The updated policy delves into the sharing of data collected from WhatsApp users with the broader Facebook ecosystem. Reportedly, it seeks to differentiate between “messages with friends or family” and “messages with a business”. However, even though most of the data collected pertains to account information, some information which can potentially be shared, such as details of transactions and payments, can be sensitive. To be sure, users perturbed by the changes in the policy terms always have the option of opting out and migrating to other platforms. However, given the network effects — the instant messaging platform has more than 400 million users in India — such a substitution is unlikely to be smooth.
The absence of a personal data protection architecture, and a regulatory authority, leaves individuals vulnerable to exploitation. In India, if the data privacy law was in place, it is possible that while the messaging platform could have limited the services provided to users, it may not have been able to deny services based on an individual’s data preferences. In the European Union where the General Data Protection Regulation (GDPR) allows individuals greater say over their data, the new WhatsApp rules will not apply. Putting in place a regulatory apparatus will not only help monitor the flow of data, but also help address critical questions such as what kind of data is collected, is it sensitive, where it is stored, among others.