On the 4th of January, 2021, WhatsApp published its new terms of service (terms) and privacy policies (notice) for its users with the option to either accept or defer until the 8th of February, 2021. While the decision has now been postponed, this review attempts to analyse what the policy means for users.
It is pertinent to note that the updated terms and notices are of two kinds – one targeted at the users within the European Union (EU), and the other targeted at everyone outside of the EU. Did you guess why right? Clears throat! EU-General Data Protection Regulation (GDPR).
For this report, policy and notice are used interchangeably. Please see here our guide on drafting a standard privacy notice.
The EU and non-EU notices were received by users. The notices (called key updates as seen above) have some noticeable exceptions. The magnitude of this dissimilarity, especially as one unwraps the content of the terms and policy has birthed uproars globally, including from professionals focused on privacy and data protection. There are also assertions that these new updates are but a means of formalising the data sharing practices already being carried out by WhatsApp and its parent company, Facebook.
This review aims to examine the key updates of the privacy policies and the T&Cs, the areas of distinction, the implications for the everyday folks, the issues, and recommendations.
The uproar and claims that followed the recent updates brought Whatsapp to clarify in a blogpost shown in the image below.
The clarification made did not quench the burning criticism that has trailed the new update. At best, this clarification does not sufficiently address its data-sharing arrangement with other Facebook companies; instead, it focuses on what we know about WhatsApps End-to-End (E2E) encryption in messaging. What is clear is that concerns about data and information sharing are still “it is what it is”. Facebook has been the subject of previous controversies due to alleged non-transparency in its actions regarding users’ privacy, ethics, and trust. In 2017, Facebook was fined by the European Commission for having misrepresented to the Commission in 2014, when acquiring Whatsapp, that it would be unable to create an automated matching of Whatsapp and Facebook users’ accounts. The Commission discovered the deception in 2017 and took appropriate steps against the tech giant. Similarly, there is an antitrust inquiry against Facebook for its deceptive use and management of users’ data to stifle competition. With these, one cannot but worry about the recent update.
Key Updates and Comparison
The key updates for the EU and non-EU users differ and can be found in the table below – see Appendix I for details of these key updates’ contents.
|WhatsApp Services||WhatsApp’s service and how it processes personal data||WhatsApp’s service and how it processes personal data|
|Facebook hosted services||How businesses can use Facebook hosted services to store and manage their WhatsApp chats.||How businesses can use Facebook hosted services to store and manage their WhatsApp chats;|
|Facebook companies||How WhatsApp Partners with Facebook to offer integration across the Facebook company products.|
The Structural Approach
Law, Our Rights and Protection
This section sets out the lawful basis for personal data processing as set out under the Information Collection section under the EU WhatsApp policy. However, under the non-EU policy, the only justification for the potential sharing of Information is a good-faith belief by WhatsApp. Good-faith is a very subjective term which may be very nebulous. In the end, it is subject to the whims of the controller. For context, no African country data protection law contains “good faith” as a lawful basis for processing personal data.
How We use your Information
Data Subject Rights
International Transfer of Data
- Standard Contractual Clauses (SCC) approved by the European Commission,
- The European Union’s Commission’s adequacy decision for some countries that have an adequate level of protection or
- Equivalent mechanisms are provided under applicable data protection law.
How we work with other Facebook Companies
Whatsapp further stated the non-EU users’ data are shared with other Facebook Companies for among other things, “. . . improving their services and your experiences using them, such as making suggestions for you (for example, of friends or group connections, or interesting content), personalising features and content, helping you complete purchases and transactions, and showing relevant offers and ads across the Facebook Company Products …”
Thus, it is safe to conclude that Facebook Companies may use such information for their purposes besides WhatsApp’s. It is more worrisome because, for the non-EU users, their data is processed based on good faith, a very subjective term – see Law, Our Rights, Protection section above.
Under the EU, users must be 16 years old or older, depending on country laws before using WhatsApp services without parental permission. In non-EU countries, 13 years is the minimum age. This age threshold for non-EU users is inconsistent with regulations across some non-EU countries for children’s age of consent. More importantly, the nature of the information in the privacy notice is not in a format or worded in a way that may be comprehensible for a 13-year-old.
Data Protection Officer’s (DPO) Contact
Comments and Recommendations
In summary, the absence of vital Information and rights in the privacy policies of non-EU users ignores the specific requirement in most non-EU countries data protection laws, which provides for the principle of transparency and the obligation to provide certain information to users’ about the processing of their personal data. The disregard for these laws suggests Facebook will use information Whatsapp shares with it for its purposes; the exclusion of the DPO’s contact and host of other things is a call-to-action for more countries to legislate on a data protection law, establish an independent supervisory authority and enforce the law. Non-EU countries make up the highest number of WhatsApp users. Some of these non-EU countries have data protection laws, and WhatsApp should comply with these laws. These countries are not oblivious of the best practices concerning data protection.
It is worrying that the new policy section could allow Whatsapp Business to provide Information such as “purchase receipts” for instance, about users and ads targeting users through their interactions with businesses. In a blog post, WhatsApp has stated that “…whether you communicate with a business by phone, email, or WhatsApp, it can see what you are saying and may use that information for its marketing purposes, which may include advertising on Facebook” – a statement which might have achieved the opposite effect of pacifying suspicious users. Nonetheless, it is essential to clarify that this applies to interactions with WhatsApp for Business.
For its previous controversies, Facebook does not appear to inspire confidence in preserving users’ data rights. WhatsApp collects many metadata related to usage and device performance and may collect personal data mentioned under “Information We Collect” which it also shares with other Facebook companies. Therefore, a useful tack might be a more substantial commitment to data protection and privacy, evidenced by consistent actions and transparency.
WhatsApp’s Service and How it Processes Personal Data
According to the Information provided by WhatsApp, the following are practices expected:
- Automatic collection of information relating to how users interact with businesses on WhatsApp; Information concerning when you registered; the features you use like messaging, calling, status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” Information; whether you are online, when you last used WhatsApp (“last seen”).
- Collection of more transaction information which now includes payment method, shipping details, and transaction amount.
- Collection of Information ( your interactions and your messages with them or others) on a reporting and reported user
- Businesses using WhatsApp services may provide WhatsApp with Information on interactions with you; they may share your information within their organisation or outside under the applicable laws.
- Collection of personal data or chat provided by users when they contact customer support
- Expansion of Business interaction on WhatsApp such as catalogues that can be used to browse through products.
- WhatsApp now offers services to businesses such as providing them with metrics concerning their use of the service
How Businesses can use Facebook Hosted Services to Store and Manage their WhatsApp Chats
- Some businesses might be working with third-party service providers (which may include Facebook) to help manage their customers’ communications. For example, the Facebook hosting service. In this case, “whether you communicate with a business by phone, email, or WhatsApp, it can see what you are saying and may use that information for its marketing purposes, which may include advertising on Facebook.”
How WhatsApp Partners with Facebook to offer integration across the Facebook company products
- The third-party service providers which WhatsApp uses now include Facebook companies- Facebook Payments Incorporation, Facebook Payments International Limited, Onavo, Facebook Technologies LLC, Facebook Technologies Ireland Limited, WhatsApp Inc., WhatsApp Ireland Limited, and CrowdTangle.
Allows you to connect your Facebook Pay account to pay for things on WhatsApp or enables you to chat with your friends on other Facebook company products.
Favour Borokini, Tojola Yusuf and Nurudeen Odeshina