The Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DDPA) carried out a joint investigation into how WhatsApp’s mobile messaging platform handles personal information. This was the first time that two national data protection authorities had jointly conducted an investigation of this kind.
WhatsApp asks its users to consent to the use of their address book to populate their WhatsApp contact list. Once consent is obtained, WhatsApp automatically transfers the address book to the app and compares it against its subscriber base to identify which contacts are also WhatsApp users. The problem is that WhatsApp does not delete the phone numbers of non-users once this comparison is done; it retains them in hashed form. This violates Dutch and Canadian data protection law, under which personal data may not be retained any longer than is necessary to fulfil the identified purpose for which it was collected.
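The following is an added illustration, not code from the investigation or from WhatsApp, of the contact-matching flow described above and of why retaining hashed non-user numbers does not satisfy the retention rule. It assumes a SHA-256 hash (the page does not say which hash was used) and uses a constructed address book and subscriber set. The point it makes is a general one: an unsalted, deterministic hash of an identifier can still be matched against that identifier, so the hashed numbers remain personal data, and the remedy is to keep only the matches the identified purpose needs.

```python
import hashlib

# Constructed sample data (not from the investigation): a user's address book
# containing both registered WhatsApp users and non-users.
ADDRESS_BOOK = ["+15550001111", "+15550002222", "+15550003333", "+15550004444"]
REGISTERED_USERS = {"+15550001111", "+15550003333"}  # constructed subscriber set


def hash_number(number: str) -> str:
    """Deterministic, unsalted hash of a phone number (SHA-256 is an assumption)."""
    return hashlib.sha256(number.encode("utf-8")).hexdigest()


def match_contacts_retaining_hashes(address_book, registered):
    """The flow the regulators criticised: match the address book against the
    subscriber base, then keep the non-users' numbers in hashed form instead of
    discarding them once the comparison is complete."""
    matched = [n for n in address_book if n in registered]
    retained_non_user_hashes = {hash_number(n) for n in address_book if n not in registered}
    return matched, retained_non_user_hashes


def match_contacts_minimal_retention(address_book, registered):
    """Data-minimising alternative: the identified purpose is to find which
    contacts are users, so only those matches are kept; nothing about
    non-users survives the comparison."""
    return [n for n in address_book if n in registered]


def is_linkable(retained_hashes, known_number):
    """Why a retained hash is still personal data: anyone holding the hash set
    and a known phone number can hash that number and check membership, so the
    stored value identifies the person it was derived from."""
    return hash_number(known_number) in retained_hashes


if __name__ == "__main__":
    matched, kept = match_contacts_retaining_hashes(ADDRESS_BOOK, REGISTERED_USERS)
    print("matched users:", matched)
    print("non-user hashes retained:", len(kept))
    print("non-user +15550002222 linkable from retained hashes:",
          is_linkable(kept, "+15550002222"))
    print("minimal-retention result:",
          match_contacts_minimal_retention(ADDRESS_BOOK, REGISTERED_USERS))
```

Running the block shows two matches either way; the difference is that the first flow leaves two hashed non-user records behind, and `is_linkable` confirms that one of them can be tied back to the non-user's number, which is exactly why hashing does not turn retention into deletion.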
Furthermore, it became apparent that WhatsApp did not encrypt the messages its users sent to their recipients. This left the messages vulnerable to interception, especially when they were sent over unprotected Wi-Fi networks. Partly in response to this finding, WhatsApp introduced encryption in September 2012.
The two authorities also found that the authentication process used by WhatsApp was not adequately secure. As a result, there was a risk that a third party could “steal” the identity of a WhatsApp user and then use the service on that user’s behalf. WhatsApp has since strengthened its procedure; however, users must update the app themselves to obtain the improved version.
The two authorities will now pursue the outstanding issues separately. The DDPA will decide whether enforcement action will be taken. The OPC does not have the power to impose sanctions, but it will monitor whether WhatsApp follows its recommendations. (FVDJ)
The decision can be found at http://www.cbpweb.nl/