Since Facebook and Co. are already in that much hot water, what about “WhatsApp”?
Here the news is even worse. There is a common consensus among lawyers, the chamber of commerce and the GDPR authorities that WhatsApp and GDPR rules are incompatible. The big problem with WhatsApp is how it handles personal contact information and, with that, users’ private data. WhatsApp takes all the data out of a user’s address book and transmits it to the WhatsApp server, regardless of whether those contacts have a WhatsApp account or not. Since WhatsApp belongs to the Facebook group, the data that has been transmitted to the WhatsApp server will sooner rather than later be used by Facebook in some way. Currently there is no technical method to prevent WhatsApp from doing that. Therefore WhatsApp and GDPR rules are incompatible. That is not exactly new, since it has been going on for years. Even with the old GDPR regulations WhatsApp has always been in violation of GDPR rules. However, up till now, authorities rarely issued a warning or handed out penalties under those regulations.
On May 25th 2018 the new GDPR regulations went into effect, and they are way stronger than the old ones. Besides the previous breach of users’ data security, with the new GDPR rules there is another problem that is even worse.
The new regulations force companies that are using WhatsApp to get permission from each and every user that is in their WhatsApp contacts in order to continue to communicate with them. Furthermore, those regulations state that the Opt-In for continued use has to occur before the first use of WhatsApp after the new rules went into effect on May 25th. The basis for that is the fact that the use of WhatsApp and the transmission of the user data is considered a processing event according to GDPR regulations. If the user’s permission hasn’t been obtained before the first use after the new regulations went into effect, this would already have been a breach of GDPR rules with all the consequences that come with it: either a warning or a penalty by the GDPR authorities.
It would have been an enormous undertaking for companies to get these permissions before the new rules went into effect. On top of that, there is another problem native to WhatsApp. There is currently no Opt-In method before user data that is already in the WhatsApp contacts is transmitted to WhatsApp. To make matters even worse, there is still no method to prevent WhatsApp from transmitting the entire data of a user’s address book in the first place.
What does that mean for a company now?
Regardless of whether a company gets permission from users to continue communicating with them via WhatsApp, they’re screwed either way. If they use WhatsApp, the address book is transmitted to WhatsApp, and that is a violation of GDPR rules. If you’re missing just one permission from one of your WhatsApp contacts, you’re again in violation of GDPR rules. On top of that, the new GDPR rules force entities to inform a user, prior to using WhatsApp, that his personal data will be transmitted into a country outside the European Union with different/lower data protection requirements. Again, there is currently no method in WhatsApp to inform the user beforehand. With that you have the third violation of GDPR rules. It’s not a matter of whether a company will receive a warning or a penalty, it’s just a matter of how quickly that will occur.
When WhatsApp updated their TOS (terms of service), a big portion of the net community rejoiced that WhatsApp was finally moving in the right direction and starting to follow GDPR rules. But this was a very short-lived moment of joy for the net community. Turns out the new TOS weren’t even remotely enough to fulfill GDPR rules. So what is the problem, one might ask?
The first thing the TOS states is that data is being shared with other companies of the Facebook group. However, there is no mention that data is being transmitted into countries outside the European Union, nor of the fact that the data security rules there are way weaker than they would be if the data were stored within the European Union.
Next up are the Social Media Sharing buttons. No mention that they are deploying iFrames and no mention that this in itself would be a violation of GDPR rules. The next statement is actually a bold-faced lie. WhatsApp itself states that they are sharing no data with the Facebook group. If you dig a little deeper, you find out that your phone number, the details about your cell phone, about your cell phone’s OS and how often you’ve used which features are being transmitted to Facebook. The next statement is even “funnier”. The data transmitted to Facebook is secure. Unless of course a new data scandal has made your private information publicly accessible. Something Facebook has become famous for lately.
After that it gets really wishy-washy. Facebook shares your private user data with trusted third parties. But there is no mention of who these alleged trusted third parties are, nor of how they came to the determination that those parties are in fact trustworthy. The TOS states that the data sharing is done to protect users’ data security. No mention of how that is being accomplished, nor any mention of the process by which they intend to keep users’ personal data secure.
Further down you find a short mention that you voluntarily agree that WhatsApp can transmit the data of your entire cell phone contacts to the WhatsApp server. No mention that the data is being transmitted into the United States with weaker data protection requirements. No mention that this is already a violation of GDPR rules and no mention that there is currently no method to prevent this from occurring in the first place.