22 Jan 2021

The WhatsApp Case: The Love & Hate Relationship between Big Tech and Data Protection

Is there another earthshattering change in the tech sector that will be making headlines for the next few weeks?  Tech behemoths have certainly kept journalists and bloggers on their toes lately due to many recent dramatic changes and major decisions. WhatsApp, a company owned by Facebook, wanted to go the whole nine yards to become the most successful messaging and calls application, so its executives have quite recently reached a decision to update its privacy policy. 

As it rolled out the latest updates for Android and iOS, the internet exploded with claims that this encrypted messaging app, whose major selling point was that it is a privacy-focused service, will start forcing users to share personal data with its parent company, by having users agree to let Facebook and its subsidiaries collect WhatsApp data, including users’ phone numbers, contacts’ phone numbers, and locations.  WhatsApp’s announcement was interpreted as stating that users will lose access to the platform if they do not agree to the changes by February 8, 2021.  WhatsApp users obviously thought that they caught this tech giant red-handed in its attempts to get their data through a privacy policy update and, based on the report of numerous online complaints, they were not up for turning a blind eye to this.  The announcement, which was clear as mud, led WhatsApp to take to its own blog with the most recent update from January 15, 2021, trying to clear the waters.

WhatsApp went to great lengths to explain itself: it professed that the company was built on a simple idea – that what you share with your friends and family stays private.  This means that the app will always protect users’ personal conversations with end-to-end encryption so that neither WhatsApp nor Facebook can see these private messages.  After adding that this is why they do not keep logs of everyone’s messages and calls, WhatsApp’s leaders insisted that shared location and contacts have not been and will not be shared with Facebook nor its subsidiaries.

Although the new privacy policy announced by WhatsApp will be applied globally, it will be tailored to the applicable regulations of the territory where they are being implemented.  Thus policy changes might have a great impact on the US market where WhatsApp will be able to collect and share information about location, IP address, phone model, operating system, battery level, signal strength, mobile network, time zone, and even International Mobile Equipment Identity (IMEI).

In the EU, WhatsApp users received a significantly different announcement about the change to its privacy policy.  Under much stricter rules of the General Data Protection Regulation (“GDPR”),  users’ data is not subject to sharing with third parties.  GDPR 2018 applies to any company processing data of any EU resident, regardless of where in the world the headquarters or a representative office of the company is located, and especially when the company or organization performs any kind of monitoring of user behavior.  The basis for personal data processing is most often found in “consent” and “legitimate interest”.  The change in the privacy policy is clearly made to monitor user behavior and then advertise to the user/data provider through digital marketing. Does this represent a legitimate interest?  Also, by giving one-click electronic consent, do we allow access to information to just one company, or to all companies connected to it?

Although not an EU Member, Serbia fully aligned its Personal Data Protection Act (“Act”) with the GDPR.  All companies and organizations collecting personal data must inform data subjects on this activity, keep records of the collected data and actions taken to collect data, seek an opinion from the Commissioner for Information of Public Importance and Personal Data Protection, etc.  The Act requires pseudonymization of data, a process similar to encryption that prevents attribution of data to a specific individual.

However, WhatsApp is not located in Serbia and it likely processes personal data abroad.  Due to its territorial reach and for such type of data processing, the Act requires that the data collecting company is present in Serbia.  Consequently, if WhatsApp decides to change its privacy policy in Serbia in line with the changes it made in the United States, it would have to appoint its representative in Serbia and provide terms that are in accordance with the Act.

Restricting speech or competition?

In the digital market worth multiple billions, personal data is an asset. It contains the most vital business information: that about clients and their preferences.  The expected surge of data privacy breaches and unlawful data collection gave rise to data protection and privacy concerns.  But the question goes beyond that.  Personal data on digital markets also concerns competition.  And this market is dominated by global giants.  The two recent events, increased censorship on Twitter censorship and WhatsApp`s announced privacy policy update, showed just how powerful Big tech companies are.  Therefore, it would be inappropriate for states to allow Big tech companies to be the ones driving all the developments. Given that this concerns both data protection and competition, coordination and cooperation between regulators and supervisors (data protection officers and competition authorities) needs to be fine-tuned, both domestically and internationally. Big tech companies must not restrict, but also should not be restricted.

GDPR represents the Magna Carta of data protection and its importance and effect cannot be overstated.  However, the tech sector requires proper alignment with the principles of competition and a more holistic approach.  Although GDPR was envisioned as a safeguard against Big Tech, there are some side effects to competition and innovation. This is because it provides a legal framework for collecting personal data, and from the Big Tech perspective, this is a limitation.  This is where communication between data protection officers and competition authorities comes to the surface. An adequate balance between human rights and business needs to be established.  Data subjects are also consumers.  Communication of supervisors with local Big Tech representatives, such as the one WhatsApp would need to appoint in Serbia if it would turn commercial, could create a win-win situation.

Until then, there is no need to worry: no one is getting their WhatsApp account deleted on February 8.  WhatsApp officials decided to move the date on which users will be asked to review and accept the terms.  Hopefully, WhatsApp users will be able to relax once they get to know how privacy and security work on WhatsApp.  Due to heavy criticism, WhatsApp set May 15, 2021, as the new rollout date for their updated privacy policy. Let us hope that regulators, supervisors, and Big Tech’s reach a mutual understanding by then.


Authors: Miodrag Jevtić, Mina Kuzminac, Teodora Ristić and David Spaić