WhatsApp: Why you must get your privacy notice right

Could a privacy notice cause a data-protection concern so massive as to trigger the loss of millions of customers within a few weeks, draw the attention of governments and supervisory authorities across the world, and lead to major reputational damage?

The answer is yes, and it recently happened to WhatsApp. This scenario highlights how data protection documentation is an essential part of the governance of personal data and the impacts poorly thought-out documentation can have on an organisation.

 

A change of policy 

WhatsApp announced its intention to update, and compel its users to accept, its privacy notice by 8 February 2021. Speculation soon became rife that the update would allow WhatsApp to read its users’ messages and share their personal data with its parent company, Facebook Inc.

Further confusion was caused by a perceived inconsistency in how the update applied across different territories, with European users regarded as receiving greater protection for their privacy due to the GDPR and a prior agreement between WhatsApp and supervisory authorities.

WhatsApp took to social media to refute what it claimed was ‘false’ reporting about the update as millions of its users began to switch to rival applications in protest. The Guardian reported that the two largest competitors had gained 32.5m additional users between them in the first three weeks of 2021.

The UK Information Commissioner, Elizabeth Denham, announced her intention to contact WhatsApp, which is already engaged with courts and parliamentary committees ranging from the UK to India. She also told a parliamentary committee that Ireland’s Data Protection Commission had enforced the undertaking by WhatsApp in 2018 not to share users’ personal data with Facebook until it could prove that doing so was compliant with the GDPR, but that this responsibility had fallen within the remit of her own office once the Brexit transition period ended on 1 January 2021.

 

Conclusion 

It remains unclear as to whether or not the wider concerns in regard to access to and sharing (if any) of WhatsApp users’ personal data will prove justified in the long term.

However, WhatsApp has implicitly acknowledged that they mismanaged their privacy notice update by postponing it until 15 May 2021, to provide them with an opportunity: “… to clear up the misinformation around how privacy and security works on WhatsApp” and allow: “… people gradually to review the policy at their own pace.”

Instead, organisations should recognise that compliance with data protection obligations can improve decision-making, increase customer trust and ultimately lower costs by providing better information about workflows and data governance structures.

As such, organisations can protect themselves against similar negative impacts by:

  • ensuring that privacy information is concise, transparent, intelligible, easily accessible, and uses clear and plain language;
  • ensuring that privacy information includes the purposes for processing personal data and the recipients with whom those data may be shared;
  • considering carrying out user testing on draft privacy information to get feedback from users as to how easy it is to access and understand; and
  • updating privacy information and proactively bringing any changes to individuals’ attention, in particular ensuring and communicating that any intention to process personal data for a new purpose is compatible with the original purpose and what the lawful basis is for the new purpose.

Trilateral’s Data Governance and Cyber-Risk Team has extensive experience working with organisations and their digital partners to ensure that data protection documentation is up-to-date with the latest data protection and ePrivacy regulations. Trilateral can help audit existing practices, develop DPIAs and Data sharing agreements, and offer general compliance support. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.

Sanjay Patel

Sanjay Patel is Data Protection Advisor at Trilateral Research.
