Earlier this year, WhatsApp faced an outcry from customers and policymakers alike after a routine privacy update revealed (or resurfaced) the extent to which users’ contact data can legally be shared with parent company Facebook. This could cause legal difficulties for employers in future, a data protection lawyer has told Tech Monitor: if workers use WhatsApp to contact customers, the door is open for WhatsApp to share those contacts with Facebook without their consent.
WhatsApp is the world’s most popular messaging app – and usage has spiked during Covid-19 lockdowns. A study by market researchers Kantar found that WhatsApp usage grew by 40% globally in the first lockdown.
This popularity has inevitably leaked into work usage. A study by Guild, a rival app designed for professional use, claims that 41% of UK workers admit to using WhatsApp for work purposes, rising to 53% for workers who are under 45. This makes WhatsApp’s privacy policy, which drew fresh scrutiny following a routine update earlier this year, a concern for employers.
The update itself was relatively innocuous but the roll-out prompted an outcry among customers, some of whom mistakenly believed WhatsApp was planning to share unencrypted messages from its parent (the company has firmly denied this). This outcry drew attention to the company’s current privacy policy, which was updated in 2016, and sparked legal challenges from data protection agencies in India, Italy and Ireland.
[Keep up with Tech Monitor: Subscribe to our weekly newsletter]
According to Toni Vitale, partner and head of data protection at JMW Solicitors, the policy update in 2016 allowed it to share with Facebook “a list of your phone numbers that you have on your device and other people’s phone numbers that are stored in your address book and your profile, those profile pictures, status messages that you might post and also diagnostic data that they gather from app logs”.
WhatsApp’s privacy policy currently reads: “You provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts… You confirm you are authorised to provide us such numbers… We may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary.”
Consent not obtained from the client
An employee using WhatsApp “probably won’t understand that you’re giving consent for everyone in your address book’s data to be passed to Facebook,” says Vitale. “There are quite a few privacy issues in relation to this.”
He adds: “If I’m doing that as an employee of a company, my firm could be vicariously liable for me, particularly if I’m doing that in the course of my normal business, not having asked the client for consent. My employer is going to have deeper pockets than me and therefore is more likely to be a target for someone bringing an action in.”
WhatsApp parent Facebook told Tech Monitor that “WhatsApp does not share your WhatsApp contacts with Facebook or any other members of the Facebook Companies for use for their own purposes and there are no plans to do so”.
The issue, says Vitale, is that nothing is stopping them from doing so legally.
Back in 2016, when the current privacy policy was implemented, it went relatively unremarked. Now, though, the increased scrutiny on WhatsApp’s privacy policy has prompted regulators to look again. Last week, India’s Supreme Court issued WhatsApp with a notice citing “grave concerns” over the 2016 privacy update.
“I think it’s fair to say that 2021 is a different privacy landscape to 2016,” says Vitale. “Whereas in the past, users were happy to trade access to their personal information for services which are free at the point of use, now I don’t think people are willing to make that trade.”
The change is in part due to the EU’s data protection regime GDPR. “Throughout the world, not just in the EU, [GDPR has] raised privacy and data protection higher up on people’s agenda,” says Vitale.