What is going to change and what consequences does it have on user’s privacy?

21/01/'21 - On the 4th of January, WhatsApp updated their Privacy Policy. WhatsApp users received a notification in the app that they have until the 8th of February to accept the terms, if they wanted to keep using WhatsApp. This caused a big reaction in many different places: newspapers wrote about the new Privacy Policy, tech websites published their analyses, in India WhatsApp is going to face a legal challenge because of the new Privacy Policy and Turkey’s competition authorities have opened an investigation because of the update.

Even though WhatsApp tried to clarify that the update to the Privacy Policy doesn’t change much for WhatsApp users, download numbers of alternative apps such as Signal and Telegram soared, implying that WhatsApp users are switching to the alternatives. Following the backlash, WhatsApp has decided to move the update back three months, until the 15th of May. Reasons for this are partly due to the “confusion” surrounding the update and “lots of misinformation causing concern.” But what is actually going to change in this Privacy Policy and what are the consequences for users? In this blog I will highlight the most relevant changes by comparing the 2018 version of WhatsApp’s Privacy Policy with the most recent one. Please note, I am only focusing on WhatsApp’s Privacy Policy for the European region.

Collected data
WhatsApp processes several different types of data from the user, such as the user’s phone number, profile name, profile photo, hardware model, battery status and IP address. Generally, the categories of processed data have stayed the same between 2018 and 2021. What has been added in 2021 is the ‘Transactions And Payment Data’. In summary, when you use Facebook Pay or WhatsApp Payments, then WhatsApp will process your account and transaction information.

WhatsApp always estimates your location

The most important difference is to be found under ‘Location Information’. In the 2018 version it is stated that location data will be processed when location features are turned on. However, in the most recent version it is stated that WhatsApp also estimates the user’s location when location features are turned off on the device. How WhatsApp exactly uses this information and whether this tracking is real-time is unclear.

WhatsApp and other Facebook Companies
How WhatsApp works with other Facebook Companies changes in 2021. WhatsApp shares user’s data with these companies, and vice versa, so that WhatsApp can improve its infrastructure and services; it is unclear what that exactly entails. In the 2021 Privacy Policy for the European region, it is stated explicitly that the Facebook Companies cannot use the data from WhatsApp for the Facebook Companies’ own purposes. This sentence is crucial as it is not mentioned in the 2018 version of the Privacy Policy, nor is it included in the non European Region WhatsApp Privacy Policy. 

Small differences
Based on these findings I can conclude that the differences between the 2018 and 2021 versions of the European region Privacy Policy are marginal. These changes don’t have big consequences for the privacy of WhatsApp users within the European region.

A broader perspective
Does this mean that with using WhatsApp there aren’t privacy risks involved? No. Compared to alternative applications, such as Signal, Telegram and Threema, WhatsApp processes and shares much more user data. Also, in both the 2018 and 2021 versions of the Privacy Policy, it isn’t clear what categories of personal data are being used for user analysis, how these user analyses are being shared with other businesses and how WhatsApp has balanced the interests of WhatsApp users’ privacy and their own interests. Lastly, it is unclear which categories of data are being transferred out of the European Economic Area and the European Union and which organisations receive these data.

Ka Wing Falkena Legal Consultant

To conclude, it is absolutely worthwhile to assess WhatsApp’s Privacy Policies, and actually all software that you and/or your organisation uses, to assess whether you should accept the Terms of Service and Privacy Policy. Do you need help making these assessments and to make decisions? Do you have other questions in response to this blog or any other privacy related question? Please, don’t hesitate and send us a message!