After the investigations carried out by the Dutch and Canadian Data Protection Authorities, the Italian Data Protection Authority is also seeking information from WhatsApp on how it uses the data of Italian subjects.
The initiative of the Italian privacy watchdog
WhatsApp, Inc., the California-based mobile app developer with several million users, received on February 27, 2013 a communication from the Italian Data Protection Authority requesting information to assess WhatsApp’s compliance with Italian Data Protection law.
Why this initiative? The precedent from the Dutch and Canadian Data Protection Authorities
The Italian initiative stems from a report released on January 28, 2013 by the Dutch and Canadian Data Protection Authorities following a joint investigation into the handling of personal information by WhatsApp, Inc., which was found to be in breach of Dutch and Canadian data protection law in relation to the retention, safeguarding and disclosure of personal data.
Inter alia, the investigation revealed that WhatsApp, Inc. was violating privacy law because users of WhatsApp do not have the choice of using the app without granting access to their entire address book. After users have given their consent for the use of their address book, all phone numbers from the users’ mobile device are transmitted to WhatsApp. The company then uses the data to identify other WhatsApp users. The mobile numbers of non-users are retained, albeit in hashed format. According to both authorities this contravenes Canadian and Dutch privacy law, pursuant to which personal data may only be retained for so long as it is required for the fulfilment of specific, well-defined purposes. The report also raised critical security issues, in particular with regard to the retention of data and access to such data by unauthorized third parties.
What are the potential issues?
The Italian Data Protection Authority wrote to WhatsApp, Inc. asking it to clarify a number of issues: what types of personal data are collected and used at the time of subscription and when the messaging and file sharing services are provided; how such data are stored and protected; which security measures have been taken to limit the risk of unauthorized access to such data (e.g. encryption, generation of credentials etc.); how long personal data are kept; and how many users and accounts relate to Italian users.
The Italian Data Protection Authority also questioned the overall security of WhatsApp’s platform in connection with potential security flaws that may allow unauthorized third parties to access the content of the messages exchanged by users. WhatsApp has come under scrutiny multiple times in the past few years for known or potential issues concerning the security of its platform.
Will the answers WhatsApp provides satisfy the Italian Data Protection Authority?
As stated by the Italian Data Protection Authority itself, this latest action, along with other initiatives taken recently, aims at safeguarding the rights of Italian and European citizens even in the large and complex context of globalized services and towards multinational service providers. It remains to be seen whether the answers that WhatsApp will provide will satisfy the Italian Data Protection Authority, or if we will hear more on this subject… stay tuned!