WhatsApp and privacy
Recent headlines involving WhatsApp and Facebook
WhatsApp is the world’s most popular messaging service, allowing users to share moments with friends, family and acquaintances 24 hours a day, seven days a week – in real time. But the announcement of recent weeks and the news from Hamburg’s data protection commissioner Johannes Caspar are detracting from all the chat fun – or are they?
What happened?
WhatsApp was bought by Facebook for 19 billion euros in early 2014; since then it has been part of the Facebook family, which includes the social network Instagram. In August 2016 WhatsApp then announced its intention to share its users’ data in future with the parent company Facebook. The messaging service is now used by more than a billion people worldwide.
The introduction of new features (for example the voicemail and quote features as well as WhatsApp Calling --> more information is available ) and above all the closer collaboration between WhatsApp and Facebook were taken as an opportunity to revise WhatsApp’s Terms of Service. No sooner had WhatsApp announced its new terms and privacy policy than people began to get worked up. In particular, clauses allowing user data to be shared with Facebook incurred the wrath of users and data protection officials.
And yet, it wasn’t all that long ago that WhatsApp’s CEO Jan Koum assured people at the DLD (Digital-Life-Design) conference in Munich that WhatsApp had no plans to commercialize its service by targeting ads at users. That was in January 2015. But now we are seeing a U-turn – more or less through the back door: Indeed in its new terms, WhatsApp states that “WhatsApp is now part of the Facebook family of companies” and that it may share WhatsApp account information with Facebook “to enhance [the user’s] experience with advertising and products on Facebook.”
From August until the end of September 2016, WhatsApp gave its users the option of objecting to user account information being passed on to Facebook. This could be done by either removing a tick from a checkbox or – if the user had already agreed to the terms without removing the tick – until 25 September 2016 it was still possible for users to adjust their WhatsApp settings so that they could object to Facebook using their data for advertising purposes. Anyone who did not change the tick or their settings by 25 September 2016 or who registers with WhatsApp after 25 September 2016 using a new mobile number or account is unable to prevent their data from being passed on to Facebook for advertising purposes. In such cases, according to WhatsApp’s terms Facebook is permitted to use user data for advertising purposes.
But the following applies equally to all WhatsApp users: Regardless of whether a user did or did not check the box concerning advertising on Facebook, that person’s WhatsApp account information will still be passed on to Facebook for “other purposes”. And the definition of “other purposes” here is still somewhat nebulous. According to WhatsApp, the intention is to improve services and products, in particular to combat spam and abuse, to improve infrastructure and delivery systems and to understand how users use the services WhatsApp and Facebook.
WhatsApp and privacy: So what does this mean for Facebook and WhatsApp?
In a nutshell: Facebook gets absolutely all of WhatsApp’s users’ account information.
This typically includes a WhatsApp user’s mobile number, profile picture, user name and user status, but also their metadata – such as frequency of transmission and usage. However, as WhatsApp itself has emphasised, this does not involve sharing any communications conducted with other users via WhatsApp. Ever since April 2016, all messages as well as calls, voice messages and images which are sent via WhatsApp have been protected from prying eyes via end-to-end encryption.
However, Germany’s Federal Data Protection Act () means that approval is required in all cases for the storage, use and transfer of data. This may involve the user issuing a declaration of consent, or such consent may already have a basis in law. In any case, WhatsApp users have not expressly consented to their account information being shared with Facebook for “other purposes”. Even the checkbox asking users whether their information should be shared with Facebook for advertising purposes is arguably not sufficient to be regarded as an effective approval, since the box had already been checked, meaning users did not have to consciously check the box. In the absence of effective approval on the part of WhatsApp’s users with regard to their data being shared with Facebook, in this case only legal permission can authorise Facebook to store and use data from WhatsApp. And yet, we have tried in vain to find any such permission in existing legislation.
Johannes Caspar, Hamburg’s state data protection officer, agrees. On 27 September 2016, the privacy official from northern Germany imposed an order against Facebook prohibiting it from storing the data of WhatsApp users. The company was also required to delete data it had already received from WhatsApp.
This isn’t the first time that Caspar has stood up for the German population’s right of “informational self-determination” and privacy. He already took action against Facebook’s real name policy back in autumn 2015. At that time, the competent court dismissed the Hamburg data protection officer’s order, pointing out that the case was not subject to German law, but Irish data protection law, since Facebook’s EU headquarters are in Ireland.
As for the more recent order from Hamburg, things may be different and German data protection law could in fact apply, because the Facebook branch specifically responsible for conducting German-language advertising operations is located in Hamburg. As such, national privacy legislation is binding for Facebook’s German advertising operations, and Facebook must comply with this legislation.
Unsurprisingly, Facebook immediately announced that it did not accept the order and that it would be taking legal action to defend itself against the order issued by the Hamburg data protection authority. Pending a court judgement on the matter, Facebook must for the time being comply with the order. If Facebook wants to avoid high fines, which the Hamburg data protection authority could now impose, then the Internet giant must not store or use any data until this matter has been finally clarified. One interesting point: Even though WhatsApp is at the heart of the current disagreement, Germany’s data protection authorities shouldn’t have their sights set on the messaging service itself, because WhatsApp’s registered address is neither in Germany nor elsewhere in Europe.
WhatsApp and privacy: Is it still OK for me to use WhatsApp for my corporate communications?
Businesses are increasingly using messaging services like WhatsApp to communicate with customers or employees. One well-known example: During the ver.di trade union strike in Germany, Hamburg Airport used WhatsApp to inform passengers of current waiting times at check-in, departure times and other relevant developments.
WhatsApp and corporate communications: No contractual permission for commercial use
Generally speaking, WhatsApp’s terms (both those valid before and after August 2016) do not provide for the messaging service to be used commercially. If you want to comply with WhatsApp’s terms, then you may only use the service privately. Unless previously approved by WhatsApp, any “non-private use of the services” is not permitted. Strictly speaking, all businesses which use the messenger for customer service or advertising purposes should first seek the approval of WhatsApp. We are unaware of this having ever occurred in practice.
Unlike the terms which were valid until August 2016, the current Terms of Service no longer expressly prohibit the use of WhatsApp for advertising purposes or for other forms of business-related communication. This turnaround lends weight to the news revealed earlier this year that WhatsApp is already working on the commercial use of WhatsApp in businesses. At present, therefore, commercial WhatsApp users can expect little resistance from WhatsApp.
Using WhatsApp for corporate communications: In view of privacy concerns, caution is advised
Irrespective of whether it is used for internal or external corporate communications and despite the full decryption of messages, images, calls, videos and voice messages which has been in place since April 2016, WhatsApp is and shall continue to be a tricky issue when it comes to data protection law.
This is due in particular to the fact that WhatsApp’s servers are located in California. This means that not just the data sent via WhatsApp, but also the user’s own telephone number, which is required to register with WhatsApp, and all of the contacts in the WhatsApp user’s phone book, end up on a server in the US. This is the only way for WhatsApp to tell whether mobile phone numbers are those of existing WhatsApp contacts or not. From a legal data protection perspective, this also involves a transmission of data to the US which is subject to approval under the German Federal Data Protection Act. Since a legal approval standard for justifying the use of WhatsApp by companies can probably be ruled out, a business that wants to use the messaging service externally or internally could arguably only rely on the fact that its telephone contacts have already given their approval to their information being transferred to the WhatsApp company headquarters in the US. But of course this hasn’t occurred in the case of contacts who are stored in the address book of a mobile device (smartphone, tablet etc.) if they do not have a WhatsApp account of their own.
Corporate communications via WhatsApp: Broadcast feature instead of Group Chat
WhatsApp provides a number of ways to message numerous recipients, in particular via Group Chat or the Broadcast feature.
To protect the interests of each individual and prevent their profile picture, profile name, profile status or telephone number from being revealed in the context of a Group Chat, businesses should opt for the Broadcast feature instead of beginning a Group Chat for their external corporate communications.
If you select the “Broadcast” option, it is actually possible to address up to 255 people at the same time without the individual recipients receiving any information about other recipients of the same message. This would be a different story if a business were to use the Group Chat feature. Generally used on an involuntary basis and without the consent of each individual, the Group Chat feature allows all users of a Group Chat to see information about all of the other members of the group, such as their WhatsApp status, picture and name as well as their phone number. This is a violation of current data protection law and, in cases of doubt, infringes the general personal rights of the individual WhatsApp user.
To protect the interests of each individual and prevent their profile picture, profile name, profile status or telephone number from being revealed in the context of a Group Chat, businesses should opt for the Broadcast feature instead of beginning a Group Chat for their external corporate communications.
If you select the “Broadcast” option, it is actually possible to address up to 255 people at the same time without the individual recipients receiving any information about other recipients of the same message. This would be a different story if a business were to use the Group Chat feature. Generally used on an involuntary basis and without the consent of each individual, the Group Chat feature allows all users of a Group Chat to see information about all of the other members of the group, such as their WhatsApp status, picture and name as well as their phone number. This is a violation of current data protection law and, in cases of doubt, infringes the general personal rights of the individual WhatsApp user.
WhatsApp and privacy: conclusion
If you use WhatsApp in your business then you are moving with the times, offering both customers and employees the opportunity to communicate quickly and simply. However, businesses may still find themselves in a legal grey area. This could change if the Facebook subsidiary WhatsApp launches “WhatsApp for Business” and consequently officially permits the commercial use of its service. Despite several major milestones, such as the implementation of end-to-end encryption, when it comes to privacy legislation WhatsApp is still something of a “hot potato” – especially in light of current discussions – and should be treated with caution when used for both private and corporate communications.