Adv. Shraddha Sunil

The digital age has redefined the contours of privacy, autonomy, and regulation, and few questions capture this shift more sharply than platform governance and data protection. In India, the debate intensified after the Supreme Court, during hearings on 3 February 2026 arising from regulatory proceedings concerning WhatsApp’s 2021 privacy policy update, made strong observations on WhatsApp and its parent company, Meta. The Court described the policy as a “take it or leave it” arrangement (in oral observations) and raised serious concerns about its implications for users’ constitutional right to privacy.

The Supreme Court’s observations arose in appeals stemming from regulatory proceedings concerning the 2021 update. The update triggered antitrust scrutiny and led to an order by the Competition Commission of India (CCI) imposing a monetary penalty and issuing directions. The National Company Law Appellate Tribunal later modified certain directions while sustaining the penalty, prompting a further challenge before the Supreme Court.

The controversy surrounding WhatsApp’s privacy policy did not just involve contractual terms between a private corporation and its users. Rather, it brought to the fore larger questions: Can consent be meaningful in a digital ecosystem dominated by high-dependency or dominant platforms? Do private platform data practices raise constitutional concerns through the lens of State regulation and safeguards? And how does India’s privacy jurisprudence—particularly post-Puttaswamy—shape judicial scrutiny of such conduct?

Also Read: Menstrual Health as a Constitutional Imperative: An Analysis of Dr. Jaya Thakur v. Union of India and the Expanding Scope of Article 21

In January 2021, WhatsApp announced changes to its privacy policy. The updated terms clarified data-sharing and related processing between WhatsApp and its parent company, Facebook (now Meta), particularly in relation to business interactions. While WhatsApp maintained that end-to-end encryption would continue to protect the content of personal chats, the update addressed broader information-sharing and operational integration within Meta’s group entities.

The controversy stemmed from three principal concerns:

• Mandatory acceptance: The Competition Commission of India and other critics characterised the update as a “take it or leave it” arrangement, alleging that users were effectively required to accept the revised policy to continue using the service
• Data-sharing ambiguities: Critics and regulators contended that the policy did not clearly disclose the scope, categories, and purposes of information-sharing with Meta group entities.
• Comparative treatment: Commentators also pointed to differential user protections across jurisdictions—particularly in the European Union under the General Data Protection Regulation (GDPR)—raising questions about differential treatment and the quality of consent across markets.

The update prompted public outcry, regulatory scrutiny, and litigation in India. The dispute has now reached the Supreme Court in appeals arising from CCI/NCLAT proceedings, where the Court has made notable observations on privacy and consent.

Any analysis of the Court’s intervention must begin with the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), in which a nine-judge bench of the Supreme Court unanimously recognised the right to privacy as a fundamental right under Article 21 of the Constitution.

The Puttaswamy ruling established that:

• Privacy is intrinsic to life and personal liberty.
• Informational privacy is a constitutionally protected facet of the right.

It is also widely read as recognising that privacy jurisprudence can entail both negative obligations (restraint from arbitrary interference) and, in appropriate contexts, positive regulatory obligations—i.e., a duty on the State to create safeguards that can protect individuals against privacy harms, including those arising from non-State actors. This is best understood as a doctrinal development flowing from broader privacy jurisprudence, invoked here to explain how private-platform data practices may attract constitutional scrutiny through the lens of State regulation.

This doctrinal expansion is crucial as, by recognising informational privacy as constitutionally protected, the judgment provides a framework for examining questions about data practices not only in the context of State action, but also where State regulation (or its absence) shapes the impact of private platforms on individual privacy. In that light, the Supreme Court’s “take it or leave it” remarks on WhatsApp’s 2021 policy can be read as flagging broader concerns about meaningful digital consent and user autonomy in platform-dominated environments.

One of the most powerful aspects of the Court’s criticism was its characterisation of the privacy policy as a “take it or leave it” arrangement. This language invokes the doctrine of adhesion contracts.

A contract of adhesion refers to a standard-form contract drafted by a dominant party and presented to the weaker party on a non-negotiable basis. Indian courts have historically scrutinised such contracts under principles of:

• Unconscionability
• Inequality of bargaining power
• Public policy

In Central Inland Water Transport Corporation v. Brojo Nath Ganguly (1986), the Supreme Court invalidated an unfair employment clause on grounds of unequal bargaining power. The principle emerging from that case remains relevant in digital contexts.

Critics characterised WhatsApp’s privacy update as presenting users with a binary choice: accept the revised terms or discontinue use of the platform. Given WhatsApp’s near-ubiquity in India with hundreds of millions of users, the “choice” was arguably illusory for many.

Consent under Indian contract law requires free will. However, when a platform achieves near-monopoly status, user dependence may undermine voluntariness.

The Supreme Court’s remarks reflect an evolving recognition that:

• Digital platforms function as essential infrastructure.
• Exiting such platforms can impose significant social and economic costs.
• Consent extracted in such circumstances may not be genuinely voluntary.

This raises a fundamental question: Should digital platforms with dominant market positions be held to higher standards of fairness?

A recurring jurisprudential question is whether constitutional rights apply horizontally between private parties. Indian constitutional adjudication has traditionally conceived fundamental rights as operating vertically—primarily enforceable against the State. However, the Court’s jurisprudence has, over time, recognised that constitutional rights may be implicated even in disputes involving private actors, particularly through the State’s duty to establish and enforce regulatory safeguards. In such cases, constitutional scrutiny often arises indirectly—through examination of whether the State has discharged its obligations by maintaining adequate law, oversight, and remedies.

On this understanding, platform data practices can invite constitutional scrutiny primarily through the lens of the adequacy of State regulation and safeguards, rather than through a direct application of fundamental rights between private parties. Thus, the Supreme Court’s observations on WhatsApp’s policy can be read as raising questions about whether the existing regulatory framework adequately safeguards citizens’ informational privacy.

At the time of the controversy, India lacked a comprehensive data protection framework; The Information Technology Act, 2000, and associated rules provided limited safeguards.

Subsequently, India enacted the Digital Personal Data Protection Act, 2023, and the Digital Personal Data Protection Rules were notified in November 2025. The DPDP framework introduces, inter alia:

• lawful processing requirements;

• notice and consent obligations;

• rights of data principals; and

• penalties for non-compliance.

While the WhatsApp controversy predates the Digital Personal Data Protection Act, it formed part of the broader public and regulatory debate on data governance that preceded the DPDP framework. The episode illustrates how judicial discourse can catalyse regulatory reform in emerging technological domains.

Comparable questions have been examined in other jurisdictions. In the European Union, data protection regulators have emphasised that consent must be genuine and free, particularly where services are offered on ‘consent-or-pay’ or similarly constrained choices. In Germany, competition authorities have scrutinised dominant platforms’ data-combination practices through an antitrust lens. By contrast, the United States continues to operate without a single comprehensive federal privacy statute, relying instead on a sectoral and state-by-state framework.

 India is among the world’s largest digital markets, and policy choices typically require balancing innovation and growth, data-driven entrepreneurship, and protection of fundamental rights. The WhatsApp episode illustrates that privacy safeguards need not be framed as anti-innovation; robust protections may strengthen trust and support sustainable digital growth.

Looking ahead, further adjudication and regulatory engagement may provide greater clarity on:

• the scope and content of “meaningful” digital consent;

• the standards expected of dominant or high-dependency platforms when presenting privacy choices; and

• The relationship between statutory rights under the DPDP framework and constitutional privacy principles in appropriate cases.

The Supreme Court of India’s observations on WhatsApp’s 2021 privacy policy have assumed significance in India’s evolving digital privacy discourse. By describing the policy as a “take it or leave it” arrangement, the Court highlighted concerns about consent and user choice in platform-mediated environments. The controversy, therefore, extends beyond contractual fairness, engaging questions of informational privacy, inequality of bargaining power in standard-form digital contracts, competition-law considerations, and the State’s role—through regulation and oversight—in safeguarding digital autonomy and privacy interests.

Also Read: Export of Services under GST: Supreme Court on Refund Claims of Education Consultants

In the post-Puttaswamy landscape, privacy occupies a central place in constitutional values linked to dignity and autonomy. How courts and regulators ultimately reconcile platform governance with privacy protections is likely to shape the next phase of India’s digital constitutionalism.

About the Author:

Shraddha Sunil is a legal researcher and advocate deeply committed to advancing human rights and constitutional justice in India. She holds an LL.M. in Human Rights, where her dissertation examined India’s inconsistency with its treaty obligations under CEDAW, focusing on the non-criminalisation of marital rape and the State’s positive obligations under international law. Her academic and professional work reflects a strong intersectional approach, engaging with issues of gender, surveillance, and digital rights.

• NB: The author certifies that the work is original. Views expressed are personal.