This article is written by Kiran Krishnan who is pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
Why do we have a lockable mailbox outside our house? So that no stranger can steal our letters.
Why do we set a strong or secure password? So that our account can be prevented from unauthorized access.
Why do we shred or tear off documents before throwing them away? So that nobody can identify what was on it.
One of the main reasons we take the above-mentioned steps is that we want to protect our personal information. In other words, we value privacy. What is privacy? Well, in layman’s terms, it is when an individual isolates or keeps certain information about himself/ herself from others. There are different data privacy laws enacted in different countries based on each country’s needs and conditions. One such data privacy law is the General Data Protection Regulation (“GDPR”).
The GDPR was adopted in April of 2016 by the European Parliament and the Council of the European Union (“EU”) and became enforceable on 25th May 2018. The GDPR is a data protection & privacy regulation that regulates the processing of personal information of individuals who live in the EU.
According to Article 4(1) of the General Data Protection Regulation (“GDPR”), the term “personal data” is defined as follows:
“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
- It is required by law in almost every country.
- Users care about their privacy and its safety.
- It helps in avoiding costs that may be incurred from lawsuits.
- WhatsApp AND Telegram.
WhatsApp provides two privacy policies catered to two different groups of users or individuals. The two separate privacies policies are:
- Information WhatsApp collects: WhatsApp, under this head, communicates that it requires and therefore collects certain information or personal data from you without which it will not be able to provide its services to you. For instance, WhatsApp requires your mobile number as this information enables WhatsApp to create an account and thereby allow you to use WhatsApp’s services.
It further elaborates that it undertakes the activity of collecting personal data so that it can operate, provide, improve, understand and support its services to provide you an enhanced experience.
WhatsApp also seeks your permission to collect certain information so that it can provide you its optional features. For instance, if you want to share your location data with your contact on WhatsApp, you will have to give your permission to WhatsApp.
WhatsApp assures you that the data or messages you share with each of the WhatsApp users will be end-to-end encrypted. WhatsApp explains that only you and the person you’re chatting with can read or listen to what is sent or shared, thereby protecting the messages against any third-party and even WhatsApp.
WhatsApp requires you to share your contacts list with it so that it can identify which of your contacts is a WhatsApp user. This action will allow you to interact with your contact who is also using WhatsApp. However, to enable this feature, WhatsApp seeks your permission. WhatsApp informs you that it does not share your contact info with Facebook. Besides, WhatsApp reassures you that it will not store phone numbers of non-WhatsApp users from your contacts list on its servers.
WhatsApp has termed you as a third-party in situations when you provide another user’s phone number, name and other information at the time WhatsApp requires you to share your contacts list or when you want to update your contacts list on WhatsApp. In this case, WhatsApp expects that you have lawful rights to collect, use and share such information before providing it to WhatsApp.
WhatsApp can receive your reports to it regarding any possible violation of WhatsApp’s terms or policies by another user.
WhatsApp informs that if you interact with a WhatsApp business user, such business users may provide WhatsApp with information about its interaction with you. However, WhatsApp requires that such business users act in compliance with the applicable law i.e. in this case the GDPR when providing the aforesaid information with WhatsApp. Besides, WhatsApp mentions that your interaction with the WhatsApp business user may be visible to several people in that business and further adds that some businesses might also be working with third-party service providers (including Facebook) to help manage the business user’s communication with their customers.
- How WhatsApp uses Information (Purpose): WhatsApp, in accordance with the GDPR, uses your information to provide the following services, namely:
- Provide customer support, complete purchases or transactions, improve, fix, and customise its services to provide you an enhanced experience.
- Research, develop, and test new features and conduct troubleshooting activities.
- Verify accounts and activity, combat harmful conduct, protect users against bad experiences and spam, promote safety, security, and integrity frequently by investigating suspicious activity or violations of WhatsApp’s terms and policies, and to ensure WhatsApp’s services are being used legally.
- Communicate with you about WhatsApp’s services and inform you of its updates.
- Enable you and businesses to communicate and interact with each other.
- How WhatsApp works with other Facebook Companies: WhatsApp informs you that it shares your information with the other Facebook Companies to promote safety and security across the Facebook Company products in case of spam, abuse or infringement activities. The other Facebook Companies who receive information from WhatsApp also act on WhatsApp’s behalf to provide you with fast & reliable messaging and calls around the world.
Note – “Facebook Companies” are the companies owned and operated by Facebook and include the companies listed below:
- Facebook Payments Inc.
- Facebook Technologies, LLC.
- Facebook Technologies Ireland Limited.
- WhatsApp LLC.
- WhatsApp Ireland Limited.
WhatsApp’s Legal basis for processing data: WhatsApp says that it has a different legal basis to process your personal data for various purposes and it does so while complying with the GDPR.
The various purposes for which WhatsApp processes your data are:
- To operate and provide the messaging and communication services.
- If applicable, where consent is legally required, if you have given consent, you can also revoke it at any time.
- To comply with legal obligations such as when WhatsApp is required to respond to a legal request from law enforcement.
- To protect your vital interests in case of an emergency such as threat to life.
- When it is necessary in the public interest.
How WhatsApp processes your information: WhatsApp begins by saying that it processes your data as it is necessary to perform its contract with you. Subsequently, WhatsApp outlines the processing purposes necessary to provide its services in compliance with the applicable law as follows:
- To provide, improve, customise, and support its services to you.
- To ensure safety, security and integrity of its services to you.
- To transfer, store or process your data in third countries.
WhatsApp uses messaging metadata to ensure safety and security of its services which includes the prevention, detection, investigation and remediation of security incidents, malware and vulnerabilities.
In cases where WhatsApp requires your consent, such as to enable WhatsApp access to your location data, WhatsApp will require your consent after which it enables the location sharing feature which allows you to share the location data with another user. WhatsApp further adds that besides processing your data based on your consent, you have a right to withdraw your consent at any time without affecting the lawfulness of processing of such data.
In cases where WhatsApp processes your data as it is necessary to comply with a legal obligation, for instance, if there is a legal request for certain data via an order from law enforcement regarding an investigation, WhatsApp will disclose the said data pursuant to its legal obligation.
In cases where WhatsApp finds it necessary to process your data for the purpose of its legitimate interests or the legitimate interests of a third party, where such interests are not overridden by your rights and freedom, WhatsApp does so to provide accurate and reliable aggregated reporting to businesses to ensure accurate pricing and statistics on performance. Besides, WhatsApp processes your data in the interest of businesses and other partners to help them understand their customers, improve their business, validate WhatsApp’s pricing models and evaluate the effectiveness and distribution of the services of such businesses.
In cases where WhatsApp processes your data as it is necessary to perform a task in the public interest, WhatsApp will do so in compliance with the applicable law.
How You Exercise your rights: According to the applicable law, WhatsApp mentions your rights as follows:
- Right to receive confirmation from WhatsApp as to whether or not your data is being processed and in case your data is being processed, right to receive access to your data along with certain information, including, among other things, purpose of processing, categories of personal data concerned, period for which personal data will be stored.
- Right to rectification of data, data portability, right to erase data, right to restrict processing of data.
- Right to object to WhatsApp’s processing of your data for direct marketing purpose including profiling to the extent related to direct marketing.
- Right to object to WhatsApp’s processing of your data where WhatsApp is performing a task in the public interest or pursuing its legitimate interests.
WhatsApp also provides the procedure through which you can execute these rights.
WhatsApp provides you a feature to delete your account in case you wish to do so. WhatsApp further adds that on deleting your account, WhatsApp deletes your information apart from certain information namely, certain logs that it reviews past the normal retention period to analyse a security incident, copies of some materials such as certain log records which remain in the WhatsApp database but are disassociated from personal identifiers and no longer linked to your account, copies of information over which WhatsApp has a legal obligation to retain data, to prevent violations of WhatsApp’s terms or if necessary to protect WhatsApp’s rights.
Telegram opens by declaring that it follows two fundamental principles when process your data:
- Telegram does not use your data to show you ads.
- Telegram only stores the data that Telegram needs to function as a secure and feature rich messaging service.
What personal data Telegram uses?
Telegram requires your mobile number and basic account data including profile name, profile picture and about info to create your Telegram account. Telegram informs that it does not require your screen name to be your real name and further adds that other users who have you in their contacts will see you by the name they saved you and not by your screen name. For instance, you can have the screen name ‘Richard Gere’ while appearing as ‘son’ to your mom.
Telegram provides you an option to opt to set up a password recovery email when you enable a 2-step verification for your account. In case you forget your password, Telegram will send a password recovery code on the aforesaid email id.
Telegram is a cloud service. Telegram stores your messages, photos, videos, and documents from your cloud chats on Telegram’s servers. This enables you to access your data from any device anytime without the need to rely on third-party backups. Telegram further ensures that all stored data is heavily encrypted and the encryption keys in each case are stored in several other data centers in different jurisdictions. Telegram communicates that therefore local engineers or physical intruders cannot get access to your data.
Secret chats is a feature on Telegram which is end-to-end encrypted. This means that nobody including Telegram will have direct access to your device to learn what content is being sent in the messages. Telegram assures you that it does not store your secret chats on its servers. Telegram also does not keep any logs for messages in secret chats and for that reason secret chats are not available in the cloud.
Telegram reassures you that each item you send on secret chats such as photos, videos or files is encrypted with a separate key unknown to Telegram’s server. The said key and the file’s location are then encrypted again, with a secret chat’s key and sent to your recipient. The receiver can download and decipher the file.
Telegram asks your permission before syncing your contacts. It uses your phone numbers to help identify whether your contacts use Telegram and thereby allow you to interact with them on Telegram. Telegram also lets you stop syncing contacts or delete it from Telegram’s servers by selecting privacy & security in Settings.
Keeping your Personal Data Safe
Telegram says that if you sign up from the UK or the EEA, your data will be stored in data centers in the Netherlands. Telegram further adds that these are third-party service providers in which Telegram rents a designated space. However, the servers in these data centers which carry personal data including your data is owned by Telegram. Telegram assures you that it does not share your data with such data centers and that all the data is heavily encrypted.
Telegram says that the personal data that you provide will only be stored for as long as it is necessary to fulfil Telegram’s obligations regarding the provision of its services.
Processing your Personal Data
Telegram processes your data to deliver your cloud chat history including messages, media and files to any devices of your choice without the need to use third-party backups.
Telegram collects metadata such as your IP address, devices and Telegram apps you have used to improve the security of your account and to prevent spam, abuse and other violations of Telegram’s terms of service.
Third-Party Payment Services
With whom your personal data may be shared?
Telegram further adds that it shares your data with its parent company Telegram Group inc., located in the British Virgin Islands, and Telegram FZ-LLC, a group member located in Dubai, to help provide, improve, and support Telegram’s services to you. Telegram will implement appropriate safeguards to protect the security and integrity of your data.
Telegram says that it will disclose your IP address and phone number if it receives a court order that confirms you are a terror suspect.
Your Rights regarding the personal data you provide to us
Telegram says that you have a right to:
- request a copy of all your personal data that Telegram stores and to transmit that copy to another organisation.
- Delete or amend your personal data.
- Restrict, or object to the processing of your data.
- Correct any inaccurate or incomplete personal data Telegram holds on you.
- Lodge a complaint with the national data protection authorities regarding Telegram’s processing of your personal data.
Telegram lets you control how your data is used. If you want to delete your account, you can do so on Telegram’s deactivation page. Once deleted, Telegram removes all messages, media, contacts, and other data you stored in the Telegram cloud.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: