WhatsApp’s separate privacy policies for Europe and India raise concerns
While WhatsApp users in India will soon have no other option than sharing their data with Facebook and other group platforms, the messaging app has clarified that its policies on data-sharing remain unchanged for users in Europe.
HIGHLIGHTS
- WhatsApp rolling out separate privacy and data sharing policies for Europe and India has raised fresh demands for a stringent data protection law.
- WhatsApp has clarified that its policies on data-sharing remain unchanged for users in Europe.
- WhatsApp does not share European Region user data with Facebook for the purpose of the latter using this data to improve its products or ads.

WhatsApp’s policy of rolling out separate privacy and data sharing policies for Europe and India has raised fresh demands for a stringent data protection law in India from legal and privacy rights experts. While WhatsApp users in India will soon have no other option than sharing their data with Facebook and other group platforms, the messaging app has clarified that its policies on data-sharing remain unchanged for users in Europe. Niamh Sweeney, Director of Policy for WhatsApp, Europe, said “there are no changes to WhatsApp's data-sharing practices in Europe arising from this update. It remains the case that WhatsApp does not share European Region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or ads”.
The same was also updated on WhatsApp Europe’s FAQ webpage. The WhatsApp official further said that its terms of service and privacy policy update did not require users in the European Region to agree to the sharing of data with Facebook in order to continue using the service. So, what forces WhatsApp to give a concession to European citizens, and what allows it to get away with a more stringent policy in India?
“The General Data Protection Regulation (GDPR) in Europe is a stringent and robust law protecting privacy and data of its people, unlike India where Personal Data Protection bill is yet to be enacted into a law,” Dr. Karnika Seth, Cyber law expert and Founding Partner at Seth Associates, tells India Today. GDPR is a well-defined law with provisions for hefty penalties, and it puts an obligation on businesses and service providers to collect only the essential information that is absolutely necessary to provide services, whereas in India current laws lack clarity and an enforcement mechanism. “Section 43A of the IT Act, 2000 puts an obligation on businesses to adopt reasonable security practices to protect user’s personal data and adopt clear privacy policy in this regard,” says Seth. This includes what information is collected, how it is being collected and for which lawful purpose; it also requires the express consent of a user for any transfer, and a declaration of who the intended recipients of the information are and how it will be used. “However, enforcement is a challenge, user often cannot discharge burden of proving their data has been collected illegally or for unlawful purpose, or based on ambiguous terms and cannot prove such data's misuse to claim compensation,” explains Seth.
“Residents of the EU have GDPR and therefore, have a higher level of data protection unlike citizens of India” concurs Prasanth Sugathan, Legal Director, Software Freedom Law Centre, India (SFLC). “There is currently a regulatory vacuum with respect to data privacy and protection legislation in India. The Data Protection legislation has been in limbo for a while now resulting in Indian citizens being vulnerable to misuse of their data” Sugathan tells India Today. However, there could be a possible historical explanation behind the difference in WhatsApp’s strategy in the two regions. “In 2017, Facebook was fined 110m by the European Commission for misleading it about 2014 takeover of WhatsApp. This was a result of an investigation by the European Commission wherein it discovered that Facebook staff was aware in 2014 that it was possible to link WhatsApp phone numbers with Facebook users’ identities” Sugathan explains.
There is also a sharp difference between GDPR and Indian laws in terms of provisions. “In GDPR, the punishment is to extent of fine of Euros 20 million or 4% of the annual global turnover of the company whereas, in India, compensation is claimed under Section 43A of IT Act, 2000 on a complaint lodged with the adjudicating authority, where user has to prove that their data has been collected without due permission and misused”. In India, users often end up failing to obtain suitable legal redressal of their rights.
Privacy advocacy groups and legal experts have been raising their voices for a better mechanism. “To begin with, we definitely need stringent data protection legislation in place in order to be able to regulate technology companies,” says Sugathan. The Government of India introduced the Personal Data Protection Bill 2019 (PDP Bill) in December 2019, which has been pending with the Joint Parliamentary Committee (JPC). The new act has stringent mechanisms, including a Data Protection Authority which will be responsible for enforcement of the data protection requirements. It also has a provision for punishment of up to Rs 15 crore. “It will act as deterrent law to safeguard citizen's data and privacy and institutionalize mechanisms to lead to better enforcement of laws,” Seth opines. Experts also believe that the onus should be on businesses collecting the data to prove that the collected data was used in the fairest way possible and was not transferred without explicit user consent.