Following the introduction of the General Data Protection Regulation (GDPR) on May 25th 2018, a number of large companies have decided to ban the use of WhatsApp, SnapChat and similar services on mobile devices that are used for business purposes, whether the devices are company owned or privately owned (Bring Your Own Device).
The main reason lies in recent decisions of German courts and in opinions published by data protection authorities, e.g. in Schleswig-Holstein, Thuringia and Lower Saxony.
What are the problems?
Unlimited access to contact data
The main concern is based on the general terms and conditions of WhatsApp. In order to use the service, users have to agree to allow access to the telephone numbers of WhatsApp users and other contacts stored on the mobile device (often in Outlook). In that context the user expressly confirms that he is authorized to transfer such personal data to WhatsApp Inc. In practice no user will have obtained the express consent of all contacts to pass on their telephone numbers and other data to WhatsApp. Such informed consent is – however – required by Article 6 I. 1a, Article 7 GDPR.
Business use only with license
Another problem is the further stipulation in the general terms and conditions that WhatsApp may only be used for business purposes if WhatsApp Inc. has expressly agreed to such use. No company known to us has such an agreement. Consequently any use for commercial reasons might be a copyright violation.
Data transfer to Facebook
A new concern has been added through new provisions in the general terms and conditions, according to which all data required from users may be passed on to Facebook, the legal owner of WhatsApp since 2014. While such a transfer of data under the previous law was barred by a recent court decision in Hamburg, a new legal situation has arisen through the introduction of the GDPR. Now an Irish court decision would be required, since WhatsApp's European headquarters is based in Ireland.
Data Processing Agreements required
The data protection authorities further see problems in view of telecommunication law (which would require an individual contract between the company and WhatsApp to allow any data transfer) and see a requirement for a data processing agreement between the company and WhatsApp under Article 28 GDPR. Such an agreement will not be possible, since it would never be possible to verify WhatsApp's compliance with European data protection laws while the data is stored on US servers.
Is WhatsApp communication secure (encrypted)?
Further concerns have been raised with regard to security measures, since it is by no means guaranteed that information shared between users is not accessible to WhatsApp and / or Facebook (e.g. the nowadays frequent transmission of photographs of medical certificates from employees to their employer, to name just one issue).
Commercial, tax and employment laws demand storage of documentation
Another issue is the obligation to store certain company data permanently or for a specific time period in order to prove certain business transactions. Proof of communication might also be useful in case of a dispute (e.g. timely reporting of sickness, working time arrangements between employees etc.).
What are the risks?
In view of the legal remedies created by the GDPR and the alleged violations of personality rights by WhatsApp, any use of the app by employees on mobile devices used for business communication might make the company responsible and therefore creates a risk of high fines and penalties.
Further damage claims by WhatsApp and/or third parties are possible, although unlikely. The violation of documentation obligations can create criminal and tax law problems. Further, it might be difficult to prove the details of a business transaction and/or a contract violation.
What can you do?
The alternatives available are to issue company mobile devices without WhatsApp, or devices with WhatsApp installed while at the same time strictly banning employees from keeping any unauthorized personal data on the devices.
If such company-related personal data is stored on private devices with WhatsApp in use, such data must be deleted and the deletion must be verified by the company's IT department.
Technically, other solutions are possible (such as barring contact sharing within the settings of the app). In order to be effective, this must be done at the time the app is installed. Any later blocking would not delete data already stored on WhatsApp servers. Further, any future communication would be impeded, since it would no longer be possible to identify a contact in WhatsApp other than through an anonymous telephone number. Even an active chat initiated by the person who has blocked his / her contacts might not be possible.
Another possibility may be the use of secure folders provided by some mobile devices (container). This solution is – however – somewhat impractical, since each and every admissible contact would have to be added (or deleted) by hand for use with WhatsApp.
The use of alternative messenger services based in Germany / Europe is generally possible, although almost useless, since those networks do not have anywhere near the same number of participants.
Company regulation or shop agreement urgently required
Therefore it is recommended to have clear company rules, e.g. on the differentiation between private use of WhatsApp (allowed) and the use of the app on mobile devices for business purposes, which should be restricted. A shop agreement with the competent works council might also be useful.