But without a data privacy law that sets the terms for tech companies with regards to what is acceptable and what’s not—bear in mind, WhatsApp didn’t roll out this update in the EU region that has enforced the stringent General Data Protection Regulation—forcing a company to drop plans for the Indian market that could be central to its business viability erodes business confidence. The government would have done well to take a cue from the Delhi High Court rejecting a plea to intervene, saying WhatsApp was a private service and users had the choice to migrate to other platforms if they disagreed with the changes that the update would entail. Indeed, given significant migration to competing services like Signal and Telegram that offer more privacy, WhatsApp had already postponed the update to May 15.
The government, if it is to protect privacy while offering business policy stability, needs to bring the data privacy law fast; this has been in a limbo for the past four years. The government constituted the expert committee on data privacy and protection in July 2017, and the panel submitted its report in 2018; but the law has been hanging fire since, with deliberations on the provisions of the draft yet to get concluded. Till the time the government does not get the law enacted, it would have to resort to arbitrary decisions on data exchanges and information-sharing, which, in turn, will affect companies’, and not just WhatsApp’s, operations in the country. That said, there is a need to revise the provision of the privacy law to enable more choice to the users.
Despite the Delhi High Court’s opinion on users being free to migrate, the problem is that platforms’ own policies and network-advantages make it difficult for users to take their data elsewhere. The data laws need to build the framework for enabling interoperability between platforms or data migration, with primacy given to user consent. RBI has allowed this for financial aggregators. Platforms, on their part, need to move away from a take-it-or-leave-it stance, and look for use-options where users choosing a higher degree of data privacy don’t get new service updates or don’t get the full array of services like payments etc, in order to manage costs of providing the service. A subscription model may also be considered where users pay a premium for data privacy. But, for all this, the country needs to get the data privacy law first.