SC questions WhatsApp, Meta on personal data

SC Questions WhatsApp, Meta on Personal Data

UPSC Study Note — Prelims + Mains

1. At a Glance

• The Supreme Court of India (3-judge Bench headed by CJI Surya Kant) questioned WhatsApp and Meta on their practice of sharing and commercially exploiting personal data of Indian users without meaningful consent. [S1]
• The case highlights the tension between Big Tech data monetisation and the fundamental right to privacy (Article 21) recognised in K.S. Puttaswamy v. Union of India (2017).
• India's first statutory data-privacy law — the Digital Personal Data Protection (DPDP) Act, 2023 — is now in force, with DPDP Rules, 2025 notified on 14 November 2025; this case tests whether the law adequately covers commercial value of data beyond mere privacy. [S2]
• Critical for GS-II (governance, judiciary, rights) and GS-III (technology, data economy).

2. Why in the News

• 4 February 2026: Supreme Court Bench (CJI Surya Kant + Justices Joymalya Bagchi + Vipul M. Pancholi) took up a case concerning WhatsApp/Meta's data-sharing practices. [S1]
• Court compared sharing of private data to a "decent way of committing theft", stating platforms "must have taken away millions of bytes of data." [S1]
• Justice Bagchi pointed out that the DPDP Act, 2023 addresses only privacy and is silent on the commercial value/data value accruing to platforms from users' data. [S1]
• CJI Kant raised the digital literacy concern: whether a poor street vendor or rural user can navigate "cleverly-crafted" consent language and give informed consent. [S1]
• Triggered by WhatsApp's 2021 Privacy Policy update (which forced data-sharing with Meta's family of companies), generating massive user backlash in India and regulatory scrutiny.

3. Background & Evolution

4. Core Static Facts

The DPDP Act, 2023

• Full title: The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) [S2]
• Enacted: 11 August 2023
• Implementing ministry: Ministry of Electronics and Information Technology (MeitY)
• Design principle: SARAL — Simple, Accessible, Rational, Actionable [S2]

Key Definitions (DPDP Act)

Individual Rights under DPDP Act [S2] - Right to access, correct, update, or erase personal data - Right to nominate another person to exercise rights - Data Fiduciaries must respond within maximum 90 days

DPDP Rules, 2025 [S4] - Notified: 14 November 2025 - Compliance window: 18 months (phased)

SC Case (Feb 2026) - Bench: CJI Surya Kant + Justice Joymalya Bagchi + Justice Vipul M. Pancholi - Petitioners/Respondents: WhatsApp & Meta (represented by Mukul Rohatgi and Amit Sibal) - Core issue: Data sharing + commercial exploitation without meaningful informed consent

5. Multi-Dimensional Analysis

Legal / Constitutional

• Article 21 (Right to Life and Personal Liberty) is the constitutional anchor; SC's 2017 Puttaswamy judgment held privacy a fundamental right. [S1]
• DPDP Act, 2023 is the first statutory framework; Justice Bagchi flagged its gap: it covers privacy but not the commercial value of data — a legislative lacuna. [S1]
• WhatsApp/Meta's defence of opt-out + consent clashes with SC's concern over informed vs coerced consent in a platform-dependent economy.
• CCI's concurrent jurisdiction (competition angle) adds complexity: data dominance ≠ competition law violation per se, yet meta-data accumulation confers market power.

Economic

• Data is sometimes called the "new oil"; Meta/WhatsApp monetise user behavioural data through targeted advertising — a multi-billion dollar revenue stream.
• India has ~600 million WhatsApp users — among the largest markets globally; the economic stakes of any restriction on data sharing are enormous.
• Justice Bagchi's observation about "data value" points toward a potential future data dividend or data taxation regime.

Social / Equity

• CJI Kant's concern about poor street vendors and rural users unable to parse consent forms = a digital literacy and equity problem. [S1]
• Marginalised users face asymmetric power: platform is indispensable; opting out is not a real choice for those dependent on WhatsApp for livelihood.
• Disproportionate impact on women, elderly, illiterate users who cannot navigate privacy settings.

Ethical / Governance

• The concept of "meaningful consent" vs. "dark patterns" in UX design — consent manufactured through opaque, legalese-laden policies.
• SC's framing of data-sharing as a "decent way of committing theft" signals judicial intent to pierce consent-based defences.
• Accountability gap: Data Protection Board under DPDP Act, 2025 Rules is yet to be operationally tested.

Scientific / Technological

• WhatsApp messages are end-to-end encrypted (E2EE) — metadata (who contacts whom, when, location) is NOT encrypted and is shareable. [S1]
• Metadata profiling enables granular behavioural targeting even without reading message content.
• Justice Bagchi's "every silo of data has value" reflects the concept of data aggregation — individually innocuous data points combine into sensitive profiles.

6. Recent Developments (Last 12–18 Months)

• January 2025: MeitY releases Draft DPDP Rules, 2025 for public consultation; deadline 18 February 2025. [S3]
• 14 November 2025: DPDP Rules, 2025 notified by Government of India; 18-month phased compliance period commences. [S4]
• 4 February 2026: Supreme Court 3-judge Bench questions WhatsApp and Meta on personal data sharing and commercial exploitation; flags gap in DPDP Act regarding data's commercial value. [S1]
• CCI's investigation into WhatsApp's 2021 privacy policy update remains a parallel track (competition law angle).

7. Prelims Hooks

1. The DPDP Act, 2023 bears the number No. 22 of 2023 and was enacted on 11 August 2023.
2. Implementing ministry for the DPDP Act: Ministry of Electronics and Information Technology (MeitY) — NOT Ministry of Law.
3. The DPDP Rules, 2025 were notified on 14 November 2025, with an 18-month phased compliance period.
4. The Act follows the SARAL design principle: Simple, Accessible, Rational, Actionable.
5. Under the DPDP Act, an individual is called a Data Principal; an entity processing data is a Data Fiduciary.
6. Data Fiduciaries must respond to access/correction/erasure requests within 90 days maximum.
7. Data Protection Board is the adjudicatory body; it is fully digital — complaints filed online.
8. The right to privacy as a fundamental right was upheld by a 9-judge SC Bench in K.S. Puttaswamy v. Union of India (2017) under Article 21.
9. The 3-judge SC Bench (Feb 2026) was headed by CJI Surya Kant, with Justices Bagchi and Pancholi.
10. WhatsApp was represented by Mukul Rohatgi; Meta was represented by Amit Sibal.
11. Justice Bagchi noted the DPDP Act covers privacy but is silent on the commercial value of data — a legislative gap.
12. The B.N. Srikrishna Committee (2018) submitted the first draft Personal Data Protection Bill.
13. Consent Manager is a DPDP Act concept: a registered entity helping Data Principals manage and withdraw consent.
14. Significant Data Fiduciary (SDF) designation is made by the Central Government based on risk/sensitivity criteria.
15. WhatsApp argued messages are end-to-end encrypted and users can opt out of data sharing — both defences were questioned by the SC Bench.

8. Mains Relevance

Plausible Mains Questions 1. "The Digital Personal Data Protection Act, 2023 is a landmark but incomplete framework. Critically examine its provisions and gaps in light of the Supreme Court's observations in the WhatsApp-Meta case (2026)." (GS-II/III) 2. "Informed consent is a fiction for millions of digitally illiterate Indians. Analyse the equity dimensions of data privacy regulation in India and suggest corrective measures." (GS-II) 3. "Data is the new oil, but its commercial value remains unaddressed in Indian law. Discuss, with reference to the DPDP Act, 2023 and international best practices." (GS-III)

9. Related Topics to Study Next

10. Common Errors / Trap Areas

1. Wrong ministry: DPDP Act is under MeitY, NOT Ministry of Law or Ministry of Home Affairs.
2. Confusing the Act number: DPDP Act is No. 22 of 2023, not to be confused with the IT Act, 2000 (No. 21 of 2000) — adjacent numbers, common slip.
3. "DPDP Act protects all data": The Act covers digital personal data only — not anonymised data, not data processed for national security, not offline/paper data.
4. Conflating opt-out with consent: WhatsApp's "opt-out" model is legally distinct from explicit/affirmative consent (opt-in); SC's concern was precisely this conflation.
5. E2E encryption = total privacy: WhatsApp messages are E2EE but metadata (contacts, frequency, location) is NOT encrypted and CAN be shared — a technically important distinction often missed.
6. DPDP Rules, 2025 vs. DPDP Act, 2023: The Rules were notified 14 November 2025, two years after the Act; aspirants sometimes treat them as contemporaneous.

11. Sources

• [S1] "SC questions WhatsApp, Meta on personal data" — The Hindu, 4 February 2026 — https://www.thehindu.com/todays-paper/2026-02-04/th_international/articleG0SFHLIVP-13366556.ece — (Tier 4; article excerpt as primary source)
• [S2] Digital Personal Data Protection Act, 2023 — MeitY — https://www.meity.gov.in/content/digital-personal-data-protection-act-2023 — (Tier 1)
• [S3] MeitY Draft DPDP Rules 2025 — PIB — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2090048 — (Tier 1)
• [S4] DPDP Rules, 2025 Notified — PIB — https://www.pib.gov.in/PressNoteDetails.aspx?NoteId=156054&ModuleId=3&reg=3&lang=2 — (Tier 1)
• [S5] Digital Personal Data Protection Bill, 2023 — PRS India — https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 — (Tier 1-adjacent / reference)