X's privacy dilemma: When blocking is not really blocking anymore

X risks violating several provisions of the DPDP Act, including requirements related to informed consent, unauthorised access and data breach protection.

With social media constantly evolving, privacy concerns are growing, especially in jurisdictions like India, where data privacy is a fundamental right. The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces strict privacy regulations for digital platforms in India. Recently, X announced a controversial update to its block function: blocked users will still be able to view posts if they are public, though they cannot engage with them through likes, replies, and reposts.

This change raises serious privacy concerns, particularly in India, where users highly value control over their personal data.

The DPDP Act mandates that data fiduciaries, including X, must process personal data with clear consent, transparency and adequate safeguards. By allowing blocked users to view posts without consent, X risks violating several provisions of the DPDP Act, including requirements related to informed consent, unauthorised access and data breach protection.

Application of the DPDP Act to X

The DPDP Act is built on principles such as user consent, data security, and transparency, ensuring users control their personal data. However, X’s update to the block feature appears to violate these principles by allowing blocked users to view public posts. These violations under the DPDP Act, 2023, are discussed as follows.

Firstly, under Section 6 of the DPDP Act, any processing of personal data must be based on informed, freely given consent. In X’s case, users who block others assume that the blocked individuals cannot access their content. By allowing blocked users to view public posts, X risks violating Section 6. The DPDP Act stresses transparency in processing personal data, yet X has not offered users an opt-in or opt-out for this change. Users should have been given the option to consent to blocked users viewing their public posts. Without this, the update does not comply with the Act’s informed consent principle.

Secondly, the DPDP Act defines unauthorised access (through a combined reading of Sections 6, 8, and 9) as processing personal data without the user’s knowledge or consent. With X’s update, blocked users can view posts, creating unauthorised access. Users who blocked someone did so under the expectation of complete restriction, which includes both interaction and visibility. By enabling blocked users to view content, X risks violating Section 8, which mandates data fiduciaries to prevent unauthorised access to personal data. This access, without the user’s explicit consent, undermines their privacy expectations and could lead to misuse or abuse of personal information, especially in cases where the blocking was done to avoid harassment or maintain personal safety.

Thirdly, X’s update could raise concerns related to data breaches under Section 9 of the DPDP Act. A personal data breach occurs when there is unauthorised access or disclosure compromising data confidentiality. Allowing blocked users to view content could inadvertently facilitate a breach, especially when sensitive information is shared in public posts. For instance, if a user discusses private matters in public posts, their blocked contacts could access this information without the user’s knowledge, leading to unintended disclosure. This is especially concerning in India, where data privacy is heavily regulated, and breaches can attract significant penalties.

Fourthly, the update’s most significant impact is on user control over their data. By changing the block feature, X compromises the level of control users expect over who can access their content. Users block individuals to prevent them from viewing or interacting with their posts; altering this understanding without clear consent damages the platform’s trustworthiness. The DPDP Act grants users the right to protect their data under Chapter III, and by weakening the block function’s privacy controls, X risks eroding user confidence in its commitment to data privacy and compliance.

Consequences for X under the DPDP Act

Firstly, under Section 33 of the DPDP Act, the Data Protection Board of India can impose monetary penalties for violations. If X is found to have breached provisions related to unauthorised access, consent or data breaches, it could face substantial fines. The DPDP Act’s Schedule of Penalties allows the Data Protection Board to impose penalties based on the severity of the violation. These penalties vary depending on factors like the gravity of the breach, data volume and impact on users. For instance, if X’s update leads to a large-scale privacy breach, where blocked users gain access to personal data without consent, penalties could be substantial. The Board may also consider whether X took steps to mitigate the breach or comply with the DPDP Act upon learning of potential violations. 

Secondly, as a data fiduciary under the DPDP Act, X has obligations to protect user data, as detailed in Section 8. These include preventing unauthorised access, maintaining transparency about data usage and ensuring data security. The new block feature may compromise these obligations by allowing blocked users to access content without the blocker’s consent, thereby breaching privacy expectations. X could face compliance challenges related to:

  • Inadequate consent mechanisms: The update does not provide users with a clear option to consent or object to blocked users viewing their content, violating the DPDP Act’s consent requirements under Section 6.

  • Transparency and user rights: Users must be informed of any changes in how their data is accessed or shared and should have the ability to control that access under Section 11. Failure to meet these requirements, especially with sensitive data, could lead to legal scrutiny and penalties.

  • Data breach notification requirements: If allowing blocked users to view posts is deemed an unauthorised data breach, X would need to notify the Data Protection Board and affected users under Section 9. Failing to do so promptly could increase the severity of penalties.

Thirdly, beyond monetary penalties, failure to comply with the DPDP Act could damage X’s reputation in India, a crucial market for the platform. User trust is vital for social media platforms, and privacy breaches, particularly those involving sensitive data, can erode that trust. The Data Protection Board may also issue directives to bring X into compliance, potentially requiring the platform to reverse the block feature update or enhance privacy controls. Additionally, under Section 13 of the DPDP Act, users have rights to redress, which could lead to a surge of grievances from those affected by the update. X would need effective mechanisms to handle these grievances to avoid further penalties and legal action.

Aliases paradox

X’s update can also be examined through the Aliases Paradox, which reflects the contradiction where users share personal information publicly while expecting selective control over who can access it. In X’s case, users may want to make public posts but use the block function to control who can view their content, especially those they have intentionally blocked. This paradox highlights the tension between public accessibility and restricted access expectations.

However, X’s update breaks this illusion of selective control, revealing the contradiction of the Aliases Paradox. Users who relied on blocking as a privacy measure now face a situation where blocked contacts can view their public posts, even without interaction. This change disrupts the delicate balance users attempt to maintain between public sharing and selective privacy, worsening the paradox.

Under the DPDP Act, 2023, X’s policy amplifies this dilemma by compromising informed consent. By allowing blocked users to view content, X is breaching the implicit contract users assumed - that they could post publicly while exercising selective control. Such actions violate transparency and consent requirements, as they create unauthorised access and blur boundaries of user control, deepening the paradox and exposing users to unforeseen risks.

X’s update, therefore, exacerbates the Aliases Paradox by removing a vital privacy safeguard without explicit consent or transparency, violating the DPDP Act’s privacy standards and potentially leading to non-compliance consequences.

Neeraj Dubey is the Founder and Managing Partner of The Valid Points Law Offices. Pushpit Singh is an Associate at the firm.
