WhatsApp’s new privacy policy may go against the data protection principles of purpose limitation and data minimisation, warns Michalsons attorney Nathan-Ross Adams.
Facebook recently issued a notice to WhatsApp users which forced them to accept new terms of service and privacy policy by 8 February 2021 to continue using the app.
The new privacy policy contained a clause that allows Facebook to share data from WhatsApp across its other products, including its own social media platform, Instagram, and Oculus VR.
WhatsApp’s updated privacy policy also revealed that Facebook will have access to users’ phone numbers, their contacts’ phone numbers, profile names, and pictures, and status messages including “last online” time.
The updated terms of service and privacy policy caused a social media backlash that resulted in numerous negative mainstream media reports.
Facebook tried to do damage control by informing users that WhatsApp’s new privacy policy is only about business messaging and that there will be no change in WhatsApp’s data sharing with Facebook for non-business chats and account information.
WhatsApp also assured users that they continue to protect private messages with end-to-end encryption and that they cannot see private messages or hear calls.
The horse has, however, already bolted. Numerous WhatsApp users started to use alternative messaging platforms like Telegram and Signal.
So significant was the backlash that WhatsApp delayed the introduction of the new privacy policy to 15 May 2021 to give it more time to explain the changes better.
“There’s been a lot of misinformation causing concern and we want to help everyone understand our principles and the facts,” WhatsApp said.
South Africa’s Information Regulator gets involved
South Africa’s Information Regulator met with Facebook on 13 January to discuss the revised WhatsApp privacy policy and how it relates to the Protection of Personal Information Act (POPIA).
“In terms of the revised policy, it appears that there are different terms of service and privacy policies for users in the European countries and in non-European Countries,” the regulator said.
Advocate Pansy Tlakula, chair of the Information Regulator of SA, highlighted that the revised WhatsApp privacy policy seems to be different in Europe and the rest of the world.
This is because the European Union’s (EU) General Data Protection Regulation (GDPR) has stricter guidelines in relation to how users’ data is stored and processed.
Tlakula questioned why Facebook would reportedly discuss their new WhatsApp privacy policy with the European Union but not with a country like South Africa.
She said it is concerning that there is a differentiation and different treatment of users in Europe and those outside of Europe.
South Africa’s privacy laws are modelled on the GDPR, which means the local WhatsApp privacy policy should reflect that of the EU.
South Africa’s privacy law requires a company to get consent from the owner of the data – i.e. users – before they further process this data.
“The consent in terms of our law is specific – it is a voluntary expression of will on what you are consenting to,” Tlakula said.
“On the face of it, the new WhatsApp privacy policy looks like it requires involuntary consent because it says you should leave the platform if you do not give consent. That can never be voluntary consent.”
The Information Regulator subsequently requested the WhatsApp privacy policies for both Europe and South Africa for a comparative analysis to see if the local policy is in line with the POPI Act.
Adams said the recent backlash has highlighted the fragmented nature of data protection laws across the world.
“You can glean this from the fact that WhatsApp will not share EU citizens’ data with Facebook,” he said.
“If data protection laws had applied consistently across jurisdictions, WhatsApp probably wouldn’t have created the policy.”
A simple explanation from Nathan-Ross Adams
Many South Africans are still uncertain as to how the privacy policy changes will impact them and whether they should move.
To answer these questions, attorney Nathan-Ross Adams wrote an extensive blog post which explained WhatsApp’s new privacy policy in simple terms.
He said people value their privacy and take action when they know a company doesn’t care about it.
“Privacy covers the content of messages and metadata because they can be equally damaging,” said Adams.
“Privacy is power. However, to exercise this power, companies need to be transparent about how and why they process personal information.”
In the case of Facebook and WhatsApp, they are missing the mark on both the “why” and the “how”.
“For consent to be meaningful, you need to know what you’re consenting to when you accept a privacy policy,” said Adams.
“How can you agree if you don’t understand what inferences Facebook can draw from your data? Not even data scientists can answer this question.”
The Facebook ecosystem contains such advanced algorithms that users can’t understand how they reach decisions to predict their inferences about us.
With the significant concerns about its new privacy policy, it raises the question of why the company decided a change was needed.
Adams said the change is aimed at helping Facebook to gain revenue from in-app ads.
“Facebook is determined to turn WhatsApp into an e-commerce service. Currently, it’s running trials of this service in India with Jio,” he said.
How to check if you are happy with WhatsApp’s new policy
Adams advised people to consider three pillars when choosing a messaging platform – Privacy, Security, and Governance.
- Privacy – Review the privacy policy to see how they plan to protect your personal information. The less information the app collects and shares about you, the better.
- Security – Check how the app protects your messages. Ensure that they use end-to-end encryption for messages, profiles, calls, and metadata. Confirm that they can’t decrypt any of your data stored on their servers.
- Governance – Research the app, the company that owns it, and its owners’ identity to see if you trust them.
Commenting on the revised WhatsApp privacy policy, Adams said the scope of the policy is extensive.
“I would go so far as to say it goes against the data-protection principles of purpose limitation and data minimization,” Adams said.
- Purpose limitation means that WhatsApp must unambiguously set out why it collects your personal information and what it intends to do with it.
- Data minimisation means that WhatsApp must identify the minimum amount of personal information it needs to provide its services.
Adams argued that WhatsApp may miss the point by continually referring to end-to-end encryption in response to the public outcry about privacy.
“The point of concern is not the security of data. It’s the privacy of personal information,” said Adams.
These privacy concerns have promoted many South Africans to look for alternatives, but it is not as simple as deleting the app and moving to another messaging platform.
This is because WhatsApp messenger is a crucial part of the South African government’s strategy to communicate with citizens.
Many South African businesses have also adopted WhatsApp as a core part of their client support.
So, while Telegram and Signal have enjoyed strong growth in South Africa over the past few weeks, WhatsApp remains dominant without any signs of losing a large number of users.
Read Michalsons attorney Nathan-Ross Adams’s excellent post about the issue here.
What data each app collects about you
A comparison of the data apps collect about you
Data Linked to You Collected by Apps | ||||
Data linked to you | Telegram | Signal | ||
Contact Info | Yes | Yes | Yes | – |
Contacts | Yes | Yes | Yes | – |
Identifiers | Yes | Yes | Yes | – |
Purchases | Yes | Yes | – | – |
Financial Info | Yes | Yes | – | – |
Location | Yes | Yes | – | – |
User Content | Yes | Yes | – | – |
Usage Data | Yes | Yes | – | – |
Diagnostics | Yes | Yes | – | – |
Health and Fitness | Yes | – | – | – |
Search History | Yes | – | – | – |
Browsing History | Yes | – | – | – |
Sensitive Info | Yes | – | – | – |
Other Data | Yes | – | – | – |
Now read: WhatsApp’s new privacy policy delayed
Sourced from: My Broadband. View the original article here.