UPDATE: The ICO has engaged an undertaking with WhatsApp and Facebook over what they have identified as violations of the current DPA in the sharing of user data. It is clear that they are under the scrutiny of the ICO. The link is here: ICO Undertaking with WhatsApp
Just a quick note before I get to the gist of it — I am working on an editable template derived from the ICO’s own template for our privacy statements. I’ll post a document that you can edit as you need, but you’ll need to fill in the important bits.
In our own review of how we use data and, in particular, how we use and are used by providers of various services, our attention has come to bear on WhatsApp, which was acquired by Facebook in 2014.
I admit that I myself use WhatsApp…with three people, maybe four, but we have found that more and more of our clients are using it and other “social media” providers for routine communications in preference to more conventional — and more secure — forms such as emails and the telephone.
I am constantly aware that if I’m not paying for a service or a product then I’m NOT the customer — I AM the product. The mysterious question is “how am I being sold?” WhatsApp is an insidious concern because it has gleaned one of the most powerful bits of personal data out there — our mobile phone numbers. If you don’t know the history of WhatsApp then, briefly, it was founded by a man (now $19 billion richer, give or take) who believed passionately in privacy and security but, as William Lyon Phelps once wrote, if a man doesn’t accept a bribe of $500 it doesn’t make him ethical — it may mean you didn’t offer him enough! Offer someone enough money for a lifetime of security to raise a family and retire and the offer may be too tempting.
I would have done the same thing.
Facebook knew what they were getting — a rock solid way to harvest telephone numbers, the names and locations of the owners, and their friends. The founder, Jan Koum, has now left WhatsApp over, apparently, the issues of users’ privacy. Now, Facebook has to find a way to harvest and use this data. I doubt they will be slowed by GDPR or the Cambridge Analytica debacle.
Here, we have always been concerned about “free” services such as Facebook, Twitter, WhatsApp, Gmail, Yahoo, and others because we have virtually no control over how our information is used. We have focussed on WhatsApp because until recently they had no intention of complying with GDPR or raising users’ ages and even though they are now making noise in that direction, their initial reticence raises an eyebrow or two. We are concerned because of the nature of the data and the availability of apps on Android and Apple sites that allow users to easily access the data of other users’ accounts.
Our decision is to remove all forms of free services from business use. For us this means weaning away from our 20-year affair with Apple Mail, Twitter, WhatsApp, and texts. The latter item is because of its inherent unreliability and because texts are retained by mobile companies for a very long time. Because of our work in the legal system, we have seen the texts obtained by the Crown as evidence and it makes me a bit squeamish.
Our emails come through our own domain and since most of our client contact began with email, this seems a reasonable way to continue. Telephone remains one of our favourites — messages exchanged are instantly gone, there is little chance of misunderstanding, it takes less time, and you have 100% confirmation that an exchange has occurred.
In reviewing your own approach to GDPR and, beyond that, your responsibility for privacy of your clients and yourself, do give some time to social media forms of communication, including WhatsApp.