Menu

India Asks WhatsApp To Withdraw Privacy Policy Changes

The government has “grave concerns” over potential data-sharing with WhatsApp owner Facebook.

MUMBAI, India — India’s government is asking WhatsApp to withdraw recent changes to its privacy policy, citing “grave concerns” over the “implications for the choice and autonomy of Indian citizens” in potential data-sharing with Facebook.

In a strongly worded email to WhatsApp head Will Cathcart on Jan. 18, the Ministry of Electronics and Information Technology raised concerns about users’ information security as the messaging app’s new policy proposes to share metadata of users’ chats with business accounts with other Facebook companies, according to media reports. Personal chats between users would not be shared with Facebook.

India is WhatsApp’s largest market, with nearly 400 million users. But over the past month, many users have become increasingly worried about how WhatsApp might be sharing their data with parent company Facebook and have moved to alternatives such as Signal and Telegram.

Ravi Shankar Prasad, minister for information technology and electronics, in a tweet on Jan. 19, said that WhatsApp and Facebook should not be “impinging upon the rights” of Indian users.

“The sanctity of personal communications needs to be maintained,” he wrote.

The government sent 14 questions to WhatsApp, including queries about what data will be shared, which server houses Indian data, and any differences in the app permissions based on geography.

WhatsApp has postponed implementing the privacy update by three months to May 15. It has also clarified that private conversations of users will remain encrypted.

“Neither WhatsApp nor Facebook can read your messages or hear your calls with your friends, family, and co-workers on WhatsApp. Whatever you share, it stays between you. That’s because your personal messages are protected by end-to-end encryption,” WhatsApp’s statement on its privacy policy says. “This update does not expand our ability to share data with Facebook.”

Some users and legal analysts are critical of the proposed changes to the privacy policy.

“WhatsApp has potentially sought to create an experiment to target one of its biggest markets, knowing fully well that India has a massive policy vacuum,” Indian cyberlaw specialist Pavan Duggal told Zenger News. “As of now, India does not have a dedicated data protection law or data privacy law.

“As WhatsApp will be sharing data with its business affiliates, these businesses can target its customers effectively. But they have to be mindful that this advantage may be in violation of Indian laws.”

WhatsApp’s online statement says: “The changes are related to optional business features on WhatsApp, and provides further transparency about how we collect and use data. Learn more about new business features and WhatsApp’s Privacy Policy update here.”

The Indian government has noted that WhatsApp offers a different set of rules for users in Europe.

The EU has a General Data Protection Regulation (GDPR), which went into effect in May 2018. It governs how personal data of individuals in the EU may be processed and transferred.

WhatsApp’s Niamh Sweeney, director of policy for Europe, Middle East and Africa, said In a series of tweets that the WhatsApp policy changes would not be applicable for users in Europe.

“There are no changes to WhatsApp’s data-sharing practices in the Europe [region] arising from this update,” he wrote on Jan. 7. “The latest update to our Privacy Policy is about providing clearer, more detailed information to our users on how and why we use data.

“It’s also about improving how businesses use WhatsApp to connect with customers. The updated Policy provides info on how businesses using the WhatsApp API to talk to customers can now do so using a Facebook-provided service to help them manage their chats with customers,” she wrote.

When WhatsApp updated its policy in 2016, after the GDPR was adopted —though not yet implemented — in regard to data sharing with Facebook, only users in the European region could opt-out of it without any deadline.

Jana Gooth, legal policy adviser at the European Parliament, told Zenger News that under the GDPR, any data processing activity needs a legal basis, as per the list in Article 6.

“In this case, the only appropriate legal basis for the sharing of user data with Facebook would be a user’s consent. There are strict criteria that need to be fulfilled when it comes to consent,” said Gooth.

Article 7, paragraph 4 of the GDPR, regarding users’ consent to data sharing, states: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” 

This Article, according to Gooth, prevents companies from forcing users to consent to data practices that aren’t necessary for the services they offer.

Duggal said that GDPR is considered the gold standard when it comes to user data privacy.

“Ideally, WhatsApp should have extended the same policies to the rest of the world, but they are not doing that because Facebook wants to monetize your data.

“The fundamental question facing Indians is: Do they want to mortgage their personal privacy, their sensitive personal data in the hands of an organization whose only motto is to monetize and earn from your data?” said Duggal.

WhatsApp is expected to respond to the questions by Jan. 25.

(Edited by Uttaran Das Gupta and Judith Isacoff.)