This article is written by Shreya Mazumdar, pursuing a Diploma in Cyber Law, Fintech Regulations & Technology Contracts from LawSikho.
Introduction
What’s Up WhatsApp?
What is new with WhatsApp is its new privacy policy, which has been dominating the news headlines for the past few days.
WhatsApp is an App which is used by more than 2 billion people in approximately 180 countries to stay in touch with each other[1]. WhatsApp is free and its services include messaging, calling, video calling etc. on phones all over the world.
The mission of WhatsApp, according to its website, is to be an alternative to SMS. The App supports sending and receiving a variety of media like text, documents, location, voice calls, video calls etc. It is true to state that some very personal data is shared through WhatsApp, and therefore WhatsApp has built end-to-end encryption into the App. The entire purpose and mission of WhatsApp is to build fast and reliable messaging services everywhere in the world. WhatsApp screams about privacy and reliability. Mentioned below is the snapshot of the WhatsApp status update:
But what is this new privacy policy which has taken the world by storm, and which has users thinking about migrating to other similar Apps which provide better privacy?
WhatsApp’s new privacy policy
WhatsApp’s new privacy policy was declared on 11th of Jan. 2021. It enables the encrypted messaging App to share a significant amount of commercial user data with parent company Facebook, which aims to enhance business usage amongst group companies. This in no way involves personal chats between users being shared with Facebook, but it allows the sharing of data on business interactions across the group. In simple terms, many businesses rely on WhatsApp to communicate; for instance, if you purchase a flight ticket, it will be sent to your WhatsApp. This way WhatsApp helps businesses to communicate with their clients or customers. WhatsApp works with business entities that use Facebook or third parties to help store and better manage communication with users on WhatsApp[2]. With the present privacy policy, WhatsApp would require users’ consent to share transaction data, IP address, mobile device information and data on how they interact with businesses with Facebook group companies. This step would help Facebook personalise content and display relevant advertisements across the group’s multiple social platforms. It will also enable users to interlink services like a Facebook Pay account to pay for things on the messaging app.
Data sharing between WhatsApp and Facebook has attracted the attention of regulators worldwide. It was in 2018 that the UK’s Information Commissioner’s Office (ICO) got WhatsApp to sign an undertaking in which it promised publicly not to share personal data with Facebook in future until the two services can be GDPR (General Data Protection Regulation) compliant[3].
It was on 25th May 2019 that the General Data Protection Regulation (GDPR) came into force, and companies in 2021 are still adjusting to its implications. WhatsApp helps businesses with both employee and customer communication, but the main question now is whether WhatsApp will be GDPR compliant.
GDPR and past WhatsApp non-compliance
Mr Daragh O’ Brien, the managing director of data privacy consultancy Castlebridge, states that it would be his advice to stop using WhatsApp immediately. According to him WhatsApp does not comply with GDPR and should not be used. He further mentions that this App is appropriate for personal use but when it comes to professional or community organisation it brings in several non-compliance issues concerning GDPR[4].
There are a few main reasons that WhatsApp lacks in GDPR compliance:
- Firstly, a user can be added to a WhatsApp group without explicit consent from the user. It is only very recently that WhatsApp added the ability for the user to prevent this, but this option is not enabled by default. It is mandatory under GDPR that personal data can only be processed where there is a lawful basis to do so, i.e., the processing of data must be necessary to perform a contract, for legitimate interests, or to comply with a legal obligation. Mr. Daragh O’ Brien mentions that the use of this platform has potentially breached the requirements around fair as well as permanent and lawful processing, as well as the data security, integrity and confidentiality principle of GDPR. This happens due to the automatic sharing of group members’ information with other members who are strangers to each other.
- Secondly, your contacts can upload your data to WhatsApp/Facebook if they give access to their contacts and you are among them, even though your consent is absent in this case. WhatsApp mentions the following:
This does not give the contacts the right to choose whether to share such information with WhatsApp. For instance, I am a lawyer and I choose not to use WhatsApp because I feel that it will use my information. My younger sister, who is an avid social network user, has my phone number and uses WhatsApp. She has given WhatsApp access to her contacts, which include my phone number. Although I do not use WhatsApp and I don’t want WhatsApp to have my details, it will have access to my contact details through my sister.
A security expert, Matt Zeerink, managed to exploit these contact details to make a bot that could access any WhatsApp user’s online/offline status and more[5]. As per GDPR rules, organisations must keep a record of permission from the people whose data is stored. WhatsApp has completely breached this rule of GDPR. WhatsApp Business can be the first means of communication with customers, and businesses who communicate through WhatsApp need to ensure that this data processing is lawful and meets the criteria in Article 6 (Lawfulness of processing) and Article 13 (Right to be informed) of GDPR. WhatsApp Business contains an API (Application Programming Interface) that enables different functions of the application to be implemented in other software products. Users of the API are offered a function that allows them to obtain participants’ and employees’ consent before interacting with them through WhatsApp.
- Thirdly, it is also not very clear where exactly WhatsApp moves the data, and data transfer outside the EU zone is not allowed. As per GDPR rules, one needs to be able to ensure the protection of client data even outside the EU, and WhatsApp has refused to comply with France and Germany’s requests for a data sample as they believe that WhatsApp shall only be compliant with US laws on data protection[6].
As per the GDPR rules, businesses are required to be able to keep a check on who has access to what data. WhatsApp helps in sharing data, files and messages, which can be shared without a limit and also without any trace of who can see one’s files. Furthermore, WhatsApp records this data and archives it on its server, making it impossible to be GDPR compliant if your company has a way to use it. A British Medical Journal study found that over one-third of doctors send sensitive patient data through web-messaging apps like WhatsApp despite being warned that this is not a secure platform for sending sensitive clinical information. This kind of handling of sensitive information leaves data highly susceptible to errors and malpractice[7].
As mentioned before, WhatsApp has named security and end-to-end encryption as its mission and vision, but this security is far from achieving its goals. It has been a target for many cyber-attacks and it is also owned by Facebook, which has been infamous for its opaque use of user data.
Updated WhatsApp privacy policy and GDPR
WhatsApp is updating its terms and privacy policy, which means that by tapping “AGREE” the user accepts these terms effective from 8th February 2021. After this date, the user needs to update WhatsApp to comply with its policies or else the account has to be deleted. As per the newly updated policy, the data that WhatsApp will now have access to with Facebook includes messages, groups, profile photo, status, online status, location data, IP addresses, time zone, phone model, OS, ISP, language, browser, mobile network etc[8]. When users make payments through WhatsApp, the companies will have access to this data, and this means that Facebook will have access to more data to give to the companies it owns to further their product reach. As data is seen as the new oil, this privacy update will hugely benefit Facebook and its subsidiaries. Facebook bought WhatsApp in 2014 for $19 Billion and, of course, the business motive behind this purchase is visible now.
This update is implemented globally, but users in the European Union are protected from this data sharing and update. This is because of GDPR, which implements a tighter data protection policy. Therefore, users from these countries will not need to share their data with third parties. GDPR is a well-defined law which heftily penalises the parties which breach it. It puts an obligation on businesses and service providers to collect only the need-to-know information that is necessary to provide services.
Conclusion
It can be observed that the EU, due to its stringent laws like GDPR, could protect its citizens from the policy change, which seems to be for the benefit of the App and its parent companies and in a way puts the data of the users of the App at risk. This data sharing with Facebook may not pose a big risk as of now, but it could bring in security threats in the near future. The policymakers and the legislators of a country should know better when it comes to guarding the privacy of its citizens. Data is the new oil, and mining it by a private company is a risk to the country and its citizens in terms of privacy, security and data leakage.
It can be concluded that WhatsApp knows that a data breach of EU citizens can bring hefty fines upon it, so it has tried to construct its App in GDPR-friendly ways. Therefore, it can be understood that if hefty fines are levied by any country, Apps have to comply with the data privacy and data security rules, regulations and standards of the country. The App should run as per the rules of the country and not the other way around.
References
[1] https://www.whatsapp.com/about/
[2] Megha Madavia, WhatsApp Tweaks Privacy Policy to share more user data with Facebook, <https://economictimes.indiatimes.com/tech/technology/whatsapp-tweaks-privacy-policy-to-share-more-user-data-with-facebook/articleshow/80144280.cms> 12 Jan. 2021.
[3] Id.
[4] Jack Horgan Jones, Sports club and political parties advised not to use WhatsApp <https://www.irishtimes.com/news/ireland/irish-news/sports-clubs-and-political-parties-advised-not-to-use-whatsapp-1.4155599> 17th Jan 2021.
[5] Are WhatsApp and GDPR on a Collision Course? <https://www.thebci.org/news/are-whatsapp-and-gdpr-on-a-collision-course.html> 17th Jan. 2021.
[6] Id.
[7] Id.
[8] Neeraj Krishnan, Explained: WhatsApp’s new privacy rule <https://www.theweek.in/news/biz-tech/2021/01/09/explained-whatsapp-s-new-privacy-rule.html> 17th Jan. 2021.