New Delhi: WhatsApp and its parent company, Meta Platforms Inc., informed the Supreme Court Monday that they would comply with the National Company Law Appellate Tribunal’s (NCLAT) directions by 16 March—the directions require enhanced privacy and consent safeguards including for data sharing for advertising.
The court was told that pleas seeking a stay on the tribunal’s order would not be pursued. “We don’t want a stay now,” Senior Advocate Kapil Sibal, representing both, submitted, recording an undertaking on behalf of Meta to comply with the NCLAT’s order.
He further stated that they would also file an affidavit explaining which user data categories are shared and which are not.
A Supreme Court bench, led by Chief Justice of India Surya Kant, along with Justices Joymalya Bagchi and Vipul M. Pancholi, thereafter, noted that the applications seeking a stay were dismissed as “not pressed” but “without prejudice to the issues in the main appeal”. The court further directed Meta to file a compliance affidavit with the Competition Commission of India (CCI), in line with the NCLAT’s directions.
During an earlier hearing on 3 February, the Supreme Court issued a stern warning to Meta and WhatsApp, reminding companies of their 2021 privacy policy obligations.
A three-judge bench led by the Chief Justice of India observed that technology platforms operating in India cannot “play with the right to privacy of citizens in the name of data sharing”, emphasising that not “a single digit” of user data should be shared in contravention of privacy norms and public interest.
The court’s observations came during hearings on appeals filed by Meta and WhatsApp against the NCLAT’s November 2025 ruling. That ruling largely upheld an Rs 213.14 crore penalty imposed by the CCI on WhatsApp’s 2021 privacy policy, which expanded compulsory data sharing with other Meta companies under a “take-it-or-leave-it” model.
The bench also raised concerns about how ordinary citizens, including those unfamiliar with legal terms, would be expected to understand complex privacy policies, and questioned the commercial exploitation of behavioural data for advertising purposes.
Also Read: 99 problems, one-text solution: Mana Mitra, the WhatsApp helpline simplifying life in Andhra Pradesh
NCLAT ruling & clarifications
The Supreme Court’s current proceedings stem from the tribunal’s judgment in November 2025. The NCLAT, at the time, upheld the CCI’s finding that WhatsApp had imposed unfair conditions on users, affirming the penalty.
However, it then set aside another CCI direction that imposed a five-year ban on sharing WhatsApp user data with other Meta group entities for advertising purposes. The NCLAT reasoned that a blanket prohibition was not warranted once users are provided with meaningful opt-in and opt-out choices.
Following its judgment, the CCI sought clarification on whether the user-choice safeguards extended to advertising-related data sharing.
Following that, on 15 December 2025, the NCLAT held that the remedial directions would apply to WhatsApp user data collection and sharing for all non-WhatsApp purposes, “including non-advertising and advertising purposes”, granting WhatsApp three months—until mid-March 2026—to comply.
In addition to the appeals by Meta and WhatsApp, the CCI filed a cross-appeal before the Supreme Court, challenging the NCLAT’s decision to set aside the five-year prohibition on advertising-related data sharing. That matter remains part of the ongoing proceedings.
Comparative regulatory framework: EU
In the European Union, another major jurisdiction grappling with digital platform regulation, a robust legal framework exists that restricts how large tech platforms can combine and use user data without explicit consent.
Under the EU’s Digital Markets Act (DMA), which applies to designated “gatekeepers”, including Meta, companies must obtain explicit user consent before combining personal data collected from different core services. The DMA prohibits gatekeepers from processing, cross-using, or combining personal data obtained from one service with data from another without the end user’s clear consent. This includes data used for personalised advertising or behavioural profiling.
In addition to the DMA’s data-separation requirements, the broader General Data Protection Regulation (GDPR), which remains in force across the EU, sets stringent conditions on the lawful processing, transparency, and protection of personal data, granting individuals extensive rights over how their data is used.
Together, the DMA and the GDPR form a comprehensive regime, where default practices that automatically aggregate user data across services or present “take-it-or-leave-it” consent models without meaningful choices, remain restricted and subject to regulatory enforcement and fines.
Also Read: Telecom dept’s limited powers, SIM misuse aid digital arrests—Centre pushes for SIM binding in SC