WhatsApp vs Govt: in two cases in HC, each side contradicts itself

Two cases in Delhi High Court, both Centre vs WhatsApp, have user privacy at their heart. However, in each of these cases, both sides have made arguments that are diametrically opposite to what they have argued in the other case, throwing up inherent contradictions in the positions they have taken.

In the first case, WhatsApp is defending its privacy policy update of 2021, which asks users to sign up to its data-sharing policy with Facebook group companies, while the Centre is opposing the policy update on grounds including “violation of informational privacy”.

The Centre has argued that WhatsApp is indulging in anti-user practices by obtaining “trick-consent”, and alleged that its entire existing user base is being made to accept the terms and conditions before the pending Personal Data Protection Bill becomes law.

In the second case, WhatsApp has argued that the Centre’s new IT intermediary guidelines that require significant social media platforms to provide traceability of first originator of unlawful messages is a “dangerous invasion of privacy”, and poses “a threat to free speech”.

While WhatsApp wants the new rules quashed, the Centre has argued that the rules pertaining to tracking the first originator are an example of “reasonable restriction” to which the “fundamental right to privacy is subject”.

The Centre’s stand in at least one of the cases seems “driven more by convenience than conviction”, given that the arguments in the other case “runs contrary to, or even materially dilute” the stance taken in the other, something that applies equally to the other side (WhatsApp) as well, a legal expert said.

What can potentially queer the pitch for the two parties is that both cases are before the same court, and arguments are likely to run parallelly.

On May 25, WhatsApp moved Delhi High Court against the Intermediary Rules, which became effective on May 26. While the Union Government is yet to file its response to the lawsuit, it has put out a press release, which says traceability is essential to “curb the menace of fake news”.

WhatsApp in its challenge in court has argued that breaking of encryption could put at risk groups such as journalists and civil or political activists.

Earlier, in January, Noida resident Seema Singh had filed public interest litigation in Delhi High Court against WhatsApp’s privacy policy, arguing that fissures in law with regard to data are “quite conspicuous”, and a framework to regulate is required. The PIL challenged WhatsApp’s new privacy policy released on January 4, 2021 as being “violative of the fundamental right to privacy under Article 21”, as it did not offer users any option to protect their personal data by opting out of the policy.

Responding to this PIL, the Centre had explicitly sought that WhatsApp “be restrained” from implementing its new privacy policy and terms of service pending adjudication by the court, citing “concerns over users ability to control the sharing of their personal data”.

In arguing against WhatsApp’s privacy policy, the Centre cited “discriminatory treatment” of Indian users compared with European users, given that the new policy was not applicable in Europe.

However, WhatsApp’s decision to not implement the new privacy policy in Europe was driven by the EU’s General Data Protection Regulation. This, in fact, had put the focus on India’s Personal Data Protection Bill, which has been pending before a Joint Parliamentary Committee since January 2020.

Further, in its stand against WhatsApp’s new privacy policy, the Ministry of Electronics & IT said that the changes to the policy and the manner in which it was communicated “undermines the sacrosanct values of informational privacy, data security and user choice for Indian users…”.

Contrarily, in asking messaging apps with more than 50 lakh users to introduce traceability, the government itself could be at odds with protection of informational privacy. — the Delhi High Court decision could mark the first real-world test of the fundamental right to privacy upheld by the Supreme Court in its 2018 Puttaswamy (privacy) judgment.

In that judgment, the Supreme Court identified informational privacy as the one of the nine fundamental privacies, and that “which reflects an interest in preventing information about the self from being disseminated and controlling the extent of access to information”.

While the government argues that Section 4(2) of the Intermediary Guidelines, which lays down the provision for mandating traceability, has been “developed as a last resort measure, only in scenarios where other remedies have proven to be ineffective”, it leaves open the enforcement or provision of proof of less intrusive means used prior to seeking messaging traceability.

WhatsApp has said there is no way to predict which message a government would want to investigate in the future. “In doing so, a government that chooses to mandate traceability is effectively mandating a new form of mass surveillance. To comply, messaging services would have to keep giant databases of every message you send, or add a permanent identity stamp — like a fingerprint — to private messages with friends, family, colleagues, doctors, and businesses,” it said.

The Facebook-owned messaging app, in its filing to court, also said that it defines “end-to-end encryption as communications that remain encrypted from a device controlled by the sender to one controlled by the recipient, where no third parties, not even WhatsApp or our parent company Facebook, can access the content in between. A third party in this context means any organization that is not the sender or recipient user directly participating in the conversation”.

However, even as it defends end-to-end encryption from the new IT rules, WhatsApp’s new privacy policy details how the company allows sharing of user data with Facebook. Even as the content of messages being shared by users remains encrypted, there is no restriction on sharing of metadata to enable various business communication features brought out by WhatsApp over the years. Back in 2016, WhatsApp announced a change to its terms of service, where it gave users a 30-day window to opt out of sharing their data with Facebook. Almost five years later, the messaging platform detailed how it was doing so.

While WhatsApp has argued that the updated policy is applicable only for business messages, the provision for sharing data with Facebook undermines the encryption policy since WhatsApp “considers chats with businesses that use the WhatsApp Business app or manage and store customer messages themselves to be end-to-end encrypted”.

It also gives businesses the ability to choose Facebook to securely store messages and respond to customers.

In response to a query, WhatsApp said in a statement: “We will not limit the functionality of how WhatsApp works in the coming weeks. Instead, we will continue to remind users from time to time about the update as well as when people choose to use relevant optional features, like communicating with a business that is receiving support from Facebook. We hope this approach reinforces the choice that all users have whether or not they want to interact with a business. We will maintain this approach until at least the forthcoming PDP (Personal Data Protection) law comes into effect”.

The Ministry of Electronics & IT did not respond to an e-mail query.