WhatsApp and privacy
Recent headlines involving WhatsApp and Facebook
WhatsApp is the world’s most popular messaging service, allowing users to share moments with friends, family and acquaintances 24 hours a day, seven days a week – in real time. But the announcement of recent weeks and the news from Hamburg’s data protection commissioner Johannes Caspar are detracting from all the chat fun – or are they?
WhatsApp was bought by Facebook for 19 billion euros in early 2014; since then it has been part of the Facebook family, which includes the social network Instagram. In August 2016 WhatsApp then announced its intention to share its users’ data in future with the parent company Facebook. The messaging service is now used by more than a billion people worldwide.
WhatsApp and privacy: So what does this mean for Facebook and WhatsApp?
In a nutshell: Facebook gets absolutely all of WhatsApp’s users’ account information.
This typically includes a WhatsApp user’s mobile number, profile picture, user name and user status, but also their metadata – such as frequency of transmission and usage. However, as WhatsApp itself has emphasised, this does not involve sharing any communications conducted with other users via WhatsApp. Ever since April 2016, all messages as well as calls, voice messages and images which are sent via WhatsApp have been protected from prying eyes via end-to-end encryption.
However, Germany’s Federal Data Protection Act () means that approval is required in all cases for the storage, use and transfer of data. This may involve the user issuing a declaration of consent, or such consent may already have a basis in law. In any case, WhatsApp users have not expressly consented to their account information being shared with Facebook for “other purposes”. Even the checkbox asking users whether their information should be shared with Facebook for advertising purposes is arguably not sufficient to be regarded as an effective approval, since the box had already been checked, meaning users did not have to consciously check the box. In the absence of effective approval on the part of WhatsApp’s users with regard to their data being shared with Facebook, in this case only legal permission can authorise Facebook to store and use data from WhatsApp. And yet, we have tried in vain to find any such permission in existing legislation.
Johannes Caspar, Hamburg’s state data protection officer, agrees. On 27 September 2016, the privacy official from northern Germany imposed an order against Facebook prohibiting it from storing the data of WhatsApp users. The company was also required to delete data it had already received from WhatsApp.
This isn’t the first time that Caspar has stood up for the German population’s right of “informational self-determination” and privacy. He already took action against Facebook’s real name policy back in autumn 2015. At that time, the competent court dismissed the Hamburg data protection officer’s order, pointing out that the case was not subject to German law, but Irish data protection law, since Facebook’s EU headquarters are in Ireland.
As for the more recent order from Hamburg, things may be different and German data protection law could in fact apply, because the Facebook branch specifically responsible for conducting German-language advertising operations is located in Hamburg. As such, national privacy legislation is binding for Facebook’s German advertising operations, and Facebook must comply with this legislation.
Unsurprisingly, Facebook immediately announced that it did not accept the order and that it would be taking legal action to defend itself against the order issued by the Hamburg data protection authority. Pending a court judgement on the matter, Facebook must for the time being comply with the order. If Facebook wants to avoid high fines, which the Hamburg data protection authority could now impose, then the Internet giant must not store or use any data until this matter has been finally clarified. One interesting point: Even though WhatsApp is at the heart of the current disagreement, Germany’s data protection authorities shouldn’t have their sights set on the messaging service itself, because WhatsApp’s registered address is neither in Germany nor elsewhere in Europe.
WhatsApp and privacy: Is it still OK for me to use WhatsApp for my corporate communications?
Businesses are increasingly using messaging services like WhatsApp to communicate with customers or employees. One well-known example: During the ver.di trade union strike in Germany, Hamburg Airport used WhatsApp to inform passengers of current waiting times at check-in, departure times and other relevant developments.
To protect the interests of each individual and prevent their profile picture, profile name, profile status or telephone number from being revealed in the context of a Group Chat, businesses should opt for the Broadcast feature instead of beginning a Group Chat for their external corporate communications.
If you select the “Broadcast” option, it is actually possible to address up to 255 people at the same time without the individual recipients receiving any information about other recipients of the same message. This would be a different story if a business were to use the Group Chat feature. Generally used on an involuntary basis and without the consent of each individual, the Group Chat feature allows all users of a Group Chat to see information about all of the other members of the group, such as their WhatsApp status, picture and name as well as their phone number. This is a violation of current data protection law and, in cases of doubt, infringes the general personal rights of the individual WhatsApp user.
WhatsApp and privacy: conclusion
If you use WhatsApp in your business then you are moving with the times, offering both customers and employees the opportunity to communicate quickly and simply. However, businesses may still find themselves in a legal grey area. This could change if the Facebook subsidiary WhatsApp launches “WhatsApp for Business” and consequently officially permits the commercial use of its service. Despite several major milestones, such as the implementation of end-to-end encryption, when it comes to privacy legislation WhatsApp is still something of a “hot potato” – especially in light of current discussions – and should be treated with caution when used for both private and corporate communications.