India Punishes Meta For Its ‘Take-It-Or-Leave-It’ Approach To Collecting And Sharing Personal Data

Techdirt. 2024-11-25

Whether you like the results or not, there’s no denying that the EU’s GDPR legislation has tackled a wide range of privacy problems in the online world. Other countries around the globe — including the US — may lack comparable national legislation but there are alternative ways of protecting people’s privacy, as a recent ruling in India shows. The Competition Commission of India (CCI) has imposed a fine of ₹213.14 crore (about $25.25 million) on Meta for exploiting its dominant position through WhatsApp’s 2021 Privacy Policy update. The Internet Freedom Foundation of India explains how what it calls a “landmark penalty” will improve the privacy of users:

The policy update, which compelled users to accept expanded data collection and sharing within the Meta group on a ‘take-it-or-leave-it’ basis, violated user autonomy by offering no opt-out option. The [CCI] ruling reinforces the need for greater accountability from tech giants, ensuring that users’ rights are protected, and the principles of fair competition are upheld in digital markets.

The CCI found that Meta’s actions violated Indian competition law under Section 4(2)(a)(i) by imposing unfair conditions and abusing its dominant position in the market.

That is, it was competition law rather than privacy law that was used, an approach Germany also adopted some years ago. In India’s case, it has led to a fine (admittedly pretty small given the size of Meta) and restrictions on how Meta operates in India. The press release from the Competition Commission of India (pdf) spells out what those are:

WhatsApp will not share user data collected on its platform with other Meta Companies or Meta Company Products for advertising purposes, for a period of 5 (five) years from the date of receipt of this order.

After that time, Meta must abide by the following:

Sharing of user data collected on WhatsApp with other Meta Companies or Meta Company Products for purposes other than for providing WhatsApp services shall not be made a condition for users to access WhatsApp Service in India.

In respect of sharing of WhatsApp user data for purposes other than for providing WhatsApp Services, all users in India (including users who have accepted 2021 update) will be provided with:

a) the choice to manage such data sharing by way of an opt-out option prominently through an in-app notification; and

b) the option to review and modify their choice with respect to such sharing of data through a prominent tab in settings of WhatsApp application

Those are quite similar to GDPR requirements, and show that the same results may be obtained by different means. As to the motivation for the Competition Commission of India’s investigation into Meta, the Internet Freedom Foundation of India noted back in 2021 that it was “suo moto” — that is, begun by the Indian authorities without being requested to do so by any other party — but also that it was “a huge opportunity to present the user’s point of view to the Commission!” The final result certainly seems like a win for WhatsApp users in India. It will also serve as a warning to other major online players not to adopt a ‘take-it-or-leave-it’ approach when it comes to their data collection practices in India.

Follow me @glynmoody on Bluesky and on Mastodon.