₹213.14 Crore Fine and the Larger Issue: Supreme Court Takes Meta to Task
On February 4, 2026, the Supreme Court of India delivered sharp rebukes to Meta and its messaging platform WhatsApp, flagging practices of "surveillance capitalism" as breaches of Indians' fundamental right to privacy under Article 21. Meta's enforcement of its controversial privacy policy—mandating metadata sharing for cross-platform monetization—had already attracted a ₹213.14 crore fine from the Competition Commission of India (CCI) in 2024. But judicial scrutiny extended far beyond penalties to interrogate systemic flaws in India's data governance.
Why WhatsApp’s Practices Are a Bigger Problem in India
The real issue isn’t just user agreement to terms, but the coercion embedded within those terms. In a country where WhatsApp serves as more than a social messaging app—often functioning as a critical tool for banking alerts, health services, and even school communication—the "take-it-or-leave-it" ultimatum disproportionately impacts vulnerable populations. The Supreme Court pointedly described this as "social and economic exclusion disguised as consent".
This is no abstract fear. WhatsApp has over 530 million users in India as of January 2026—a third of the population. Unlike the European Union, where GDPR restricts automatic approvals without explicit consent, India’s lack of comparable safeguards left millions exposed to the monetization of their behavioral metadata. This "ownership-of-data gap" between ordinary citizens and tech giants undermines autonomy. The CCI's identification of an abuse of dominant position was only the beginning. Compliance penalties, while important, fail to dismantle systemic asymmetries of power.
The Institutional Machinery: Acts and Authorities Under Scrutiny
The Supreme Court's critique unpacked not just corporate practices but also the shortcomings of India's regulatory framework:
- Digital Personal Data Protection Act, 2023: The DPDP Act operationalizes consent-based data processing and establishes a Data Protection Board for enforcement. Yet, as the SC noted, the law addresses "privacy protection" but ignores data's economic value—a pressing concern in the age of monetized algorithms.
- Competition Act, 2002: The ₹213.14 crore penalty imposed by the CCI was a landmark recognition of data misuse as an abuse of dominant position under Section 4. But enforcement remains uneven and slow.
Interestingly, the Supreme Court urged the Ministry of Electronics and Information Technology (MeitY) to study the European Union’s Digital Services Act (DSA). Where the DPDP Act focuses on privacy, the DSA operationalizes accountability mechanisms for economic harm caused by data exploitation. For instance, provisions in the DSA mandate transparency in targeted advertising and provide users the right to opt-out of algorithmic profiling. As MeitY compares provisions, the deeper question looms: Can India's fragmented regulatory apparatus adopt such comprehensive safeguards?
What Are We Measuring? The Data vs. The Claims
The government has postured about India’s “consent-based data protection regime”, but the ground-level reality diverges sharply. WhatsApp's privacy updates in 2021 required users to "approve" metadata sharing or lose access to the platform entirely. This hardly qualifies as consent. In fact, the high court observed that such manufactured agreements disproportionately affect India's rural and semi-literate population, incapable of navigating dense terms of service.
Even the DPDP Act’s so-called limitations on data processing offer little solace when behavioral metadata is turned into a profit stream. According to industry estimates, Meta’s advertising revenue from Indian data-driven insights totaled over $2 billion in 2024. Despite policies promising safeguards, users are commodified without compensation.
The irony here is striking: While WhatsApp assures "end-to-end encryption" for messages, the company still captures metadata—delivery times, interaction patterns, frequency—that is monetized across platforms like Instagram and Facebook. Encrypted content is protected, but behavioral data is unregulated treasure.
Uncomfortable Questions That Remain Unanswered
Even as regulatory institutions attempt to catch up, several questions remain unresolved:
- Regulatory Capture: Can India’s existing mechanisms prevent tech giants from lobbying policymakers? Meta's potential influence over framing consent norms underscores this risk.
- Talent Gaps: Both the CCI and the nascent Data Protection Board lack adequate expertise in algorithmic auditing, which is critical for understanding metadata exploitation.
- State-Level Variability: Though data protection law is centralized, implementation often hinges on state-level enforcement capacity, which can vary significantly.
Moreover, the timeline for moving toward proactive regulation remains uncertain. Comparisons to European bodies like the European Data Protection Board highlight disparities both in sophistication and enforcement agility.
Lessons From the European Union: GDPR vs. DSA
India’s predicament mirrors an earlier controversy in the EU, where Facebook attempted to monetize WhatsApp data post its acquisition. Here, GDPR’s strict user consent norms prevented unilateral policy changes, mandating opt-in mechanisms. The newer Digital Services Act takes further steps, compelling companies to disclose algorithmic criteria and provide fair economic returns for user data monetization.
Contrast this with India’s DPDP Act—it remains narrow, focusing on privacy but omitting economic dimensions like compensation or rent-sharing. While Meta faces regulatory hurdles in both regions, India's fragmented approach struggles to keep pace with evolving regulatory challenges. The model exemplified by the EU is not only more protective but also sets enforceable benchmarks.
- Q1: Under which section of the Competition Act, 2002, did the Competition Commission of India penalize Meta for an abuse of dominant position?
(a) Section 3
(b) Section 4
(c) Section 29
(Correct answer: b) - Q2: Which of the following Acts mandates opt-in consent for data sharing in the European Union?
(a) GDPR
(b) DSA
(c) DMA
(Correct answer: a)
Practice Questions for UPSC
Prelims Practice Questions
- Statement 1: The Supreme Court identified 'surveillance capitalism' as a breach of privacy rights.
- Statement 2: The judgment imposed stricter regulations on end-to-end encryption.
- Statement 3: The ruling highlighted the coercive nature of WhatsApp's user agreements.
Which of the above statements is/are correct?
- Statement 1: It operationalizes consent-based data processing.
- Statement 2: It completely regulates the economic use of data.
- Statement 3: It establishes a Data Protection Board for enforcement.
Which of the above statements is/are correct?
Frequently Asked Questions
What was the Supreme Court's ruling on Meta's practices and why was it significant?
The Supreme Court's ruling was significant as it highlighted the practices of 'surveillance capitalism' by Meta and WhatsApp as violations of the fundamental right to privacy under Article 21. This ruling extends beyond just penalties, provoking deeper scrutiny of systemic data governance flaws in India.
How does WhatsApp's user agreement reflect coercion, according to the Supreme Court?
The Supreme Court indicated that WhatsApp's 'take-it-or-leave-it' user agreement reflects coercion rather than genuine consent, especially as the platform serves critical functions for banking and communication in India. This creates a scenario where vulnerable populations are disproportionately affected by the terms of service.
What are the concerns regarding India's regulatory framework as identified by the Supreme Court?
The Supreme Court raised concerns about India's regulatory framework, particularly the Digital Personal Data Protection Act, 2023, which only addresses privacy protection and overlooks the economic value of data exploitation. There are calls for comprehensive safeguards similar to those in the European Union's Digital Services Act.
What gaps exist in India's data protection regime highlighted by the article?
Key gaps in India's data protection regime include the inadequate enforcement of existing laws like the Competition Act, 2002, and the lack of expertise within the Competition Commission of India and Data Protection Board regarding algorithmic auditing. This makes it challenging to prevent exploitation of user data by tech giants.
What role does behavioral metadata play in the privacy and economic debate surrounding WhatsApp?
Behavioral metadata is central to the debate as it is captured and monetized without proper consent, as users are often unaware of its implications. Despite assurances of privacy, such as end-to-end encryption for messages, the unregulated nature of metadata undermines user autonomy and economic fairness.
About LearnPro Editorial Standards
LearnPro editorial content is researched and reviewed by subject matter experts with backgrounds in civil services preparation. Our articles draw from official government sources, NCERT textbooks, standard reference materials, and reputed publications including The Hindu, Indian Express, and PIB.
Content is regularly updated to reflect the latest syllabus changes, exam patterns, and current developments. For corrections or feedback, contact us at admin@learnpro.in.