The government can, and must, stand for privacy

The clarion call for protection can provide succour not only against WhatsApp and its discriminatory data-sharing policy, but also against all digital platforms
It’s a good thing that WhatsApp created more than a ripple with its proposed privacy policy change, now deferred till May. It indeed is a good thing, as it finally lit a fire under dormant privacy concerns – with users, government, even courts.

This clarion call will likely provide succour not only against WhatsApp and its discriminatory data-sharing policy but also against all digital platforms, including social media and e-commerce sites. It will also hopefully result in further review of profiling provisions under India’s proposed Personal Data Protection (PDP) legislation to ensure actual protection against the same for users.

The reaction to what WhatsApp believed it could do with impunity is probably going to be the best thing to happen to Indians, who have patiently waited for the PDP legislation, which is technically two decades late and certainly languishing for the last three years. With a PDP Bill draft doing multiple rounds since 2018, there is also misapprehension in the minds of users that India lacks legal frameworks for data protection. This misconception appears to have permeated many debates, emphasising the need for urgent parliamentary action.

Two aspects of WhatsApp’s actions negate its claims — its ultimatum to users, including individual users, to allow sharing of data with Facebook or exit the app and that it is doing so in a discriminatory fashion. The same WhatsApp gives actual choice to users in the EU to either allow or deny such permission without the demand for exit. This is clearly warranted due to GDPR’s stringent provisions. We do, therefore, need the PDP Bill to become law and quickly to combat such ultimatums that reduce the construct of “consent” to a mere joke.

Framing rules under the IT Act is permitted under the IT Act provisions. The government, using this delegated rule-making power, formulated the IT rules for protecting sensitive personal data. These rules can be expeditiously tweaked to include protections similar to those under GDPR to protect against violation of the “consent framework”. The rules could also be expanded to assure transparency to categorically address personal/sensitive personal data collection purpose, use, retention and sharing.

The Intermediary Rules framed under Section 79 of the IT Act have been awaiting a change since 2018 also. This is another process through which effective protections can be extended to users of social media, chat apps and e-commerce platforms.

Whatever be the path that the government chooses, it will be most effective only if strict adherence is mandated under the rules to consent frameworks, which cannot be predicated on ultimatums. The government also ought to call for transparency and accountability in data use and sharing, for without these, platforms resort to mere platitudes.