WhatsApp in GDPR context

GDPR – the General Data Protection Regulation is an issue which at least over the last half year started to be very important in Romania and across Europe. But have you ever thought what exactly does it mean, how does it affect you as a citizen or your enterprise?

Until now it is likely you already scanned your company activity in terms of Data Protection and implemented some rules in accordance with GDPR, but have you also considered common practice like using apps?

After the big security breach that Facebook, who in 2014 bought WhatsApp for $19 Billion, has suffered we had a look to this latter app from the GDPR point of view.

    According to the new Data Privacy regulation which directly applies in European Union Member States starting on 25 May of this year, data subjects have the following rights:
  • Access: data subjects are entitled to ask the controller if it is processing their data and, if affirmative, they can obtain the details of such processing and a copy of the personal data it holds about them;
  • Correction: data subjects are entitled to request that any incomplete or inaccurate personal data the controller holds about them to be completed and corrected;
  • Erasure: data subjects are entitled to ask the controller to delete their personal data in certain circumstances (the Right to be Forgotten);
  • Restriction: data subjects are entitled to ask the controller to suspend the processing of their personal data in certain circumstances;
  • Portability: data subjects may ask the controller to transfer their personal data to another data controller;
  • Objection: if the controller is processing data subjects’ personal data based on legitimate interests (or those of a third party) they may challenge this;
  • Consent: if the controller is processing personal data based on data subjects’ consent, they can withdraw it anytime.
  • In respect to such rights, WhatsApp’s GDPR compliance is questionable on several counts, including the Right to Access, the Right to be Forgotten and Data Portability.

    Thus, it is well known about WhatsApp that, among others:
  • transfers users (meaning the eventual customers of your enterprise) data to the USA; This is in conflict with the obligation required by the GDPR to transfer or store personal data outside the EU provided that specific conditions are met. In this context, it should be noted the USA weaker privacy laws which results that an adequate protection of customer data cannot be ensured.
  • the address book of a user with all contacts including their emails and phone numbers is transferred to WhatsApp and thus Facebook without your enterprise being able to inform customers how this data is being handled and therefore to fulfill the „right to access“ requirement of the GDPR;
  • collects meta data of users and related personal data, even though the messages are said to be end-to-end encrypted, thus generating personal user profiles and understanding social relationships without being transparent what meta data WhatsApp collects, how it is processed and who it is transferred to and therefore GDPR compliant.

Bearing all this information in mind, some enterprises had already banned WhatsApp among their employees, while others had implemented professional and secure enterprise messaging app.

In the light of the above, you may consider either giving up on WhatsApp, or deploying an enterprise messaging app.

For the first choice, you should pay attention to the fact that a WhatsApp ban must be technically and organizationally feasible, meaning it is not sufficient to ban WhatsApp if employees do not apply such rule. However, there are some options to reduce the risk of GDPR non-compliance, such as separating business and personal contacts that mobile operating systems provide. Though, this solution is not 100% secure.

    Nonetheless, if you consider implementing an enterprise messaging app you should take into consideration, among others, the following:
  • if the enterprise messaging app does store data outside the European Union;
  • if the enterprise messaging app does pseudonymize and encrypt personal data as far as possible;
  • if the enterprise messaging app gives full transparency in its privacy policy and terms how personal data is used, processed and stored;

In conclusion, it is clear that WhatsApp does not meet the data protection requirements of the GDPR and an enterprise is non-compliant, if it uses WhatsApp for business purposes. Therefore, we suggest you that at least analyze how your employees use WhatsApp for business purposes so that to reduce the risk of GDPR non-compliance, or to deploy a professional and secure enterprise messaging app, that ensures maximum data protection and fully complies with the GDPR.

If you are considering to ban the WhatsApp and/or are looking for deploying a GDPR-compliant enterprise messaging app, we can assist you in implementing such measures in accordance with GDPR.