Supreme Court Slams Meta and WhatsApp Over Privacy Policy Exploitation

In a scathing rebuke that underscores India's deepening commitment to data sovereignty, a Supreme Court bench led by Chief Justice Surya Kant on Tuesday sharply criticized Meta Platforms Inc. and WhatsApp LLC for their 2021 privacy policy update, deeming it a veiled mechanism for exploiting Indian users' personal data. Hearing appeals against a National Company Law Appellate Tribunal (NCLAT) ruling that upheld a ₹213.14 crore penalty imposed by the Competition Commission of India (CCI), the Court refused to permit even "a single piece of information" to be shared without safeguards, highlighting the fundamental right to privacy under Article 21 of the Constitution. The bench, comprising Justices Joymalya Bagchi and Vipul Pancholi, admitted the appeals but conditioned further proceedings on affidavits from the tech giants clarifying their data practices, while impleading the Ministry of Electronics and Information Technology (MeitY). This intervention not only amplifies scrutiny on Big Tech's monopolistic behaviors but also signals a judicial pivot toward enforcing robust data protection in the digital age, potentially reshaping compliance landscapes for multinational corporations operating in India.

The Court's remarks came amid arguments that WhatsApp's policy imposed a "take-it-or-leave-it" framework, forcing users to consent to data sharing with Meta entities for advertising purposes or risk losing access to the platform. CJI Kant likened this to "a decent way of committing theft of private information," emphasizing the lack of meaningful choice for average consumers, including vulnerable users like street vendors or rural residents who may not comprehend complex policy terms. This hearing, part of Civil Appeals Nos. 301-302/2026 (Meta) and 366-367/2026 (WhatsApp), also addressed a cross-appeal by the CCI challenging NCLAT's partial relief allowing such data sharing. With WhatsApp holding a near-monopoly in India's over-the-top (OTT) messaging market—boasting over 500 million users—the case raises profound questions about the intersection of competition law and privacy rights, at a time when the Digital Personal Data Protection Act, 2023 (DPDP Act) awaits enforcement.

Background of the Dispute

The controversy traces back to WhatsApp's controversial 2021 privacy policy overhaul, which expanded data collection and sharing practices with parent company Meta (formerly Facebook) to fuel targeted advertising. The CCI, in its November 2024 order, investigated these changes under Section 4 of the Competition Act, 2002, which prohibits abuse of dominant position. Finding WhatsApp's dominance in the relevant market undeniable, the regulator concluded that conditioning service access on acceptance of the policy constituted an unfair imposition, effectively leveraging the platform's monopoly to extract user data for non-messaging purposes like ad personalization across Meta's ecosystem.

The CCI's probe was triggered by user backlash and petitions highlighting the policy's opt-out limitations—users could decline data sharing but faced reduced functionality or bans, creating an illusion of choice. In a landmark directive, the CCI not only levied the ₹213.14 crore penalty on Meta (calculated at 5% of its average turnover) but also issued remedial measures: prohibiting tying messaging access to data consent, mandating transparent opt-in/opt-out interfaces, and requiring disclosures on data flows between WhatsApp and other Meta apps like Facebook and Instagram. These steps aimed to restore user autonomy and prevent anti-competitive bundling in digital services.

Meta and WhatsApp swiftly appealed to the NCLAT in January 2025, arguing the CCI overstepped into privacy regulation, a domain reserved for data protection laws. In November 2025, the NCLAT upheld the abuse-of-dominance finding and penalty, affirming that the policy distorted competition by entrenching Meta's ad market power. However, it granted partial relief by setting aside a five-year ban on advertising-related data sharing and ruling that no dominance was abused in the broader advertising ecosystem. The CCI's cross-appeal to the Supreme Court contested this leniency, urging stricter curbs on data monetization. This layered litigation reflects the evolving regulatory mosaic in India, where antitrust authorities increasingly intersect with privacy enforcers, especially post the 2017 Puttaswamy judgment recognizing privacy as intrinsic to life and liberty.

The backdrop also includes an ongoing Constitution Bench reference examining the 2021 policy's constitutionality, where WhatsApp previously undertook not to ban non-compliant users—a commitment reiterated during Tuesday's hearing. Moreover, the DPDP Act, enacted in August 2023, looms large, imposing fiduciary duties on data handlers like WhatsApp to ensure consent is free, specific, and informed. Though not yet notified (with a compliance deadline of May 2027), its principles of data minimization and purpose limitation were invoked, though Justice Bagchi noted its non-enforceability for now.

Supreme Court's Fiery Remarks

The February 2026 hearing opened with senior advocates Mukul Rohatgi (for Meta) and Akhil Sibal (for WhatsApp) informing the bench that the penalty had been deposited, seeking admission of appeals. However, CJI Kant immediately pivoted to substantive concerns, questioning the policy's equity: "Consumer has no choice, you have created monopoly. You are making a mockery of the constitutionalism of this country." He challenged the efficacy of opt-outs, rhetorically asking, "A poor woman selling fruits on the streets, will she understand the terms of your policy? Nobody will be available to understand. Will your domestic help understand this?"

The Chief Justice's tone escalated as he addressed data sharing: "We may hear the appeal on merits. In the meantime, we will not allow you to share even a single piece of information. You cannot play with the right of privacy of this country." Drawing from personal anecdote, CJI Kant illustrated behavioral targeting: "If a message is sent to a doctor on WhatsApp that you are feeling under the weather, and the doctor sends some medicine prescriptions, immediately you start seeing ads." This underscored the Court's view of data as a commodified asset, exploited without adequate safeguards.

Justice Bagchi echoed these sentiments, probing the commercial underbelly: "Every silo of data, irrespective of privacy, has a value, we would like to examine, what is the rent sharing of data... we are concerned about how our behaviour is utilised and monetised for trends." He contrasted India's framework with the EU's, where data sharing carries a taxable notional value under GDPR, a point amplified by Solicitor General Tushar Mehta: "Our personal data is not only sold, but also commercially exploited." The bench also flagged notification disparities—platforms push in-app consents but bury opt-outs in newspaper ads—questioning accessibility for "silent consumers" in remote areas.

Arguments from the Parties

Representing the appellants, Rohatgi and Sibal defended the policy as compliant with global standards, stressing WhatsApp's end-to-end encryption: "WhatsApp messages are end-to-end encrypted and that even WhatsApp cannot see the messages sent between two users." They invoked the Constitution Bench's undertakings and the DPDP Act's timeline, arguing the NCLAT merely aligned Indian users with international practices. Rohatgi offered a one-page affidavit to detail operations, which the Court accepted.

For the CCI, Senior Advocate Samar Bansal countered by framing users as unwitting products: "Their entire revenue comes from advertising. We are the products milords. It is free because of that." He affirmed the regulator's exhaustive examination of data's ad value, justifying the penalty. Mehta, intervening, reinforced the "take-it-or-leave-it" coercive nature, while the Court suggested legitimate monetization is acceptable but not at privacy's expense: "There is nothing wrong if you are making legitimate income out of it," CJI Kant noted, provided undertakings are given.

Faced with this judicial volley, the bench adjourned to the following Monday, directing affidavits and impleading MeitY for policy input. It also barred penalty withdrawal pending resolution.

Intersecting Legal Frameworks

This case exemplifies the tension between competition and privacy regimes. Under the Competition Act, the CCI's focus on market foreclosure via data tying aligns with global precedents like the EU's probes into Google's Android bundling. Yet, the Supreme Court's invocation of privacy elevates it to constitutional stature, per Puttaswamy (2017), where data protection was deemed essential to dignity. The policy's adhesion contract nature—standard-form terms with unequal bargaining—may violate Article 14's equality guarantee, as consent becomes illusory for non-negotiable services.

The DPDP Act, once enforced, will mandate granular consent for non-essential processing like ads, potentially nullifying opt-outs buried in fine print. Unlike the EU GDPR's extraterritorial bite and data adequacy mechanisms, India's law emphasizes sovereignty, restricting cross-border flows without reciprocity. Justice Bagchi's query on data "renting" highlights an underexplored valuation—could courts impose notional pricing, akin to EU digital services taxes? End-to-end encryption, while robust for messaging, falters on metadata (e.g., contacts, timestamps) shared for ads, exposing a loophole the Court seems poised to close.

Critically, the ruling could redefine dominance in platform economies, where "free" services mask extractive models. Legal scholars may draw parallels to U.S. cases like FTC v. Facebook, but India's hybrid approach—blending antitrust penalties with rights-based injunctions—offers a unique template.

Implications for Data Governance in India

The Supreme Court's stance reverberates across sectors. For tech litigators, it heralds intensified challenges to user agreements, spurring class actions under emerging DPDP rules. Compliance advisors will counsel MNCs on localized policies, perhaps accelerating data centers in India to affirm sovereignty. Competition lawyers anticipate broader CCI probes into ecosystems like Amazon or Google, scrutinizing data moats as barriers to entry.

On the justice system, this bolsters judicial activism in tech regulation, filling legislative lags until DPDP's rules. It empowers vulnerable demographics, recognizing digital divides in consent validity—rural or low-literacy users could invoke this for protections. Globally, it pressures Meta to harmonize practices, lest fragmented regimes erode efficiencies; non-compliance risks market exit, as CJI Kant implied: "Business operations in India are contingent upon adherence to national laws."

Broader societal impacts include heightened privacy awareness, potentially curbing surveillance capitalism. Yet, challenges persist: balancing innovation with rights, without stifling FDI in digital infrastructure.

Next Steps and Conclusion

With affidavits due next week and detailed orders slated for February 10, 2026, the litigation promises deeper dives into data economics. The impleadment of MeitY signals governmental alignment, possibly fast-tracking DPDP notifications.

In essence, the Supreme Court's admonition—"You can’t play with the privacy of our country"—marks a watershed, affirming that economic imperatives cannot eclipse constitutional safeguards. For legal professionals, it is a clarion call to advocate for equitable digital futures, where user data serves individuals, not just algorithms.