[Update Sept 2021 - WhatsApp issued second-largest GDPR fine of €225m]

[Update Feb 2020 - further coverage and news on WhatsApp - is it GDPR & business compliant?]

The General Data Protection Regulation (GDPR) came into force earlier this year, on May 25, 2018. Companies are still adjusting to its implications. Businesses are increasingly using WhatsApp for both employee and customer communications. But is WhatsApp compliant with the GDPR?

Consent issues for WhatsApp

The most glaring instances of WhatsApp’s ostensible non-compliance with the GDPR centre on whether the relevant "data subjects" have given proper consent for the app to process their data. I’ll run through two scenarios to elucidate the issue: (1) my boss; and (2) my consulting client.


My boss, who doesn’t use WhatsApp

My boss doesn’t have WhatsApp. She has never downloaded the app. She has no notion of what it is and has never agreed to enter a contract with WhatsApp to supply its service to her.

She is, however, a contact in my iPhone, and I have added the following information to her profile: first name, last name, mobile phone number, home phone number and email address.

Unlike my boss, I am a WhatsApp user who’s connected my address book to the service via the app. When you first download and open WhatsApp, you encounter this popup:


It specifically asks you to give consent for WhatsApp to upload all your phone contacts to its servers. The app wants this consent so it can scan through your contacts, determine which of them have a WhatsApp account, and add those who do to your list of WhatsApp contacts within the app. Or, as WhatsApp puts it, to help you "quickly get in touch with your friends".

When I hit "OK" and allow WhatsApp to upload my phone’s contacts to its servers I’m not just re-sharing with them the details of people who already have a relationship with WhatsApp. I’m also sharing the personal data of contacts, like my boss, who have no pre-existing relationship with it, and who unwittingly give information about themselves to the app.

This raises obvious questions:

  1. Does WhatsApp ‘process’ the information belonging to my boss when I connect my address book to its service?

  2. Does the information it processes contain and constitute ‘personal data’?

  3. Would the app’s processing of this personal data comply with the GDPR regulations?

Does WhatsApp process my boss’s information?

Ultimately, if WhatsApp were to be pursued in litigation, a deeper investigation would need to be done into what the service actually does with my phone’s contact information. However, my presumption is the service must, at the very least, do the following with it:

  1. Collect and record all phone contact information onto its servers (its popup admits to doing this); and,

  2. Organise and structure the information so a reconciliation can be done to work out which of my contacts already have a WhatsApp account and which don’t.

If WhatsApp didn’t perform these technical operations, it wouldn’t be able to determine which contacts to display to me within the app (i.e., those contacts who are on WhatsApp) and which contacts to not display to me within the app (i.e., those contacts who aren’t on WhatsApp).

I’m not prepared to conclude on points of fact in this article, but there is quite obviously a chance WhatsApp is 'processing' the contact information supplied to it by its users.

Does the information it processes constitute ‘personal data’?

I don’t think there is any doubt that the information I have recorded about my boss on my phone is personal data. It includes her first and last name, her mobile phone number, her landline number, and her email address. I presume that is enough to make her an identified natural person or, at the least, an identifiable natural person, pursuant to Art. 4(1) of the GDPR.

But whether WhatsApp processes all that information when I connect my address book is hard to tell from outside its walls.

For example, when the app asks you to upload all your contacts to its servers, WhatsApp might only take the mobile phone number from each of your contacts and cross-match it against the registered mobile phone numbers in its database.

At that point, it may not bring across my boss’s home phone number, her email address, and her first or last name. It may completely ignore all of that information, which might mean it is not processing it. If that were the case, the whole debate would revolve around whether processing a person’s mobile phone number is the same as processing their personal data.
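To make the two technical operations discussed above concrete (collecting the uploaded contacts, then reconciling them against registered numbers), here is an added Python sketch. It is not WhatsApp’s code and makes no claim about what WhatsApp actually does; it models the worst case the article raises, where every field of every contact leaves the phone, beside the minimised variant speculated on in the preceding paragraph, where only a normalised mobile number is uploaded and matched. The address book, the set of registered numbers and the UK-only number normalisation rule are all constructed for the example.

```python
"""Contact-discovery reconciliation, added illustration (not WhatsApp code).

Two client-side upload strategies feed the same server-side matching step:
  full_upload       - every field of every contact leaves the device
  minimised_upload  - only a normalised E.164 mobile number leaves the device
Both produce the same "who is already on the service" answer, which is the
point: matching needs a number and nothing else.  All data is constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed address book of the uploading user ("me").  The second entry
# mirrors the article's Joe Bloggs, including a residential address.
ADDRESS_BOOK = [
    {"first": "Jane", "last": "Boss", "mobile": "+44 7700 900123",
     "home": "020 7946 0999", "email": "jane@example.com"},
    {"first": "Joe", "last": "Bloggs", "mobile": "07700 900456",
     "company": "Acme Consulting", "email": "joe@acme.example",
     "address": "1 Example Street, London"},
    {"first": "No", "last": "Number", "email": "nonumber@example.com"},
]

# Constructed set of numbers already registered with the (hypothetical)
# service, stored in E.164 form so that matching is an exact comparison.
REGISTERED = {"+447700900456", "+447700900789"}


def to_e164(raw: str, default_cc: str = "+44") -> Optional[str]:
    """Normalise a free-form number to E.164.

    Illustrative UK-only rule: strip punctuation, keep a leading '+', and
    treat a leading '0' as a national trunk prefix for default_cc.
    Returns None when no usable number is present.
    """
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("+"):
        return digits if len(digits) >= 9 else None
    if digits.startswith("0"):
        return default_cc + digits[1:]
    return None


def full_upload(contacts: List[dict]) -> List[dict]:
    """The scenario the article worries about: every stored field is sent."""
    return [dict(c) for c in contacts]


def minimised_upload(contacts: List[dict]) -> List[str]:
    """Data-minimised alternative: only normalised mobile numbers are sent.

    Names, home numbers, email and postal addresses never leave the device,
    and contacts without a usable mobile number are not uploaded at all.
    """
    numbers = set()
    for c in contacts:
        e164 = to_e164(c.get("mobile", ""))
        if e164:
            numbers.add(e164)
    return sorted(numbers)


def reconcile(uploaded_numbers: List[str],
              registered=REGISTERED) -> Dict[str, bool]:
    """Server side: flag which uploaded numbers belong to registered users.

    This is the 'organise and structure' step: the service needs only to
    test set membership, so a bare number is sufficient input.
    """
    return {n: (n in registered) for n in uploaded_numbers}


def fields_withheld(contacts: List[dict]) -> int:
    """Count the non-number fields the minimised upload never transmits."""
    return sum(len([k for k in c if k != "mobile"]) for c in contacts)


if __name__ == "__main__":
    numbers = minimised_upload(ADDRESS_BOOK)
    matches = reconcile(numbers)
    print("uploaded:", numbers)
    print("on service:", [n for n, hit in matches.items() if hit])
    print("fields withheld by minimisation:", fields_withheld(ADDRESS_BOOK))
```

Running the minimised path yields the same "on service" list that the full upload would, which is the article’s underlying argument: the matching step needs a number and nothing else, so a name, home number, email or postal address uploaded alongside it is processed without serving the stated purpose. One practitioner’s caveat not covered by the article: hashing the numbers before upload does not change the analysis, because the space of valid mobile numbers is small enough to enumerate and re-hash, so a hashed number remains an identifier of the same person.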

What is personal data?

The definition of "personal data" in Art. 4(1) is any information relating to an “identified” person, or any information relating to an “identifiable” person.

If WhatsApp only processes my boss’s mobile phone number, I would presume they’ve fallen short of identifying her. Her phone number is used as a meaningless unique identifier to cross-match against a database of other identifiers to determine a match. She would, therefore, not be an "identified" person at that stage, and the number would not constitute personal data.

But is she "identifiable" at that point?

What is an identifiable person?

Art. 4(1) goes on to define an "identifiable natural person" as “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

If an action were brought against WhatsApp under the GDPR in relation to this aspect of their practices, and they only processed mobile numbers and not other information in users’ contact lists, the outcome would likely hinge on which side argued a stronger case for whether a mobile phone number can be used, on its own, to identify a person directly or indirectly.

Outside of this circumstance, if WhatsApp is found to be importing and processing all the contact information I have recorded for my boss on my phone, I would imagine they would find it very difficult to argue they haven’t identified her, or are in a position to identify her easily.

Would the app’s processing of this personal data be in breach of the GDPR?

Art. 5(1)(a) requires that personal data be "processed lawfully, fairly and in a transparent manner in relation to the data subject". Art. 6 provides for what the GDPR considers to be “lawful processing” and states that processing of personal data will only be lawful if it meets at least one of six criteria included in the provision.

Those six criteria are as follows:

Art. 6(1)(a) — the data subject has given consent to the processing of his or her personal data for one or more specific purposes

My boss has not given consent for WhatsApp to process her personal data for any purpose. She has given me consent to process her personal data to the extent that I have stored it in my phone, but that consent presumably does not extend to WhatsApp uploading that data to its servers to cross-match it against the registered users on those servers.

Art. 6(1)(b) — processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

The processing of my boss’s data is not necessary for the performance of a contract to which she is a party, or is about to become a party. I might have a contract with WhatsApp under its terms of service, but in the case of my boss’s personal information I am not the data subject; she is.

Art. 6(1)(c) — processing is necessary for compliance with a legal obligation to which the controller is subject

I doubt very much that the processing of my boss’s personal data is necessary for WhatsApp to comply with any legal obligation it may have. WhatsApp itself claims in its popup that the purpose of processing my boss’s private data is to "help you quickly get in touch with your friends and help us provide a better experience." Neither reason states or implies a legal obligation on WhatsApp’s part, and I doubt one exists.

Art. 6(1)(d) — processing is necessary in order to protect the vital interests of the data subject or of another natural person

I wouldn’t think that WhatsApp processing my boss’s personal data is necessary to protect her vital interests, or the vital interests of another natural person (like me).

Art. 6(1)(e) — processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Processing my boss’s personal data is not required for the performance of an activity in the public interest, and I presume WhatsApp has no "official authority" to process the data.

Art. 6(1)(f) — processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

I doubt WhatsApp could prove it has a legitimate interest in processing my boss’s personal data, particularly when the EU recognises that she has a fundamental right and freedom to privacy and that is being obstructed without her consent or knowledge.

Conclusion with respect to my boss

If WhatsApp were found to be "processing" “personal data” belonging to my boss (or any other person whose information is uploaded to their server through the action of another person) I don’t think they would be able to contend that the processing was lawful, because the activity doesn’t prima facie satisfy any of the criteria for lawfulness in Art. 6.

Most prominently, my boss (the "data subject") has not consented to her personal data being processed by WhatsApp, and there isn’t really a good alternative reason for it.


My consulting client, who does use WhatsApp

In this example, I’ll use the fictional scenario of me and a consulting client. We use WhatsApp to communicate with each other about business and the work I perform for them.

As was the case in the example above, the client has given me consent to record their personal data against their contact profile on my iPhone. I have recorded their first and last name, their mobile phone number, the name of the company they work for, and their work email address.

When I added the client as a contact in my phone, it automatically synced to WhatsApp, because it has complete access to my phone contacts. The effect of this is that I can go into WhatsApp and see the same information for my client there as I can in my phone contacts.

Here is a screenshot of my contact profile for Joe Bloggs in my phone:

And here is what WhatsApp automatically displays in its contact profile for Joe:

Any information you log in your phone contacts is processed by WhatsApp to display in its app. I went a step further and added a residential address for Joe Bloggs in my phone contact for him:

Again, it was immediately processed and displayed by WhatsApp in its profile for him:

For WhatsApp to display this information in its app, it surely must process the data. Technically, can it draw all of the details about my client from my phone’s contact list and display those details within its app without it storing and organising that information on its servers?

Secondly, there is no doubt the information about my client is personal data that can be used to identify them. Any individual, to say nothing of a sophisticated algorithm, could take someone’s first name, last name, email address and place of work and identify them after five minutes of Google searching.

Further, unlike in the previous scenario, where an outsider couldn’t categorically determine whether WhatsApp processed more than a non-registered user’s mobile phone number, in this scenario the app is clearly processing all the information I have about my client in my phone because I can see it displayed inside the app.

What’s happening here is a concern. In effect, WhatsApp is able to access and process the personal data of my consulting client (the "data subject") not through his activity or relationship with the app, but through mine. I, not he, have given WhatsApp consent to process his personal data, and the app has done so without him necessarily even knowing it. This puts me in a quandary, because I was given permission to store his personal data in my phone, but not anywhere else, and it causes issues for WhatsApp, which is seemingly processing the personal data of a data subject without their consent.

Is WhatsApp in breach of the GDPR in this scenario?

This scenario differs slightly from the first one because in this case both my client and I are registered WhatsApp users. We’ve both entered a legal relationship with WhatsApp and have presumably consented to some things in exchange for accessing the service WhatsApp offers.

But have we given WhatsApp consent to process each other’s personal data?

Art. 6(1)(a) provides that processing of personal data is lawful if "the data subject has given consent to the processing of his or her personal data for one or more specific purposes."

Art. 7 provides the "conditions for consent", that is, what must be established by WhatsApp to demonstrate they have the consent of my client to process all of his personal data.

Art. 7(1) says simply, "the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."

Before I go further, let me make clear that Art. 7 refers to the "data subject" giving consent, which in this scenario is my client. The focus, therefore, is whether he has given WhatsApp consent to process his personal data stored on my phone. The questions stemming from this, which WhatsApp needs to answer pursuant to Art. 7, are:

  1. Has my client consented to WhatsApp processing his personal data by methods that require the app to obtain the data from another user’s phone? (Art. 7(1)); and,

  2. Did WhatsApp ask for my client’s consent in a manner that is "clearly distinguishable" from any other matters, and was it asked for in “an intelligible and easily accessible form, using clear and plain language”? (Art. 7(2))

When you first open the app after installing it, this popup appears:


It then asks for my consent to enable push notifications, which is irrelevant here. It then displays the welcome page with links to the service’s privacy policy and terms of service, which I am prompted to agree to before continuing. I cannot continue without agreeing:

When I hit 'Agree & Continue', I am prompted to enter my mobile phone number, and when I do that I am given access to use the service. By now, the only explicit consents I have given were for WhatsApp to send me push notifications, and for it to access my phone contacts. I did not consent for it to process personal data about me that it accesses via other users on the network. Presumably, therefore, when my consulting client registered an account he did not give explicit consent for WhatsApp to process his personal data stored on my phone.

I read through the company’s privacy policy (via this link, as at 20 December 2018) and there seems to be only two terms that might be relevant to this issue of consent:

  • "Your Account Information. You provide your mobile phone number and basic information (including a profile name) to create a WhatsApp account. You provide us, all in accordance with applicable laws, the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts. You may provide us an email address. You may also add other information to your account, such as a profile picture and about information."

  • "Account Information. Your phone number, profile information, about information, last seen information, and receipts may be available to anyone who uses our Services, although you can configure your Services settings to manage certain information available to other users and businesses with whom you communicate."

On reading these terms, and the whole privacy policy, I don’t think WhatsApp has successfully elicited my client’s consent to access his personal data stored on my phone, and process it in any way. In any event, Art. 7(2) provides that: "If the data subject’s consent is given in the context of a written declaration which also concerns other matters [e.g. a privacy policy], the request for consent shall be presented in a manner which is clearly distinguishable from the other matters…"

Even if WhatsApp were to contend that the data subject’s consent is elicited via its privacy policy, I’m not sure Art. 7(2) is satisfied, because I suspect the request for consent on this specific issue is not "clearly distinguishable from the other matters" contained in the policy.

Outside of consent, is the data processing otherwise lawful in this scenario?

Outside of proving consent, WhatsApp could still argue that the processing of my client’s personal data was lawful under one of the remaining five criteria in Art. 6, which I’ll deal with now.

Art. 6(1)(b) — processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

WhatsApp would contend that the processing of my client’s personal data via another user on the network is necessary for the performance of the contract for service that exists between my client and WhatsApp. I disagree. I can’t fathom how it is necessary for WhatsApp to process my client’s residential address in order for it to perform its service as an instant messaging platform. A mobile number and name, perhaps, but how can WhatsApp reasonably argue that processing residential addresses is "necessary" without consent?

Art. 6(1)(c) — processing is necessary for compliance with a legal obligation to which the controller is subject

Again, I doubt the processing of my client’s residential address and other irrelevant personal data is necessary for compliance with any legal obligations WhatsApp has.

Art. 6(1)(d) — processing is necessary in order to protect the vital interests of the data subject or of another natural person

Again, I don’t see how WhatsApp’s processing of my client’s residential address or company name could be done in order to protect his vital interests.

Art. 6(1)(e) — processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Again, I doubt this applies.

Art. 6(1)(f) — processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

I doubt this applies.

Conclusion with respect to my consulting client

Frankly, it seems hard to believe that WhatsApp is complying with the GDPR in circumstances where it processes the personal data of a data subject without their explicit consent, through a consent mechanism applied to another user on its network, and through accessing that other user’s phone, without the data subject even knowing it’s occurring.


Data deletion and portability

The GDPR introduces a new wave of provisions centred on data deletion/erasure ("the right to be forgotten") and data portability (covering the rights of a data subject to request a copy of all data kept about them by the app, and to port it over to another controller).

WhatsApp accommodates both of these actions in its settings.

With respect to data portability, there is a setting for a user to "Request Account Info", which allows a user to:

"Create a report of your WhatsApp account information and settings, which you can access or port to another app. This report does not include messages."


With respect to data erasure, there is a setting for a user to "Delete My Account", which promises deletion of the user’s account information and profile photo, their removal from all groups, and the deletion of all message history on the user’s phone and in their iCloud backup.


With respect to data portability, it seems as if WhatsApp does not allow users to port out their message history ("account information and settings" only). While an argument could be made that messages do not necessarily constitute personal data (which is defined as “information relating to an identified or identifiable natural person”), a counter-argument could be made that they do. Individual messages in message histories presumably come tagged with each user’s mobile phone number, which can be used to identify the sender and receiver. Further, a message could contain content that helps to identify the sender or the receiver. In these scenarios, I think WhatsApp could be at risk of breaching the portability provision in Art. 20.

I’m curious as to whether its mechanism for users to delete their account information extends to the deletion of their contacts and the private data recorded for those contacts. For example, if I were to request deletion of my WhatsApp account, my account information and profile photo will be erased, and my message history will be deleted, but there doesn’t seem to be a promise by WhatsApp to remove my contact list from its servers. Assuming they don’t do this, is the right of the data subjects in that scenario (my contacts) to be forgotten upheld? Presumably not.


A final note for businesses using WhatsApp

The scenarios I’ve outlined above pose issues for businesses who rely on WhatsApp to conduct their affairs. If those scenarios weren’t fictional, I would likely be in breach of the GDPR for sharing the personal data of my boss and my client with a third party without either of them knowing or consenting to it.

In the face of the GDPR, this might be more of a problem for me than for WhatsApp given that WhatsApp has done its legal best to pass off liability to those users who choose to use its service for business. In this respect, there is a provision in WhatsApp’s terms of service that prohibits any person from using its app for "non-personal use":

  • "Legal And Acceptable Use. You will not use (or assist others in using) our Services in ways that: (f) involve any non-personal use of our Services unless otherwise authorized by us."

WhatsApp has quite obviously included this provision in its terms to limit its own liability in situations where its users have chosen to use the app for business purposes and have breached the GDPR in the course of those activities. By manoeuvring users who use the app for business purposes into contravention of its own terms of service, WhatsApp has a legal trick up its sleeve: it can claim that any users falling foul of the GDPR on its network have done so against the app’s own rules of use.

It’s important, therefore, that you review how your business uses the WhatsApp service and whether any activity is putting your company at risk of falling foul of the GDPR, and, more importantly, whether it’s putting the personal data of the people you work with, and for, at risk of being unlawfully processed by WhatsApp.

Two obvious things you can do to avoid risk are:

  1. Don’t connect your address book with the WhatsApp service; or,

  2. Don’t use WhatsApp for business purposes.


Photo by Dayne Topkin on Unsplash.

