• News
  • Columns
  • Interviews
  • BW Communities
  • Events
  • BW TV
  • Subscribe to Print
BW Businessworld

Why India’s Data Protection Bill Is Worrying The Messaging Giant

The Meta-owned Messaging app was fined $267M for violating Europe’s General Data Protection Regulation (GDPR).

Photo Credit :



Recently, WhatsApp updated its privacy policy for European users after the backlash of Ireland’s Data Protection Commission (DPC). The Meta-owned Messaging app was fined $267M for violating Europe’s General Data Protection Regulation (GDPR).

Moreover, WhatsApp has been ordered to modify its privacy policy according to GDPR standards and communicate the updated policy to users and non-users in the simplest language so that even a school-going student can understand. The messaging platform has to implement all orders within three months.

What Went Wrong?

Since 2018, Ireland's DPC was receiving many complaints from WhatsApp users, non-users, and the German Federal Data Protection Authority, about handling the personal data of its users between WhatsApp and parent company Meta (formerly Facebook).

After getting lots of complaints, DPC decided to start an investigation on the ground of lack of transparency by WhatsApp.

The consumer’s complaints allege that WhatsApp frequently messages users about accepting privacy updates, and uses unclear and vague terms to describe how the data will be shared with its parent company. For the past few months, the messaging app has been forcing users with pop-up requests to accept privacy updates and it also threatens to cut off access to the app if it doesn't accept the update.

WhatsApp Violations

In Europe, GDPR provides citizens with a fundamental right to protect their personal sensitive data. Moreover, it also grants the right to share or delete their personal data on the internet. According to DPC, WhatsApp has violated the obligations under Articles 12, 13 and 14 of the GDPR.

In short, these breaches mean that WhatsApp failed to be completely transparent with users about how it shares users’ data with its parent company and its subseries. Furthermore, non-users (third parties on other apps) were also not made aware that their information could be shared by WhatsApp, thereby denying them the ability and right to control their personal data. The DPC stated that, Messaging platform provided only 41% of the required information to users, while non-users received none.

The Response

Clearing its stance on the latest development, a spokesperson for WhatsApp said: "As ordered by the Irish DPC, we have reorganised and added more detail to our Privacy Policy for people in the European Region.

Moreover, WhatsApp said it disagreed with the decision, but it has to comply by updating its policy." We disagree with the decision and are appealing because we believe we already provided the required information to all our users," the spokesperson added.

Assuring users for safety, WhatsApp spokesperson said, "This update does not change our commitment to user privacy or the way we operate our service, including how we process, use or share your data with anyone, including Meta. Wherever you are in the world, we protect all personal messages with end-to-end encryption, which means no one, not even WhatsApp, can read or listen to them”.

Indian Policies & WhatsApp

In January 2021, WhatsApp tried to push an update to force users to allow users to share data with Facebook. This data includes personal sensitive data such as phone numbers, activity on WhatsApp, logs, location information, device identifiers, transaction and payment history, IP addresses, and cookies.

WhatsApp has been sending data to Meta anyway since 2016 (without user consent), but only this year they acknowledged the fact and tried to legitimize the arrangement. The move sparked a backlash that only made it legally difficult for WhatsApp.

In India, WhatsApp's plan to update its privacy policy drew a massive backlash in the country and many users migrated to alternative chat services like Telegram and Signal for better privacy options. Apart from the obvious privacy issue, another aspect of trouble for WhatsApp was that it was complying with EU data protection rules, but not with Indian laws.

To set the context, India has not yet enacted any specific law on data protection. However, the Indian legislature amended the Information Technology Act (2000) to include Section 43A and Section 72A, which authorizes compensation for improper disclosure of personal sensitive data. Currently, India is working on the Data Protection Bill and the appointed committee has sought more time to prepare a report on the Data Protection Bill in the ongoing winter session.