Whatsapp’s Move Reinforces Need To Assert Indian Users Right To Data Privacy

Commission for Women.The decision of messaging app Whatsapp’s decision to share commercial user data with parent

Facebook has raised concerns about privacy amongst users worldwide, but in India has acquired particular sensitivity with the long-awaited data privacy legislation still in the works.

The messaging app has become almost ubiquitous in India, with around 400 million users. It has become popular for everything – from sharing information on projects among team members of a corporation to exchanging banter among your friends dating back from school.

The guardrails to even sharing sensitive information have been dropped in most instances though it is hazy to what extent it becomes public information and who all can have access. The realization has now dawned on many users about this who have started migrating to alternate platforms.

While Whatsapp has assured users that they can continue to use their platform as they have always been doing, the larger question remains on who has ownership of India’s data and what protection does the law offer, if at all, to users within the country.

Expedite long-awaited Data Protection Law

India’s data protection law, which was on the verge of being finalized and expected during the upcoming budget session of parliament in February, has indicated that companies including social media platforms will be strictly required to respect the local law and not just governed by their country of origin.

There are now indications that the guidelines on social media platforms are being redrafted to guard against such practices given the latest development over Whatsapp’s move. Such platforms have been treated as intermediaries; which means that they are not the owners of any information and merely a host or a platform.

Such a stance has prevented any liability on such platforms if any suspicious activity including fake news is detected on them, whereby they would be only required to remove any objectionable content. But this position may no longer be tenable as any move to share users’ data – whether it be with a parent company or another entity – clearly points to ownership.

India’s draft law has raised concerns among private companies, especially international players, as there are indications that there would be restrictions placed on data collection and processing. The proposed law may also require companies to collect minimum data on individuals and how many days it can be held and to whom the information can be passed on.

Until now, contractual obligations between the individual and corporations, including social media companies, have governed such data. The reality is that most users in India are not even aware of their rights to such data and more often than not blindly give their consent on such contracts.

Undoubtedly, a far greater measure of protection will be offered regarding individuals' data, once the Personal Data Protection Bill becomes a law in the country. While that would indeed be a welcome step, it is also essential to ensure that data that demands privacy parameters does not merely shift to the government.

After all the Right to Privacy under the Indian Constitution is an integral part of Right to Life and Personal Liberty guaranteed in Article 21. The Supreme Court has said that the Right to Privacy is intrinsic to the entire fundamental rights dialogue.

Empower the Indian citizen by building awareness

Clearly, by extension, the Right to Privacy should empower the Indian citizen over the right to access and control such data, except under certain circumstances where the parliament may decide to exercise its prerogative in the nation's more extensive interests.

The new law must also leave no scope for ambiguity on what will qualify as personal data and what will be treated as non-personal data before the questions relating to Right to Privacy will even come up before the judiciary.

For example, the health records of an individual may either be treated as personal data because of their sensitive nature, but where they are required to be monitored as part of a broader set of data—such as the percentage of the population who might have got infected by covid—might be treated as non-personal data as authorities would need the information in the broader interest of checking the disease.

There are bound to be grey areas in such information as to whether specific details of individual cases can be obtained. If so, to what extent and whether such information can be passed on to another entity.

This will, of course, depend on whether this is driven by national interest or commercial.

Europe’s GDPR fundamentally protects citizens' right to their data, and the awareness level among citizens is also higher on what exactly are their rights. This may not be such an easy proposition in India, given its high illiteracy levels, which is the more reason why an awareness campaign will have to be initiated sooner than later.

Data has often been called the new oil worldwide, which implies a valuable commodity that the international community would embrace. Such a definition may not be accurate as data is not a physical resource, and it is only the right to privacy of such data that is under question. Still, there is no getting away from the fact that this is valuable information at the core of business in coming months and years as we increasingly embrace digital transactions.

For example, analyzing such data through increasingly sophisticated analytic tools will show up consumer behaviour patterns that will indicate say what kind of furniture or automobile should be sold in a particular market, their affordability range and other preferences.

Suppose you are a large online market platform, whether Amazon or Reliance, this is invaluable
information that can give you a clear lead over competitors. However, such user data belongs to that individual and whether or how much they choose to share the information.

It is in this grey zone that the debate over Whatsapp’s move has generated. While it is prudent for policymakers to build in as many safeguards before introducing the Data Protection Bill in parliament, endlessly agonizing over it won’t serve much purpose because the breathtaking pace of technological change may always introduce new elements that are unanticipated.

Endless debate serves no purpose

India will need to move ahead as with any law simply the scope may be tuned and re-tuned as and when cases come up before the judiciary. The GDPR has now been in existence for three years. It will only hurt the nation’s interests if international players are shy of business transactions in India because of this uncertainty zone.

The country’s prowess in information technology also means that it can become a hub of the data analytics business that will be at the core of business operations. It is estimated that the data analytics business is poised to double in the country.

Therefore, we as a country need to push ahead, with the caveat being that the citizen’s rights to data must be seen at the top of a pyramid – not that of a corporation or even the government. The country’s well-established democracy will help lay down these tenets as we move forward.