WhatsApp privacy policy violates IT Rules, restrain its implementation, Centre tells HC


The Centre on Friday informed Delhi High Court that the brand new privacy policy introduced by WhatsApp in January violates the 2011 IT Rules on 5 counts, and urged it to restrain the messaging app from implementing it pending adjudication of the case by the courtroom.

WhatsApp put the policy on maintain after widespread criticism, however plans to implement it from May.

In its written response to a petition difficult the privacy policy, the Ministry of Electronics & Information Technology informed the courtroom that the policy fails to specify which forms of delicate private knowledge was being collected, notify the main points of non-public info collected to the consumer, present an choice to overview or amend info and withdraw consent retrospectively, and assure additional non-disclosure by third events together with different Facebook firms.

WhatsApp has used “extremely general terms” to checklist the sorts of knowledge collected, with no distinction between private knowledge or delicate private knowledge being collected, the federal government stated.

The policy mentions the involvement of third-party service suppliers who might have entry to the info, however doesn’t present the names and related particulars of these service suppliers, it stated.

“This is also the case for other Facebook companies, who are allowed to review and share information about the user from and with WhatsApp,” the Ministry stated.

The policy is totally silent on correction or modification of the knowledge, the federal government stated – for it to be compliant with the foundations, it “must allow users to exercise this option for all kinds of data collected” that are talked about within the policy.

While WhatsApp complies with the requirement of giving a consumer the selection of not offering their knowledge, there’s a “clear failure” in complying with the requirement of deletion of knowledge if the consumer withdraws the consent for assortment of knowledge given earlier.

“WhatsApp has only provided the user with “Deleting Your WhatsApp Account” choice in its privacy policy. If a consumer workout routines this selection, the policy clearly mentions that “your undelivered messages are deletedfrom our servers as well as any of other information we no longer need to operate and provide our Services”, the federal government stated, including that the “substantial corpus” of knowledge could also be retained even after the consumer deletes the account.

The authorities has identified that Rule 6(4) prohibits the disclosure of knowledge acquired by a 3rd get together from a physique company – WhatsApp on this case – and any policy that gives the scope for such additional disclosure is to be seen as non-compliant. When WhatsApp shares knowledge with a 3rd get together service, no additional disclosure is permitted. However, the privacy policy explicitly “abdicates” the duty.

“In the impugned policy, WhatsApp has stated that data and information will be freely shared with and received from other Facebook companies. Since the contract of the user is only with WhatsApp, all other Facebook companies are ‘third parties’ within the meaning of Rule 6(4), and any inter-sharing of data obtained from WhatsApp by these companies will amount to a violation of the restriction on further disclosure,” the federal government stated in its reply.

The PIL pending earlier than the courtroom has sought the framing of pointers to guard the privacy and knowledge of customers from being collected by numerous social media websites and messaging apps. The petition, filed by Noida resident Dr Seema Singh together with Delhi residents Meghan and Vikram Singh, has argued that the fissures in regulation with regard to the info are “quite conspicuous”, and a framework to manage the identical is the necessity of the hour.

In its reply, the federal government additionally stated that the Centre has launched the Personal Data Protection Bill, 2019 in Lok Sabha, which, upon turning into regulation, will present a strong regime on knowledge safety “which will limit the ability of the entities such as WhatsApp issuing privacy policies which do not align with appropriate standards of security and data protection”.

“Pending the passage of this Bill, the Information Technology Act, 2000 and the Rules made thereunder forms the extant regime on data protection, any privacy policy issued by a ‘body corporate’ such as WhatsApp must comply with the requirements specified in the Act and the accompanying Rules,” it stated.

The listening to within the case was adjourned to April 20 on Friday. The authorities had earlier sought a clarification from WhatsApp concerning the privacy policy.


Please enter your comment!
Please enter your name here