SUMMARY
The IT ministry said the privacy policy fails to specify the types of sensitive user data being collected and violates other sections of the IT Rules, 2011
The affidavit was filed in response to a case filed by advocate Chaitanya Rohilla in January
The affidavit comes after the Delhi HC dismissed a petition by Facebook and WhatsApp this week, seeking a stay on a CCI probe
India’s Ministry of Electronics and Information Technology (MeitY) on Friday (April 24) filed an affidavit in the Delhi High Court reiterating that WhatsApp’s privacy policy violated the Information Technology Rules (IT Rules), 2011 on five counts.
The affidavit, a copy of which has been seen and reviewed by Inc42, says that the privacy policy fails to specify the types of sensitive user data being collected, fails to notify users of such collection, does not let them review or amend the information, withdraw consent later, or provide a guarantee against non-disclosure to third parties.
The affidavit was filed in response to a case filed by advocate Chaitanya Rohilla in January, which alleged that the new policy, which is mandatory for the users to accept by May 15, 2021, jeopardises the national security of the country by sharing, transmitting and storing the users’ data in some other country. The petitioner alleged that WhatsApp is integrating people into Facebook so that Facebook, WhatsApp and Instagram (another subsidiary of Facebook) all become part of one package.
The MeitY urged WhatsApp to withdraw the proposed changes and highlighted that the new privacy policy demonstrated a ‘differential treatment’ to Indian users from their European counterparts. However, the authorities noted that WhatsApp did not accede to such requests and defended the new policies by claiming them to “enhance user experience”.
The affidavit comes after the Delhi High Court dismissed a petition by Facebook and WhatsApp on April 22 regarding the Competition Commission of India (CCI) probe into the new privacy policy and the alleged abuse of dominance by WhatsApp.
WhatsApp had argued on April 13 that the CCI probe was nothing but a “headline-grabbing endeavour”, while Facebook had said that it is not related to the privacy policy in any way since it is a separate company.
Both had petitioned the apex court to block the CCI probe as several cases relating to the privacy policy were already pending. However, Justice Navin Chawla dismissed the argument and said that the CCI cannot be bound by the outcome of those cases to commence its own investigation. “Maybe, it would have been prudent for the respondent no.1 (CCI) to have awaited the outcome of the petitions before the Supreme Court and before this Court, however, merely for its decision not to wait, the Impugned Order cannot be said to be without jurisdiction”
MeitY had earlier filed a counter-affidavit in March in the Supreme Court against WhatsApp to restrain it from rolling out its controversial privacy policy update after being directed by the court to explain its position. The government detailed various counts of violation of the IT Rules, 2011, by WhatsApp and claimed that the policy failed to specify the types of sensitive personal data (SPD) being collected and has used very generic terms to describe the kinds of data collected.
The messaging platform had announced changes to its privacy policy on January 4 this year. And since then, it has been under fire for abusing its market dominance as the latest changes to terms governing data sharing with Facebook over some chats and does not offer an opt-out option for users.
Under the new terms and conditions, WhatsApp would share transaction data, mobile device information, IP addresses, and other data on how users interact with businesses on WhatsApp and with Facebook group companies, including Instagram. WhatsApp however, has maintained that data sharing has been part of its policy since 2016 to provide safe and reliable services and enhance user experience.
After facing a massive backlash over the update, WhatsApp clarified that the update included new features and provided further transparency about how it collected and used data. It also extended its deadline for accepting the new policy to May 15, 2021, but despite the protests and the cases, has claimed that it will not revoke the policy.
