Summary: India’s Digital Personal Data Protection Act, 2023 (DPDP Act) does not prohibit the use of WhatsApp, Google Drive, shared network folders, or other cloud storage platforms for processing personal data. Instead, the Act adopts a technology-neutral approach, requiring organizations acting as Data Fiduciaries to ensure that personal data is processed lawfully, only for authorized purposes, and with reasonable security safeguards. Organizations must implement access controls, role-based permissions, secure sharing settings, periodic access reviews, and timely deletion of data when it is no longer required. They remain responsible for compliance even when third-party cloud service providers act as Data Processors. Sharing sensitive information through public links, broad WhatsApp groups, or unrestricted shared folders may result in unauthorized disclosure and potential personal data breaches, triggering notification obligations under the Act. Ultimately, compliance depends not on the platform used but on whether personal data is handled in accordance with the DPDP Act’s principles of purpose limitation, accountability, security, and breach management.

Use of WhatsApp, Google Drive, and Shared Folders Under the DPDP Act, 2023

Under India’s Digital Personal Data Protection Act, 2023 (DPDP Act), the use of WhatsApp, Google Drive, and shared folders is not prohibited. However, organizations remain responsible for ensuring that personal data is processed lawfully, securely, and only for authorized purposes.

WhatsApp

Using WhatsApp to share client documents, employee records, KYC information, or financial data can create compliance risks if proper controls are not in place.

Key DPDP Considerations

  • Personal data should only be shared for a legitimate and disclosed purpose.
  • Access should be limited to authorized individuals.
  • Data should not be retained longer than necessary.
  • Organizations must implement reasonable security safeguards to prevent unauthorized access or disclosure.

Risk Example: Sending a client’s PAN card, Aadhaar details, or payroll information to a WhatsApp group with unnecessary participants could constitute an unauthorized disclosure of personal data.

Google Drive

Google Drive can be used for storing and sharing personal data, but organizations must manage access carefully.

Key DPDP Considerations

  • Access permissions should follow the principle of least privilege.
  • Public links should generally be avoided for documents containing personal data.
  • Sharing settings should be reviewed regularly.
  • Organizations should know who can access, download, edit, or further share the data.

Risk Example: A folder containing employee records is shared using an “Anyone with the link” setting, making personal data accessible beyond the intended audience.

Shared Network Folders and Cloud Drives

Shared folders are often one of the biggest sources of accidental data exposure.

Key DPDP Considerations

  • Role-based access controls should be implemented.
  • Access logs and permissions should be reviewed periodically.
  • Sensitive personal data should be restricted to those who genuinely need access.
  • Data should be deleted when no longer required for the stated purpose.

Risk Example: All employees can access a common HR folder containing salary information, identity documents, or performance records.

What Does the DPDP Act Require?

Organizations acting as Data Fiduciaries must:

  1. Process personal data only for lawful purposes.
  2. Provide appropriate notices where required.
  3. Implement reasonable security safeguards.
  4. Protect against personal data breaches.
  5. Delete personal data when it is no longer necessary for the purpose for which it was collected.
  6. Ensure that vendors and service providers handling personal data also maintain adequate safeguards.

Practical Checklist for Finance and Accounting Firms

Before sharing personal data via WhatsApp, Google Drive, or shared folders, ask:

✓ Does the recipient actually need this information?

✓ Is access restricted to authorized persons?

✓ Is the data being shared for the purpose originally communicated?

✓ Is there a process to remove access when no longer required?

✓ Are sensitive documents protected from public sharing links?

✓ Is there a mechanism to respond if a data breach occurs?

Relevant Provisions

1. Security Safeguards

Section 8(5)

“The Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.”

Why It Matters for WhatsApp, Google Drive, and Shared Folders

This section does not mention WhatsApp or Google Drive specifically. However, if personal data is shared through these platforms, the organization must ensure “reasonable security safeguards.”

Examples include:

  • Access controls
  • Permission management
  • Secure sharing settings
  • Protection against unauthorized disclosure

2. Responsibility for Data Processors

Section 8(2)

“A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals.”

Section 8(8)

“A Data Fiduciary shall be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.”

Why It Matters

If a firm stores client files on:

  • Google Drive
  • Microsoft OneDrive
  • Dropbox
  • Any cloud storage provider

the cloud provider may be acting as a Data Processor (depending on the contractual arrangement). Even then, the firm remains responsible for compliance.

3. Purpose Limitation

Section 4

“A person may process personal data only in accordance with the provisions of this Act and for a lawful purpose—

(a) for which the Data Principal has given her consent; or

(b) for certain legitimate uses.”

Why It Matters

Personal data cannot be freely circulated on WhatsApp groups or shared folders merely because it is convenient. The sharing must be connected to the lawful purpose for which the data was collected.

4. Data Minimisation Through Notice and Purpose Limitation

Section 5(1)

“The notice given to the Data Principal must include the purpose for which the personal data is proposed to be processed.”

Why It Matters

If employee or client data was collected for one purpose, sharing it broadly through shared drives or messaging groups for unrelated purposes could create compliance concerns.

5. Erasure of Personal Data

Section 8(7)

“A Data Fiduciary shall erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served…”

(subject to applicable legal retention requirements)

Why It Matters

Common compliance issues include:

  • Old client folders remaining indefinitely in Google Drive.
  • Former employees retaining access to shared folders.
  • WhatsApp groups retaining personal data long after the purpose has ended.

6. Personal Data Breach Obligations

Section 8(6)

“In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach…”

Why It Matters

If:

  • A Google Drive folder is accidentally made public;
  • A WhatsApp message containing personal data is sent to the wrong recipient; or
  • A shared folder is accessed by unauthorized persons,

the incident may qualify as a personal data breach and trigger notification obligations.

What the DPDP Act Does Not Say

The DPDP Act does not contain any provision stating:

✗ “WhatsApp cannot be used.”

✗ “Google Drive is prohibited.”

✗ “Shared folders are illegal.”

Instead, the Act is technology-neutral. It focuses on:

  • lawful processing;
  • purpose limitation;
  • accountability;
  • security safeguards; and
  • breach management.

Therefore, the legal question is not which platform is used, but whether the personal data is processed in compliance with the Act while using that platform.

Short Answer

WhatsApp, Google Drive, and shared folders can be used under the DPDP Act, but convenience does not remove responsibility. The organization remains accountable for ensuring lawful processing, access control, security safeguards, and prevention of unauthorized disclosure of personal data.
