This principle requires that users know and fully understand a company’s information practices before consenting to them. It includes informing users if and when there is a change to the policy and notification in the event of a data breach.
- Choice and Consent
Wherever reasonably possible, users must have a choice regarding providing some or all of their personal information. The collection, use or disclosure of information must be pursuant to consent from users.
The policy contains nothing about the choices available to users to share their information with WhatsApp. Under the section ‘Managing Your Information’, it is stated that users can control how much of their information will be visible to others on the platform. However, it does not specify how users can effect these changes. Under Settings -> Account -> Privacy, users can customize their settings for ‘Last Seen’, profile picture and status updates. However, the choice is limited to sharing information with other users, and not with WhatsApp itself.
The policy does not mention the permissions required by the WhatsApp application to run on one’s device. These are extensive and include access to one’s camera, contacts, location, SMS and microphone amongst others.
- Collection Limitation
This principle states that only personal information which is necessary for the identified purpose should be collected. Collection must be lawful and fair.
Broadly, WhatsApp specifies three kinds of information collected by it. First, it collects information that is directly provided by users. This includes a user’s phone number, a profile picture as well as access to all contacts. Notably, WhatsApp not only collects the phone numbers of existing users, but also of those contacts who do not use the application. As per the policy, sharing such numbers amounts to an acknowledgement that a user has the authority to do so. This is legally dubious as it gives WhatsApp access to an individual’s personal information without their consent or knowledge.
Messages are ordinarily stored on a user’s device. Only if a message is undelivered is it stored on the company’s servers for a period of 30 days. The messages are end-to-end encrypted, meaning that no one (including WhatsApp) can read them. Recently, it was discovered that a technical vulnerability made it possible for WhatsApp to intercept some messages, if a device was offline. WhatsApp allows users to change their settings to receive notifications when another user’s security key changes and a chance to verify keys. However, the policy is silent about both – the existence of this vulnerability as well as the means to verify if such an interception has taken place.
Secondly, WhatsApp automatically collects certain information related to one’s activity on the platform including log files and information about one’s device. It also places cookies on the device to remember preferences.
Thirdly, WhatsApp collects information about users through several third parties. These can include other users. This allows WhatsApp to gather information about who we talk to, and what groups are common between users. Additionally, the company works with certain ‘third party providers’ to improve and market its services and collects personal information from them as well. This clause is vaguely drafted and there is no way to tell which information collection is legitimate and which is not.
The failure to identify any third party and limit avenues for collection of information raises concerns. There is also uncertainty with respect to how long information is stored. If a user deletes their WhatsApp account, the company deletes their undelivered messages ‘as well as any…other information we no longer need to operate and provide our Services’. The failure to specify what information is retained and for how long is problematic.
Pertinently, this deletion clause is also in contravention of the Delhi High Court’s judgment in the WhatsApp case, which held that for users who chose to delete their accounts (before the updated policy came into force), all information must be deleted.
- Purpose Limitation
Personal information must only be collected and used for specific and explicitly stated purposes. This principle prohibits the recycling of personal information for different purposes.
The policy states several uses for the information collected. WhatsApp uses user information to provide services such as customer support and to test new features. It is also verifies accounts and investigates suspicious activity. The policy is vague when it describes other uses for users’ personal information. WhatsApp ‘may’ use personal information for marketing its services and that of the Facebook family of companies (‘affiliated companies’), of which there are 11. It also uses this information to allow third party businesses to contact users through WhatsApp. There is no fixed purpose for this – these third parties can contact users for anything from ongoing transactions to marketing.
As a general remark, the policy states that it may use the information it receives from other affiliated companies and vice-versa. This recycling of information by different entities and for different purposes is exactly what this principle seeks to avoid. These clauses are vague, allowing WhatsApp to scale up its use of users’ personal information without actually having to inform them or seek consent again.
- Access and Correction
Users should have the right to access their personal information and amend or delete it if inaccurate. This right extends to obtaining a copy of their personal information.
Users are free to amend their personal information, including their phone numbers. However, there is no provision to obtain a copy of one’s information held by WhatsApp.
- Disclosure of Information
WhatsApp discloses personal information to certain unidentified third parties. These third parties can be anyone who WhatsApp contracts with to operate, promote or market its services. This information is shared ‘in accordance with [WhatsApp’s] instructions…or with express permission from [the user]’. Therefore, a user’s consent is merely optional and one has little knowledge about the terms on which such information has been disclosed.
If a user uses third party services such as Google Drive or iCloud to back up their WhatsApp data, information received by them will be shared in accordance with their respective privacy policies.
This principle requires companies to adopt reasonable security safeguards to protect against loss, unauthorised access, destruction, use or disclosure of personal information.
The policy only mentions that the platform supports end-to-end encryption for messages and ‘other security features’. There is no general description of what these are.
Information and security practices must be transparent and easily accessible.
The vague language of the policy makes it difficult to understand how information is used and the parties it is disclosed to.
Companies must be held accountable for compliance with data protection principles. An important aspect of accountability is appointing a grievance redressal officer for addressing privacy concerns.
The policy only lists a physical address for raising privacy concerns. A separate ‘contact us’ link redirects users to a form with pre-set questions. The questions are far from exhaustive – important questions related to choice and security practices are visibly absent. Ironically, for business inquiries and product support, a direct email is provided. A similar provision for privacy concerns is noticeably absent.