WhatsApp is legally bound to not share data with Facebook in the European Region because it’s a contravention of the provisions of the General Data Protection Regulation (GDPR)
GDPR is a regulation in the European Union law on data protection and privacy in the European Union and the European Economic Area.
1. It does not retain your messages in the ordinary course of providing our Services to you. Instead, your messages are stored on your device and not typically stored on their servers. Once your messages are delivered, they are deleted from their servers.
2. When a user forwards media within a message, they store that media temporarily in encrypted form on their servers to aid in the more efficient delivery of additional forwards.
3. WhatsApp's end-to-end encryption is used when you message another person using WhatsApp Messenger. End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp
4. Data exchange with Facebook is in fact, already taking place. While users in the European Union can opt-out of data-sharing with Facebook, the rest of the world does not have the same choice. WhatsApp shares the following information with Facebook and its other companies: account registration information (phone number), transaction data (WhatsApp now has payments in India), service-related information, information on how you interact with others (including businesses), mobile device information, and IP address. It is also collecting more information at a device hardware-level now.
India is not a party to any convention on the protection of personal data which is equivalent to the GDPR or the Data Protection Directive. However, India has adopted or is a party to other international declarations and conventions such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognize the right to privacy.
India has also not yet enacted specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information. The Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) under Section 43A of the IT Act. A clarification to the above Rules was issued on 24 August 2011 (the “Clarification”). The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive.
India has introduced a biometric-based unique identification number for residents called ‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted Delivery of Financial and Other Subsidies Act) 2016 (“Aadhaar Act”) and rules and regulations issued thereunder. Entities in regulated sectors such as financial services and telecom sector are subject to obligations of confidentiality under sectoral laws which require them to keep customer personal information confidential and use them for prescribed purposes or only in the manner agreed with the customer.
Finally, personal data is protected through indirect safeguards developed by the courts under common law, principles of equity, and the law of breach of confidence. In a landmark judgment delivered in August 2017 (Justice K.S Puttaswami & another Vs. Union of India), the Supreme Court of India has recognized the right to privacy as a fundamental right under Article 21 of the Constitution as a part of the right to “life” and “personal liberty”. “Informational privacy” has been recognized as being a facet of the right to privacy and the court held that information about a person and the right to access that information also needs to be given the protection of privacy (“Privacy Judgment”). The court stated that every person should have the right to control the commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This is the first time that the Supreme Court has expressly recognized the right of individuals over their personal data.
Fundamental rights are enforceable only against the state and instrumentalities of the state and the Supreme Court in the same judgment recognized that enforcing the right to privacy against private entities may require legislative intervention.
The Government of India, therefore, constituted a committee to propose a draft statute on data protection. The committee proposed draft law and the Government of India has issued the Personal Data Protection Bill 2019 (“PDP Bill”) based on the draft proposed by the committee. This will be India’s first law on the protection of personal data and will repeal S. 43A of the IT Act.
India does not have a national regulatory authority for the protection of personal data. The Ministry of Electronics and Information Technology (the “Ministry”) is responsible for administering the IT Act and issuing the rules and other clarifications under the IT Act. The authorities established under the IT Act – i.e. the adjudicating officer and cyber appellate tribunal and, thereafter, the different High Courts and the Supreme Court, are responsible for enforcing the IT Act.