View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Policy
  2. Privacy and data protection
February 23, 2021updated 29 Jul 2022 11:01am

WhatsApp’s privacy policy could cause legal headaches for employers

The messaging app's privacy policy leaves the door open to customers' data being shared with Facebook without their consent, a data protection lawyer warns.

By Claudia Glover

Earlier this year, WhatsApp faced an outcry from customers and policymakers alike after a routine privacy update revealed (or resurfaced) the extent to which users’ contact data can legally be shared with parent company Facebook. This could cause legal difficulties for employers in future, a data protection lawyer has told Tech Monitor: if workers use WhatsApp to contact customers, the door is open for WhatsApp to share those contacts with Facebook without their consent.

whatsapp privacy policy

A routine update drew fresh scrutiny – and legal challenges – to WhatsApp’s privacy policy. (Photo by Rachit Tank/Unsplash)

WhatsApp is the world’s most popular messaging app – and usage has spiked during Covid-19 lockdowns. A study by market researchers Kantar found that WhatsApp usage grew by 40% globally in the first lockdown.

This popularity has inevitably leaked into work usage. A study by Guild, a rival app designed for professional use, claims that 41% of UK workers admit to using WhatsApp for work purposes, rising to 53% for workers who are under 45. This makes WhatsApp’s privacy policy, which drew fresh scrutiny following a routine update earlier this year, a concern for employers.

The update itself was relatively innocuous but the roll-out prompted an outcry among customers, some of whom mistakenly believed WhatsApp was planning to share unencrypted messages from its parent (the company has firmly denied this). This outcry drew attention to the company’s current privacy policy, which was updated in 2016, and sparked legal challenges from data protection agencies in India, Italy and Ireland.

[Keep up with Tech Monitor: Subscribe to our weekly newsletter]

According to Toni Vitale, partner and head of data protection at JMW Solicitors, the policy update in 2016 allowed it to share with Facebook “a list of your phone numbers that you have on your device and other people’s phone numbers that are stored in your address book and your profile, those profile pictures, status messages that you might post and also diagnostic data that they gather from app logs”.

WhatsApp’s privacy policy currently reads: “You provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts… You confirm you are authorised to provide us such numbers… We may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Consent not obtained from the client

An employee using WhatsApp “probably won’t understand that you’re giving consent for everyone in your address book’s data to be passed to Facebook,” says Vitale. “There are quite a few privacy issues in relation to this.”

He adds: “If I’m doing that as an employee of a company, my firm could be vicariously liable for me, particularly if I’m doing that in the course of my normal business, not having asked the client for consent. My employer is going to have deeper pockets than me and therefore is more likely to be a target for someone bringing an action in.”

WhatsApp parent Facebook told Tech Monitor that “WhatsApp does not share your WhatsApp contacts with Facebook or any other members of the Facebook Companies for use for their own purposes and there are no plans to do so”.

The issue, says Vitale, is that nothing is stopping them from doing so legally.

Back in 2016, when the current privacy policy was implemented, it went relatively unremarked. Now, though, the increased scrutiny on WhatsApp’s privacy policy has prompted regulators to look again. Last week, India’s Supreme Court issued WhatsApp with a notice citing “grave concerns” over the 2016 privacy update.

“I think it’s fair to say that 2021 is a different privacy landscape to 2016,” says Vitale. “Whereas in the past, users were happy to trade access to their personal information for services which are free at the point of use, now I don’t think people are willing to make that trade.”

The change is in part due to the EU’s data protection regime GDPR. “Throughout the world, not just in the EU, [GDPR has] raised privacy and data protection higher up on people’s agenda,” says Vitale.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.