The Office of the Privacy Commissioner of Canada (OPC) today released the findings of its investigation into the personal information practices of WhatsApp Inc., the developer of the popular mobile messaging app WhatsApp for smartphones. The investigation was initiated by the OPC and conducted in collaboration with the Dutch data protection authority.

The OPC alleged violations of the requirements under the Personal Information Protection and Electronic Documents Act concerning (i) consent, (ii) limiting collection, (iii) use and retention, and (iv) safeguarding related to the following functions in connection with WhatsApp:

  • Enrolment and account registration
  • Integration with a user's address book
  • Automatic sharing of status messages
  • Offline storage of messages
  • Transmission security
  • Data retention and account termination

Of particular note, the OPC was critical of a WhatsApp requirement that users consent to the collection of their entire address book in order to use the app. The OPC noted that at the time the investigation was initiated, there was no ability to add contacts one by one, though this functionality has since been added to the iOS app and is planned for the Android app.

The OPC also found that WhatsApp did not have appropriate safeguards in place to protect communications between users since, at the time the investigation was initiated, messages were sent unencrypted and unique device identifiers were used to auto-generate passwords for message exchanges on behalf of users.

In addition, the OPC held that WhatsApp was retaining personal information for longer than required when contacts were uploaded from a user's address book in order to identify other WhatsApp users. The mobile numbers of non-users were not deleted once it was determined that a number belonged to a non-user; they were instead retained in hashed form.
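The two safeguarding points above share one root cause: a value that is meant to be secret or anonymous is computed by a fixed function from data that is public or easily enumerated (a device identifier, a phone number). The script below is an added illustration of that point and is not code from the OPC, the Dutch authority or WhatsApp. It shows why a plain hash of a phone number still identifies the person (the whole number space can be hashed and looked up), why a password derived from a device identifier is fully determined by that identifier, and what the standard engineering alternatives look like (a keyed hash under a server-held secret for matching, a CSPRNG for credentials). The number block, key and device identifier are constructed; the keyed hash is shown as an engineering alternative, not as what the finding prescribed, which was deletion of non-user numbers.

```python
"""Why 'hashed form' retention and device-derived passwords still expose personal data.

Added illustration for the OPC/WhatsApp summary; not code from either party.
All numbers, keys and device identifiers below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample: a fictitious 555-01xx style block. A real ten-digit space is
# about 10^10 values, well within reach of commodity hardware to hash in full, so
# the lookup below scales to real numbers; it is kept small so the script runs fast.
PREFIX = "+1555010"
BLOCK = [PREFIX + f"{n:04d}" for n in range(10_000)]


def plain_hash(number: str) -> str:
    """Unkeyed SHA-256, the usual meaning of 'retained in hashed form'."""
    return hashlib.sha256(number.encode()).hexdigest()


def recover_from_plain_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Rebuild the hash table over every plausible number and look the digest up.

    Nothing secret went into plain_hash, so anyone holding the stored digest can
    do this; the retained value therefore still identifies the individual, which
    is why a privacy assessment treats it as personal information.
    """
    table = {plain_hash(n): n for n in candidates}
    return table.get(digest)


def keyed_hash(number: str, key: bytes) -> str:
    """HMAC-SHA256 under a server-held secret.

    Contact matching still works (same number and key give the same tag), but a
    party without the key cannot build the lookup table. This does not replace
    deleting numbers that are known to belong to non-users; it only limits what a
    retained value reveals while it exists.
    """
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def password_from_device_id(device_id: str) -> str:
    """Deterministic derivation from a device identifier (the pattern criticised above).

    The identifier is not a secret (apps and the carrier can read it) and the
    function is fixed, so the resulting 'password' is determined by public data.
    """
    return hashlib.sha256(device_id.encode()).hexdigest()[:20]


def random_password() -> str:
    """Fresh credential from the OS CSPRNG, unrelated to any device attribute."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    target = PREFIX + "4242"
    print("plain SHA-256 recovered:", recover_from_plain_hash(plain_hash(target), BLOCK))
    key = secrets.token_bytes(32)  # constructed server secret
    print("HMAC recovered:", recover_from_plain_hash(keyed_hash(target, key), BLOCK))
    dev = "IMEI-constructed-000000"
    print("device-derived password repeats:",
          password_from_device_id(dev) == password_from_device_id(dev))
    print("random password repeats:", random_password() == random_password())
```

Running it prints the recovered number for the plain hash, `None` for the keyed hash, `True` for the device-derived password and `False` for the random one. The lookup over ten thousand candidates is instantaneous; the point is that the cost grows only linearly with the size of the number space, so a hash alone does not turn a phone number into something that can be retained indefinitely without privacy consequences.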

Both the OPC and the Dutch data protection authority released their own reports of findings and will pursue any outstanding matters independently. The Dutch data protection authority has released an unofficial translation of its findings. The OPC's findings follow the OPC's release of mobile application guidelines in October 2012.