The point of contention is the ability of WhatsApp to share user metadata and mobile information with its parent company Facebook. WhatsApp was acquired by Facebook for $19 billion. Facebook Inc., which also owns Instagram, envisages integrating the data from WhatsApp, Instagram and Facebook. WhatsApp is seen as a medium to secure payments for services and ads posted on Facebook and Instagram, beyond its primary use as a messaging service. The triumvirate of Facebook, Instagram and WhatsApp is used by millions of people. Thus it provides a means to monetise this everyday use by consumers and what is to be noted here is that Facebook’s revenue model uses data on its platform to allow advertisers to target ads towards users. The algorithms would benefit from the WhatsApp data as well.
The data transfer from WhatsApp to Facebook is not possible in regions such as the European Union, where data protection laws place stringent restrictions on storage and transfer of user data. The different policy in India has caught the eye of the Ministry of Electronics and IT. WhatsApp has been sent a series of queries from the ministry, including on why Indian users would be sharing information with Facebook, unlike in Europe. What is prompting such efforts from Facebook is the absence of legislation in India that puts in place checks and balances in data sharing.
The Personal Data Protection Bill, 2019, proposed by the government diluted some of the privacy provisos, for example in proposing that only sensitive personal data needed to be localised in the country, and not all personal data as mandated by the Srikrishna committee. But data localisation as put forth by the Srikrishna committee may not necessarily pave way for better data privacy, as it carries the possibility of domestic surveillance over Indian citizens.
The General Data Protection Regulation (GDPR) is an EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Non-compliance could cost companies dearly. The GDPR sets a new standard for consumer rights regarding their data. GDPR protects privacy data like basic identity information such as name, address and ID number. Web data such as location, IP address, cookie data and RFID tags, health and genetic data, biometric data, racial or ethnic data, political opinions, sexual orientation is also protected. GDPR serves as a template on which Indian policymakers can work upon in drafting a Personal Data Protection legislation. Privacy will be better addressed by stringent contractual conditions on data sharing and better security tools being adopted by the applications that secure user data. The proposed Bill has some of these features, similar to Europe’s General Data Protection Regulation, but it also requires stronger checks on state surveillance before it takes the form of an Act.