WhatsApp, the popular instant-messaging app, made headlines on Monday, 17th July, when it announced a significant update to its privacy policy. This move came after facing a sanction from the Irish Data Protection Commissioner in January, which questioned the legal basis for processing personal data within the European Union.
The European Union’s General Data Protection Regulation (GDPR) mandates that organizations processing personal data must have a legitimate legal basis to do so. However, Ireland’s data protection authority found WhatsApp’s existing legal basis, referred to as the ‘contract’ basis used by its parent company Meta, to be insufficiently founded. This decision was triggered by complaints from the digital rights NGO NOYB, led by Austrian activist Max Schrems.
Initially, the Irish privacy watchdog favored Meta’s position, but the European Data Protection Board, representing all EU data protection authorities, overruled this decision. Consequently, WhatsApp faced a €5.5 million sanction, while Facebook and Instagram received even higher fines of €210 million and €180 million, respectively.
The situation took an interesting turn when the European Court of Justice supported the competence of national antitrust authorities to identify data protection infringements in a case against Meta. The court also indicated that obtaining user consent might be the only valid legal basis for the company’s data processing.
As a result of the sanction, WhatsApp, along with other Meta services, appealed the decision but was required to comply and switch to a new legal basis, which they found in the concept of ‘legitimate interest.’ Under this new basis, WhatsApp claims that users can still object to the use of their information.
However, there are concerns about the viability of this legal basis. In the past, the Italian authority warned against using ‘legitimate interest’ for delivering personalized advertising. Additionally, the European Court of Justice’s ruling suggested that ‘consent’ might be the only justifiable option for Facebook’s use of personal data for online advertising.
Despite the update, WhatsApp assured its users that their privacy remains a top priority. All personal messages are protected with end-to-end encryption, ensuring that neither WhatsApp nor any other party can read or listen to them.
It is worth noting that this is not the first time WhatsApp has faced scrutiny regarding its privacy policy. In January 2021, the company’s policy update led to complaints from consumer organizations, accusing WhatsApp of pressuring users into accepting changes without adequately explaining their implications. As a result, corrective measures were put in place to address these concerns.
WhatsApp’s decision to shift to a ‘legitimate interest’ legal basis comes in the wake of EU sanctions and legal challenges. While the company claims users can still object to data usage, there are lingering doubts about the stability of this legal ground. With data privacy becoming an increasingly critical concern, users are advised to stay vigilant and informed about any updates to WhatsApp’s policies and terms of service.
