
The WhatsApp Privacy Policy Update 2021: Unpacking the chaff and what it means for Non-EU Users

Introduction

On the 4th of January, 2021, WhatsApp published its new terms of service (terms) and privacy policies (notice) for its users with the option to either accept or defer until the 8th of February, 2021. While the decision has now been postponed, this review attempts to analyse what the policy means for users.

According to the notice, users have to agree to the terms and privacy policy to continue using WhatsApp. Otherwise, the notice also gracefully comes with instructions on how users can delete their WhatsApp accounts if they do not accept the new terms and policy. A classic “take it or leave it”.

It is pertinent to note that the updated terms and notices are of two kinds – one targeted at the users within the European Union (EU), and the other targeted at everyone outside of the EU. Did you guess why? Clears throat! The EU General Data Protection Regulation (GDPR).

For this report, policy and notice are used interchangeably. Please see here our guide on drafting a standard privacy notice.

The EU and non-EU notices were received by users. The notices (called key updates as seen above) have some noticeable exceptions. The magnitude of this dissimilarity, especially as one unwraps the content of the terms and policy, has birthed uproars globally, including from professionals focused on privacy and data protection. There are also assertions that these new updates are but a means of formalising the data sharing practices already being carried out by WhatsApp and its parent company, Facebook.

This review aims to examine the key updates of the privacy policies and the T&Cs, the areas of distinction, the implications for the everyday folks, the issues, and recommendations.

Background

It is worth noting that the sharing of information between WhatsApp and its parent company, Facebook, is not a new development; it has been in place since its 2016 update. However, the users had an option to opt out of such data sharing. It was also contained in its previous privacy policy, which was updated in July 2020. The updated privacy policy only moved from the subtle to the fearless approach. WhatsApp, this time, made sure to mention its information-sharing practice with Facebook at every opportunity while giving users the option to “take it or leave it”. Hence, unlike the previous updates, you either take the offer or cease using the app. After all, it is not by force.

The uproar and claims that followed the recent updates prompted WhatsApp to issue a clarification in a blog post, shown in the image below.

Source: WhatsApp

The clarification made did not quench the burning criticism that has trailed the new update. At best, this clarification does not sufficiently address its data-sharing arrangement with other Facebook companies; instead, it focuses on what we know about WhatsApp’s End-to-End (E2E) encryption in messaging. What is clear is that concerns about data and information sharing are still “it is what it is”. Facebook has been the subject of previous controversies due to alleged non-transparency in its actions regarding users’ privacy, ethics, and trust. In 2017, Facebook was fined by the European Commission for having misrepresented to the Commission in 2014, when acquiring WhatsApp, that it would be unable to create an automated matching of WhatsApp and Facebook users’ accounts. The Commission discovered the deception in 2017 and took appropriate steps against the tech giant. Similarly, there is an antitrust inquiry against Facebook for its deceptive use and management of users’ data to stifle competition. With these, one cannot but worry about the recent update.

Key Updates and Comparison

The key updates for the EU and non-EU users differ and can be found in the table below – see Appendix I for details of these key updates’ contents.

The Structural Approach

WhatsApp used the layered approach in delivering the EU privacy policy – see a guide here from the Information Commissioner’s Office (ICO). This approach gives the privacy policy a brief look in manageable chunks and encourages readers to read to the end. In contrast, the non-EU targeted policy was laid out in a single, long, tiring page which may eventually overwhelm readers, with the possibility of agreeing to the policy and accepting the terms without reading because…TLDR. The purpose of a privacy notice is primarily to inform users. If privacy policies are not read, then this purpose is defeated.

Law, Our Rights and Protection

This section sets out the lawful basis for personal data processing as set out under the Information Collection section under the EU WhatsApp policy. However, under the non-EU policy, the only justification for the potential sharing of information is a good-faith belief by WhatsApp. Good faith is a very subjective term which may be very nebulous. In the end, it is subject to the whims of the controller. For context, no African country’s data protection law contains “good faith” as a lawful basis for processing personal data.

How We use your Information

Both privacy policies (EU and non-EU) stated that personal information collected should be used subject to “applicable laws” – GDPR for the EU and the numerous other laws and regulations for the non-EU regions. A quick fact check will reveal they have not complied with the data protection laws of many countries. Possibly, that explains why South Africa’s Information Regulator and the Italian Supervisory Authority (Garante) have opened an enquiry into the new policy. India is also seeking a new privacy policy. Besides, there are many non-EU countries without a data protection law, which leaves users in such countries with no applicable law but the whims of the data controller.

Lawful Basis

The EU privacy policy contains the lawful basis for processing personal data collected in the app. Beyond that, it spells out the personal data processed under each lawful basis with instances under the “how we process your information” section. The lawful basis for processing includes consent, legitimate interest, legal obligation, and vital interest. It is couched in a way that does not leave the user in doubt.

In contrast, the non-EU privacy policy does not contain any lawful basis for processing. This omission for the non-EU region implies that users are not aware of the lawful basis for processing their data. Hence, by association, there appears a distinct standard for transparency applied to non-EU users.

Data Subject Rights

The EU privacy notice lists out all the data subjects’ rights including the right to access, rectify, erase, data portability, restrict processing, object to processing, lodge a complaint with the supervisory authority, and the right to withdraw consent. The section also contains links to help the data subjects exercise their rights. On the other hand, the non-EU privacy policy does not contain the rights of the data subjects. It is amusing that under the “Law, Our Rights and Protection”, WhatsApp says it will access, share and preserve personal information to “protect the rights . . . of our users”: rights which the data subjects are unaware of and may never know to exist. In contrast, many non-EU data protection laws contain data subject rights. Is WhatsApp looking the other way?

International Transfer of Data

Both privacy policies inform users of WhatsApp’s global operation and how it may share information with the United States and other third countries. However, the EU privacy policy further provides that for transfer of data to countries outside of the EU, the following will be adopted:

  • Standard Contractual Clauses (SCC) approved by the European Commission,
  • The European Commission’s adequacy decision for some countries that have an adequate level of protection, or
  • Equivalent mechanisms provided under applicable data protection law.

The data protection laws of many non-EU countries adequately provide for different international transfer mechanisms for personal data, but the privacy policy did not reflect any of it.

How we work with other Facebook Companies

Under the EU privacy policy, information shared with other Facebook Companies is to be used solely to improve WhatsApp’s services and cannot be used for other Facebook Companies’ purposes. However, for non-EU users, WhatsApp can share information with other Facebook companies to improve Facebook’s services. The EU privacy policy specifically states that “Any information WhatsApp shares on this basis cannot be used for the Facebook Companies’ own purposes”. This clause is excluded from the non-EU privacy policy. Instead, the non-EU privacy policy states that WhatsApp “may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customise, support, and market our Services and their offerings, including the Facebook Company Products.”

WhatsApp further stated that the non-EU users’ data are shared with other Facebook Companies for, among other things, “. . . improving their services and your experiences using them, such as making suggestions for you (for example, of friends or group connections, or interesting content), personalising features and content, helping you complete purchases and transactions, and showing relevant offers and ads across the Facebook Company Products …”

Thus, it is safe to conclude that Facebook Companies may use such information for their purposes besides WhatsApp’s. It is more worrisome because, for the non-EU users, their data is processed based on good faith, a very subjective term – see the Law, Our Rights and Protection section above.

Age

Under the EU policy, users must be 16 years old or older, depending on country laws, before using WhatsApp services without parental permission. In non-EU countries, 13 years is the minimum age. This age threshold for non-EU users is inconsistent with regulations across some non-EU countries for children’s age of consent. More importantly, the information in the privacy notice is not in a format or worded in a way that may be comprehensible for a 13-year-old.

Data Protection Officer’s (DPO) Contact

The privacy policy for the EU region provides a link to contact the DPO. This makes it easy to contact the DPO when and where required, rather than having to request the contact details first. The non-EU regions were not provided with the DPO’s contact.

Comments and Recommendations

In summary, the absence of vital information and rights in the privacy policies of non-EU users ignores the specific requirements in most non-EU countries’ data protection laws, which provide for the principle of transparency and the obligation to provide certain information to users about the processing of their personal data. The disregard for these laws suggests Facebook will use information WhatsApp shares with it for its purposes; the exclusion of the DPO’s contact and a host of other things is a call to action for more countries to enact a data protection law, establish an independent supervisory authority and enforce the law. Non-EU countries make up the highest number of WhatsApp users. Some of these non-EU countries have data protection laws, and WhatsApp should comply with these laws. These countries are not oblivious of the best practices concerning data protection.

The absence of information on the lawful bases for processing personal data, users’ rights, the exclusion of the DPO’s contact, and the unregulated restriction to transfer users’ personal data across borders in the non-EU users’ privacy policy also raises questions around the compliance with requirements for the international transfer of data in these countries. While the absence of data protection laws in some countries may leave them without legal protection, it behoves WhatsApp to adopt measures and best practices to protect the users and inform data subjects of their rights, the lawful basis for processing, and the limitation of Facebook’s use of their information despite the absence of laws in those countries.

Besides, it is also a wake-up call to countries with data protection laws and established regulators like Australia, Japan, Qatar, Senegal, Mauritius and the rest to set the boundaries and demand compliance with their respective laws, at best similar to what is obtainable in the EU privacy policy. South Africa has taken the lead in this regard by engaging in discussions with Facebook to determine if the WhatsApp privacy policy complies with the Protection of Personal Information Act (POPIA).

The non-EU users’ privacy policy structure could be changed to a layered structure for ease of reading.

It is worrying that the new policy section could allow WhatsApp Business to provide information about users, such as “purchase receipts” for instance, and allow ads to target users through their interactions with businesses. In a blog post, WhatsApp has stated that “…whether you communicate with a business by phone, email, or WhatsApp, it can see what you are saying and may use that information for its marketing purposes, which may include advertising on Facebook” – a statement which might have achieved the opposite effect of pacifying suspicious users. Nonetheless, it is essential to clarify that this applies to interactions with WhatsApp for Business.

Given its previous controversies, Facebook does not appear to inspire confidence in preserving users’ data rights. WhatsApp collects a great deal of metadata related to usage and device performance and may collect personal data mentioned under “Information We Collect”, which it also shares with other Facebook companies. Therefore, a useful tack might be a more substantial commitment to data protection and privacy, evidenced by consistent actions and transparency.

Conclusion

The newly introduced updates that have created uproars are not so different from the previous privacy policy save for some differences. The data-sharing relationship between WhatsApp and its parent company has been in existence since 2016. The sad deprivation of non-EU users of fundamental rights and privileges in WhatsApp’s privacy policy is yet another reaffirmation of WhatsApp’s and, more significantly, its parent company Facebook’s worrisome privacy and data protection practices.

Appendix I

WhatsApp’s Service and How it Processes Personal Data

According to the information provided by WhatsApp, the following practices are expected:

  • Automatic collection of information relating to how users interact with businesses on WhatsApp; information concerning when you registered; the features you use like messaging, calling, status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” information; whether you are online, when you last used WhatsApp (“last seen”).
  • Collection of more transaction information, which now includes payment method, shipping details, and transaction amount.
  • Collection of information (your interactions and your messages with them or others) on a reporting and reported user.
  • Businesses using WhatsApp services may provide WhatsApp with information on interactions with you; they may share your information within their organisation or outside under the applicable laws.
  • Collection of personal data or chat provided by users when they contact customer support.
  • Expansion of business interaction on WhatsApp, such as catalogues that can be used to browse through products.
  • WhatsApp now offers services to businesses, such as providing them with metrics concerning their use of the service.

How Businesses can use Facebook Hosted Services to Store and Manage their WhatsApp Chats

Some businesses might be working with third-party service providers (which may include Facebook), for example the Facebook hosting service, to help manage their customers’ communications. In this case, “whether you communicate with a business by phone, email, or WhatsApp, it can see what you are saying and may use that information for its marketing purposes, which may include advertising on Facebook.”

How WhatsApp Partners with Facebook to offer integration across the Facebook company products

The third-party service providers which WhatsApp uses now include Facebook companies: Facebook Payments Incorporation, Facebook Payments International Limited, Onavo, Facebook Technologies LLC, Facebook Technologies Ireland Limited, WhatsApp Inc., WhatsApp Ireland Limited, and CrowdTangle.

This integration allows you to connect your Facebook Pay account to pay for things on WhatsApp, or enables you to chat with your friends on other Facebook company products.

Authors

Favour Borokini, Tojola Yusuf and Nurudeen Odeshina