Data localization is not the only approach towards protecting data privacy
Following an exodus of its users from its messaging service, WhatsApp, to apps such as Signal and Telegram, which promise more privacy options, the Facebook-owned service might have been forced to postpone the date for users to accept its new privacy policy terms to May 15. In just days after the earlier announcement by WhatsApp, Signal has emerged as the leading app on “app-stores” as Indian users signaled their discomfort with the former’s data sharing policies. WhatsApp, with 459 million users, had emerged as the leading communications application for most Indians. What has caused patrons discomfort is WhatsApp’s ability to seamlessly share user metadata and mobile information with its parent company and social media behemoth, Facebook. Facebook Inc., which also owns Instagram, has sought to integrate the offerings from WhatsApp, Instagram and Facebook, with the former acting also as a tool that secures payments for services and ads posted on the latter two applications, beyond its primary use as a messaging service.
This integration of three large consumption products is a means to monetize their everyday use by consumers and considering the fact that Facebook’s revenue model uses data on its platform to allow advertisers to target ads towards users, the algorithms would benefit from the WhatsApp data as well. Such data transfer from WhatsApp to Facebook is not possible in regions such as the EU, where data protection laws have stringent restrictions on storage and transfer of user data. This regionally differential treatment has attracted the attention of the Ministry of Electronics and IT, which has sent WhatsApp a series of queries, including on why Indian users would be sharing information with Facebook, unlike in Europe. The onus is also on the Indian government to quickly take up the legislation for robust data protection, that aligns with the recommendations of the Srikrishna Committee, which tried to address concerns about online data privacy in line with the 2018 Puttaswamy judgment. The draft Bill proposed by the government in 2019 diluted some of the provisos, for example, by limiting data localization in proposing that only sensitive personal data needed to be mirrored in the country, and not all personal data as mandated by the committee. But data localization as proposed by the committee may not necessarily lead to better data privacy, as it carries the possibility of domestic surveillance over Indian citizens. Privacy is better addressed by stronger contractual conditions on data sharing and better security tools being adopted by the applications that secure user data. The proposed Bill has some of these features, similar to Europe’s General Data Protection Regulation, but it also requires stronger checks on state surveillance before it is passed.