WhatsApp is practical but legally sensitive: the messenger violates the General Data Protection Regulation (GDPR, in German DSGVO). What does that mean in concrete terms, and what can happen if companies keep using WhatsApp?
No WhatsApp at work: that rule has applied since 5 June at the automotive supplier Continental. Around 36,000 employees had to delete the messenger from their company phones, for data protection reasons. Since 25 May the General Data Protection Regulation (DSGVO) has been in force in the EU, bringing stricter rules on the use and processing of contact data, rules that the American company WhatsApp does not comply with.
“Businesses should therefore examine exactly whether and why they use the messenger,” says Tobias Neufeld, a lawyer at Allen & Overy Germany. “WhatsApp is actually meant for private use; anyone who uses it professionally is taking a big risk.”
To what extent does WhatsApp violate the GDPR?
Problem 1: WhatsApp processes data without authorisation
“Whatsapp automatically accesses all contacts stored in the smartphone,” explains Philip Keller, a lawyer from Cologne. “This usually includes data from people who do not use the messenger service.”
And that is exactly the problem: according to the DSGVO, a company needs the written consent of all persons whose data is used and processed. The messenger, however, accesses information from people who have never allowed it and who do not even know that their data is stored on an American server. “Anyone who uses WhatsApp professionally without having obtained this permission from each individual contact thus violates the General Data Protection Regulation,” says lawyer Keller.
In principle, any processing and storage of data requires a legal basis. But the fact that Facebook and WhatsApp copy all data from the address book and store it on their own servers can never be such a basis. Incidentally, the same applies to WhatsApp Business, the messenger service for businesses.
Problem 2: WhatsApp shares data with Facebook
Another problem: WhatsApp passes the collected data on to Facebook. Although WhatsApp has been a Facebook subsidiary since 2014, sharing data between the two companies is still prohibited without the users' consent (Article 6 of the GDPR), unless Facebook has a legitimate interest in the information. When an interest counts as legitimate, however, is not spelled out in the law.
In Germany, WhatsApp was previously not allowed to pass data on to Facebook; the Hamburg Higher Administrative Court had ruled so. Since the GDPR came into force, the responsible data protection authority is the one in the country where the company is based, and the European subsidiaries of Facebook and WhatsApp are located in Ireland. In this case that means the Irish data protection authority must decide whether Facebook may use WhatsApp data or not.
According to its own statements, WhatsApp currently does not share messages or photos with Facebook, but it does share, for example:
- the phone number of the user
- device information (for example device ID and operating system)
- when the user registered
- when WhatsApp was last used
- which functions are used frequently
Can employees use the messenger internally?
“In the opinion of the data protection authorities, teams can communicate via WhatsApp as long as no customer data is stored on the mobile phone and no other personal data is sent back and forth,” says lawyer Tobias Neufeld. In that case, however, only the contact details of team members who have agreed to communicate via WhatsApp should be stored on the phone.
Personal data aside, lawyer Neufeld sees another risk in company communication via WhatsApp: “The question arises whether the exchange of confidential information or even business and trade secrets is sufficiently protected,” he says.
Should companies ban Whatsapp on the company phone?
“The only legal way to use WhatsApp on company phones is to store only data from customers who have previously been informed of the data policies of Facebook and WhatsApp and who have expressly agreed to the storage of their data in the address book and to the use of the messenger,” says Keller. Those who want to make sure they do not violate data protection law should not allow their employees to install WhatsApp or other messengers on company mobile phones.
However, if employees use their own mobile phone (“bring your own device”) and have installed WhatsApp, employers cannot require them to delete the app. If customer or business partner data is stored on an employee's private phone, the company has a problem: “WhatsApp accesses contacts and data that are on the phone,” says Philip Keller, “regardless of whether the device is a company phone or not.”
What are the penalties for using Whatsapp professionally?
“Basically, according to data protection authorities and courts, the professional use of WhatsApp was risky even before the GDPR,” says Neufeld. “Now, however, companies have an extended obligation to provide information and documentation and have to prove via which route and to whom they have transmitted data.”
In addition, the DSGVO provides for much higher penalties for data protection violations: “If the protection of personal data is insufficient, fines of up to 20 million euros or four percent of annual revenue are possible,” says Neufeld.
However, representatives of the German data protection authorities have repeatedly said in recent weeks that Germany will not lead the way on the size of fines and does not intend to impose severe penalties in the coming months. “Instead, the data protection authorities will first try to enforce compliance with the GDPR through checks and guidance,” says Neufeld. “High fines are therefore unlikely unless companies commit deliberate or intentional violations of the DSGVO.”
Privacy despite Messenger: What solutions are there?
iPhone users can deny WhatsApp access to the address book under “Settings, Privacy”. Android users do not have it so easy: they need to install an additional app to stop WhatsApp from accessing contacts.
Another option is so-called Exchange containers: programs that ensure WhatsApp cannot access other data on the smartphone. The disadvantage is that the user must then enter contacts individually in the messenger. “For small companies, this is too much time and cost,” says Neufeld. It is usually not worth it.
Instead, companies could use other messenger services: “Best are programs whose servers are in Europe and thus comply with data protection law.” According to Neufeld, possible alternatives include Threema, Signal and Wire. “These services are safer than WhatsApp while being similarly fast and straightforward.”