27 Jun 2017
How Enterprises Protect Themselves Against Warnings Because Of WhatsApp
A German court ruled today that WhatsApp violates data protection law and that WhatsApp users can, in theory, be issued warnings. When WhatsApp is used, the phone numbers of all contacts in the address book are automatically passed on to the messenger. According to the judgment of the District Court of Bad Hersfeld (Germany), WhatsApp thereby violates the users' right to informational self-determination. The judgment ultimately affects not only private users, but also companies and authorities that use WhatsApp for business purposes. Many enterprises are now wondering how they could be affected by warnings and how they can protect themselves against them.
1. To What Extent Are Enterprises Affected by the Judgment?
Firstly, the court's decision concerns the transfer of contact data to WhatsApp. When used, WhatsApp reads out the contact information and regularly updates it to determine whether known contacts already use WhatsApp. This naturally affects every user and also every enterprise whose employees use WhatsApp for business purposes.
This data processing by WhatsApp is clearly criticized in the judgment. It is easy to argue that WhatsApp violates German and European data protection laws with this data processing, because personal data of contacts who do not use WhatsApp is simply transferred to WhatsApp without these contacts having agreed to it. Since, according to the latest terms of service, the data is transferred not only to WhatsApp but also to the parent company Facebook, business use of WhatsApp becomes even more problematic for enterprises.
From a legal point of view, a user would require the permission of all persons in the address book to forward their personal data to WhatsApp. If this consent is not given, a contact can admonish a WhatsApp user who has passed on his/her personal data. A great number of warnings against private users of WhatsApp is not expected. Hardly any private users will want to admonish their family and friends.
The business use of WhatsApp is clearly more critical. Depending on the constellation and the parties involved, enterprises must always comply with several laws and regulations. Under German and European data protection laws, for example, enterprises may not pass on data to WhatsApp without the consent of a business partner, employee or customer. Hardly any enterprises currently comply with this legal requirement.
In day-to-day life, most employees are not concerned that customer contacts stored in the address book are automatically transferred when using WhatsApp. Employees thus violate the informational self-determination rights of customers, business partners and colleagues who are stored in their address book. Since WhatsApp is widely used as a part of shadow IT in enterprises, this happens very often.
In this respect, the risk of warnings for enterprises is certainly significant. Customers or business partners whose contact data was transferred without consent could quickly come up with the idea of issuing a warning to an enterprise. Because of the media attention around the judgment, many customers are now aware of the possibility of warnings when WhatsApp is used.
2. How Can Enterprises Protect Themselves Against Warnings?
There are a number of things that are recommended for enterprises in order to be compliant, ensure European data protection and prevent warnings:
Do Not Use WhatsApp for Business Purposes
In addition to possible warnings under the present judgment, there are a number of further problems with the use of WhatsApp for enterprises. We have already pointed out the damages and disadvantages for enterprises caused by the use of WhatsApp. The use of WhatsApp by enterprises is also problematic in many respects and is not in compliance with the forthcoming European General Data Protection Regulation (GDPR). In addition to warnings, high penalties are also possible for enterprises using WhatsApp. All in all, businesses can only be discouraged from using WhatsApp.
Use a Secure Messenger for Enterprises
Basically, there is currently a transition from email to messaging. WhatsApp is certainly easy to use, increases productivity and improves communication, but nowadays there are numerous messengers specifically for use in businesses and government agencies. Such secure messengers do not use the data in clear form. Data is transmitted fully encrypted and ideally not stored at all. That means the vendors/providers of the messenger can no longer identify or reuse/resell personal data. The vendors/providers of these messengers also have business models that are not based on data marketing.
Secure messengers for enterprises (such as Teamwire) not only provide all the features of WhatsApp, but also strong European data protection, comprehensive security, professional administration, enterprise-wide compliance, integration into the IT ecosystem and many features to increase productivity. In order to be compliant, protected and forward-looking, businesses should introduce such a secure messenger for enterprises. We've written two blog posts that help businesses choose a leading messenger and the best messaging app for European enterprises.
Adapt Data Protection Guidelines and Inform Customers
Enterprises should adapt their privacy policies for the use of messengers. That means customers and business partners should be proactively informed about the transfer of personal data to such services. At the latest with the upcoming GDPR, many companies will have to update or adapt their data protection guidelines. Companies could take the opportunity to create transparency regarding the use of a messenger.
Select a Messenger in Conformity with the Law
Even if a large number of messengers for enterprises market themselves with privacy and security, there are big differences between vendors. For enterprises, it is essential that the messenger complies with strong European data protection, data is only stored within Europe and the GDPR is completely guaranteed. We have described in a blog post which criteria a compliant messenger in conformity with the GDPR should fulfill. In addition, businesses should consider an agreement on data order processing with the vendor/provider if they use a cloud solution.