A look at “WhatsApp” Data-Protection-Policy

If you take an “under the hood” look, so to speak, at the WhatsApp Data-Protection-Policy, parts of it are quite odd.

That WhatsApp has to collect and process data is quite obvious and in compliance with the GDPR. However, collecting and processing data in order to improve system performance, to individualize, and for marketing purposes is not exactly covered by the terms of the GDPR. I would argue that system performance improvements are not exactly a “legitimate interest” of a company and therefore not covered by the GDPR. What this means is that we have here, in part, an infraction of GDPR rules concerning the legal justification of the data collection and data processing.

The subsection about the data that is being collected during the sign-up process is pretty much straightforward. What is entirely missing is the fact that the data in question is being transmitted to and stored on servers outside the European Union, and that the data protection requirements in the United States are a lot weaker than within the European Union. The fact that this information is missing from the data protection policy is already a violation of GDPR requirements.

The subsection regarding the log data is pretty much straightforward. The part regarding the IP address is completely wishy-washy. There is no mention that the entire IP address is being recorded, although that is in violation of GDPR rules. Then there is the part about individual IDs being recorded for services that belong to the Facebook group. There is no mention of which services are covered by that part of the data protection policy, nor any mention of what exactly is being done with the data tied to that special ID, and of course we never find out what data is actually recorded under this special ID in the first place.

That WhatsApp is using cookies is OK and pretty much common knowledge. However, there is absolutely no mention of how long the data recorded in the cookies is being stored, and no mention of the technical process by which this data is being destroyed once the legal justification for storing it no longer exists. This again is a violation of GDPR rules, although only a minor one. The subsection about marketing material is particularly odd. WhatsApp states that they can provide the user with marketing material. There is no mention of the GDPR requirement to get the user's permission to do so in the first place. This is actually a major breach of GDPR requirements.
The subsection about third-party providers is an even worse case of wishy-washy. There is no mention of who those third-party providers are, no mention of what information is being shared with them, and the legal justification for the use of an external order processor is missing altogether. This is another major breach of GDPR rules.

The paragraphs dealing with the implementation of the GDPR are actually pure comedy, or someone really didn't know what they were doing. This paragraph starts out by mentioning all the legal justifications laid out in the GDPR. Considering the services WhatsApp is providing, only the first two reasons apply. WhatsApp is allowed to record user data and process it in order to fulfill a contract with the user. Absolutely no question here. The part about permission is already a lot trickier. WhatsApp would need to explain what the permission actually entails. If the permission covers the data processing during the sign-up process, that would mean that as soon as the user retracts the permission, WhatsApp would have to delete the entire account. That's something that WhatsApp doesn't do. The only reason to go the route of user permission is to be able to send the user marketing material. The fact that it isn't stated what the permission entails makes it a blank permission, and that is illegal and a violation of GDPR rules. All the other reasons, “legal duty, public interest and vital interest”, don't even apply to services like WhatsApp.

The subsection about data portability is definitely not in accordance with GDPR rules. It is not the user's job to ensure the portability of his personal data. This is clearly the job of the company providing the services in the first place. Here we have a lawsuit in the making, and it will be very interesting to see how the courts are going to rule in this particular instance.

The section about deletion of data is fascinating, to say the least. WhatsApp states here the obvious: if the user deletes his account or sends a deletion request for his personal data, then the data will be deleted on the WhatsApp server. No kidding. That this doesn't apply to the information that has previously been shared with other users is obvious as well. Again WhatsApp tries to circumvent the GDPR rules. It is not the user's job to actively delete his account in accordance with GDPR rules; it is the provider who has to do so if instructed by the user. There is no mention of how WhatsApp is going to comply with the requirement to verify that the user is actually the person who sent the deletion request in the first place. There is no mention of how WhatsApp intends to prove after the fact that the user's data has in fact been deleted. In this particular instance the minimum requirements of GDPR rules aren't even remotely met by WhatsApp, with all the consequences that come with such a major breach of GDPR requirements.

In the subsection about WhatsApp's “Global Activities” they finally state that user data is being transmitted to the United States and other countries outside the European Union. There is no mention of which countries these are. Nor is there any mention that the data protection level in the United States and those “other countries” is much weaker than the GDPR requirements in the European Union.

After examining the WhatsApp Terms of Service and Data-Protection-Policy, what have we learned?
The TOS and the Data-Protection-Policy are equally bad: a lot of infractions and major breaches of GDPR requirements, and quite a number of very clumsy attempts at circumventing certain regulations of the GDPR. All in all, in its current state WhatsApp is absolutely a no-go for companies. Those companies who can't give WhatsApp the boot due to the nature of their business will be well advised not to give all employees WhatsApp access, and to limit that access to upper management or the CEO himself.