WhatsApp Defends Data Practices in Supreme Court Hearing

As WhatsApp contests a hefty penalty, it asserts compliance with user consent directives for data sharing with Meta amidst privacy policy scrutiny.

Gopi

•February 24, 2026•6 mins read

WhatsApp Privacy Case: Supreme Court Examines Data Sharing, User Consent and Competition Law Implications

Not Started

1. Context: Supreme Court Hearing and Institutional Framework

The Supreme Court is currently examining petitions filed by WhatsApp and its parent company Meta challenging a National Company Law Appellate Tribunal (NCLAT) order. The NCLAT had upheld a ₹213.14 crore penalty imposed by the Competition Commission of India (CCI) over WhatsApp’s 2021 privacy policy.

The controversy revolves around WhatsApp’s alleged “take-it-or-leave-it” policy that required users to accept data-sharing provisions with Meta as a condition for continued access to its messaging services. The CCI held that such conduct amounted to abuse of dominant position under competition law.

During the hearing, WhatsApp argued that it does not improperly share data with other Meta platforms and that its technology prioritises privacy through end-to-end encryption. It also submitted that the Digital Personal Data Protection (DPDP) Act, 2023 now comprehensively addresses privacy concerns.

“There is no question of violating the law.” — Kapil Sibal, Senior Advocate for WhatsApp/Meta

The case represents a critical institutional intersection between constitutional privacy rights, statutory data protection, and competition regulation. If unresolved, it could weaken regulatory clarity in India’s rapidly expanding digital economy.

2. Core Issue: Abuse of Dominance and Forced Consent

The CCI found that WhatsApp’s 2021 privacy policy constituted an abuse of dominant market position. According to the regulator, the prior consent obtained from users to share data with Meta was “manufactured,” as users were compelled to accept the policy to continue using the platform.

The NCLAT reinforced this reasoning, stating that the central objective was to restore user choice and prevent exploitation. It clarified that users must retain control over what data is collected, for what purpose, and for how long.

“The core principle is to remove exploitation by restoring user choice.” — NCLAT

The tribunal observed that non-essential data collection or cross-use, including for advertising, must be based on express and revocable consent of users.

Key Regulatory Findings:

Penalty imposed: ₹213.14 crore
Policy under scrutiny: 2021 WhatsApp Privacy Policy
Concern: Forced data-sharing as condition for service access

This issue reflects a structural challenge in digital markets where dominant platforms can leverage network effects to extract consent. If unchecked, it can erode both consumer welfare and competitive neutrality.

3. Privacy vs Competition Law: Dual Regulatory Dimensions

Senior advocate Madhavi Goradia Divan, representing the CCI, emphasized that the case involves two distinct but interconnected domains: privacy/data protection and competition law.

Privacy law concerns whether personal data is lawfully collected, processed, and shared. Competition law, however, focuses on whether such practices distort market conditions, restrict consumer choice, or strengthen dominance unfairly.

The Supreme Court Bench cautioned that it would not allow platforms to breach the privacy rights of “silent consumers” through commercial exploitation of data. It went so far as to compare improper data-sharing to theft, highlighting constitutional sensitivity around informational privacy.

This reflects the jurisprudential shift post-K.S. Puttaswamy v. Union of India (2017), where the Supreme Court recognised privacy as a fundamental right under Article 21.

The dual lens ensures that digital regulation is not reduced to mere data compliance but also addresses structural market power. Ignoring either dimension may create regulatory blind spots in platform governance.

4. Role of the Digital Personal Data Protection (DPDP) Act, 2023

WhatsApp argued that the DPDP Act, 2023 provides a comprehensive statutory framework addressing privacy concerns. The Act introduces consent-based data processing, obligations on data fiduciaries, and penalties for violations.

However, the existence of a data protection law does not automatically resolve competition law concerns. The NCLAT held that even if users are allowed to opt in or out, the market structure and dominance dynamics remain relevant for scrutiny.

The tribunal found the CCI’s five-year ban on sharing data for advertisement purposes redundant, as users were already being provided with opt-in or opt-out choices. Nevertheless, it insisted on strict compliance with consent norms.

Key Legal Development:

DPDP Act enacted: 2023
Compliance deadline set by WhatsApp: March 16, 2026

The episode highlights that sectoral regulation (data protection) and market regulation (competition law) must operate in complementarity. Relying solely on consent frameworks may be insufficient in markets characterised by asymmetrical power.

5. End-to-End Encryption and Technological Safeguards

WhatsApp submitted a comprehensive affidavit explaining its end-to-end encryption technology, asserting that message content remains inaccessible even to the company.

However, the regulatory concern extends beyond message content to metadata and cross-platform data use for advertising or commercial profiling. The distinction between encrypted communication and commercial data processing lies at the heart of the controversy.

The Supreme Court’s earlier oral remarks indicate a judicial insistence on safeguarding privacy not only in theory but in operational design.

Technological safeguards are necessary but not sufficient. Without transparent data governance practices, encryption alone cannot address concerns about profiling, targeted advertising, or market consolidation.

6. Governance and Policy Implications

This case has broader implications for India’s digital governance architecture.

First, it tests the balance between innovation and regulation in a fast-growing digital economy. Over-regulation could deter investment, while under-regulation may enable data monopolies.

Second, it reinforces the constitutionalisation of digital rights. Judicial oversight ensures that private digital platforms cannot undermine fundamental rights indirectly.

Third, it clarifies institutional roles:

Supreme Court: Constitutional oversight
CCI: Market fairness and anti-competitive conduct
Data Protection Authority (under DPDP Act): Privacy compliance

Consequently, the case may set precedents on:

Validity of bundled consent
Limits of data monetisation
Interplay between privacy and competition law

Clear jurisprudence in this domain is essential to maintain trust in digital platforms. Weak enforcement could undermine consumer confidence and long-term digital transformation goals.

7. Way Forward: Towards Integrated Digital Regulation

India requires a harmonised digital regulatory ecosystem that integrates privacy, competition, and consumer protection.

Key directions include:

Ensuring granular, informed, and revocable consent
Strengthening coordination between CCI and data protection authorities
Promoting transparency in algorithmic and data-sharing practices
Developing jurisprudence on data as a source of market power

India’s digital economy is expanding rapidly, and platforms play a central role in governance, commerce, and communication. The regulatory framework must evolve accordingly.

Conclusion

The WhatsApp privacy policy litigation represents a landmark moment in India’s digital constitutionalism. It underscores that privacy, competition, and consumer choice are interconnected pillars of digital governance.

A balanced regulatory approach—protecting rights without stifling innovation—will be crucial for ensuring that India’s digital transformation remains inclusive, competitive, and constitutionally compliant.

Quick Q&A

Everything you need to know

Key issues: The Supreme Court case revolves around WhatsApp's 2021 privacy policy, specifically its 'take-it-or-leave-it' approach for data sharing with parent company Meta. The Competition Commission of India (CCI) had imposed a ₹213.14 crore penalty, finding that the consent sought from users was effectively manufactured and users had no real choice, thus constituting abuse of market dominance.

Core legal concerns:

Privacy of personal data under the Digital Personal Data Protection (DPDP) Act, 2023.
User consent and its validity when access to services is conditioned upon agreeing to data sharing.
Competition law implications, as the unilateral collection of data by a dominant player may reduce market choice and exploitation of consumers.

Significance: The case addresses the intersection of technology, privacy rights, and market regulation in India, highlighting the responsibilities of digital platforms operating at scale and the regulatory mechanisms needed to protect consumers.

Right to privacy: Privacy is a fundamental right under Article 21 of the Constitution of India, and digital platforms collecting and sharing personal data implicate this right directly. The Supreme Court has repeatedly reinforced that privacy extends to personal communications and the security of user information.

Potential misuse: Unchecked sharing of user data can lead to profiling, targeted advertising, and commercial exploitation without informed consent, which the court likened to a “decent way of committing theft.” The Court’s concern is to prevent both direct abuse and subtle erosion of privacy for millions of silent users.

Market dominance angle: In addition to individual privacy, large-scale data collection by dominant tech platforms can distort market competition and limit user choice. By emphasizing privacy, the Court aims to create a balance between technological growth, individual rights, and consumer protection.

Legal framework: The Digital Personal Data Protection (DPDP) Act, 2023, provides a statutory mechanism for the collection, storage, processing, and transfer of personal data in India. It mandates user consent, data minimization, purpose limitation, and accountability of data fiduciaries.

Consent requirements: The Act emphasizes informed and revocable consent, ensuring that users have control over what data is collected, how it is used, and for what duration. This directly addresses concerns about WhatsApp's prior approach of mandatory acceptance for continued service access.

Enforcement and compliance: Under the DPDP Act, non-compliance can attract penalties, audits, and regulatory scrutiny. The Act complements competition law enforcement by creating transparency in data practices, allowing regulators to assess whether dominant players are exploiting user data unethically.

CCI’s findings: The CCI found that WhatsApp leveraged its dominant market position to impose a 'take-it-or-leave-it' privacy policy in 2021. Users were effectively forced to share personal data with Meta to continue using WhatsApp services, eliminating meaningful choice.

Implications for competition: Such practices create barriers to entry for smaller players, reduce consumer choice, and potentially allow Meta to exploit combined datasets across its ecosystem for commercial purposes. This constitutes abuse of market dominance under India’s Competition Act, 2002.

Objective of the penalty: By imposing a ₹213.14 crore fine, the CCI sought to restore user choice, prevent exploitation, and signal to the market that dominant digital platforms cannot bypass consumer consent, thus protecting both privacy and competitive fairness.

Complexity of digital data: Data collected by platforms like WhatsApp is multifaceted, involving messaging content, metadata, device information, and cross-platform usage. Regulating such data while preserving functionality poses technological and legal challenges.

Consent versus utility: Platforms argue that strict consent requirements could disrupt user experience or service delivery. The debate lies in ensuring privacy without undermining innovation or utility, highlighting the tension between individual rights and corporate interests.

Regulatory overlap: Multiple laws—DPDP Act, Competition Act, and sector-specific regulations—intersect. Ensuring coherent enforcement is challenging, as privacy infringements may simultaneously raise competition concerns. Cases like WhatsApp illustrate the need for integrated regulatory frameworks, technological audits, and continuous judicial oversight to protect privacy and prevent market exploitation effectively.

Compliance measures: WhatsApp has submitted a comprehensive affidavit to the Supreme Court explaining its end-to-end encryption technology, emphasizing that message content cannot be accessed by Meta. This strengthens the privacy protections built into the platform.

User choice: WhatsApp has committed to fully implementing the NCLAT directions by March 16, 2026, allowing users to opt in or out of sharing personal data with Meta for non-essential purposes like advertising.

High-security mode: The platform has introduced enhanced security features for users, signaling technological and policy efforts to protect sensitive data. These steps illustrate how platforms can integrate regulatory compliance with technical safeguards, balancing user trust, operational functionality, and legal obligations.

Global relevance: The WhatsApp-Meta case mirrors international debates on data protection, consent, and platform accountability, similar to GDPR enforcement in the EU and antitrust actions against tech giants in the U.S.

Key lessons:

Dominant platforms must balance data monetization with privacy rights.
Regulatory frameworks must evolve with technology, emphasizing informed consent and user autonomy.
Judicial oversight remains crucial in interpreting laws where statutory guidance is new or evolving, as in India with the DPDP Act, 2023.

Implications: The case sets a precedent for the regulation of digital platforms in India, ensuring that user consent is meaningful, market dominance does not lead to exploitation, and privacy is treated as a core component of consumer protection. It highlights the convergence of privacy, competition, and technology law in the digital era.