A. Why are WhatsApp’s terms different in the EU region?
In 2014, Facebook acquired WhatsApp for USD 21 billion. In a statement, WhatsApp had stated that any provision on data sharing with Facebook would need to be approved by the Irish Data Protection Commission i.e. the data regulator in Ireland where WhatsApp Ireland LLP is based. In 2017, Facebook was fined €110m by the European Commission for misleading it about 2014 takeover of WhatsApp. This was a result of an investigation by the European Commission wherein it discovered that Facebook staff was aware in 2014 that it was possible to link WhatsApp phone numbers with Facebook users’ identities.
The European Union has General Data Protection Regulations, 2016 (GDPR) which regulates data sharing, data protection etc. GDPR requires that a data processor can only use data or information for purposes that are reasonably linked to the purpose for which such information was sought. In addition to this, GDPR has several categories of fines including a fine of €10 million or 2% of the company’s global revenue from the preceding financial year, whichever is higher.
While the WhatsApp chats remain end-to-end encrypted i.e. they cannot be accessed by third parties, WhatsApp will:
a. Device data and usage and log information: WhatsApp will now retain a lot more metadata including device information, IP address, your profile photo, phone number, hardware model, operating system information, battery level, signal strength, app version, browser information, connection information etc.
b. Data Sharing with Facebook: The updated terms also state that third-party services integrated with WhatsApp now also includes Facebook Company Products. In the previous terms, this was limited to iCloud and Google Drive.
c. Consent to use WhatsApp: The users who do not consent to updated terms will not be able to use WhatsApp after 8th February, 2021 i.e. when the updated terms will come into effect.
WhatsApp has been receiving a lot of flak for retaining, processing, and sharing large amount of metadata, and for also sharing data with Facebook which is not known for its privacy friendliness.
C. Why are people switching to Signal, and what are the other alternatives to WhatsApp?
There has been an en-masse switch to Signal from WhatsApp by a large number of Indians. This has led to Signal becoming the top free app on App store in India. While Signal is not only an open-source privacy focused messaging application, it is also highly transparent about metadata collection, and data sharing with law enforcement agencies. Signal only retains the following metadata:
a. date and time of the first time a user registered on their service;
b. date and time when a user last used their services.
According to Signal’s website, they do not store anything apart from the aforementioned metadata. In addition to this, whenever legally forced to provide information to any government or law enforcement agencies, Signal discloses the transcripts of that communication on Signal Big Brother Watch.
You can also use the following open-source applications for instant messaging:
Element is an end-to-end encrypted, open source secure messaging application and a team collaboration application which also has video conferencing, file sharing and voice calls functionality.
Threema is an open-source instant messaging application which allows end-to-end encrypted voice and video calls.
SureSpot is an open-source end-to-end encrypted messaging platform which uses symmetric key encryption and has security as a built-in feature instead of an add-on.
Note: SFLC.IN does not recommend Telegram as a safe alternative to WhatsApp. Telegram does not have end-to-end encryption automatically enabled (You can enable end-to-end encryption in Telegram by using secret chats). It has not shared any transparency reports in the past, and its servers are not open source.
D. How does the updated terms compare with the terms applicable in the EU region?
a. Third-Party Service Providers:
b. Third Party Services
There is a significant difference in the sections on third party services.
Simply put, Facebook or other third parties may receive information about what users or others share with them. In case, a user interacts with a third party service or Facebook Company Product linked to WhatsApp, their IP address, and that they are a WhatsApp user would also be shared with such third party and Facebook Company Products.
This Policy nowhere states that any information including IP address or that a user is a WhatsApp user would be shared with third parties and Facebook Company Products.
Legal Basis for Processing Data and How WhatsApp Processes Information
c. Difference in Signing-Up Age
While the terms applicable on people across the world requires a user to be of 13 years of age or more to be able to sign up for WhatsApp, the terms based on EU region requires 16 years to be the minimum age of signing up to WhatsApp.
You can read on why WhatsApp’s newspaper ad is misleading here.