The General Data Protection Regulation and the WhatsApp Problem of Enterprises

The European General Data Protection Regulation, the new privacy law, affects all enterprises doing business in Europe.

Teamwire, May 01 2020

Enterprises have to adjust their data protection practices in order to comply with the new law and avoid high fines. WhatsApp, as part of the shadow IT and with its missing data privacy, is a critical issue, and businesses must ensure compliant enterprise messaging (e.g. with Teamwire).


Key Facts of the GDPR


The European General Data Protection Regulation (GDPR) will apply on 25 May 2018 in all member states of the European Union (EU). The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. The goal of the GDPR is to empower all EU citizens' data privacy and to reshape the way businesses in the EU approach data privacy and protect personal user data. The law affects all enterprises that process and hold the personal data of users residing in the EU, regardless of the company’s location. That means the GDPR not only applies to businesses located within the EU but also to enterprises located outside of the EU, if they offer goods or services to EU users. It is also important to note that the GDPR applies to controllers as well as processors of user data. In order to enforce this goal, from May 2018 onwards enterprises in non-compliance will face heavy fines. For breaching the GDPR, businesses can be fined up to 4% of annual revenue or €20 million.


Changes with the GDPR


Right to access – This is a strong empowerment of users and probably the most important change: The right for users to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. In addition, the user must be given a copy of the personal data in an electronic format by the enterprise.


Right to be forgotten – This entitles the user to have the data controller erase her personal data, cease further dissemination of her data, and have third parties, which the enterprise collaborates with, halt processing of her data. The right to be forgotten is also known as complete data erasure.


Privacy by design – Basically, privacy by design demands the inclusion of data protection from the start of designing a system. That means a later addition or legal workaround by the enterprise is no longer compliant with the GDPR. While privacy by design is nothing really new (e.g. Teamwire was designed right from the beginning based on this concept), it is now becoming a core legal requirement for businesses with the GDPR.


Pseudonymisation – The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific user without the use of additional information. The personal data needs to be pseudonymised with adequate internal policies and measures by the enterprise.


Transfer of data – The GDPR imposes restrictions on the transfer of personal data outside the EU, to third countries or international enterprises, in order to ensure that the level of data protection of users afforded by the GDPR is not undermined.


Consent – Clear, precise and affirmative consent to the processing of personal data must be provided by the user to the enterprise. Businesses must be able to prove consent (opt-in) and consent may be withdrawn by the user.


Data protection officer – The appointment of a data protection officer will be mandatory for controllers and processors. The data protection officer of an enterprise is responsible for compliant processing of user data during data operations and has to ensure internal record keeping requirements.


Data portability – This should generally allow a user to transfer her data from one business to another. The user can request to receive all her personal data from the controller in a “commonly used and machine readable format”.


Breach notification – When a data breach has occurred and is likely to “result in a risk for the rights and freedoms of individuals”, enterprises must inform their users without undue delay. This will become mandatory in all member states and must be done by businesses within 72 hours of first having become aware of the breach.


WhatsApp Problem for Enterprises


We have written about the problems of using WhatsApp for business several times (e.g. read our article about the limited security and data protection of WhatsApp). Due to the GDPR and the related data protection requirements for enterprises described above, the usage of WhatsApp for business purposes leads to various critical issues:


1. The address book of a user with all contacts, including their emails and phone numbers, is transferred to WhatsApp and thus Facebook. It is completely unclear where and for what purpose this data is being transferred and processed. An enterprise using WhatsApp cannot inform customers how this data is being handled and therefore cannot fulfill the “right to access” requirement of the GDPR. Furthermore, if a customer wants to make use of her “right to be forgotten” and delete all data related to her, this cannot be enforced with WhatsApp.


2. An enterprise has no explicit consent to transfer the personal data of customers to WhatsApp. For example, by using WhatsApp an enterprise transmits the address book and thus the contact details of customers to WhatsApp. This is non-compliant with the GDPR.


3. While the messages are said to be end-to-end encrypted, WhatsApp does collect metadata of users and related personal data. Thereby WhatsApp has access not only to personal identifiers, but also to who users communicate with, how often users connect with specific contacts, how long users message each other, and so on. This data is perfect for generating personal user profiles and understanding social relationships. Again, it is completely opaque what metadata WhatsApp collects, how it is processed and who it is transferred to. In consequence, if an enterprise uses WhatsApp to communicate with customers, it cannot fulfill the “right to access” or “right to be forgotten” of the GDPR.


4. By using WhatsApp for business purposes, an enterprise transfers customer data to the USA. This is in conflict with the obligation required by the GDPR to not transfer or store personal data outside the EU. In the USA, with its weaker privacy laws, an adequate protection of customer data cannot be ensured.


5. It is unlikely that the “privacy by design” and “pseudonymisation” principles of the GDPR are met by WhatsApp. The connection of users by uploading and storing the address book does not meet the “privacy by design” concept. Due to the underlying advertising business model of Facebook, it is improbable that pseudonymisation is widely applied.


6. If an enterprise needs to transfer all data of a customer to another service, this is not possible with WhatsApp. The personal data of a customer is basically locked in WhatsApp. So with regard to the “data portability” of the GDPR, businesses are non-compliant if they use WhatsApp.


As a result, it is clear that WhatsApp does not meet the data protection requirements of the GDPR and an enterprise is non-compliant if it uses WhatsApp for business purposes. Businesses should deploy a professional and secure enterprise messaging app like Teamwire that ensures maximum data protection and fully complies with the GDPR. The required features of a secure enterprise messaging app to meet the GDPR will be explained in a follow-up blog post next week. For more information please contact us.