SC questions WhatsApp, Meta on personal data

Why in news ?

• Supreme Court (2026) questioned WhatsApp–Meta on sharing and commercial use of user data, warning against violating Article 21 privacy rights of millions of Indian “silent consumers.”
• Case relates to challenge against CCI penalty of ₹213.14 crore (2023) imposed for WhatsApp’s 2021 privacy policy update enabling greater data sharing with Meta.
• Court highlighted that data carries economic value, not merely privacy concerns, and sought comparison of India’s law with EU’s stricter digital regulations.

Basics and background

• Personal data includes identifiers, location, online behaviour, and metadata; such data fuels targeted advertising, AI training, and platform revenue models in the global digital economy.
• WhatsApp has 500+ million users in India, its largest market globally, making Indian citizens’ data a major economic asset for global tech firms.
• Scholar Shoshana Zuboff terms this model “surveillance capitalism,” where user behaviour is continuously tracked and monetised for predictive advertising.

Constitutional and legal dimensions

• K.S. Puttaswamy (2017) declared privacy a fundamental right under Article 21, including informational self-determination and limits on non-consensual data use.
• DPDP Act, 2023 mandates consent, purpose limitation, and data fiduciary duties, with penalties up to ₹250 crore per breach for non-compliance.
• However, DPDP focuses on privacy harms, not explicitly on economic exploitation or value extraction from aggregated data.

Governance and regulatory aspects

• India’s digital regulation split among MeitY (data protection), CCI (competition), RBI (financial data), TRAI (telecom), creating fragmented oversight over Big Tech platforms.
• CCI found WhatsApp’s policy violated Section 4 of Competition Act (abuse of dominance) by forcing data-sharing conditions on users.
• Supreme Court scrutiny indicates shift toward converged regulation linking privacy, competition, and consumer protection.

Economic dimension

• Global digital advertising market exceeds $600 billion (2024 estimates), with Meta and Google controlling a dominant share using behavioural data analytics.
• Meta’s revenue is ~97% ad-driven, showing direct linkage between personal data profiling and corporate profitability.
• Data-driven network effects create entry barriers, reinforcing Big Tech dominance and raising antitrust concerns.

Social and ethical dimension

• India has ~850 million internet users, but digital literacy remains uneven; many users cannot interpret complex privacy policies or consent architectures.
• Solicitor General noted citizens are “not only consumers but products,” reflecting commodification of user data without direct user compensation.
• Raises ethical issues of informational asymmetry, consent manipulation, and exploitation of vulnerable users.

Technological dimension

• End-to-end encryption protects message content, but not metadata like contacts, timestamps, device data, or behavioural signals used for profiling.
• Studies show metadata can reveal social networks and preferences, often sufficient for targeted advertising without reading messages.
• Cross-platform integration allows Meta to combine Facebook–Instagram–WhatsApp data ecosystems for richer user profiling.

Global comparison

• EU GDPR allows fines up to 4% of global turnover, leading to multi-billion-euro penalties on Big Tech for data violations.
• EU Digital Services Act (DSA) regulates algorithmic targeting and systemic platform risks, going beyond narrow privacy to platform accountability.
• India’s DPDP framework is less stringent on platform power and data value issues.

Data and evidence

• India contributes one of the largest global data pools due to scale of digital public infrastructure and smartphone penetration.
• Surveys show over 90% users accept privacy policies without reading, weakening the legal fiction of informed consent.
• Data brokerage industry globally valued at $250+ billion, built on personal data trade.

Challenges and criticisms

• Consent fatigue makes repeated permissions meaningless, reducing genuine autonomy.
• DPDP lacks explicit provisions on data valuation, revenue-sharing, or algorithmic accountability.
• Enforcement capacity of the Data Protection Board still evolving.
• Balancing innovation and regulation remains a policy tension.

Way forward

• Introduce granular, multilingual, simplified consent dashboards for real informed choice.
• Develop framework on data value, benefit-sharing, and algorithmic transparency.
• Strengthen coordination between MeitY, CCI, and sectoral regulators.
• Build capacity and independence of Data Protection Board.
• Align gradually with global best practices while preserving India’s digital innovation ecosystem.

---