WhatsApp’s 2021 Privacy Policy – Update 2.0 from India

CPI COLUMNS South Asia cover

By G.R. Bhatia and Manav Gupta1


Despite several significant developments in the past few months, there seems to be no end in sight in the WhatsApp privacy policy saga in India.

The uncertainty surrounding the policy was recently compounded as the long-awaited Personal Data Protection Bill (“PDP Bill”) was unexpectedly withdrawn on 3rd August 2022, before it could be tabled before the Parliament. The Parliament was informed that certain amendments suggested by the Joint Parliamentary Committee in its report on the Bill were being considered and a new Bill having a comprehensive legal framework will be soon introduced.2

In 2021, WhatsApp undertook that it will not compel users to agree to its updated Privacy Policy and Terms of Service 2021 (“2021 Privacy Policy”) until the proposed PDP Act comes into force. WhatsApp’s Counsel had submitted before the Delhi High Court (“DHC”) – “Commitment is that I will do nothing till the Parliament’s law comes in. If Parliament allows it, I will have it. If it doesn’t, bad luck… I’ve taken it off till the Parliament makes a law. Either we fit in or we don’t“.3

The PDP Bill, had it turned into an Act, would have addressed several issues pertaining to the 2021 Privacy Policy. For instance, Section 11 of the Bill would have required WhatsApp to obtain “free, informed, specific and clear” consent (with liberty to withdraw consent subsequently by the user) as a condition precedent to  sharing any personal data obtained from the users. The Bill would have also restricted the transfer of “critical personal data” outside India and would have made it mandatory for companies such as WhatsApp to store all personal data in servers located in India. However, the Bill reportedly suffered from several infirmities and inconsistencies, and therefore the government in its wisdom decided to withdraw the Bill.

The significance of enacting a Data Protection legislation has become all the more apparent in current scenario as WhatsApp had to introduce a separate privacy policy for the European Economic Area4 (“EEA”) in order to comply with the European General Data Protection Regulation (“GDPR”). As per the policy in EEA countries, “WhatsApp does not share user data with Facebook” which is in clear contrast with the policy introduced elsewhere, including in India.5

Interestingly, despite tailoring a separate privacy policy for EEA, WhatsApp received warnings by data protection agencies in several EU countries, including Germany6 and Italy7 after it introduced the new policy. In September 2021, WhatsApp Ireland (the sole establishment of WhatsApp in EU) also handed down a massive €225 million fine8 by the Irish Data Protection Commission (“DPC”) for breach of the GDPR. The DPC found that WhatsApp’s data sharing policy was in breach of several provisions of the GDPR since 25 May 2018.9

In India, various legal challenges were instituted when the 2016 privacy policy was released by WhatsApp in 2016; most notably before the Delhi High Court (“DHC”) in Karmanya Singh Sareen v. Union Of India10 (“Karmanya Singh Sareen”) and before the Competition Commission of India (“CCI”) in Vinod Kumar Gupta v. CCI.11

In Karmanya Singh Sareen case, the DHC noted in its judgment dated 23.09.2016 that a petition challenging the WhatsApp terms of service was not amenable to the writ jurisdiction under Article 226 of the Constitution (especially since the Right to Privacy had not been affirmed by the Supreme Court of India at that time). In August 2017, the Hon’ble Supreme Court of India (“SC”), vide a landmark judgment in K.S. Puttaswamy v. Union of India12 clarified that the Right to Privacy is a fundamental right guaranteed under the Constitution of India.

Consequently, DHC’s judgment in Karmanya Singh Sareen was appealed before the Hon’ble SC. The challenge against 2021 Privacy Policy was also clubbed along with Karmanya Singh Sareen and it is pending adjudication before a Constitution Bench of the Hon’ble SC. On 29th September, after noting that the Central Government plans to table a fresh Data Protection Bill in the upcoming Winter Session of the Parliament, the SC adjourned the matter to 17th January 2023 for final hearing.13

The CCI, on the other hand, had originally refused to delve into privacy related issues under the 2016 Privacy Policy and had dismissed allegations of abuse of dominance.14 However, as regards the 2021 Privacy Policy, the CCI initiated suo-moto proceedings and formed a prima facie opinion that WhatsApp abused its dominance by forcing users to compulsorily agree to share their data with Facebook companies if they wanted to continue using the app.15 Consequently, CCI issues a direction to the Director General (an investigation arm of CCI) to investigate the conduct of Whatsapp/Facebook and submit a report to the CCI for its consideration.

WhatsApp and Facebook challenged the said order of the CCI before the DHC but the Single Judge bench as well as a Division Bench dismissed the appeals and upheld the CCI’s jurisdiction to investigate possible anti-trust concerns emanating from the 2021 privacy policy. A further appeal was filed before the Hon’ble SC but on 14.10.2022, even the Hon’ble SC dismissed the appeal and refused to interfere with the CCI’s order.16

The issue, therefore, remains embroiled in litigation before numerous forums and thus, it is often argued that a more appropriate approach to deal with such issues concerning data-sharing and user’s online privacy would be to set up a “Data Protection Authority” by enactment of a law.

Nevertheless, the role of anti-trust authorities in privacy related cases and for regulating such data sharing practices of the big-tech companies remains utmost important. For instance, it is pertinent to note that mere initiation of enquiry by the CCI has sent a positive signal and WhatsApp has undertaken to defer its 2021 Privacy Policy till a Data Protection law comes into force. Further, the concerns flagged by the CCI pertaining to use of data by WhatsApp/Facebook to leverage their position to enter related/ non-related markets and deny market access to smaller competitors may genuinely warrant anti-trust scrutiny. This is highlighted by the fact that anti-trust authorities in several countries such as Germany,17 Turkey,18 South Africa,19 have acted against WhatsApp’s data sharing policies despite there being a comprehensive law on Data Protection in place in all these countries.

While CCI’s decision to analyse the issue from a “Competition Lens” is a welcome step, it is also important for the DG and later the CCI to take a holistic view of the case and not get swayed by the negative perception surrounding the policy. It must be kept in mind that most of the “big-tech” companies such as WhatsApp, Facebook, Google etc. which offer “free services” to users without discrimination, rely upon such data sharing to generate revenue and improve their services. The user-friendly services and continuous/ constant effort to innovate and improve the standard of services needs to be given due recognition. A balanced approach must be taken as discouraging innovation in any way and manner would have a chilling effect on Competition. Therefore, the DG and the CCI, ought to bear in mind the potential far-reaching implications of this case before making any conclusions.

The only thing which can be said with certainty, for now, is that this saga is far from over and a long-drawn battle before the CCI and the Appellate tribunal/ SC awaits. Thus, prudence suggests that a fresh Data Protection Bill be introduced, enacted and brought in force as soon as possible.

Click here for a PDF version of the article

1 G.R. Bhatia is Partner & Head of Competition Law Practice at Luthra & Luthra Law Offices India. He is former Additional Director General at the Competition Commission of India and the MRTP Commission. He is assisted by Manav Gupta, Associate at Luthra & Luthra Law Offices India. The views expressed herein are personal and the author can be contacted at gbhatia@luthra.com.

2 https://www.livelaw.in/top-stories/centre-withdraws-data-protection-bill-from-lok-sabha-205603?infinitescroll=1.

3 https://www.hindustantimes.com/india-news/someone-needs-to-look-into-it-delhi-hc-on-concern-over-sharing-citizen-data-101648669546440.html.

4 The European Economic Area comprises of the EU countries and Iceland, Liechtenstein and Norway.

5 https://www.bgr.in/news/whatsapps-new-privacy-policy-european-users-will-not-need-to-share-data-with-facebook-933273/.

6 https://techcrunch.com/2021/05/11/facebook-ordered-not-to-apply-controversial-whatsapp-tcs-in-germany/.

7 https://techcrunch.com/2021/01/14/confusion-over-whatsapps-new-tcs-triggers-privacy-warning-from-italy/.

8 It is the second largest fine ever imposed under the GDPR.

9 https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry.

10 Karmanya Singh Sareen & Anr v. Union of India & Ors., (2016) 233 DLT 436 (DB).

11 Vinod Kumar Gupta v. CCI, CCI Case no. 99 of 2016.

12 K.S. Puttaswamy v. Union of India, 2017 (10) SCC 1.

13 WhatsApp privacy policy: Government tells SC it will bring new data protection bill to safeguard citizens’ rights – BusinessToday.

14 The CCI’s decision not to investigate the 2016 privacy policy was appealed before the National Company Law Appellate Tribunal (“NCLAT”) by the informant. The NCLAT, however, recently dismissed the appeal vide an order dated 02nd August 2022.

15 Suo moto case no. 1 of 2021, In re Updated Terms of Service and Privacy Policy for WhatsApp users, available here.

16 Supreme Court Dismisses Pleas Of WhatsApp-Meta Against CCI Probe Into Privacy Policy (livelaw.in).

17 https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook.html.

18 https://www.mondaq.com/turkey/antitrust-eu-competition-/1073820/whatsappocalypse-saga-resolved-whatsapp-waves-white-flag-in-turkey.

19 https://www.sanews.gov.za/south-africa/call-whatsapp-revise-privacy-policy-sa.