Rematerialising购者自慎原则:解决WhatsApp的隐私政策
“WhatsApp,回应MEITY的注意,决心不限制其服务的功能,直到PDP法案生效。这将是有趣的,看看它的隐私政策现在持有反对该法案,誉为印度急需的数据保护解决方案,虽然自己的失望,集“Chowdhury亮点。
Tele-Talk新鲜的花,深入分析和观点从受人尊敬的行业领导者
Where does the law stand?<\/strong>
As compared to the Personal Data Protection Bill, 2019 (\u201cPDP Bill\u201d), the law as it stands is much less demanding of companies in the business of collecting and using their users\u2019 data. Under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (\u201cSPDI Rules\u201d), the only data collected by WhatsApp that may be classified as sensitive personal data (\u201cSPD\u201d) is that relating to \u201cfinancial information such as Bank account or credit card or debit card or other payment instrument details\u201d. Account information, contact list details, usage and log information, and network connection and other location-based information are classified as \u2018personal information\u2019 rather than SPD, and do not warrant the application of provisions detailed below.
To collect SPD, SPDI Rules contain obligations for corporates to obtain (1) receipt of express consent and adoption of reasonable measures to facilitate an informed choice as to collection and processing of SPD, (2) limitation on collection, use, and storage of data to that which is necessary for a lawful function or activity, (3) availability of a withdrawal mechanism, before or during collection of data and accompanying use of service, and (4) restriction upon disclosure of SPD to a third party, unless consented to.
Interestingly, Rule 5(7), providing for the existence of a withdrawal mechanism, empowers corporates \u201cnot to provide goods or services for which the said information was sought\u201d if the data subject does not provide the requisite information or withdraws consent subsequently. Notification requirements, in this respect, are restricted to type of data collected, the purpose of collection, the necessity and channels for disclosure to third parties, and the contact details of the intended recipients of such data.
The data protection map of India, however, does not end with the SPDI Rules. All legislation is also subject to interpretation by the judiciary which, over the years, has filled some gaps and opened others. The recognition of informational privacy and self-determination as a fundamental right was one such godsend which revolutionised the data protection landscape in India.
In the words of Justice Chandrachud, \u201cinformational control empowers the individual to use privacy as a shield to retain personal control over information pertaining to the person.\u201d In doing so, he also alluded at the \u2018mosaic theory of privacy\u2019, affirmed by the Supreme Court of the United States, which holds that long-term collection of unassuming or insignificant data or metadata may produce an aggregated mosaic which could reveal an obtrusive portrait of an individual (including \u201cnature of the personality: food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation\u201d). <\/em>
Interestingly, the Delhi High Court, hearing current challenges to WhatsApp\u2019s Privacy Policy, noted that users are not mandated to partake in such data sharing processes and may, just as easily, shift to other messaging networks if they are dissatisfied. Interactions with businesses can be restricted by each user by opting out from conversing with them over WhatsApp. Alternatively, users may seek independent platforms of businesses or utilize other hosting services contracted with by businesses to engage with them. In such cases, users may restrict data sharing with WhatsApp and other Facebook companies, unless provided for by the privacy policies of the respective businesses.
In 2016, too, the Delhi High Court, presiding over a challenge against WhatsApp\u2019s then revised policy, mandated the implementation of an opt-out mechanism to sharing data with Facebook which was only available for a period of thirty days. Thereafter, it was permissible for WhatsApp to restrict services to only those onboarding users (after September 25, 2016) who accepted its Privacy Policy. While the matter is currently pending adjudication before the Supreme Court, we can come to the conclusion that the mere absence of an opt-out clause cannot result in the invalidation of the policy in its entirely.
WhatsApp's new privacy policy and terms of service: An actual overreach or paranoid protectionism? <\/strong>
So, are WhatsApp\u2019s new Privacy Policy and Terms of Service incompatible with this framework? The key is to understand that the collection and processing strategies adopted by WhatsApp are not novel. WhatsApp collects account information (name and phone number, etc.), contacts in one\u2019s address book, transaction and payments data (for users of WhatsApp Pay), activity data (manner and duration of interaction with WhatsApp Services), and device and connection data (such as hardware information, ISP information, IP address, unique identifiers), etc.
The change in policy has been with respect to the collection and sharing of data associated with third-party services providers who choose Facebook\u2019s hosting services to manage customer-end communications through WhatsApp. It is only here that the promise of end-to-end encryption is not extended, and messages sent can be used by such businesses for marketing purposes.
An evaluation of the Privacy Policy reveals requisite compliance with all the requirements of the SPDI Rules. However, the criticism arising from an overzealous government may lead to incorrect and non-judicial compliance interpretations. For instance, the Privacy Policy allows users to withdraw consent by deleting their WhatsApp accounts, and thereby deleting data which is \u201cno longer need[ed] to operate and provide\u201d its services.
While WhatsApp clarifies the nature of data that shall be deleted (undelivered messages, message history, other account information, etc.), it does not clarify the nature of residual data that shall be retained (apart from log records). However, a grey area exists in determining the extent of information required for the constitution of \u2018informed consent\u2019.
As resonated by the General Data Protection Regulation, information provided must be granular to the extent that it is not \u201cunduly disruptive or confusing\u201d. The use of indicative terms which save users from hyper-technical language cannot necessarily be seen as non-compliance. Introducing such subjectivity within the standard for \u2018informed consent\u2019 may also open a floodgate which burdens corporates to discharge their burdens according to the degree of digital literacy exhibited by each class in their target audience and otherwise.
WhatsApp\u2019s policies also seem to be industry practice. The privacy policies of Discord, Viber, Truecaller, Zomato etc. also highlight that they collect data related to device information, IP address, interaction with websites and businesses, unique identifiers etc. They also notify users of their policies in a similar manner, with notifications appearing at the top of conversations, detailing the data collection activities of their respective platforms.
This is where the importance of informational autonomy empowers and expects users to not just possess a right of control, but to exercise the same by remaining vigilant as to the trajectory of their data. The foundational principle of caveat emptor \u2013 buyer beware, comes into play here. Governmental regulation \u2013 especially executive mandates, should not be reshaped to act as its dilutant.
The clickwrap method of obtaining consent, through a one-touch \u2018I Agree\u2019 button, has been posited as vitiating any possibility of the exercise of informed agency. Per se, such \u2018take-it-or-leave-it\u2019 contracts are not illegal, if they do not violate the doctrine of unconscionability, i.e., the imposition of unreasonable terms and conditions between unequal parties. In this regard, the Supreme Court, in 1995, held that \u2018dotted line\u2019 contracts do not afford an opportunity for negotiation, leading individuals to either accept the unreasonable terms or to forego the service entirely.
The mere lack of opportunity for negotiation do not make such contracts unreasonable since such a requirement would put an enormous burden upon corporates to open negotiation channels for each user. Unreasonableness may only include practices such as \u2018consent fatigue\u2019, by which data subjects are exhausted into assenting by being redirected to multiple webpages for the purpose of accessing basic terms of a service\u2019s privacy policy. Thus, the mere clickwrap nature of these contracts must not be exaggerated to imply unconscionability.
Lastly, the concern raised as to the enactment of different privacy policies for the European Economic Area and the rest of the world is a non-issue. Since WhatsApp and India are not privy to a \u2018most-favoured-nation\u2019 clause, WhatsApp is under no obligation to go above and beyond the requirements of India\u2019s privacy framework to provide GDPR-like safeguards. From a business and service providing perspective, WhatsApp, and like companies, cannot be expected to act as surrogates of the Government, ensuring more protections than are recognized for citizens. That is precisely why the more granular PDP Bill was formulated. Is the Government setting a precedent on the interpretation of the SPDI Rules, to compensate for its delay in passing the PDP Bill?
But something must be wrong, right?<\/strong>
That is not to say, however, that WhatsApp is completely in the clear. For instance, users are exposed to the mercy of other users who may force-add the former into group chats or on their broadcast lists without their permission or consent. Often, this feature is used by WhatsApp business accounts for pushing target marketing services by sending across bulk messages to profiled potential customers based on previous interaction and data provided by Facebook and other associated companies. Similarly, users who allow WhatsApp to access their contact directory also circumvent the consent of non-users into providing their contact details to a third party.
So, what now?<\/strong>
Report from the field? WhatsApp, as a response to MEITY\u2019s notice, is resolved to not limiting the functionality of its services until the PDP Bill comes into effect. It would be interesting to see whether its Privacy Policy now holds up against the Bill, heralded as India\u2019s much-needed data protection fix, albeit with its own sets of disappointment.","blog_img":"","posted_date":"2021-06-28 16:18:45","modified_date":"2021-06-28 16:22:25","featured":"0","status":"Y","seo_title":"Rematerialising the Caveat Emptor doctrine: Tackling WhatsApp's privacy policy","seo_url":"rematerialising-the-caveat-emptor-doctrine-tackling-whatsapp-s-privacy-policy","url":"\/\/www.iser-br.com\/tele-talk\/rematerialising-the-caveat-emptor-doctrine-tackling-whatsapp-s-privacy-policy\/4990","url_seo":"rematerialising-the-caveat-emptor-doctrine-tackling-whatsapp-s-privacy-policy"}">
2021年1月,WhatsApp推出了新的隐私政策和服务条款。虽然不可否认WhatsApp扩大了使用用户的个人信息,法律挑战似乎并不成立。本文试图取代歇斯底里的客观分析当前数据保护法规。而不是贬低公司法律条文后,印度应该关注为什么没有一个更好的人。
法律站在哪里?
相比个人数据保护法案,2019年(“PDP法案”),法律目前要求公司要少得多的收集和使用他们的用户的数据。规则3下的信息技术(合理的安全操作和规程和敏感的个人数据或信息)规则,2011年(“SPDI规则”),唯一WhatsApp收集的数据可能被列为敏感的个人数据(SPD)有关“金融信息,如银行账户或信用卡或借记卡或其他支付手段细节”。账户信息,联系人列表细节,使用和日志信息,和网络连接和其他基于位置信息被归类为“个人信息”,而不是社会民主党,和不需要的应用下面的详细规定。
收集SPD, SPDI规则包含义务为企业获得(1)收到明示同意和采取合理的措施,以促进一个知情的选择作为社民党的收集和处理,(2)限制收集、使用和存储的数据为一个合法的函数或活动是必要的,(3)提供一个退出机制,收集的数据和相应的使用之前或期间的服务,和(4)限制在社民党披露给第三方,除非同意。
规则5(7),有趣的是,提供一个退出机制的存在,使企业“不提供商品或服务的信息是寻求“如果数据主体不提供必要的信息或随后撤回同意。通知要求,在这方面,限制类型的数据收集,收集的目的、必要性和渠道披露给第三方,和预期的收件人的联系方式这样的数据。
印度的地图数据保护,然而,不能随着SPDI规则而结束。所有的立法也受到司法解释,多年来,填补了有些差距,打开。识别信息隐私和自决等基本权利是一个天赐良机,彻底改变了数据保护景观在印度。
在正义Chandrachud的话说,“信息控制授权个人使用隐私当作挡箭牌保留个人控制有关的信息的人。”在这一过程中,他还提到“隐私的马赛克理论”,由美国最高法院确认,认为长期收集的谦逊的或无关紧要的数据或元数据可能产生的聚合马赛克可以揭示一个突兀的肖像的个人(包括“自然的人格:饮食习惯、语言、健康、爱好、性偏好,友谊,衣服和政治立场的方式”)。
有趣的是,德里高等法院,听到WhatsApp当前挑战的隐私政策,指出,没有人强制用户参与这样的数据共享的过程和可能,很容易转向其他消息传递网络,如果他们不满意。与企业的互动可以限制每个用户选择从WhatsApp与他们交谈。另外,用户可能会寻求独立平台的企业或利用其他主机服务承包企业与人打交道。在这种情况下,用户可能会限制数据共享与WhatsApp和其他Facebook公司,除非提供的隐私政策各自的业务。
2016年,德里高等法院,主持一项挑战对WhatsApp然后修订政策,强制退出机制的实现共享数据与Facebook只可用一段三十天。之后,是容许WhatsApp限制只服务那些新员工培训用户(在2016年9月25日)接受其隐私政策。虽然目前正在等待最高法院裁定之前,我们可以得出结论,仅仅没有退出条款不能导致政策的失效完全。
WhatsApp的新隐私政策和服务条款:一个实际诈骗或偏执的保护主义?
那么,WhatsApp的新隐私政策和服务条款不符合这个框架?关键是要明白,收集和处理策略采用WhatsApp不是小说。WhatsApp收集帐户信息(姓名和电话号码等),联系人的地址簿,交易和支付数据(WhatsApp支付的用户),活动数据(与WhatsApp互动服务的方式和持续时间),和设备和连接数据(如硬件信息、ISP信息、IP地址、惟一标识符),等等。
政策的变化对相关数据的收集和共享与第三方服务提供者选择Facebook的主机服务通过WhatsApp管理客户端通信。只有在这里,端到端加密的承诺不是扩展,和发送的消息可以使用这样的企业营销的目的。
隐私政策的评估显示必要的遵守所有SPDI规则的要求。然而,起源于一个热衷于批评政府可能导致不正确的和non-judicial合规的解释。例如,隐私政策允许用户退出同意通过删除WhatsApp账户,从而删除数据是“不再需要操作(ed)和提供“它的服务。
虽然WhatsApp澄清性质的数据应当删除(未被释放的消息,消息历史,其他账户信息,等等),它没有明确的本质残留数据,应当保留(除了日志记录)。然而,一个灰色地带的存在决定所需的信息“知情同意”的宪法。
共鸣的通用数据保护规定,提供的信息必须是颗粒在一定程度上,它不是“过度破坏或混乱”。使用指示性条款保存用户从hyper-technical语言不一定被视为违规。引入这种主体性在“知情同意”的标准,负担也可能引发企业排放的负担程度的数字素养表现出每个类的目标受众。
WhatsApp的政策也似乎是行业惯例。不和的隐私政策,推出,Truecaller Zomato等还强调,他们收集数据相关设备信息,IP地址,与网站和企业互动,惟一标识符等。他们还通知用户的政策以类似的方式,通知出现在顶部的交谈,详细的数据收集活动各自的平台。
这就是信息自主权赋予的重要性,并希望用户不仅拥有一个正确的控制,但同样的锻炼保持警惕的轨迹数据。购者自慎的基本原则——买家当心,在这里发挥作用。政府规章草案——特别是行政授权,不应该重塑作为其dilutant。
clickwrap方法获得同意,通过几次“我同意”按钮,被断定为弄坏任何通知机构运动的可能性。本身,这种要求的合同不是非法的,如果他们不违反显失公平原则,即。,实行不平等的当事人之间不合理的条款和条件。在这方面,最高法院在1995年,认为“虚线”合同不承担一个谈判的机会,导致个人接受不合理的条款或放弃完全的服务。
仅仅缺乏谈判的机会不让这种合同不合理的,因为这样的要求将一个巨大的负担在公司打开谈判渠道为每个用户。无理性可能只包括实践,比如“同意疲劳”,由数据对象疲惫为同意被重定向到多个网页访问的目的服务的隐私政策的基本条件。因此,仅仅clickwrap这些合同性质不得夸大意味着显失公平。
最后,担忧的制定不同的隐私政策为欧洲经济区域和世界其他地区是一个问题。自WhatsApp和印度是无法得知“最惠国”条款,WhatsApp是没有义务去超越印度需求的隐私框架提供GDPR-like保障。从业务和服务提供的角度来看,WhatsApp,像公司一样,不能指望政府作为代理人,确保保护比公认的公民。这正是为什么更细粒度的PDP法案制定。是政府设置一个先例SPDI的解释规则,弥补其延迟通过PDP法案?
但一定是错的,对吗?
然而,这并不是说,WhatsApp是完全清楚的。例如,用户接触的其他用户可能force-add前组聊天或播放列表未经许可或同意。经常使用这个功能WhatsApp商业占推动目标营销服务跨批量发送消息异形根据以往的互动和潜在客户提供的数据Facebook和其他相关公司。类似地,用户允许WhatsApp访问他们的联系人目录也规避非用户的同意提供他们的联系信息给第三方。
所以,现在该做什么?
的报告?WhatsApp,作为响应MEITY的注意,才决心限制其服务功能的PDP法案生效。这将是有趣的,看看它的隐私政策现在持有反对该法案,誉为印度急需的数据保护解决方案,虽然自己的失望。
法律站在哪里?
相比个人数据保护法案,2019年(“PDP法案”),法律目前要求公司要少得多的收集和使用他们的用户的数据。规则3下的信息技术(合理的安全操作和规程和敏感的个人数据或信息)规则,2011年(“SPDI规则”),唯一WhatsApp收集的数据可能被列为敏感的个人数据(SPD)有关“金融信息,如银行账户或信用卡或借记卡或其他支付手段细节”。账户信息,联系人列表细节,使用和日志信息,和网络连接和其他基于位置信息被归类为“个人信息”,而不是社会民主党,和不需要的应用下面的详细规定。
收集SPD, SPDI规则包含义务为企业获得(1)收到明示同意和采取合理的措施,以促进一个知情的选择作为社民党的收集和处理,(2)限制收集、使用和存储的数据为一个合法的函数或活动是必要的,(3)提供一个退出机制,收集的数据和相应的使用之前或期间的服务,和(4)限制在社民党披露给第三方,除非同意。
规则5(7),有趣的是,提供一个退出机制的存在,使企业“不提供商品或服务的信息是寻求“如果数据主体不提供必要的信息或随后撤回同意。通知要求,在这方面,限制类型的数据收集,收集的目的、必要性和渠道披露给第三方,和预期的收件人的联系方式这样的数据。
印度的地图数据保护,然而,不能随着SPDI规则而结束。所有的立法也受到司法解释,多年来,填补了有些差距,打开。识别信息隐私和自决等基本权利是一个天赐良机,彻底改变了数据保护景观在印度。
在正义Chandrachud的话说,“信息控制授权个人使用隐私当作挡箭牌保留个人控制有关的信息的人。”在这一过程中,他还提到“隐私的马赛克理论”,由美国最高法院确认,认为长期收集的谦逊的或无关紧要的数据或元数据可能产生的聚合马赛克可以揭示一个突兀的肖像的个人(包括“自然的人格:饮食习惯、语言、健康、爱好、性偏好,友谊,衣服和政治立场的方式”)。
有趣的是,德里高等法院,听到WhatsApp当前挑战的隐私政策,指出,没有人强制用户参与这样的数据共享的过程和可能,很容易转向其他消息传递网络,如果他们不满意。与企业的互动可以限制每个用户选择从WhatsApp与他们交谈。另外,用户可能会寻求独立平台的企业或利用其他主机服务承包企业与人打交道。在这种情况下,用户可能会限制数据共享与WhatsApp和其他Facebook公司,除非提供的隐私政策各自的业务。
2016年,德里高等法院,主持一项挑战对WhatsApp然后修订政策,强制退出机制的实现共享数据与Facebook只可用一段三十天。之后,是容许WhatsApp限制只服务那些新员工培训用户(在2016年9月25日)接受其隐私政策。虽然目前正在等待最高法院裁定之前,我们可以得出结论,仅仅没有退出条款不能导致政策的失效完全。
WhatsApp的新隐私政策和服务条款:一个实际诈骗或偏执的保护主义?
那么,WhatsApp的新隐私政策和服务条款不符合这个框架?关键是要明白,收集和处理策略采用WhatsApp不是小说。WhatsApp收集帐户信息(姓名和电话号码等),联系人的地址簿,交易和支付数据(WhatsApp支付的用户),活动数据(与WhatsApp互动服务的方式和持续时间),和设备和连接数据(如硬件信息、ISP信息、IP地址、惟一标识符),等等。
政策的变化对相关数据的收集和共享与第三方服务提供者选择Facebook的主机服务通过WhatsApp管理客户端通信。只有在这里,端到端加密的承诺不是扩展,和发送的消息可以使用这样的企业营销的目的。
隐私政策的评估显示必要的遵守所有SPDI规则的要求。然而,起源于一个热衷于批评政府可能导致不正确的和non-judicial合规的解释。例如,隐私政策允许用户退出同意通过删除WhatsApp账户,从而删除数据是“不再需要操作(ed)和提供“它的服务。
虽然WhatsApp澄清性质的数据应当删除(未被释放的消息,消息历史,其他账户信息,等等),它没有明确的本质残留数据,应当保留(除了日志记录)。然而,一个灰色地带的存在决定所需的信息“知情同意”的宪法。
共鸣的通用数据保护规定,提供的信息必须是颗粒在一定程度上,它不是“过度破坏或混乱”。使用指示性条款保存用户从hyper-technical语言不一定被视为违规。引入这种主体性在“知情同意”的标准,负担也可能引发企业排放的负担程度的数字素养表现出每个类的目标受众。
WhatsApp的政策也似乎是行业惯例。不和的隐私政策,推出,Truecaller Zomato等还强调,他们收集数据相关设备信息,IP地址,与网站和企业互动,惟一标识符等。他们还通知用户的政策以类似的方式,通知出现在顶部的交谈,详细的数据收集活动各自的平台。
这就是信息自主权赋予的重要性,并希望用户不仅拥有一个正确的控制,但同样的锻炼保持警惕的轨迹数据。购者自慎的基本原则——买家当心,在这里发挥作用。政府规章草案——特别是行政授权,不应该重塑作为其dilutant。
clickwrap方法获得同意,通过几次“我同意”按钮,被断定为弄坏任何通知机构运动的可能性。本身,这种要求的合同不是非法的,如果他们不违反显失公平原则,即。,实行不平等的当事人之间不合理的条款和条件。在这方面,最高法院在1995年,认为“虚线”合同不承担一个谈判的机会,导致个人接受不合理的条款或放弃完全的服务。
仅仅缺乏谈判的机会不让这种合同不合理的,因为这样的要求将一个巨大的负担在公司打开谈判渠道为每个用户。无理性可能只包括实践,比如“同意疲劳”,由数据对象疲惫为同意被重定向到多个网页访问的目的服务的隐私政策的基本条件。因此,仅仅clickwrap这些合同性质不得夸大意味着显失公平。
最后,担忧的制定不同的隐私政策为欧洲经济区域和世界其他地区是一个问题。自WhatsApp和印度是无法得知“最惠国”条款,WhatsApp是没有义务去超越印度需求的隐私框架提供GDPR-like保障。从业务和服务提供的角度来看,WhatsApp,像公司一样,不能指望政府作为代理人,确保保护比公认的公民。这正是为什么更细粒度的PDP法案制定。是政府设置一个先例SPDI的解释规则,弥补其延迟通过PDP法案?
但一定是错的,对吗?
然而,这并不是说,WhatsApp是完全清楚的。例如,用户接触的其他用户可能force-add前组聊天或播放列表未经许可或同意。经常使用这个功能WhatsApp商业占推动目标营销服务跨批量发送消息异形根据以往的互动和潜在客户提供的数据Facebook和其他相关公司。类似地,用户允许WhatsApp访问他们的联系人目录也规避非用户的同意提供他们的联系信息给第三方。
所以,现在该做什么?
的报告?WhatsApp,作为响应MEITY的注意,才决心限制其服务功能的PDP法案生效。这将是有趣的,看看它的隐私政策现在持有反对该法案,誉为印度急需的数据保护解决方案,虽然自己的失望。
免责声明:作者的观点仅和ETTelecom.com不一定订阅它。乐动体育1002乐动体育乐动娱乐招聘乐动娱乐招聘乐动体育1002乐动体育ETTelecom.com不得负责任何损害任何个人/组织直接或间接造成的。
Where does the law stand?<\/strong>
As compared to the Personal Data Protection Bill, 2019 (\u201cPDP Bill\u201d), the law as it stands is much less demanding of companies in the business of collecting and using their users\u2019 data. Under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (\u201cSPDI Rules\u201d), the only data collected by WhatsApp that may be classified as sensitive personal data (\u201cSPD\u201d) is that relating to \u201cfinancial information such as Bank account or credit card or debit card or other payment instrument details\u201d. Account information, contact list details, usage and log information, and network connection and other location-based information are classified as \u2018personal information\u2019 rather than SPD, and do not warrant the application of provisions detailed below.
To collect SPD, SPDI Rules contain obligations for corporates to obtain (1) receipt of express consent and adoption of reasonable measures to facilitate an informed choice as to collection and processing of SPD, (2) limitation on collection, use, and storage of data to that which is necessary for a lawful function or activity, (3) availability of a withdrawal mechanism, before or during collection of data and accompanying use of service, and (4) restriction upon disclosure of SPD to a third party, unless consented to.
Interestingly, Rule 5(7), providing for the existence of a withdrawal mechanism, empowers corporates \u201cnot to provide goods or services for which the said information was sought\u201d if the data subject does not provide the requisite information or withdraws consent subsequently. Notification requirements, in this respect, are restricted to type of data collected, the purpose of collection, the necessity and channels for disclosure to third parties, and the contact details of the intended recipients of such data.
The data protection map of India, however, does not end with the SPDI Rules. All legislation is also subject to interpretation by the judiciary which, over the years, has filled some gaps and opened others. The recognition of informational privacy and self-determination as a fundamental right was one such godsend which revolutionised the data protection landscape in India.
In the words of Justice Chandrachud, \u201cinformational control empowers the individual to use privacy as a shield to retain personal control over information pertaining to the person.\u201d In doing so, he also alluded at the \u2018mosaic theory of privacy\u2019, affirmed by the Supreme Court of the United States, which holds that long-term collection of unassuming or insignificant data or metadata may produce an aggregated mosaic which could reveal an obtrusive portrait of an individual (including \u201cnature of the personality: food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation\u201d). <\/em>
Interestingly, the Delhi High Court, hearing current challenges to WhatsApp\u2019s Privacy Policy, noted that users are not mandated to partake in such data sharing processes and may, just as easily, shift to other messaging networks if they are dissatisfied. Interactions with businesses can be restricted by each user by opting out from conversing with them over WhatsApp. Alternatively, users may seek independent platforms of businesses or utilize other hosting services contracted with by businesses to engage with them. In such cases, users may restrict data sharing with WhatsApp and other Facebook companies, unless provided for by the privacy policies of the respective businesses.
In 2016, too, the Delhi High Court, presiding over a challenge against WhatsApp\u2019s then revised policy, mandated the implementation of an opt-out mechanism to sharing data with Facebook which was only available for a period of thirty days. Thereafter, it was permissible for WhatsApp to restrict services to only those onboarding users (after September 25, 2016) who accepted its Privacy Policy. While the matter is currently pending adjudication before the Supreme Court, we can come to the conclusion that the mere absence of an opt-out clause cannot result in the invalidation of the policy in its entirely.
WhatsApp's new privacy policy and terms of service: An actual overreach or paranoid protectionism? <\/strong>
So, are WhatsApp\u2019s new Privacy Policy and Terms of Service incompatible with this framework? The key is to understand that the collection and processing strategies adopted by WhatsApp are not novel. WhatsApp collects account information (name and phone number, etc.), contacts in one\u2019s address book, transaction and payments data (for users of WhatsApp Pay), activity data (manner and duration of interaction with WhatsApp Services), and device and connection data (such as hardware information, ISP information, IP address, unique identifiers), etc.
The change in policy has been with respect to the collection and sharing of data associated with third-party services providers who choose Facebook\u2019s hosting services to manage customer-end communications through WhatsApp. It is only here that the promise of end-to-end encryption is not extended, and messages sent can be used by such businesses for marketing purposes.
An evaluation of the Privacy Policy reveals requisite compliance with all the requirements of the SPDI Rules. However, the criticism arising from an overzealous government may lead to incorrect and non-judicial compliance interpretations. For instance, the Privacy Policy allows users to withdraw consent by deleting their WhatsApp accounts, and thereby deleting data which is \u201cno longer need[ed] to operate and provide\u201d its services.
While WhatsApp clarifies the nature of data that shall be deleted (undelivered messages, message history, other account information, etc.), it does not clarify the nature of residual data that shall be retained (apart from log records). However, a grey area exists in determining the extent of information required for the constitution of \u2018informed consent\u2019.
As resonated by the General Data Protection Regulation, information provided must be granular to the extent that it is not \u201cunduly disruptive or confusing\u201d. The use of indicative terms which save users from hyper-technical language cannot necessarily be seen as non-compliance. Introducing such subjectivity within the standard for \u2018informed consent\u2019 may also open a floodgate which burdens corporates to discharge their burdens according to the degree of digital literacy exhibited by each class in their target audience and otherwise.
WhatsApp\u2019s policies also seem to be industry practice. The privacy policies of Discord, Viber, Truecaller, Zomato etc. also highlight that they collect data related to device information, IP address, interaction with websites and businesses, unique identifiers etc. They also notify users of their policies in a similar manner, with notifications appearing at the top of conversations, detailing the data collection activities of their respective platforms.
This is where the importance of informational autonomy empowers and expects users to not just possess a right of control, but to exercise the same by remaining vigilant as to the trajectory of their data. The foundational principle of caveat emptor \u2013 buyer beware, comes into play here. Governmental regulation \u2013 especially executive mandates, should not be reshaped to act as its dilutant.
The clickwrap method of obtaining consent, through a one-touch \u2018I Agree\u2019 button, has been posited as vitiating any possibility of the exercise of informed agency. Per se, such \u2018take-it-or-leave-it\u2019 contracts are not illegal, if they do not violate the doctrine of unconscionability, i.e., the imposition of unreasonable terms and conditions between unequal parties. In this regard, the Supreme Court, in 1995, held that \u2018dotted line\u2019 contracts do not afford an opportunity for negotiation, leading individuals to either accept the unreasonable terms or to forego the service entirely.
The mere lack of opportunity for negotiation do not make such contracts unreasonable since such a requirement would put an enormous burden upon corporates to open negotiation channels for each user. Unreasonableness may only include practices such as \u2018consent fatigue\u2019, by which data subjects are exhausted into assenting by being redirected to multiple webpages for the purpose of accessing basic terms of a service\u2019s privacy policy. Thus, the mere clickwrap nature of these contracts must not be exaggerated to imply unconscionability.
Lastly, the concern raised as to the enactment of different privacy policies for the European Economic Area and the rest of the world is a non-issue. Since WhatsApp and India are not privy to a \u2018most-favoured-nation\u2019 clause, WhatsApp is under no obligation to go above and beyond the requirements of India\u2019s privacy framework to provide GDPR-like safeguards. From a business and service providing perspective, WhatsApp, and like companies, cannot be expected to act as surrogates of the Government, ensuring more protections than are recognized for citizens. That is precisely why the more granular PDP Bill was formulated. Is the Government setting a precedent on the interpretation of the SPDI Rules, to compensate for its delay in passing the PDP Bill?
But something must be wrong, right?<\/strong>
That is not to say, however, that WhatsApp is completely in the clear. For instance, users are exposed to the mercy of other users who may force-add the former into group chats or on their broadcast lists without their permission or consent. Often, this feature is used by WhatsApp business accounts for pushing target marketing services by sending across bulk messages to profiled potential customers based on previous interaction and data provided by Facebook and other associated companies. Similarly, users who allow WhatsApp to access their contact directory also circumvent the consent of non-users into providing their contact details to a third party.
So, what now?<\/strong>
Report from the field? WhatsApp, as a response to MEITY\u2019s notice, is resolved to not limiting the functionality of its services until the PDP Bill comes into effect. It would be interesting to see whether its Privacy Policy now holds up against the Bill, heralded as India\u2019s much-needed data protection fix, albeit with its own sets of disappointment.","blog_img":"","posted_date":"2021-06-28 16:18:45","modified_date":"2021-06-28 16:22:25","featured":"0","status":"Y","seo_title":"Rematerialising the Caveat Emptor doctrine: Tackling WhatsApp's privacy policy","seo_url":"rematerialising-the-caveat-emptor-doctrine-tackling-whatsapp-s-privacy-policy","url":"\/\/www.iser-br.com\/tele-talk\/rematerialising-the-caveat-emptor-doctrine-tackling-whatsapp-s-privacy-policy\/4990","url_seo":"rematerialising-the-caveat-emptor-doctrine-tackling-whatsapp-s-privacy-policy"},img_object:["","retail_files/author_1624876489_66240.jpg"],fromNewsletter:"",newsletterDate:"",ajaxParams:{action:"get_more_blogs"},pageTrackingKey:"Blog",author_list:"Probir Roy Chowdhury",complete_cat_name:"Blogs"});" data-jsinvoker_init="_override_history_url = "//www.iser-br.com/tele-talk/rematerialising-the-caveat-emptor-doctrine-tackling-whatsapp-s-privacy-policy/4990";">
Chowdhury Probir罗伊
伙伴,J Sagar AssociatesProbir罗伊Chowdhury专门从事企业商业风险/私人股本和信息技术/ FinTech。他一直专注于参与公司事务显示更多…
