Current Affairs Topics Archive
International Relations Economics Polity & Governance Environment & Ecology Science & Technology Internal Security Geography Social Issues Art & Culture Modern History

Why is WhatsApp's privacy policy facing a legal challenge in India?

March 01, 2026 4 min read Polity & Governance Science & Technology GS2 (Government Policies Regulatory Bodies) GS3 (Science & Technology Cybersecurity)
On This Page

What Happened

  • In January 2021, WhatsApp updated its privacy policy requiring all users to consent to sharing their data with Meta (then Facebook) and its subsidiaries for advertising purposes — with no opt-out option for existing users.
  • The Competition Commission of India (CCI) investigated the policy as an abuse of dominant position and, in November 2024, imposed a penalty of ₹213.14 crore on Meta for violations under the Competition Act, 2002.
  • CCI also directed a five-year ban on WhatsApp sharing user data with other Meta companies for advertising, and mandated a consent-based framework giving users opt-out rights.
  • Meta appealed before NCLAT (National Company Law Appellate Tribunal), but WhatsApp informed the Supreme Court in February 2026 that it will comply with CCI's directions and implement a consent framework by March 16, 2026.
  • The case is significant as it is the first major instance in India where competition law has been applied to enforce data privacy rights.

Static Topic Bridges

Competition Commission of India (CCI) and Abuse of Dominant Position

The Competition Commission of India (CCI) is a statutory body established under the Competition Act, 2002 to prevent anti-competitive practices, promote fair competition, and protect consumer interests in markets. CCI has jurisdiction over all enterprises operating in India — including foreign digital platforms.

  • Section 4 of the Competition Act, 2002 prohibits abuse of a dominant position. Section 4(2)(a)(i) specifically prohibits imposing unfair or discriminatory conditions on purchase or sale of goods/services.
  • Section 4(2)(c) prohibits practices that create entry barriers, which CCI found applicable to WhatsApp's data-sharing arrangements that entrenched Meta's ecosystem advantage.
  • CCI can impose penalties up to 10% of average relevant turnover for three preceding financial years.
  • The WhatsApp case involved a "take-it-or-leave-it" policy on a platform with over 500 million users in India — the largest user base globally — making market dominance clearly established.
  • CCI found that excessive data-sharing between WhatsApp and Meta created structural entry barriers for rival messaging apps.

Connection to this news: CCI's ₹213.14 crore penalty and five-year data-sharing ban demonstrate how competition law can be a regulatory tool for enforcing digital privacy, bridging the gap until comprehensive data protection legislation is operationalised.

Puttaswamy Judgment (2017) — Right to Privacy as a Fundamental Right

In Justice K.S. Puttaswamy v. Union of India (2017), a nine-judge constitutional bench of the Supreme Court unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution. This landmark ruling overruled the earlier ADM Jabalpur (1976) and M.P. Sharma (1954) judgments, which had denied privacy as a fundamental right.

  • The nine-judge bench delivered six concurring opinions, all agreeing that privacy is an intrinsic part of the right to life and personal liberty under Article 21.
  • The judgment established that informational privacy — the right to control one's personal data — is a protected aspect of this fundamental right.
  • It also held that privacy rights operate against both state and non-state (private corporate) actors.
  • The judgment explicitly called for a robust data protection law, which eventually led to the Digital Personal Data Protection Act, 2023.
  • The case was originally filed challenging the Aadhaar Act's mandatory biometric data collection requirements.

Connection to this news: WhatsApp's forced data-sharing policy directly implicates informational privacy rights recognised in Puttaswamy. The CCI's intervention effectively enforces a privacy protection that the DPDP Act 2023 is yet to fully operationalise.

Digital Personal Data Protection Act, 2023 (DPDPA)

The Digital Personal Data Protection Act, 2023 is India's comprehensive data protection legislation, enacted after nearly six years of deliberation following the Puttaswamy judgment. It establishes a consent-based framework for processing personal data.

  • The DPDPA requires data fiduciaries (entities processing data) to obtain free, informed, specific, and unconditional consent from data principals (individuals).
  • Section 6 mandates that consent must be as easy to withdraw as it was to give — directly addressing the WhatsApp-style "take-it-or-leave-it" consent model.
  • Section 17(2)(b) allows the Central Government to exempt government instrumentalities from certain provisions on grounds of national security and public order — a contested provision.
  • A Data Protection Board of India is to be constituted as the adjudicatory authority under the Act.
  • As of early 2026, the DPDPA's rules had not been fully notified, leaving CCI as the primary enforcement mechanism for data-related competition concerns.

Connection to this news: The WhatsApp case highlights the regulatory vacuum that exists while DPDPA rules remain un-notified. CCI has stepped in to enforce data rights through competition law in the interim.

Key Facts & Data

  • CCI penalty on Meta: ₹213.14 crore (November 2024)
  • WhatsApp users in India: Over 500 million (world's largest user base)
  • CCI remedy: Five-year ban on WhatsApp-Meta data sharing for ads + mandatory consent framework
  • Compliance deadline set by Supreme Court: March 16, 2026
  • Legal provisions violated: Section 4(2)(a)(i) and Section 4(2)(c), Competition Act, 2002
  • Foundational privacy judgment: Puttaswamy v. Union of India (2017) — 9-judge bench
  • Data protection legislation: Digital Personal Data Protection Act, 2023 (rules pending)
  • Appeal route: NCLAT → Supreme Court