact these requirements will have on Whatsapp. On the one hand, the requirements have been imposed in relation to the increasing fake news menace, and on the other, in relation to Whatsapp’s proposed payment service.
Corporate entity in India and compliance with Indian laws
The requirement to set up a corporate entity in India arises in relation to Whatsapp’s proposed payment service. Based on publicly available information, Whatsapp Payments is a payment service founded on UPI payments. As per the NPCI’s Procedural Guidelines, to be a payment service provider providing UPI-related payment services, the entity must be a regulated entity under the RBI, as per the Banking Regulation Act. However, it isn’t clear what form of a regulated entity Whatsapp will be required to take. For instance, payment banks and pre-paid payment instruments (mobile wallets) are both required to be companies incorporated in India. The government has, along the same lines, thus required Whatsapp also to establish a corporate entity in India
Having a local presence in India is likely to bring about other changes in the laws applicable to Whatsapp as well. For example, Section 43A of the Information Technology Act, 2000, which awards compensation for failure to protect data, applies only to body corporates present in India. The new Draft Personal Data Protection Bill, 2018 (the PDP Bill) does change this through its vast extra-territorial jurisdiction.
Another issue that arises with companies located abroad is with holding them accountable for violations of laws in India. The terms and conditions of such companies often select foreign laws as well as foreign venues for filing suits. For instance, under Whatsapp’s current T&Cs, courts in California will have jurisdiction over any dispute that arises. Greater compliance with Indian laws will certainly be necessitated through a local presence in India. It will have to be seen if this will also necessitate changes in the jurisdiction clauses in the T&Cs.
Data localisation norms
In relation to privacy, another issue that arises is the data localisation norms that have been imposed in relation to the payment data. The provisions of the PDP Bill immediately come to mind, and the requirement imposed on WhatsApp is among the first clear signs of how the government plans to impose the proposed data localization requirements for ‘critical personal data’ under the Bill. At this stage, it isn’t clear if the government is prohibiting WhatsApp from taking the data outside the country, or if only the data mirroring requirements, i.e., to store at least one live copy of the data in a server within India, have been imposed.
Compliance with Indian privacy laws
In relation to fake news and from the perspective of privacy, the need to comply with Indian laws will mean that Whatsapp’s services will have to be compliant with a number of laws, including those on enabling decryption, monitoring and interception by the government. This is in addition to the direct requirement of traceability of fake news messages. These, together, will have an impact on the level of privacy to the users, both in terms of the end-to-end encryption as well as the extent of governmental access. Similar attempts can be seen by governments elsewhere as well, be it the FBI’s attempt to gain a backdoor to the iPhone, or the recent reports of the US Government attempting to force Facebook to allow it to wiretap Facebook messenger.
The lack of access to data in the hands of companies like Facebook, Google, and Whatsapp implies that many a time, Indian governmental requests for data were turned down. The lack of adequate international cooperation for investigation, be it through inadequate Mutual Legal Assistance Treaties or the failure to ratify the Budapest Treaty, are among the issues faced with investigations.
These requirements will enable easier access to the data. Investigations have been hampered in the past through the refusal of such companies to provide data on users suspected to be involved. At the same time, the issue of government surveillance is such that the privacy offered by these companies has become an important layer of protection for the people.
Do these requirements solve fake news?
Ensuring the traceability of fake news messages via Whatsapp may or may not lead to the originator of the message. The data localisation norms relate to payment data only and so will have no impact on fake news. The requirement to comply with laws will ensure more access to data, but may or may not resolve the issue of fake news. Yet another issue here is how Whatsapp will be required to comply with laws in relation to the lynching itself when India has no clear laws on lynching. The government has, here, threatened to charge Whatsapp with abetment if it fails to fix the fake news problem.
Impact of the requirements
On the whole, the extent to which new requirements are imposed may or may not actually help tackle fake news or enable better investigations. One thing that is certain is that these requirements tighten governmental control over such entities while simultaneously ensuring easier accessibility of data to the government. Privacy concerns, naturally, follow. As discussed here, singling out Whatsapp for the fake news menace is unlikely to solve the problem, and the government needs to resort to more collective measures to solve the problem at hand.
The author is a lawyer specializing in technology, privacy and cyber laws.