tl;dr
Last week, the Ministry of Electronics & Information Technology used a government-run account to send a WhatsApp message to millions of users, purportedly seeking feedback and suggestions on their governance. Although the ECI has asked MeitY to discontinue these messages given that the Model Code of Conduct is in force, users were quick to raise pertinent questions about government access to such a database, the role of online communication platforms in facilitating formal government communication, the timing of the message in the context of the upcoming elections starting in April, and the regulations (or lack thereof) in place to safeguard our privacy. In this post, we unravel these questions in depth and document the actions we have taken in search of some answers.
Background
From March 15, 2024 onwards, millions of WhatsApp users received a message from a government-run account named ‘Viksit Bharat Sampark’ seeking feedback and suggestions from Indian citizens on existing welfare schemes, adjoined with a letter from Prime Minister Narendra Modi. The letter enumerates reform efforts brought on by the incumbent government and their plans to “work to fulfil the resolve of building a Viksit Bharat” or ‘advanced India’. This missive was sent by the Ministry of Electronics & Information Technology (“MeitY”) and undersigned by the Prime Minister.
There are a number of concerns and questions that emerge from this outreach. First, questions about data privacy of our contact information – where did MeitY secure the contact information of such a large database of users from? When did it begin using this information for outreach, arguably without their consent? Is any of this in line with established data privacy norms?
Second is the question of why WhatsApp was chosen as a medium for outreach, and what roles and responsibilities similar platforms have in context of political campaigns and elections. Third, we look into how the soon-to-be-enacted Digital Personal Data Protection Act (“DPDPA”) affects (or exempts) government actions along this line and what to expect when it is finally operationalised. Lastly, we look at what this means in context of the upcoming General Elections. Sent only a few days ahead of the Election Commission of India (“ECI”) issuing its Model Code of Conduct (“MCC”), the message may also serve as a vessel for covert electoral campaigning in a manner that potentially flouts the MCC.
On a positive note, on March 21, the ECI took note of the several complaints it received stating that the message was being sent while the Model Code of Conduct was in force, and wrote to MeitY, instructing them to discontinue the messages and too send a compliance report at the earliest.
A peek into MeitY’s contact book
The first and most important question that emerges from this fiasco is – where did MeitY get my number from? It is not clear what database (one, or many?) MeitY has relied on to send out the broadcast, further made confusing by the fact that individuals from UAE and Pakistan, who are not Indian citizens, have received it too. This becomes more convoluted when we begin speculating upon the intent of the government to send out the message merely a few days before important guidelines on election campaigning over platforms come into effect (more on this in later sections) – if the intent is campaigning, why were individuals who are not Indian citizens targeted? Were there criteria based on which database(s) or recipients were chosen? What were the criteria?
Further, it may be the case that MeitY has obtained the database from another agency/authority, either public or private, but that raises doubts about the lawfulness of how it was obtained, or whether privacy norms (such as the obligation to take specific and informed consent before processing or using personal data for a purpose other than the purpose originally consented to) were followed.
We have asked the ministry to clarify these doubts through an RTI request, where we seek information on, among other things, the source of contact information, total number of messages sent, and costs incurred:
But we have a data protection law, right? RIGHT?
It is worth remembering that the government holds access to this extensive database (one, or many) in the absence of an operational data protection law. The DPDPA, 2023 is not in operation yet, but even when it gets enacted and its procedural rules notified, it may still not be able to adequately regulate data storage and sharing by the government. Simply because Section 17 of the Act holds the power to exempt government and other public authorities from its very application at any given time. Read more about how the DPDPA fails to safeguard our privacy here.
A government DM on WhatsApp was not on my 2024 bingo card
While we are accustomed to receiving messages from the government through our telecom service providers, communication through an online communication platform has caught us off guard – making us question what statute/ law exactly allows this. WhatsApp’s Business Messaging Policy clearly states that a business account may only contact people on WhatsApp if: “(a) they have given you their mobile phone number; and (b) you have received opt-in permission from the recipient confirming that they wish to receive subsequent messages from you on WhatsApp”. WhatsApp emphasises on the need to have informed consent of the users receiving the message and clear communication regarding the opt-in choice of the user. It also suggests best practices to create a high-quality opt-in experience:
Disappointingly, the message sent by the government does not declare how and when, if at all, users shared their mobile numbers and gave their consent/ opted-in to being contacted on WhatsApp. The policy also states that the business account is “responsible for and must secure all necessary notices, permissions, and consents to collect, use, and share people's content and information, including maintaining a published privacy policy, and otherwise complying with applicable law.” Since the DPDPA, 2023 is not yet operational, its provisions and limited safeguards will not apply to the government.
Clause 7 of the DPDPA, 2023 allows the Data Fiduciary to not obtain the informed consent of the Data Principal and assume the consent if the processing was considered necessary as per certain situations. It is worth noting that the DPDPA, 2023 varied from its 2022 iteration as it omitted “public interest” as one of the situations wherein consent may be deemed and data processed non-consensually. This was a positive development since the 2022 iteration failed to strictly define the situations in which it may be invoked and thus, could have been widely interpreted leading to misuse. Notably, Clause 7(b) gives state instrumentalities a concerning amount of liberty to process the personal data of data principals if the latter has previously consented to its processing or if such data is maintained by any instrumentality of the State. However, at the moment we are unable to decipher if such unsolicited and non-consensual outreach from the government would have been a violation of Clause 7 of the Act, since it is not yet in operation.
Outreach right before the elections? The timing is sus
The message, broadcast to millions of people through WhatsApp, may be viewed in the context of the upcoming elections as the communication happened around the time the Model Code of Conduct went into effect. Reports of the message being received by individuals surfaced as early as March 16, the same day the ECI announced the election dates. The MCC prohibits the party in power from the misuse of official mass media during the election period for partisan coverage of political news and publicity regarding achievements. The ECI, through the MCC, also prohibits the issuance of advertisements at the cost of the public exchequer in newspapers and other media during the election period. This may lead us to question - Does the timing of the communication, which happened around the time the election dates were announced and the MCC went into effect, have potential electoral implications?
On March 21, 2024, the ECI wrote to MeitY, asking them to discontinue delivery of the messages on WhatsApp. As per the letter, the ECI received several complaints from individuals about getting the message from MeitY during the MCC period. The letter also notes that although the Ministry sent out the messages on March 15, the system architecture and network limitations of the communication platform chosen by the government delayed the delivery. The ECI also asked MeitY to send a compliance report at the earliest. We appreciate the ECI for taking note of the complaints, enforcing the MCC, and instructing MeitY to discontinue the messages.
Now: EC instructs MeitY to stop sending WhatsApp messages about Viksit Bharat during MCC. pic.twitter.com/PE0cd0289L
— Aditi Agrawal (@Aditi_muses) March 21, 2024
However, we also note that this kind of communication by MeitY is not new, especially with the general elections less than a month away. In the months leading up to elections, electoral candidates and political parties make large investments in campaigns, rallies, outreach, and other modes with which they can reach voters and influence popular vote. A prevalent way of doing this is targeted outreach or ‘votebank politics’, where parties can appeal to certain socio-economic groups specifically by outlining the kind of welfare they can bring to the groups.
In recent years, parties have resorted to questionable means of collecting demographic data for the purposes of targeted campaigning. By tapping into government databases and accessing beneficiary information across schemes, or by means of online ‘surveys’ and mobile apps, parties are able to extract a lot of personal information about voters and create 360° profiles to run extremely targeted campaigns. This video by Shivam Shankar Singh titled ‘Weaponising Data for Politics’, explains how precisely parties are able to draw voter profiles from data accessed by dubious means. We are working on a detailed explainer on how this is done, and the privacy concerns emerging from the practice. Meanwhile, we hope the ECI keeps their momentum going after this incident, and engages more meaningfully on how political parties access personal data.
What has IFF done about it?
Much like several concerned people on the internet, we too have questions about this outreach. In the hopes for some answers, we have filed the above mentioned RTI application. We have recently also published a short video summarising concerns and efforts. We are additionally exploring all avenues, including potential legal challenges to the inadequate DPDPA, 2023 pushing for a rights-respecting data protection framework.