Dutch Data Protection Authority and Canadian Privacy Commissioner investigate popular mobile text messaging service

WhatsApp Inc, the California-based mobile app developer with upwards of 400 million users, was subject to a joint investigation by Dutch and Canadian Privacy Authorities for violations of their national privacy and data protection laws.

The investigation focused on WhatsApp’s popular mobile messaging platform, which allows users to send and receive instant messages over the internet across various mobile platforms. On the basis of the results of their investigation the two data protection authorities concluded that WhatsApp was violating ‘certain internationally accepted privacy principles’, particularly in relation to the retention and disclosure of the users’ personal data.

Violation of ‘certain internationally accepted privacy principles’

In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. After users have given their consent for the use of their address book, all phone numbers from the users mobile device are transmitted to WhatsApp. Subsequently the company uses the data to identify other WhatsApp users. The mobile numbers of non-users are retained, albeit in hashed format.

According to both authorities this contravenes Canadian and Dutch privacy law, pursuant to which personal data may only be retained for so long as it is required for the fulfillment of specific well-defined purposes. Only iPhone users running iOS 6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically. The authorities deem this not acceptable, as they hold that both users and non-users should have control over their personal data: users must be able to freely decide what contact details they wish to share with WhatsApp.

Other alleged violations of Dutch and Canadian privacy law dealt with the lack of encryption to provide the messaging services, leaving messages prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks. Further the authentication process, in particular the password generating process, was considered not strong enough.

Over the course of the investigation WhatsApp resolved these security issues through the introduction of stronger encryption in its mobile messaging service and by adding more secure randomly generated keys to generate passwords for device to application message exchanges.

Applicability of Dutch privacy law

WhatsApp is California-based, and has no establishments outside the United States. Therefore the applicability of Dutch privacy law, or for that matter any EU privacy law, is an issue in itself. Interestingly, the Dutch Data Protection Authority reasons that WhatsApp uses automated means in the Netherlands for processing personal data, namely the mobile devices of its’ users.

Moreover, the app is used by, and aimed at, users in the Netherlands, which is evident from the Dutch language dialog boxes and settings screens, and frequently asked questions.

For these reasons, the report concludes rather boldly that Dutch Privacy Law applies to the processing of personal data by WhatsApp in the context of the app, insofar as this was relevant for the investigation.

A milestone in global privacy protection

According to both national privacy authorities the coordinated investigation was a global first and marks milestone in global privacy protection. The authorities conducted their work together to examine the privacy practices of the company.  

  • Please click here to see the authorities joint press release (in English).
  • Please click here to see the Dutch Data Protection Authority’s Report on definitive findings (informal English translation).
  • Please click here to see the findings of the investigation by Office of the Privacy Commissioner of Canada