WhatsApp’s Dublin-based European subsidiary was fined by Ireland’s Data Protection Commission (DPC) in September for violations of the stringent GDPR regulations that govern data sharing in the EU.
In its decision, the DPC found that WhatsApp had not been transparent enough about the way it handled users’ data. This meant that the messaging service had not provided enough information about how data was collected “in a concise, transparent, intelligible and easily accessible form, using clear and plain language,” the DPC said. The new policy includes more detail about how the Meta-owned company collects and uses customer data, how it is stored and when it is deleted.
The messaging service also said it had added more detail on “why we share data across borders,” as well as the legal bases for processing users’ information.
WhatsApp users in the European Union and United Kingdom will receive a notification directing them to the updated information, but will not have to take any other action.
Why is this important?
WhatsApp has not been demonstrating compliance with GDPR since the regulation was introduced in 2018. Therefore, if you are using it as a business, you are using a platform that is not sufficiently fit for purpose as far as compliance with GDPR (which was transposed into UK law via the Data Protection Act 2018 (‘DPA’18’)) is concerned.
The fact that companies and organisations have been using WhatsApp for business purposes is particularly important when we consider highly regulated sectors such as law, finance and medicine. These sectors have to demonstrate (to a higher level than most) compliance with laws and regulations, especially when you consider the type of data that they will be handling, specifically personal data. Additionally, the personal data that these sectors handle may include ‘special category’ personal data. This can include medical records, religious or philosophical beliefs, as well as other factors (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/).
When demonstrating to a regulator that you, as a business, are being compliant, there must be a level of transparency, as well as safety and security, around the data being collected: a level which, until this point, WhatsApp has not been able to provide. Therefore, from a regulatory perspective, regulators are likely to question the usage of WhatsApp for business purposes.