Since January 7th, many users received a notification from WhatsApp concerning the new privacy policy adopted by Facebook’s instant messaging app. The communication pointed out that refusing the new conditions would have prevent users to continue using WhatsApp from 8th February, on which those changes were supposed to take effect.
“Were supposed to”, because thousands of users strongly disapproved this imposition on the use of their data, leaving the app and leading Whatsapp to partially turn back on its decision.
Avviso privacy Whatsapp, ecco cosa non torna: i nodi giuridici
What caused particular concern in the new privacy policy
Following the announcement, Google’s Play Store reported download statistics in contrast with the normal trend: the downloads of alternative messaging applications, more privacy-friendly than WhatsApp, increased sharply. Telegram recorded more than 500 million downloads in just a few days, while Signal, previously unknown to many, reached 10 million downloads within a few weeks.
But what has triggered all this? And above all, to what extent users’ fears about the dangers to their privacy are justified?
What caused particular concern was, first and foremost, the warning pop-up followed by the appearance of the app’s privacy policy: both were not formulated in a clear and transparent manner, raising doubts about the actual use that WhatsApp would have made of the personal data of all its users – in particular, in relation to the sharing of personal data within the Facebook group. A big mistake in the communication and management of this update, which brought Zuckerberg’s company in the eye of the storm.
Analyzing the pop-up containing the new privacy terms, the trenchant approach is evident: we are dealing with a “forced consent”.
We know that consent, in order to comply with the conditions set out in the GDPR, must be freely given, specific, informed and unambiguous, as well as collected by means of a request that shall be presented in a manner which is clearly distinguishable from the other matters, in a intelligible and easily accessible form, using clear and plain language, as stated in Article 7, par. 2 of the GDPR.
The first manifest communication error by WhatsApp
WhatsApp, in this case, gave to its users two “choices”: unconditionally accepting the new privacy policy or renouncing the instant messaging service.
This is the first manifest communication error by WhatsApp: what should have been an acknowledgement of the new privacy policy, with a focus on the changes introduced for business users, was interpreted by most of the users as a unilateral imposition of such policy, even though the update did not introduce any substantial change in relation to marketing activities or other processing carried out on data subjects in the EU on a voluntary basis (such as access to location data, camera or photos, which would have still required a specific consent, which could have been withdrawn at any time).
The sharing of personal data processed by WhatsApp with Facebook
Another thorny issue that caused confusion among the users is the sharing of personal data processed by WhatsApp with Facebook.
WhatsApp’s privacy policy – applicable to EU users – states that the platform, based on its own legitimate interests, collaborates and shares information with other companies of the Group to:
- offer fast and reliable messages and calls and analyse performances;
- ensure security, and integrity of data on WhatsApp, by removing spam accounts and thwarting inappropriate activity;
- connect the user experience on WhatsApp with other products offered by other companies of the Group.
WhatsApp shares with Facebook some pieces of information about the device and personal data of the user including – by way of example – the verified phone number provided when signing up to WhatsApp, the operating system version, the application version, the country code of the mobile number and some pieces of information on the use of the app (such as last access, date of registration, used functions and their usage frequency).
Quite apart from the legal questions that the identification of an appropriate legal basis for such processing raises, it is important to note that these activities were already performed – and mentioned in WhatsApp privacy policy – even before the release of the update. However, the lack of transparency led users to perceive this update as a real danger for their privacy.
The views of the Italian Data Protection Authority
The Italian Data Protection Authority also expressed its views on the topic. In January, it issued a note on its institutional website commenting that “The message devised by WhatsApp to inform its users about the updates to the terms of service taking effect from the 8th of February – which concern in particular the sharing of data with other companies in Facebook’s group – and the new privacy policy itself are not clear and intelligible enough and have to be assessed in depth by having regard to data protection legislation”.
The Italian DPA therefore concluded that the term of service and the new privacy policy do not enable users to understand what changes have been introduced or what processing operations will be factually carried out by WhatsApp after the 8th of February.
For this reason, the Italian DPA decided to raise the issue before the European Data Protection Board (which includes representatives from all EEA data protection authorities), and at the same time did not rule out the taking of urgent measures to protect Italian users and enforce compliance with personal data protection legislation.
Following these complaints, WhatsApp – through the publication of some FAQs on its website –attempted to clarify what would change and what, instead, would remain unchanged with the updates.
Whatsapp explained that was forced to clarify that “Neither WhatsApp nor Facebook can read your personal messages or hear your calls with your friends, family and co-workers on WhatsApp, because they are protected by end-to-end encryption”.
Conclusions
The whole issue demands serious attention on the increasing awareness of consumers towards the protection of their personal data and, therefore, on the importance of paying due attention to this matter and to the ways in which companies communicate with their products or their services users. Transparency and compliance with the regulations are distinctive traits that strengthen the users’ trust in organizations. A breach of this trust relationship can have serious consequences, as made evident by the Whatsapp case.
