WhatsApp Privacy 2021

According to a Bitkom study, 81 percent of German Internet users use WhatsApp. The messenger service regularly and automatically collects data about its users. Since WhatsApp has been part of the Facebook company since 2014, some of this data is also passed on to Facebook. At the beginning of 2021, the company announced comprehensive adjustments to its terms of use and privacy policy. In the following article, we clarify what this means in terms of data protection law and what should be considered when using WhatsApp.

Most important information about WhatsApp and privacy

  • WhatsApp is a messenger service that has been part of the Facebook group of companies since 2014.
  • About 81 percent of German Internet users also use WhatsApp.
  • In early 2021, the company announced sweeping adjustments to its terms of service and privacy policy.
  • Even though these are said to largely not affect private users in the EU, experts expect encroachments on privacy.
  • The Hamburg data protection commissioner ordered a ban on the processing of user data by Facebook; an EU-wide approach is being clarified.

Adjustment of the WhatsApp guidelines 2021

The messenger service WhatsApp has updated its terms and conditions, which came into force on 15 May 2021. In order to continue using the full functionality of WhatsApp, users must agree to the changes. However, this consent also means that data will be transferred to Facebook.

What exactly has WhatsApp adjusted?

WhatsApp is changing its terms and conditions and thus also its privacy policy. This much in advance: The changes to the terms and conditions mainly affect companies and relate to the content of the extended offers, such as the Facebook hosting service.

According to WhatsApp's statements, nothing will change for users in the EU who use the messenger exclusively for private communication. This is only partially true, because private users could also be shown more personalised advertising on Facebook and Instagram after agreeing to the changes. Asked why private users still have to agree to the new conditions, WhatsApp argues that they could decide in the future to extend their exclusively private communication to communication with companies.

The new business functions include the following functions:

  • Enabling customer service: Chatting with the company, offering secure hosting services through Facebook.
  • Discover companies: A button in Facebook or Instagram ads with which a message can be sent via WhatsApp; as a consequence, users receive personalised ads.
  • Shopping experiences: Integration of Instagram and Facebook shops into the WhatsApp company profile.

You can find further information in the WhatsApp FAQ or in the articles about WhatsApp's enterprise features.

WhatsApp receives criticism for adjustments

The Hamburg Commissioner for Data Protection and Freedom of Information issued an order prohibiting further processing of WhatsApp user data by Facebook. However, this order only applies to German users and is valid for three months due to the urgency procedure. A decision at European level by the European Data Protection Committee (EDPC) is being clarified.

Current status and implications for users

At the beginning of 2021, WhatsApp communicated that users must agree to the new guidelines. If users do not agree, WhatsApp announced that it would first permanently display the consent notice and disable access to chats. Users would then only be able to accept voice and video calls and read messages via notifications. These limited functions should be gradually turned off.

These moves were not only badly received by privacy regulators, but also by users. The download numbers of messenger alternatives, such as Signal and Telegram, increased rapidly. As a result, WhatsApp announced that users should not expect any restrictions for the time being, should they not agree to the new terms. Currently, the messenger service is in consultations with authorities to clarify the further procedure.

WhatsApp use in the private sphere

Even before the update of the privacy policy in 2021, the messenger service WhatsApp accessed data and information of users. This includes location information, device data and even third-party information. Some of it is personal data, which WhatsApp obtains by accessing the user's personal address book. Although the use of this data, such as first names, last names or phone numbers of stored contacts, facilitates communication within the messenger, it is questionable that data is also collected from people who have not previously used WhatsApp. This is because WhatsApp collects data at regular intervals and in some cases also passes it on to companies in the Facebook group.

What does this mean for private individuals in terms of data protection? According to the General Data Protection Regulation (GDPR), the processing of personal data requires the consent of the persons concerned. This requirement does not apply under certain conditions: if personal data of natural persons is processed exclusively for personal or family activities, no consent of the data subject is required.

WhatsApp has been part of the Facebook company since 2014. What does that mean?

In concrete terms, this means that Facebook has access to certain data that is collected by WhatsApp, even if the person whose data is collected does not use Facebook. In some cases, it is possible for users to restrict access to certain information, but this results in usage restrictions.

WhatsApp use in the company

At the beginning of 2018, WhatsApp released a business version of the app. This offers further functions such as automated quick replies or the creation of a company profile, but does not have any added value in terms of data protection compared to the conventional app. With the update of the privacy policy in 2021, companies should be able to use more options and functions.

Can WhatsApp be used on the service phone?

WhatsApp cannot easily be used on the service phone. This is because even in this case, personal data stored in the address book of the smartphone is passed on. Although this is unproblematic for users who already use WhatsApp (the company can already access the data), data is also transferred to WhatsApp from people who do not yet use WhatsApp. The transfer of this data is a violation of data protection and can be punished with fines.

WhatsApp and customer contact: allowed by data protection laws?

If a company wants to contact customers via WhatsApp, this is only possible if the consent of the data subject is obtained and a contract is drawn up between WhatsApp Inc. and the company. Otherwise, the use of the messenger service is not legally permissible and violates the provisions of the General Data Protection Regulation. If even one person from the address book objects to being contacted via WhatsApp, WhatsApp's automated access to the contacts in the address book is no longer permitted, unless this contact is deleted from the address book. Accordingly, the use of WhatsApp in the corporate environment is very critical with regard to compliance with the requirements of the GDPR.

Measures that support data protection when using WhatsApp

Users of WhatsApp can ensure a certain level of privacy through certain settings on their end devices or in WhatsApp itself. Those for whom this is not enough should switch to alternative messenger services such as Signal or Telegram.

Settings on the mobile device or in WhatsApp for private use

Access to the following information can be restricted in the settings of the end devices or in the settings of WhatsApp:

  1. Status "Last online": The status of the WhatsApp user can be turned off in the settings of the app itself, under "Account" in the "Privacy" section. This means that contacts can no longer see when you last used WhatsApp.
  2. Location information: In the settings of the respective terminal device, access to the current location can be restricted or switched off completely.
  3. Contacts in the address book: In the settings of the respective terminal device, access to contacts in the address book can be restricted or switched off completely. However, this has the consequence that only the number of the contact is visible in the WhatsApp chat and you yourself can only reply to incoming messages. It is no longer possible to make contact on your own initiative.
  4. Read display for messages: The display of the checkmarks when sending messages exists since 2014 and can be deactivated in the app's settings. Deactivating your own status means that you can no longer view the status of other WhatsApp users.
      • A grey tick: the message was successfully sent
      • Two grey ticks: the message was sent and received by the recipient
      • Two blue ticks: the recipient has read the message

In general, it is not recommended to communicate sensitive data via WhatsApp.

Measures for companies to use WhatsApp in a GDPR-compliant manner

In any case, companies should use the WhatsApp Business API and implement the following measures to act in compliance with the GDPR:

  • Coordinate the use of WhatsApp with the data protection officer
  • Create an order processing contract with WhatsApp
  • Create processing activities in the register of processors
  • Observe the corresponding deletion periods and store them in the deletion concept
  • Add WhatsApp to the information requirements and make them available to customers
  • Obtain the consent of the user
  • Ensure that no data is transferred to WhatsApp
  • Store processed data on German servers
  • Develop and implement roles & rights system for employees

Switch to other messenger services

Even though WhatsApp is undoubtedly one of the most popular messenger services, there are alternatives. These have become increasingly popular since the changes to the usage and privacy regulations became known.

Data protection experts recommend the messenger Signal in particular, as it is open source and relies on end-to-end encryption; contacts are also only synchronised anonymously and metadata is hardly ever stored. Signal also offers the function of making encrypted calls or blocking chats with a PIN code.

Other alternative messenger providers are Telegram, Threema or Wire.

Caroline Schwabe
