Cyber Law | Research Article

WhatsApp’s Updated Privacy Policies and India’s Data Protection Laws

Author: Susan Joshy, a second year BLS LL.B. student at the University of Mumbai. 


The world today is a global village, connected and networked by the string called “the internet”. In this world, our activities, be it learning, working, shopping, networking or communicating, are directly or indirectly connected with the internet. Data becomes the kernel of this virtual sphere, and its protection is of prime importance to the user. With the increasing digitalisation of the economy, data protection becomes even more imperative. What happens when this data privacy is breached and data is sold or misused by an app used by billions across the globe? The recent update of WhatsApp’s privacy policy has drawn contempt from users all around the world. This paper aims to study WhatsApp’s new set of privacy policies minutely: how the user’s data could be used or misused and how this tends to affect the user’s privacy. It also scrutinizes the terms and updates set out differently for Europe in comparison to the rest of the world, and the reason behind this distinction. Further, this piece looks into data protection legislation, through the Indian and global lens, and its perspective on a person’s virtual privacy. The main questions that this paper will try to answer are whether WhatsApp is really safe and how WhatsApp tends to impugn a user’s data. It further studies the alternatives to WhatsApp, suggestions and guidelines, and the need to protect one’s data.


A technological world: a world where not having our smartphones in one hand and our toothbrushes in the other, early in the morning, to anxiously and eagerly check on the news, gossip and fun conversations we missed during the 8-hour long nap we had, would leave us a little restless. That is how ingrained WhatsApp is in our daily lives. In the past few years WhatsApp has arguably become the most used, convenient and entertaining instrument of networking. WhatsApp has been a loyal digital medium connecting people of varying age groups all around the world. However, this image of WhatsApp was tarnished by the new policy. Users globally criticized the policies and even opted for alternative mediums of instant messaging. What caused the huge outcry were the raging rumours that “WhatsApp will now share all its data with its parent company, Facebook” and that “Facebook can now read all your chats and have access to everything you share on WhatsApp”. Although the former is true, it is just a fraction of the whole truth, and many baseless rumours stayed unclarified.


To delve into the reality of the policy, one needs to look into how WhatsApp works, how it generates revenue and how this connects to the updated policies. WhatsApp began its venture with the tagline “no ads, no games, no gimmicks” and even today, after 10 years of exhilarating popularity and growth in the mobile communication sector, stands proud of its non-deviating principles and services. It boasts of being the same ad-free, game-free, messaging-only platform it used to be in its initial days. So the question remains: how did it make ends meet, or how did it generate revenue? The makers of the app initially charged users a nominal subscription fee of $1, and additionally received funding from Sequoia Capital and a few friends. However, things took a turn when Facebook acquired WhatsApp for a sum of $19 billion. Facebook, an advertisement-based platform, having acquired an app that collects millions of users’ data, had plans curated to recoup or even out the expenses. FOW (Facebook owned WhatsApp) added a feature which let users build business profiles, thus letting them directly contact and serve their clients, and garnered revenue from business profiles. With each update, WhatsApp had the sole intention of improving itself, and thus in 2016 it introduced end-to-end encryption, which lets no third party, including WhatsApp, read the messages, media or anything else shared via WhatsApp. Despite messages being encrypted, there is an element of risk for users who may send their sensitive or personal data to a business profile without being aware of the number of employees designated to read and respond to them.

However, under the new privacy policy, WhatsApp has admitted that it would share the data collected from users, which includes information like the person’s name, contact number, status, contact list and profile pictures. These are data which a user voluntarily gives; WhatsApp would also take information that isn’t given by the user, like the phone model, IP address, server, network and so on. Not just that: WhatsApp also agrees that it would now share all the collected data not just with Facebook but with all Facebook companies, which include Instagram, Onavo, Beluga, etc. This would help Facebook and connected third-party apps to exploit and misuse a user’s data for commercial gains, by selling it to other businesses who commercialize their services according to the user’s needs. WhatsApp did the same all these years, but the difference is that users had an option to opt out of this data sharing feature; the new policy leaves no scope for disagreement. If users wish to continue using WhatsApp, they need to submit to the rules.

However, there is one thing which most users overlooked: WhatsApp clarified that the recently updated privacy policies would not apply to European users. WhatsApp users in Europe still have the choice to opt out of WhatsApp’s data sharing feature.


The most pertinent question is what makes WhatsApp draw a distinction between the European region and the rest of the world. The answer lies in the stringent data protection legislation of the European region. The foremost thing to note is that the European Commission bestows on its citizens privacy and the protection of privacy as a fundamental right. The General Data Protection Regulation (GDPR) is a well-defined law introduced in 2016 and implemented in 2018, applicable to all European Union countries and framed with the object that no business or organization intrudes on a citizen’s privacy. The GDPR obliges all companies functioning in the EU to process data only through lawful and fair means and only after due consent, and even after processing it requires businesses and sites to maintain transparency about the data’s usage. It holds the data collector accountable and expects its policies to be compliant with the GDPR. The GDPR provides for hefty penalties which may amount to 20 million euros. It obliges businesses and service providers to collect only the essential information which is absolutely necessary to provide services. The GDPR also makes it compulsory to limit access to personal data to only those employees in the business’s organization who need it. Thus WhatsApp, being aware of its policies’ non-compliance with the GDPR, permits European users to continue usage without agreeing to the new features.


The Indian Constitution didn’t initially recognize privacy as a fundamental right. However, in 2017, the Supreme Court delivered the historic judgment in K.S. Puttaswamy vs the Union of India that the right to privacy is a fundamental right protected by the Constitution, which stems from the right to life and liberty under the 21st article and from the freedom of speech and expression under the 19th article. The judgment also declared informational privacy to be a subset of the right to privacy. But even after 2 decades of rapid technological growth, the Indian legislature has failed to frame a data protection regulation. There are just a few defined legislations which look into a person’s data protection. The IT Act 2000 and a part of the Indian Contract Act 1872 are the only legislations that are relevant to data protection. Section 43A of the (Indian) Information Technology Act, 2000 states that if a corporate body which is possessing, dealing with or handling any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, then such corporate body may be held liable to pay damages to the affected person. Under Section 72A of the same act, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract, has also been made punishable. But again, these laws are almost unassailable to big platforms like WhatsApp and Facebook. So clearly the lack of a properly defined data protection legislation in the country leaves users at risk of data exploitation.

Importance of data protection

As mentioned above, India is in a phase of evolving into a digitally versed country. With initiatives like Digital India, every activity is deeply influenced by technology. With technology influencing every facet of life around us, and the quantum of personal information being shared online or offline, it has become essential to guard personal data. Attention to data protection has increased more than ever since the onset of the Chinese app bans. The government of India put a ban on 118 Chinese apps under section 69A of the IT Act 2000, which permits the government to restrict any website, app or information site if it tends to threaten the sovereignty, integrity and public order of the nation. A comprehensive legislation providing data security becomes the need of the hour. With the increase in user-generated data and the exponential industrial value of data, it’s becoming vital for government bodies to take necessary steps to protect the data rights of their citizens. However, there are no rules that govern companies and industries who collect and store data, and no provisions for consumers to complain against a breach of data.

Personal data protection bill 2019

However, an attempt has been made to introduce data protection legislation to the country. The data protection bill, which claims to protect the rights of Indian citizens, was introduced in the Lok Sabha in December 2019 by the information and electronics minister Ravi Shankar Prasad. This bill segregates data into three parts: personal data, which includes a person’s name, traits and characteristics through which people identify themselves; personal sensitive data, which includes a person’s biometric data, caste, tribe, sexual orientation, political affiliations, etc.; and lastly critical personal data, which would include anything that the central government considers critical. The bill further provides for processing of data only after having acquired the data principal’s consent. The bill also provides for rights that can be exercised by a data principal, such as the right to seek information regarding the manner or processing activities undertaken by the data fiduciary with respect to the personal data. The bill also gives the data principal an opportunity to correct and erase any personal data. The bill also provides for the establishment of a data protection authority, a body that would protect the interest of data principals, prevent misuse of personal data, ensure compliance and promote awareness regarding data protection. However, one section goes unnoticed and could prove to be lethal: the bill allows the central government to permit any government agency to process the data principal’s data without their consent, if it proves to be necessary for the sovereignty, integrity, security and public order of the country. This provision is left poorly defined and thus leaves a broad scope for misuse and breach of data, which ironically violates the very purpose of this bill. Though this might shield data principals from businesses and sites, they ultimately fall prey to the government’s unconsented authority.


All the provisions discussed are currently inadequate and thus fail to actually secure a user’s digital/informational privacy from big platforms and the government itself. This leaves Indian users unshielded from policies like that of WhatsApp. This event especially calls for a rigid and ruled data protection law, which unfortunately hasn’t even taken form in India. If asked whether WhatsApp’s new policy is safe or not, we could say that as long as there isn’t any shield from the government, it is unsafe. A piece of data of minute and unrecognized importance to the data principal could be of great value to businesses. We usually tend to overlook the importance of data privacy; even when WhatsApp published its new policies, I could be certain that most of us blithely headed to hit the agree button without even having a glance at it, and most realized the problem only after it received a backlash. That is where the problem begins: citizens must first take a vehement interest in matters regarding their digital safety and privacy. As per a report published by Digital Empowerment Foundation in 2018, nearly 90% of Indian citizens are digitally illiterate. This could change only with awareness. They must be made aware of this virtual web and its importance in our daily lives, through schemes, workshops, rallies or any effective medium. But as of now, WhatsApp has given its users a period of 8 months to think about and accept its policies. WhatsApp has made ardent efforts to convey that it is still reliable and that users shouldn’t switch to other apps. But given the above explanation, what one could do is switch to alternative messaging options. Telegram, WeChat or Signal could conveniently be opted for.


1. Aashish Pahwa, How Does WhatsApp Make Money? WhatsApp’s Revenue Model, May 18, 2020, Feedough.
2. GDPR.EU, What is GDPR, the EU’s new data protection law?
3. Vijay Pal Dalmia, India: Data Protection Laws In India – Everything You Must Know, 13th Dec 2017, MONDAQ.
4. Poornima Advani, China app ban is not enough: Protecting the data of Indian citizens needs a modern data privacy law, 17th October 2020, TOI.
5. THE PERSONAL DATA PROTECTION BILL, Section 11, Bill No. 373 of 2019, 2019.
6. THE PERSONAL DATA PROTECTION BILL, Section 17, Bill No. 373 of 2019, 2019.
7. THE PERSONAL DATA PROTECTION BILL, Section 41, Bill No. 373 of 2019, 2019.
8. THE PERSONAL DATA PROTECTION BILL, Section 35, Bill No. 373 of 2019, 2019.
9. Sumeyesh Srivastava, International Literacy Day: Bridging India’s Digital Divide, 8th September 2020, BLOOMBERG QUINT.
