Rematerialising the Caveat Emptor doctrine: Tackling WhatsApp’s privacy policy

In January 2021, WhatsApp rolled out a new Privacy Policy and Terms of Service. While it is undeniable that WhatsApp has broadened the use of its users’ personal information, the legal challenges do not seem well founded. This article attempts to supplant hysteria with an objective analysis of current data protection regulations. Rather than vilify a company for following the letter of the law, India should focus on why there isn’t a better one.

Where does the law stand?

As compared to the Personal Data Protection Bill, 2019 (“PDP Bill”), the law as it stands is much less demanding of companies in the business of collecting and using their users’ data. Under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), the only data collected by WhatsApp that may be classified as sensitive personal data (“SPD”) is that relating to “financial information such as Bank account or credit card or debit card or other payment instrument details”. Account information, contact list details, usage and log information, and network connection and other location-based information are classified as ‘personal information’ rather than SPD, and do not warrant the application of provisions detailed below.

Please click here to read the full article by Probir Roy Chowdhury published in ET Telecom.