WhatsApp Terms of Service and Privacy Policy: Everything You Need to Know

On January 4th, 2021, WhatsApp updated its privacy policy and terms of service (hereinafter “terms”), which led to controversy and to users switching en masse to Signal or Telegram. These terms, however, do not apply to residents of the European Union. The terms applicable to residents of the European Region are those of WhatsApp Ireland LLP. In this post, we analyse the differences between WhatsApp’s terms in the EU region and its terms across the world.

A. Why are WhatsApp’s terms different in the EU region?

In 2014, Facebook acquired WhatsApp for USD 21 billion. In a statement, WhatsApp had stated that any provision on data sharing with Facebook would need to be approved by the Irish Data Protection Commission, i.e. the data regulator in Ireland, where WhatsApp Ireland LLP is based. In 2017, Facebook was fined €110m by the European Commission for misleading it about the 2014 takeover of WhatsApp. This was the result of an investigation in which the European Commission discovered that Facebook staff were aware in 2014 that it was possible to link WhatsApp phone numbers with Facebook users’ identities.

The European Union has the General Data Protection Regulations, 2016 (GDPR), which regulate data sharing, data protection etc. GDPR requires that a data processor use data or information only for purposes that are reasonably linked to the purpose for which such information was sought. In addition to this, GDPR has several categories of fines, including a fine of €10 million or 2% of the company’s global revenue from the preceding financial year, whichever is higher.

B. What are WhatsApp’s updated terms of service and privacy policy, and why are they receiving a lot of flak?

(You can read about our comments on WhatsApp’s misleading claims on its privacy policy here)

While WhatsApp chats remain end-to-end encrypted, i.e. they cannot be accessed by third parties, the updated terms provide for the following:

a. Device data and usage and log information: WhatsApp will now retain a lot more metadata including device information, IP address, your profile photo, phone number, hardware model, operating system information, battery level, signal strength, app version, browser information, connection information etc.

b. Data Sharing with Facebook: The updated terms also state that third-party services integrated with WhatsApp now also include Facebook Company Products. In the previous terms, this was limited to iCloud and Google Drive.

The last privacy policy allowed existing users to choose not to have their WhatsApp account information shared with Facebook to improve Facebook ads and products experiences. This provision, however, was not present in the European Union’s previous privacy policy.

c. Consent to use WhatsApp: Users who do not consent to the updated terms will not be able to use WhatsApp after 8th February, 2021, i.e. when the updated terms come into effect.

WhatsApp has been receiving a lot of flak for retaining, processing, and sharing large amounts of metadata, and also for sharing data with Facebook, which is not known for its privacy friendliness.

C. Why are people switching to Signal, and what are the other alternatives to WhatsApp?

A large number of Indians have switched en masse from WhatsApp to Signal. This has led to Signal becoming the top free app on the App Store in India. Signal is not only an open-source, privacy-focused messaging application; it is also highly transparent about metadata collection and data sharing with law enforcement agencies. Signal only retains the following metadata:

a. date and time of the first time a user registered on their service;

b. date and time when a user last used their services.

According to Signal’s website, they do not store anything apart from the aforementioned metadata. In addition to this, whenever legally forced to provide information to any government or law enforcement agency, Signal discloses the transcripts of that communication on Signal Big Brother Watch.

You can also use the following open-source applications for instant messaging:

I. Element (Previously Riot)

Element is an end-to-end encrypted, open-source secure messaging and team collaboration application which also has video conferencing, file sharing and voice call functionality.

II. Threema

Threema is an open-source instant messaging application which allows end-to-end encrypted voice and video calls.

III. SureSpot Encrypted Messenger

SureSpot is an open-source end-to-end encrypted messaging platform which uses symmetric key encryption and has security as a built-in feature instead of an add-on.

Note: SFLC.IN does not recommend Telegram as a safe alternative to WhatsApp. Telegram does not have end-to-end encryption automatically enabled (you can enable end-to-end encryption in Telegram by using secret chats). It has not shared any transparency reports in the past, and its servers are not open source.

D. How do the updated terms compare with the terms applicable in the EU region?

While the updated terms for users across the world mandate data sharing with Facebook, the privacy policy for residents of the EU does not explicitly state that their data would be shared with Facebook. It has also been clarified by WhatsApp Ireland LLP that “WhatsApp does not share European region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or advertisements.”

Information Collected:

a. Third-Party Service Providers:

In the terms applicable across the world, the Privacy Policy explicitly states that “when we share information with third-party service providers and other Facebook companies in this capacity, we require them to use your information on behalf and in accordance with our instructions and terms.”

However, the Privacy Policy applicable to residents of the European Union does not explicitly mention that data is shared with Facebook Companies. It has a separate section on data shared with Facebook Companies, and it states that any information WhatsApp shares on this basis cannot be used for the Facebook Companies’ own purposes.

b. Third Party Services

There is a significant difference in the sections on third party services.

The section of the Privacy Policy applicable across the world except the EU reads as “When you or others use third-party services or other Facebook Company Products that are integrated with our Services, those third-party services may receive information about what you or others share with them. For example, if you use a data backup service integrated with our Services (like iCloud or Google Drive), they will receive information you share with them, such as your WhatsApp messages. If you interact with a third-party service or another Facebook Company Product linked through our Services, such as when you use the in-app player to play content from a third-party platform, information about you, like your IP address and the fact that you are a WhatsApp user, may be provided to such third party or Facebook Company Product. Please note that when you use third-party services or other Facebook Company Products, their own terms and privacy policies will govern your use of those services and products.”

Simply put, Facebook or other third parties may receive information about what users or others share with them. If a user interacts with a third-party service or Facebook Company Product linked to WhatsApp, their IP address and the fact that they are a WhatsApp user would also be shared with such third party or Facebook Company Product.

However, the provision on third-party services in the Privacy Policy applicable to the EU region reads as “We allow you to use our Services in connection with third-party services and Facebook Company Products. If you use our Services with such third-party services or Facebook Company Products, we may receive information about you from them; for example, if you use the WhatsApp share button on a news service to share a news article with your WhatsApp contacts, groups, or broadcast lists on our Services, or if you choose to access our Services through a mobile carrier's or device provider's promotion of our Services. Please note that when you use third-party services or Facebook Company Products, their own terms and privacy policies will govern your use of those services and products.”

This Policy nowhere states that any information, including a user’s IP address or the fact that they are a WhatsApp user, would be shared with third parties and Facebook Company Products.

Legal Basis for Processing Data and How WhatsApp Processes Information

While these provisions are present in the privacy policy of the European region, they are not present in the privacy policy applicable to users across the world. The Policy for the European region also has a section on erasure of data.

c. Difference in Signing-Up Age

While the terms applicable to people across the world require a user to be 13 years of age or more to be able to sign up for WhatsApp, the terms for the EU region set 16 years as the minimum age for signing up to WhatsApp.

You can read on why WhatsApp’s newspaper ad is misleading here.