The Issue of WhatsApp Privacy Update

WhatsApp updated its terms of service and privacy policy in the first week of January and gave the users time till 8 February to accept the same in to continue using the messaging platform and gave the option of deleting the account in case the user does not want to accept new terms. The new updates impact user interactions with business accounts, inform users of the way businesses use Facebook hosted services to store and manage their WhatsApp chats, and also explain the way WhatsApp partners with Facebook to offer integrations across the Facebook Company. But due to privacy issues, many users switched to other messaging apps namely Signal and Telegram. It was also reported that several Indian and Multinational companies issued advisories to their staff asking them to refrain from sharing sensitive company information and making critical business calls on WhatsApp.Due to the exodus of its users from its messaging services, WhatsApp postponed the date for its users to accept new policy terms to May 15.

Why WhatsApp faced backlash?

When WhatsApp was launched in 2009, it had made commitments that it will not sell user data to any third party but this changed after Facebook acquired it in 2014and it started sharing data with its parent company in 2017. But users were given a choice to not opt for this in 2017. Now, this has changed into a ‘take it or leave it’ policy which means eradicating the choice of users to share their data with Facebook and other apps. It is also a breach of the expectations of users with which they signed up for WhatsApp. Just a few days after the announcement by WhatsApp of its new privacy policy, Signal emerged as the leading app on “app-stores” in India. Users were unhappy with the ‘accept or leave’ conditions that WhatsApp added in the terms and conditions. Numerous media reports highlighting the addition of new provisions, broad language in the privacy policy, a lot of misinformationabout the app conveyed that it shares private messages, hears user calls, maintains a log of who one is messaging or calling, shares location data, contacts and group data with Facebook. Also, users jumping to conclusions and then participating in scaremongering on social media led to backlash faced by WhatsApp. Trust deficit against Facebook due to years of bad faith privacy pledges from it and complex terms of service, unable of being comprehended by a common user made users sceptical of WhatsApp and made them shift to alternate messaging apps.

What are the changes proposed in Privacy Update?

The data being shared between WhatsApp and Facebook is primarily metadatato offer integrations across the social media giant’s products. Metadata is not messages, calls, it is different. For instance, it collects mobile device information like the operating system(Android, iOS others), phone model, screen resolution, IP addresses, language, coarse location (which means they can track the city you are in but not your actual location). WhatsApp can’t read user’s messages as they are end-to-end encrypted and also it doesn’t keep logs of who a person messages or calls. Neither can WhatsApp see the shared location nor can it share users’ contacts with Facebook.
But the privacy policy does come with some important updates for chats with business accounts and in select cases, data may be shared with Facebook. The reasoning given by WhatsApp for these differential rules is that messaging a business is not the same as one-on-one chat with one’s friends and family as a business may use a third-party service to manage and host chats.This is how your chat with a business account looks like:

This is what the privacy policy says about interaction with businesses on WhatsApp:

Businesses you interact with using our Services may provide us with information about their interactions with you. We require each of these businesses to act in accordance with applicable law when providing any information to us.
When you message with a business on WhatsApp, keep in mind that the content you share may be visible to several people in that business. In addition, some businesses might be working with third-party service providers (which may include Facebook) to help manage their communications with their customers. For example, a business may give such third-party service providers access to its communications to send, store, read, manage, or otherwise process them for the business. To understand how a business processes your information, including how it might share your information with third parties or Facebook, you should review that business’ privacy policy or contact the business directly.

So, the major changes brought by this privacy update are:

✓ Some businesses might use “hosting services” from Facebook that are used to manage chats with customers, answer their questions, send helpful information. WhatsApp can see and store these chats with the business account and also share them with Facebook.
✓WhatsApp can also use this collected information for its marketing purposes, which might include advertising on Facebook. This simply means that you might talk to a business about purchasing something from themand later you see an ad for the same on Facebook. WhatsApp has assured that it will clearly label conversations with businesses that choose Facebook’s hosting services.
✓WhatsApp also has features like Shops, where businesses can display their goods right within the app and WhatsApp can use user’s shopping activity to personalize his/her shops experience and ads on Facebook and Instagram.
✓ Users may also see an ad on Facebook with a button to message the business using WhatsApp. And if users interact with these ads then Facebook may use this information to personalize the ads that users see on the social network.
Hence, for a user,the most likely effect via the new policy update will be more targeted ads across Facebook-owned platforms such as Messenger, Instagram, and Facebook. Moreover, if a user doesn’t want to talk to any business account on WhatsApp, he/she has the option of blocking it straight on the app. Also, when one is ordering products from websites, some might ask for updates on WhatsApp which can be denied by the user. WhatsApp also offers the feature of “disappearing messages” or downloading one’s data which can ensure extra privacy to users.

Why WhatsApp brought these changes in its privacy policy?

Facebook is a for-profit enterprise that tries to provide more value to its consumers, partners, and shareholders. CEO of Facebook, Mark Zuckerberg has often spoken about his vision of making the three platforms namely Facebook Messenger, Instagram, and WhatsApp interoperable and the new privacy update is a step towards that only. WhatsApp brought these changes to help operate and improve its offerings. Almost all of the $21.5 billion revenue that Facebook generated in the third quarter of 2020 came from adsand there are no ads in WhatsApp. The company wants to serve more targeted ads to people on Facebook and Instagram and this can be done by knowing their usage habits on WhatsApp. It also wants to let businesses take payments in WhatsApp for items thatwere clicked on in Instagram or Facebook ads.The new privacy policy mainly benefits businesses as companies will be able to use new tools to communicate withand sell tocustomers on Facebook’s platform.This integration of three large consumption products is a means to monetize their everyday use by consumers and because Facebook’s revenue model uses data on its platform to allow advertisers to target ads towards users, the algorithms would benefit from the WhatsApp data as well.

International Scenario

European Union (EU) has a different privacy policy than the rest of the world which gives users there more control over their data. This difference is because of EU’s strict General Data Protection Regulation (GDPR) that ensures that users have full right over their data, its processing and can even demand erasure of their data. Under EU’s strict privacy laws, European data protection authorities are empowered to fine companiesas much as 4% of their global revenue if they breach the rules. The EU is also investigating Facebook over claims that it trampled competition with the help of the vast troves of user data. The company has resisted EU’s demands for several documents and filed a lawsuit against this last year as well.
Even in 2017, EU authorities fined Facebook 110 million euros ($133 million) for misleading regulators during a 2014 review of its takeover of WhatsApp.
WhatsApp’s EU policy gives users there the right to access, rectify, port, and erase their information as well as the right to restrict and object to the processing of their information. WhatsApp shares user’s data with Facebook even in EU nations but users there get a special settingthat is not available anywhere else, called “Managing and Retaining Your Information” which allows them to rectify, update or erase information controlled by WhatsApp. Because of GDPR users in EU can even withdraw their consent to WhatsApp for processing their data.
Federal Trade Commission (FTC) of US has also filed a lawsuit against Facebook for its anti-trust and anti-competitive policies. It has also raised questions on Facebook’s acquisition of WhatsApp and Instagram which made Facebook to dominate social media in the last five years. FTC wants Facebook to sell off both WhatsApp and Instagram in case it wins the cases.
Recently, Turkish President Recep Tayyip Erdogan’s media office and his country’s defence ministry talked about dropping WhatsApp. Billionaire Elon Musk also endorsed WhatsApp’s rival app Signal to his Twitter followers.

Provisions in India and Data Protection Bill

Right to Privacy was held to be a fundamental right in the landmark Justice K.S.Puttaswamy(Retd) v. Union of India, judgment but still there is very limited protection available to Indian users under the Information Technology Act as it remains ordinarily unenforceable, also it does not provide any credible remedy. India’s dearth of a data protection law means that there is no relief that a user can get in case of a breach or misuse of data. The metadata being collected by Facebook gives a 360-degree profile of a person’s online activity and this level of insight into user’s activities is done without any regulatory provisions in India. Moreover, without any data protection authority, the users are left with a company’s assurances and privacy policies.
In December 2019, the government introduced a Personal Data Protection Bill in Parliament. The Bill is currently being analysed by a Joint Parliamentary Committee. The billmandates setting up of an independent body named Data Protection Authority (DPA) to take up matters relating to privacy and to redress consumer grievances. Even the method of data classification into sensitive personal data and critical data has been defined and their processing possibilities mentioned in the bill.

The Bill obligates organizations to:

a) act transparently in its processing of data
b) implement appropriate security measures
c) promptly notify the authority about any data breaches and keep accurate
And gives users the right to:
a) determine what personal information is being processed in the organization’s possession
b) request correction of any inaccurate information
WhatsApp would not have been able to introduce this privacy update in India like in EU if India had a data protection law. As ‘Section 5’ of the Personal Data Protection Bill, introduced in the Parliament, proposes that companies can only use the information for purposes reasonably linked to the purpose for which information was given which signifies that if a user is giving data to WhatsApp for interacting with friends and family then that data can’t be used or shared with people to run their businesses. Hence, if this section was there in India, WhatsApp’s new privacy update would have been illegal and as in the case of EU, WhatsApp would have been obligated to make a differential policy for India.


WhatsApp’s new privacy update brings major changes in interaction with business accounts only and doesn’t affect personal chats. But it doesn’t mean that WhatsApp doesn’t share user’s data with Facebook and can be relied upon.WhatsApp’s end-to-end encryption clause remains intact but this only ensures that it can’t see user’s messagesor share them with anyone but it can share one’s metadatawhich is essentially everything beyond the actual text of the conversation with Facebook and other apps.
It is also a fact that Facebook does not have a stellar record of data protection of its users, as evident by the Cambridge Analytica data scam during the 2016 US elections. In order to ensure a safer digital space for Indian users, the tech giants needa more legal and regulatory watch. Hence, India should do no more delay and come up with a Data Protection lawto regulate the private sector’s ever-increasing appetite for personal data and also thwart the monopolization of certain companies. India’s data bill should emphasize on GDPR’s core principles of storage and purpose limitation and data use accountability. Tighter wording of the bill is essential to safeguard against abuse.


• Chatting with a business account on WhatsApp? Here’s what you need to keep in mind, WhatsApp Privacy Update and business account, The Indian Express, (January 13, 2021, 11:10:09 am),

• WhatsApp privacy policy update delayed: Everything that has happened so far, WhatsApp Privacy Policy, The Indian Express, (January 16, 2021, 12:50:18 pm),

• Privacy and surveillance: On WhatsApp user policy change, WhatsApp policy change, The Hindu, (January 22, 2021, 11:54 pm),

• After backlash, WhatsApp clarifies its new privacy policy, WhatsApp New Privacy Policy, The Economic Times,(January 14, 2021, 10:25 am),

• NandagopalRajan& Shruti Dhapola, How private is WhatsApp, what can FB see, and should you look at alternatives?,WhatsApp Privacy Policy, TheIndian Express, (January 22, 2021, 2:33:51 pm),

• Salman Waris, Personal Data Protection Bill-Status of The Legislation And Data Regulation Regime In India, Data Protection Bill India, mondaq(January 26,2021),

• Rohin Dubey, The Great Data Protection Debate: India’s new Data Protection Bill,Data Protection Bill India, BarandBench, (December29,2020,8.35am)

• Divya J Shekhar, Data Protection Bill: Can it ensure your privacy online?, Data Protection Bill, Forbes India, (January 19, 2021, 4:23:30 pm),

• Subimal Bhattacharjee, The WhatsApp Fix, Data Protection Bill and WhatsApp Privacy Update, The Indian Express, (January 23, 2021, 8:38:19 am),

Author :

Kritika Oberoi (Army Institute of Law Mohali)