The Centre said WhatsApp's new privacy policy violates the law as envisioned in the Information and Technology Act, 2011 and sought a stay on the implementation of the same till the matter is not decided by the Delhi High Court.
In its counter-affidavit— filed in response to a plea that challenged the messaging app's new privacy policy—the Centre has flagged five violations of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. WhatsApp has failed to specify the types of personal data being collected; notify user details of the collection of sensitive personal information; provide an option to review or amend the information; provide an option to withdraw consent retrospectively; and guarantee further non-disclosure by third parties.
The Centre's counter was filed in reply to a plea filed by a batch of petitioners who argued that the "fundamental shift" in WhatsApp's new privacy policy provided the users of the platform with a choice of sharing WhatsApp account information but does not provide the users with the option of protecting their personal data by opting out of the policy.
A similar matter is pending in the Supreme Court where notice was issued on a plea that sought directions to refrain WhatsApp from not applying lower standards of its new privacy policy for Indian users as against users in Europe.
In its counter, the Centre submitted that the Supreme Court "placed a responsibility" on it to introduce a regime on data protection and privacy following which the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha. "Upon enactment, this law will provide a robust regime on data protection which will limit the ability of such entities issuing privacy policies which do not align with appropriate standards of security and data protection," the Centre said while seeking a stay on the implementation of the new privacy policy.
Earlier this year on January 4, WhatsApp rolled out a new privacy policy that has seen intense backlash. In light of the criticism, Facebook-owned WhatsApp has delayed the implementation of the same.
Also read: WhatsApp Delays New Privacy Policy To May 2021 After Backlash
Centre flags five violations by WhatsApp
The pending passage of the PDP Bill will regulate data protection in this country and any privacy policy issued by entities or corporate bodies must adhere to the requirements specified under the act, the Centre said in its counter-affidavit.
WhatsApp has failed to comply with the existing law on five counts, it further added.
WhatsApp has failed to specify the types of sensitive personal data being collected. It has used "extremely" general terms to enlist the kinds of data collected. Crucially, there is no difference between personal data or sensitive data which is being collected, the centre said.
WhatsApp has further failed to notify the users about details on the collection of sensitive personal data which is in violation of the law. "For instance, WhatsApp's privacy policy mentions the involvement of third-party service providers who may have access to the data, but the names of these service providers and other associated details have not been provided. This is also the case for other Facebook companies, who are allowed to receive and share info about users from WhatsApp," it added.
The new privacy policy fails to provide an option to review or amend the information. The policy also fails to provide an option to withdraw consent retrospectively, the Centre added. The Centre further submitted that upon a close perusal of the policy, it appears that WhatsApp has failed to give users the option of withdrawing consent given earlier.
According to the law, if a user withdraws consent, the data collected must be deleted by the corporate body. However, the Centre said that in WhatsApp's case it only offers the user the option to delete their account. If a user exercises this option, the policy clearly mentions that the undelivered messages will be deleted along with information it no longer needs. This means, that a substantial corpus of data may be retained even after the user has deleted their account.
Lastly, WhatsApp also failed to guarantee further non-disclosure by third parties, the counter affidavit filed by a secretary in the Ministry of Electronics and Information Technology read.
"The three rights prayed before the court to be declared authoritatively have not been talked about in the counter affidavit. Furthermore, even the mechanism to protect the citizen's privacy in the interim has also not been heeded in the counter affidavit," advocate Meghan Pal said responding to the affidavit. Pal represents one of the petitioners who has challenged the new privacy policy.
Also Read: WhatsApp's Privacy Policy: Data Protection Law Needed, Say Experts