UPDATED: January 14, 2021 10:46 IST
WhatsApp’s policy of rolling out separate privacy and data sharing policies for Europe and India has raised fresh demands for a stringent data protection law in India from legal and privacy rights experts. While WhatsApp users in India will soon have no other option than sharing their data with Facebook and other group platforms, the messaging app has clarified that its policies on data-sharing remain unchanged for users in Europe. Niamh Sweeney, Director of Policy for WhatsApp, Europe said “there are no changes to WhatsApp’s data-sharing practices in Europe arising from this update. It remains the case that WhatsApp does not share European Region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or ads”.
“Residents of the EU have GDPR and therefore, have a higher level of data protection unlike citizens of India” concurs Prasanth Sugathan, Legal Director, Software Freedom Law Centre, India (SFLC). “There is currently a regulatory vacuum with respect to data privacy and protection legislation in India. The Data Protection legislation has been in limbo for a while now resulting in Indian citizens being vulnerable to misuse of their data” Sugathan tells India Today. However, there could be a possible historical explanation behind the difference in WhatsApp’s strategy in the two regions. “In 2017, Facebook was fined 110m by the European Commission for misleading it about 2014 takeover of WhatsApp. This was a result of an investigation by the European Commission wherein it discovered that Facebook staff was aware in 2014 that it was possible to link WhatsApp phone numbers with Facebook users’ identities” Sugathan explains.
There is also a sharp difference between GDPR and Indian laws in terms of provisions. “In GDPR, the punishment is to extent of fine of Euros 20 million or 4% of the annual global turnover of the company whereas, in India, compensation is claimed under Section 43A of IT Act,2000 on a complaint lodged with the adjudicating authority, where user has to prove that their data has been collected without due permission and misused”. In India, users often end up failing to obtain suitable legal redressal of their rights.
Privacy advocacy groups and legal expertss have been raising the voice for a better mechanism. “To begin with, we definitely need stringent data protection legislation in place in order to be able to regulate technology companies” says Sugathan. Government of India introduced the Personal Data Protection Bill 2019 (PDP Bill) in December 2019, which has been pending with the Joint Parliamentary Committee (JPC). The new act has stringent mechanisms, including Data Protection Authority which will be responsible for enforcement of the data protection requirements. It also has the provision for punishment of up to 15 crore Rs. “It will act as deterrent law to safeguard citizen’s data and privacy and institutionalize mechanisms to lead to better enforcement of laws” Seth opines. Connoisseurs also believe that the businesses collecting the data should have the onus to prove that the collected data was used in the fairest way possible and is not transferred without explicit user consent.