Two seemingly unrelated events that took place in the first week of the new year might have a critical, seminal impact on our lives if put together. One was messaging service WhatsApp asking users to agree to its privacy update, giving time till February 8 to agree to conditions that included sharing data with its parent company, Facebook, or stop using the messaging service. Though the rollout of the update was quiet, as a pop-up on the chat window, it did not go unnoticed. With one in every four Indians using the messaging service, it soon sparked off seething discontent and criticism.
The other was the BJP’s Lok Sabha member Meenakshi Lekhi announcing that the Joint Parliamentary Committee she was heading had finished its deliberations on the Personal Data Protection Bill (PDP Bill) and that it was ready to be tabled in the budget session of Parliament.
The common link between the two? The vexing issue of personal data and privacy.
While WhatsApp and its alternatives became the topic of debate from Twitter trends to family conversations (many, ironically, on WhatsApp itself), the PDP Bill barely got newsprint, despite India’s chequered past in protecting data privacy. The bill itself has been shifting form, reach and substance right through. As Lekhi hinted a week ago, the very name of the bill is to be changed, besides 89 other changes, one new clause and two new amendments.
But, is the indignant Indian WhatsApp user missing the forest for the trees?
The new terms of service integrate WhatsApp with Facebook, though the company claims only conversations with business accounts will be impacted. “Messages between loved ones and friends remain encrypted. That’s not changing,” reiterated WhatsApp’s global head Will Cathcart.
But not many are convinced. “Big Tech has always been clandestinely collecting personal data, but new WhatsApp rules show that they are now in loot mode,” said Virag Gupta, cyber security lawyer. “WhatsApp has the closest involvement with a person’s life, and naturally, the public is concerned over the new data sharing mechanism.”
Interestingly, all the metadata sharing (like phone number, contacts and group info) in the new update is already being done, at least since 2016. “There are no material differences between the current privacy policy update and the existing data collection and processing policies of WhatsApp other than the bid to integrate the Facebook family of apps,” said Kazim Rizvi, founder, The Dialogue, a tech policy think tank. “The major change is in relation to messaging that takes place with a business that uses the WhatsApp API (a separate Facebook offering for big businesses to handle large-scale customer interactions). User chat with a business account may be analysed, and if the business entity uses third party infra, they may be shared with such third party service providers. In these cases, the end-to-end encryption label will not be shown on the chat.”
Deeper integration of Facebook, WhatsApp and Instagram serves many purposes. More data means better profiling—all the better for its core targeted advertisement-revenue model. But it gains added significance considering Mark Zuckerberg’s planned foray into e-commerce and the mainstream launch of WhatsApp Pay digital payment gateway. The Facebook founder shelled out 040,000 crore for a slice of the Reliance Jio pie last year. Getting policy permissions from customers also preempts any future government regulation, ranging from antitrust cases in the US to the PDP Bill in India.
WhatsApp apart, Indian privacy interests could be better served by an equal, or more, vigil on the PDP Bill. An outcome of the Supreme Court’s epochal ‘Right to Privacy’ judgment, this bill has seen a great game of invisible powers at play, throwing hurdles at every step. Though supposed to be based on the recommendations of the Sri Krishna Committee, the bill that was tabled in Parliament in the winter of 2019 had major deviations. So much so that fears of data guzzling Big Tech pale in comparison with the free hand the government machinery gets in the draft bill. An uproar in Parliament saw the bill going to Lekhi’s JPC, curiously bypassing Parliament’s Standing Committee on IT, headed by the Congress’s Lok Sabha member Shashi Tharoor.
The final provisions of this bill that are passed as law could well define the future course of privacy in India. “This bill will govern the collection, processing, storage, usage and protection of the personal data of all Indian residents,” said Vaibhav Lall, founder of Khojdeal and a digital marketing expert.
In fact, the delay has cost Indians dear. For instance, WhatsApp’s new privacy update is not applicable to users in Europe, as the EU has a strict data protection rule prohibiting such kinds of data sharing. If the bill had been passed into law, the Data Protection Authority, to be set up as per its provisions, would have had jurisdiction over the WhatsApp rules and could have decided whether it is legally permissible.
After Aadhaar and Aarogya Setu, the data protection bill could well be the next battleground for privacy in India. “We hope it will bring in strong checks and balances for data fiduciaries to collect and process user data,” said Rizvi. “There is a constant tug of war between national security and privacy.” Big Brother could well be a scarier prospect than Big Tech, for all you know.