Forbes India
A class action lawsuit in the US questions one of WhatsApp’s core promises—that messages on the platform are accessible only to the sender and the recipient.

The complaint alleges that despite marketing itself as a fully end-to-end encrypted service, the Meta-owned platform may have allowed employees and third-party contractors to access user messages through a “backdoor” in its system. According to the filing, this access was used to review messages flagged for fraud or policy violations, but could extend more broadly, raising concerns about whether users were adequately informed. It claims that such access exists although WhatsApp tells users that “not even WhatsApp” can read their messages.

As news of the lawsuit spread, rival tech leaders were quick to respond. Elon Musk on April 9 posted on X: “Can’t trust WhatsApp” and told users to switch to X Chat, promising that it was a more private alternative. Telegram chief Pavel Durov went further, accusing WhatsApp of deceiving users and claiming the platform reads messages and shares them with third parties.

Can’t trust WhatsApp https://t.co/Ts55gVXqkD — Elon Musk (@elonmusk) April 9, 2026

WhatsApp has denied the allegations, calling them “categorically false and absurd” and reiterating that its end-to-end encryption ensures that messages can only be accessed by the sender and recipient.

The claims remain unproven and are part of an ongoing legal process. But they bring up a larger issue: What happens if your “private” messages aren’t private? And what can users do about it?

For India, where WhatsApp has over 400 million users, that question sits at the intersection of consumer protection and the Digital Personal Data Protection (DPDP) Act, 2023.

Privacy policy and reality

WhatsApp’s privacy policy says it has “built our services so delivered messages aren’t stored by us” and that messages are “stored on your device and not typically stored on our servers”. It also says it offers end-to-end encryption so that messages are protected “against us and third parties from reading them”.

But the same policy outlines scenarios where access can extend beyond a simple sender-recipient model. For instance, when users interact with businesses on the platform, “the content you share may be visible to several people in that business”, and those businesses may also use third-party service providers to “send, store, read, manage or otherwise process” those messages.

For legal experts, the issue comes down to whether users were informed about such possibilities.

A gap between what a platform claims and how it operates could amount to “material misrepresentation”, particularly if users signed up based on those claims, says Anand Shrivastava, partner at Sagus Legal.

The DPDP Act is built around informed consent. If users were told their messages are visible only to intended recipients while an undisclosed access mechanism existed, “your consent was never properly obtained because you agreed to something that was not true”, says Vinay Butani, partner at Economic Laws Practice.

Third-party access

The question of third-party access becomes more direct when one looks at how data is handled beyond the core chat.

“If an organisation tells its users that no third party will have access to its messages and provides access to their messages to any third party without their specific consent, such sharing would be considered to be done without adequate consent and would amount to a breach of the DPDP Act,” says Naqeeb Ahmed Kazia, partner at CMS Induslaw.

At the same time, the outcome depends on whether the allegations are proven.

“If it is conclusively proved that the allegations of the complainants are true, it would vitiate the consent given by the users… In a situation where there is, in fact, a backdoor access to the private messages of WhatsApp users, the consent of the users would not serve as a lawful basis to process data anymore,” says Maitrey Singh, faculty associate, School of Law at BML Munjal University.

Can anything be done now?

India’s data protection law is not fully in force yet. Vital provisions of the DPDP Act, including those governing consent and penalties, are expected to be operational from May 2027.

However, that does not mean there is no recourse. Even under the current framework, misleading claims about privacy could fall under “misleading advertisement” rules in consumer law, which prohibit withholding material information that affects user decisions, Shrivastava says.

Gaps in user protection

The case also highlights a more structural issue: Platforms are largely taken at their word when they make technical claims.

WhatsApp says it works with third-party service providers to “operate, provide, improve… and support” its services, including infrastructure, security and customer support. At the same time, it notes that it may access and share information where necessary to comply with legal requests or to address fraud and security concerns.

There is no requirement today for independent audits of encryption systems. Legal experts point to the need for periodic third-party checks and stronger cross-border regulatory cooperation, especially for global platforms.

Questions around enforcement also remain. The DPDP Act caps penalties at Rs250 crore, which experts, including Butani and Singh, suggest may not be proportionate for large global technology companies.