privacy
Image source: https://rb.gy/rkcujv

This article is written by Kiran Krishnan who is pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.

Introduction

Why do we have a lockable mailbox outside our house? So that no stranger can steal our letters. 

Why do we set a strong or secure password? So that our account can be prevented from unauthorized access.

Why do we shred or tear off documents before throwing them away? So that nobody can identify what was on it.

One of the main reasons we take the above-mentioned steps is that we want to protect our personal information. In other words, we value privacy. What is privacy? Well, in layman’s terms, it is when an individual isolates or keeps certain information about himself/ herself from others. There are different data privacy laws enacted in different countries based on each country’s needs and conditions. One such data privacy law is the General Data Protection Regulation (“GDPR”).

The GDPR was adopted in April of 2016 by the European Parliament and the Council of the European Union (“EU”) and became enforceable on 25th May 2018. The GDPR is a data protection & privacy regulation that regulates the processing of personal information of individuals who live in the EU.   

According to Article 4(1) of the General Data Protection Regulation (“GDPR”), the term “personal data” is defined as follows:

“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

To understand the said definition, let us consider an example: You install “WhatsApp” which is an online messaging platform. Once the application is installed and you open it, the first thing you will see is WhatsApp asking you to read its privacy policy and terms of service and to tap on agree & continue to proceed. After you click on agree & continue, you will be asked to enter your phone number. This piece of information is one example of your ‘personal data’. Besides, at the same time, WhatsApp will collect other personal data including your profile name, phone numbers in your contacts list, profile photo, IP address.    

The GDPR requires any company like WhatsApp which processes personal data to adopt a privacy policy wherein the company shall device appropriate technical and organisational measures to ensure that the requirements of the GDPR are fulfilled.   

That brings us to the question, “What is a privacy policy and why is it important?”

Privacy Policy and its importance

A privacy policy is a legal document displayed on a company’s website which discloses to its users how the company will collect, use, protect and store the personal information provided by the users. The privacy policy is crucial for a list of reasons, namely:

  • It is required by law in almost every country.
  • Third-parties require the company to have a privacy policy.
  • Users care about their privacy and its safety.
  • It helps in avoiding costs that may be incurred from lawsuits.

A company which has a clear and concise privacy policy, typically helps instil trust in the minds of the users. Trust, safety, and security is what a person usually expects from another person or a company in this case which possesses personal information (i.e. personal data) of that person.

Let us now take a step further and analyse the privacy policy of two of the most popular online messaging platforms in the following order:

  • WhatsApp AND Telegram.

WhatsApps Privacy Policy

WhatsApp provides two privacy policies catered to two different groups of users or individuals. The two separate privacies policies are:

  1. The Privacy Policy provided by WhatsApp Ireland Limited (for users living in the European region); AND
  2. The Privacy Policy provided by WhatsApp LLC (for users living outside the European region). 

In this note, we will be summarising in brief, the privacy policy provided by WhatsApp Ireland Limited:

  • Information WhatsApp collects: WhatsApp, under this head, communicates that it requires and therefore collects certain information or personal data from you without which it will not be able to provide its services to you. For instance, WhatsApp requires your mobile number as this information enables WhatsApp to create an account and thereby allow you to use WhatsApp’s services.  

It further elaborates that it undertakes the activity of collecting personal data so that it can operate, provide, improve, understand and support its services to provide you an enhanced experience.

WhatsApp also seeks your permission to collect certain information so that it can provide you its optional features. For instance, if you want to share your location data with your contact on WhatsApp, you will have to give your permission to WhatsApp.           

WhatsApp assures you that the data or messages you share with each of the WhatsApp users will be end-to-end encrypted. WhatsApp explains that only you and the person you’re chatting with can read or listen to what is sent or shared, thereby protecting the messages against any third-party and even WhatsApp.       

WhatsApp requires you to share your contacts list with it so that it can identify which of your contacts is a WhatsApp user. This action will allow you to interact with your contact who is also using WhatsApp. However, to enable this feature, WhatsApp seeks your permission. WhatsApp informs you that it does not share your contact info with Facebook. Besides, WhatsApp reassures you that it will not store phone numbers of non-WhatsApp users from your contacts list on its servers.  

WhatsApp also uses cookies to help customise its services and improve your experience on WhatsApp. A cookie is a small text file stored on your device by your browser when you visit a particular website. For instance, WhatsApp uses cookies to remember your choices, such as your language preferences.

WhatsApp has termed you as a third-party in situations when you provide another user’s phone number, name and other information at the time WhatsApp requires you to share your contacts list or when you want to update your contacts list on WhatsApp. In this case, WhatsApp expects that you have lawful rights to collect, use and share such information before providing it to WhatsApp.     

WhatsApp can receive your reports to it regarding any possible violation of WhatsApp’s terms or policies by another user.

WhatsApp informs that if you interact with a WhatsApp business user, such business users may provide WhatsApp with information about its interaction with you. However, WhatsApp requires that such business users act in compliance with the applicable law i.e. in this case the GDPR when providing the aforesaid information with WhatsApp. Besides, WhatsApp mentions that your interaction with the WhatsApp business user may be visible to several people in that business and further adds that some businesses might also be working with third-party service providers (including Facebook) to help manage the business user’s communication with their customers.

  • How WhatsApp uses Information (Purpose): WhatsApp, in accordance with the GDPR, uses your information to provide the following services, namely:
  • Provide customer support, complete purchases or transactions, improve, fix, and customise its services to provide you an enhanced experience.  
  • Research, develop, and test new features and conduct troubleshooting activities.
  • Verify accounts and activity, combat harmful conduct, protect users against bad experiences and spam, promote safety, security, and integrity frequently by investigating suspicious activity or violations of WhatsApp’s terms and policies, and to ensure WhatsApp’s services are being used legally.
  • Communicate with you about WhatsApp’s services and inform you of its updates.
  • Enable you and businesses to communicate and interact with each other.  
  • How WhatsApp works with other Facebook Companies: WhatsApp informs you that it shares your information with the other Facebook Companies to promote safety and security across the Facebook Company products in case of spam, abuse or infringement activities. The other Facebook Companies who receive information from WhatsApp also act on WhatsApp’s behalf to provide you with fast & reliable messaging and calls around the world.

 

Note – “Facebook Companies” are the companies owned and operated by Facebook and include the companies listed below:

  • Facebook Payments Inc.
  • Facebook Technologies, LLC.
  • Facebook Technologies Ireland Limited.
  • WhatsApp LLC.
  • WhatsApp Ireland Limited.

WhatsApp’s Legal basis for processing data: WhatsApp says that it has a different legal basis to process your personal data for various purposes and it does so while complying with the GDPR.

The various purposes for which WhatsApp processes your data are:

  • To operate and provide the messaging and communication services.
  • If applicable, where consent is legally required, if you have given consent, you can also revoke it at any time.
  • To comply with legal obligations such as when WhatsApp is required to respond to a legal request from law enforcement.
  • To protect your vital interests in case of an emergency such as threat to life.
  • When it is necessary in the public interest.

How WhatsApp processes your information: WhatsApp begins by saying that it processes your data as it is necessary to perform its contract with you. Subsequently, WhatsApp outlines the processing purposes necessary to provide its services in compliance with the applicable law as follows:

  • To provide, improve, customise, and support its services to you.
  • To ensure safety, security and integrity of its services to you.
  • To transfer, store or process your data in third countries. 

WhatsApp uses messaging metadata to ensure safety and security of its services which includes the prevention, detection, investigation and remediation of security incidents, malware and vulnerabilities.

In cases where WhatsApp requires your consent, such as to enable WhatsApp access to your location data, WhatsApp will require your consent after which it enables the location sharing feature which allows you to share the location data with another user. WhatsApp further adds that besides processing your data based on your consent, you have a right to withdraw your consent at any time without affecting the lawfulness of processing of such data.    

In cases where WhatsApp processes your data as it is necessary to comply with a legal obligation, for instance, if there is a legal request for certain data via an order from law enforcement regarding an investigation, WhatsApp will disclose the said data pursuant to its legal obligation. 

In cases where WhatsApp finds it necessary to process your data for the purpose of its legitimate interests or the legitimate interests of a third party, where such interests are not overridden by your rights and freedom, WhatsApp does so to provide accurate and reliable aggregated reporting to businesses to ensure accurate pricing and statistics on performance. Besides, WhatsApp processes your data in the interest of businesses and other partners to help them understand their customers, improve their business, validate WhatsApp’s pricing models and evaluate the effectiveness and distribution of the services of such businesses.     

In cases where WhatsApp processes your data as it is necessary to perform a task in the public interest, WhatsApp will do so in compliance with the applicable law.

How You Exercise your rights: According to the applicable law, WhatsApp mentions your rights as follows:

  • Right to receive confirmation from WhatsApp as to whether or not your data is being processed and in case your data is being processed, right to receive access to your data along with certain information, including, among other things, purpose of processing, categories of personal data concerned, period for which personal data will be stored.   
  • Right to rectification of data, data portability, right to erase data, right to restrict processing of data. 
  • Right to object to WhatsApp’s processing of your data for direct marketing purpose including profiling to the extent related to direct marketing. 
  • Right to object to WhatsApp’s processing of your data where WhatsApp is performing a task in the public interest or pursuing its legitimate interests.

WhatsApp also provides the procedure through which you can execute these rights.

  • Managing and retaining your information: WhatsApp informs that it stores your data for as long as it is necessary for the purposes identified in this privacy policy. WhatsApp further clarifies that it does not retain your messages when providing its services (except in exceptional circumstances such as when it is bound by a legal obligation to do so). WhatsApp deletes the messages delivered by you from its servers. However, in case such a message is not delivered, WhatsApp keeps it in encrypted form in its servers for up to 30 days trying to deliver it after which it is deleted.

WhatsApp provides you a feature to delete your account in case you wish to do so. WhatsApp further adds that on deleting your account, WhatsApp deletes your information apart from certain information namely, certain logs that it reviews past the normal retention period to analyse a security incident, copies of some materials such as certain log records which remain in the WhatsApp database but are disassociated from personal identifiers and no longer linked to your account, copies of information over which WhatsApp has a legal obligation to retain data, to prevent violations of WhatsApp’s terms or if necessary to protect WhatsApp’s rights. 

WhatsApp says that you will be notified of any amendment or update to the privacy policy through a “Last Modified” date at the top of the privacy policy. It further requests you to review the privacy policy from time to time.   

Telegram’s Privacy Policy

Telegram opens by declaring that it follows two fundamental principles when process your data:

  • Telegram does not use your data to show you ads.
  • Telegram only stores the data that Telegram needs to function as a secure and feature rich messaging service.

What personal data Telegram uses?

Telegram requires your mobile number and basic account data including profile name, profile picture and about info to create your Telegram account. Telegram informs that it does not require your screen name to be your real name and further adds that other users who have you in their contacts will see you by the name they saved you and not by your screen name. For instance, you can have the screen name ‘Richard Gere’ while appearing as ‘son’ to your mom. 

Telegram provides you an option to opt to set up a password recovery email when you enable a 2-step verification for your account. In case you forget your password, Telegram will send a password recovery code on the aforesaid email id. 

Telegram is a cloud service. Telegram stores your messages, photos, videos, and documents from your cloud chats on Telegram’s servers. This enables you to access your data from any device anytime without the need to rely on third-party backups. Telegram further ensures that all stored data is heavily encrypted and the encryption keys in each case are stored in several other data centers in different jurisdictions. Telegram communicates that therefore local engineers or physical intruders cannot get access to your data.

Secret chats is a feature on Telegram which is end-to-end encrypted. This means that nobody including Telegram will have direct access to your device to learn what content is being sent in the messages. Telegram assures you that it does not store your secret chats on its servers. Telegram also does not keep any logs for messages in secret chats and for that reason secret chats are not available in the cloud.

Telegram reassures you that each item you send on secret chats such as photos, videos or files is encrypted with a separate key unknown to Telegram’s server. The said key and the file’s location are then encrypted again, with a secret chat’s key and sent to your recipient. The receiver can download and decipher the file. 

Telegram asks your permission before syncing your contacts. It uses your phone numbers to help identify whether your contacts use Telegram and thereby allow you to interact with them on Telegram. Telegram also lets you stop syncing contacts or delete it from Telegram’s servers by selecting privacy & security in Settings.

Telegram uses cookies only to provide its services on the web. It does not use cookies for profiling or advertising. Besides, Telegram allows you to block cookies with your web browser if you intend to.

Keeping your Personal Data Safe

Telegram says that if you sign up from the UK or the EEA, your data will be stored in data centers in the Netherlands. Telegram further adds that these are third-party service providers in which Telegram rents a designated space. However, the servers in these data centers which carry personal data including your data is owned by Telegram. Telegram assures you that it does not share your data with such data centers and that all the data is heavily encrypted. 

Telegram says that the personal data that you provide will only be stored for as long as it is necessary to fulfil Telegram’s obligations regarding the provision of its services.        

Processing your Personal Data

Telegram processes your data to deliver your cloud chat history including messages, media and files to any devices of your choice without the need to use third-party backups. 

Telegram collects metadata such as your IP address, devices and Telegram apps you have used to improve the security of your account and to prevent spam, abuse and other violations of Telegram’s terms of service.  

Third-Party Payment Services

Telegram relies on different payment providers to process payments on Telegram. It is the payment providers that handle and store your credit card details and not Telegram. Telegram has suggested that you study the relevant payment provider’s privacy policy before making your data available to them. Therefore, in case of any payment dispute you have with the payment provider, only the concerned payment provider can handle the complaint regarding the dispute and Telegram does not take any responsibility.   

With whom your personal data may be shared?

Telegram says that you share your data with those who you choose to communicate with implying that you are instructing Telegram to transfer your data to other users in accordance with the privacy policy. Telegram offers assurance that it devices appropriate technical measures to ensure a level of security for your personal data.

Telegram further adds that it shares your data with its parent company Telegram Group inc., located in the British Virgin Islands, and Telegram FZ-LLC, a group member located in Dubai, to help provide, improve, and support Telegram’s services to you. Telegram will implement appropriate safeguards to protect the security and integrity of your data.

Telegram says that it will disclose your IP address and phone number if it receives a court order that confirms you are a terror suspect.   

Your Rights regarding the personal data you provide to us 

Telegram says that you have a right to: 

  • request a copy of all your personal data that Telegram stores and to transmit that copy to another organisation.
  • Delete or amend your personal data.
  • Restrict, or object to the processing of your data. 
  • Correct any inaccurate or incomplete personal data Telegram holds on you.
  • Lodge a complaint with the national data protection authorities regarding Telegram’s processing of your personal data. 

Telegram lets you control how your data is used. If you want to delete your account, you can do so on Telegram’s deactivation page. Once deleted, Telegram removes all messages, media, contacts, and other data you stored in the Telegram cloud. 

Telegram finally says that it will review and may update the privacy policy from time to time. Telegram also requests you to check its website frequently to see any updates or changes to its privacy policy.

Conclusion

A company which carries out an online business must have a clear, concise, and well-drafted privacy policy in place. This is necessary primarily because it is required by law, if applicable, of the concerned country and secondly because the users care about their privacy. There has been a great hue and cry recently, about WhatsApp’s decision to update its privacy policy with the focus on allowing WhatsApp’s business users to share the information of their interaction with WhatsApp’s individual users with Facebook and its other subsidiaries.

This has led to a lot of confusion over how WhatsApp will be executing the said update, thereby resulting in many WhatsApp’s users crossing over to rival platforms such as Telegram. To clarify the situation, WhatsApp has sent an alert to all users reassuring them that it will not change the privacy of individual users’ private conversations. WhatsApp has also decided to update the privacy policy soon along with reminding the users to accept the updated policy when it rolls out. WhatsApp’s parent company, Facebook, has however informed that WhatsApp’s users living in the EU and the UK are exempted from the aforesaid data-sharing change implying that WhatsApp will not share the data of users living in the EU and UK with Facebook. The lesson that one can learn here is that it is a near-perfect blend for a country having a well-drafted data privacy & protection law to ensure effective enforcement of the said law.

However, a well-drafted law and the effective enforcement of it coupled with a legally aware citizen would help achieve a state of balance. Therefore, whenever you come across a privacy policy, do read it carefully before clicking on “agree”.

References


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

LEAVE A REPLY

Please enter your comment!
Please enter your name here