The Right to Privacy is guaranteed under Article 21 of the Constitution of India, which is regarded as the supreme law of the land. The right to “informational privacy” has also been recognized and established in law by the Supreme Court. Yet the application and interpretation of this Fundamental Right continue to be a subject of heated debate. The new WhatsApp case is a testimony to these continuing disputes.
The lacuna of proper data protection laws in India persists despite the newly amended IT rules, and the Personal Data Protection Bill 2019 poses the main problem in the current issue. In January 2021, WhatsApp introduced a new updated privacy policy that faced much heat in India. The issue centred on the protection of personal data and the right to privacy provided by the Indian Constitution, which was claimed to have been exploited by WhatsApp under the New Privacy Policy, but WhatsApp refused to withdraw the policy in India. WhatsApp has clearly specified that the newly updated rules will not be applicable in the EU due to protective laws but will be strictly followed by users from all other parts of the world. This clearly shows that the best method for protecting citizens’ privacy is through appropriate and relevant laws, like Europe’s GDPR.
Current Data Privacy Law and Its Issues
It is important to highlight that GDPR was enacted to provide citizens with absolute data privacy rather than partial data protection that is subject to government surveillance. The KS Puttaswamy decision is considered significant since it was the first time the Supreme Court recognized that protecting data from the government is also an important element of privacy.
The new IT Rules, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, issued by the Indian Government, serve as ‘a surveillance under the garb of protection and national security while being sensitive to Data Privacy and Personal Privacy’. Contradicting factors clubbed together in a single set of rules could never ensure the privacy of a person. The new rules require messaging intermediaries/providers to track the source of certain messages and to keep a backup of chats for six months, which should be provided to the government when demanded for protection and security.
Under the New Rules, social media intermediaries with more than 5 million users would be required to enable the identification of the original author of problematic content that may harm the country’s interests. Under this rule, the prospect of the first originator being located outside the territory of India is also included. Storing chats for ascertaining the originator will require the intermediaries to store data for a longer period and also go through several messages to ascertain the context and location of a single message. This is against the right to privacy and breaks the cardinal rule of end-to-end encryption offered by WhatsApp to its user base.
WhatsApp’s Case
WhatsApp, which is owned by Facebook, has previously stated that it will not breach encryption because it jeopardizes its customers’ privacy. With over 400 million users, India is WhatsApp’s largest market.
The company has argued that ‘Traceability necessitates messaging providers storing information that can be used to determine the content of people’s messages, hence jeopardizing the end-to-end encryption guarantees.’ Technology protection and control over intermediaries may only be exercised after a thorough examination of the technology at work in the application or website in question. Services would have to trace every message to trace even one single message. Additionally, the term “traceability” in itself infringes on the privacy of users by requiring private messaging services such as WhatsApp to keep track of who said what and who shared what in the billions of messages received every day.
The updated 2021 policy of WhatsApp has already faced a lot of anger and wrath from its users for its inherent need to share data with the parent company irrespective of the consent of its users. This is already in dispute, and the Apex Court, as well as the CCI, are looking into the matter. The concerns raised were that there would be an excessive amount of data collection and that this data will be used and shared across the numerous companies that Facebook employs. WhatsApp and Facebook are two of them, yet they both want to capture a lot of your data; users have to make a choice, prioritizing convenience over privacy.
Then why is the Government seeking to increase data collection at the end of these intermediaries when the very job of data collection and sharing is an absolute breach of privacy? Does sharing the data with the Government make it less of a breach and more of protection?
Recommendations
It is clear that the new IT Intermediary Guidelines and Digital Media Ethics Code Rules, 2021 have raised the obligations of an intermediary who previously had liability exemptions under section 79 of the IT Act. Failure to comply with the new rules would result in criminal liability under the IPC. The main source of concern for WhatsApp is Rule 4(2), which requires the identification of the first originator by judicial order or order by an appropriate agency. WhatsApp claims that this will be an invasion of privacy and will violate its end-to-end encryption policy. The lack of clear guidelines as to where such orders can be made is a matter of concern. Other social media platforms including Twitter, Facebook, and Instagram are yet to comply with the same.
For instance, identifying the information originator by locating the first originator is technologically inaccurate. Since people frequently copy and paste text from websites or social networking platforms into chats, it would also be impossible to comprehend the context in which it was first distributed. How are Intermediaries supposed to comply with such absurd guidelines?
Ideally, the government should focus on understanding the technology and drafting relevant laws to protect the privacy of its citizens. Asking the messaging services to break end-to-end encryption is giving them armor to protect themselves from any future breach of privacy disputes. Misinformation and false messaging should be guarded against by limiting the messaging service providers/intermediaries from sharing data or even accessing data at their end through clear, precise guidelines. The new rules also grant arbitrary power to the government and are nothing less than an unnecessary assailment of the right to privacy in the garb of protection. ‘Protection’ cannot come at the cost of privacy.