WhatsApp privacy policy violates IT Rules, restrain its implementation, Centre tells HC
[ad_1]
Read More/Less
The Centre on Friday told the Delhi High Court that the new privacy policy announced by WhatsApp in January violates the 2011 IT Rules on five counts, and urged it to restrain the messaging app from implementing it pending adjudication of the case by the court.
WhatsApp put the policy on hold after widespread criticism, but plans to implement it from May.
In its written response to a petition challenging the privacy policy, the Ministry of Electronics & Information Technology told the court that the policy fails to specify which types of sensitive personal data was being collected, notify the details of personal information collected to the user, provide an option to review or amend information and withdraw consent retrospectively, and guarantee further non-disclosure by third parties including other Facebook companies.
WhatsApp has used “extremely general terms” to list the kinds of data collected, with no distinction between personal data or sensitive personal data being collected, the government said.
The policy mentions the involvement of third-party service providers who may have access to the data, but does not provide the names and associated details of those service providers, it said.
“This is also the case for other Facebook companies, who are allowed to review and share information about the user from and with WhatsApp,” the Ministry said.
The policy is completely silent on correction or amendment of the information, the government said – for it to be compliant with the rules, it “must allow users to exercise this option for all kinds of data collected” which are mentioned in the policy.
While WhatsApp complies with the requirement of giving a user the choice of not providing their data, there is a “clear failure” in complying with the requirement of deletion of data if the user withdraws the consent for collection of data given earlier.
“WhatsApp has only provided the user with “Deleting Your WhatsApp Account” option in its privacy policy. If a user exercises this option, the policy clearly mentions that “your undelivered messages are deleted from our servers as well as any of other information we no longer need to operate and provide our Services”, the government said, adding that the “substantial corpus” of data may be retained even after the user deletes the account.
The government has pointed out that Rule 6(4) prohibits the disclosure of data received by a third party from a body corporate – WhatsApp in this case – and any policy that provides the scope for such further disclosure is to be seen as non-compliant. When WhatsApp shares data with a third party service, no further disclosure is permitted. However, the privacy policy explicitly “abdicates” the obligation.
“In the impugned policy, WhatsApp has stated that data and information will be freely shared with and received from other Facebook companies. Since the contract of the user is only with WhatsApp, all other Facebook companies are ‘third parties’ within the meaning of Rule 6(4), and any inter-sharing of data obtained from WhatsApp by these companies will amount to a violation of the restriction on further disclosure,” the government said in its reply.
The PIL pending before the court has sought the framing of guidelines to protect the privacy and data of users from being collected by various social media sites and messaging apps. The petition, filed by Noida resident Dr Seema Singh along with Delhi residents Meghan and Vikram Singh, has argued that the fissures in law with regard to the data are “quite conspicuous”, and a framework to regulate the same is the need of the hour.
In its reply, the government also said that the Centre has introduced the Personal Data Protection Bill, 2019 in Lok Sabha, which, upon becoming law, will provide a robust regime on data protection “which will limit the ability of the entities such as WhatsApp issuing privacy policies which do not align with appropriate standards of security and data protection”.
“Pending the passage of this Bill, the Information Technology Act, 2000 and the Rules made thereunder forms the extant regime on data protection, any privacy policy issued by a ‘body corporate’ such as WhatsApp must comply with the requirements specified in the Act and the accompanying Rules,” it said.
The hearing in the case was adjourned to April 20 on Friday. The government had earlier sought a clarification from WhatsApp regarding the privacy policy.
[ad_2]