Data Protection and WhatsApp
As a subsidiary of Meta (formerly Facebook), WhatsApp has often been criticized because of serious concerns about data protection and privacy. Despite all the data protection concerns, studies show that 85 percent of customers would like to be able to contact companies via WhatsApp. Due to the popularity and practicality of WhatsApp, companies are therefore interested in using it in a way that complies with data protection regulations.
The WhatsApp app and the WhatsApp business app intended for business communication are problematic from a data protection perspective (among other things, because of the transfer of all contacts in a WhatsApp app user’s phone address book to American servers). However, the situation is somewhat different if the WhatsApp business cloud API is used instead of the app. The automatic transfer of phone book contacts to US servers, which is often criticized from a data protection perspective, does not take place here.
We want to take a closer look at the data protection implications of the WhatsApp business cloud API in this blog.
For this purpose, it is first important to distinguish between the WhatsApp app, the WhatsApp business app and the WhatsApp business API, as the technical process is different in each case.
WhatsApp App = App for Private Customers
This app is only intended for private communication. The WhatsApp terms of use prohibit commercial use. GDPR compliance is unlikely to be ensured here in most cases, as all phone book entries of a WhatsApp user in particular are uploaded to servers in the USA (for which there is basically no legal basis).
WhatsApp Business App = Free App for Small Businesses
The WhatsApp business app is a free and standalone version of the messenger that was developed specifically for small businesses. In addition to the familiar functions, relevant information about the company, e.g., address, company description, location, website and opening hours can be stored in the business version. Catalogues can also be created to showcase products and services, and automated messaging can be set up. With the help of these tools, communication is facilitated. Here, too, GDPR compliance is problematic due to the synchronization of address book contacts and the associated third-country transmission.
WhatsApp Business Cloud API = Interface to the WhatsApp Infrastructure
The WhatsApp business cloud API is aimed at medium-sized and large companies. The API is subject to a fee, and companies generally need so-called business solution providers (BSPs) to gain access to the API. These BSPs usually offer web applications that companies can use to communicate with WhatsApp users. A WhatsApp app is not required, which avoids the problematic aspects of the app in terms of data protection (including the matching of the phone address book).
Another aspect is that BSPs handle all communication and storage of data via their own server infrastructure, which is independent of WhatsApp. The chats with customers (or applicants, etc.) are not stored on WhatsApp servers here, but on the servers of the respective BSP. In this respect, the transfer to third countries can be avoided by selecting a suitable BSP. If a provider is selected that operates its own servers in the EU/EEA (and in particular not at subsidiaries of US providers such as Amazon, Google & Co.), the highly problematic third-country transfers according to the Schrems II decision of the ECJ (Case C-311/18) can be avoided. Of course, the conclusion of a controller-processor agreement pursuant to Art. 28 GDPR with the BSP should not be forgotten.
In combination with WhatsApp’s standard end-to-end encryption – whereby WhatsApp has no access to the content of the chat communication – the WhatsApp business cloud API is to be judged as less problematic in terms of data protection in this respect.
However, at the moment of delivery of chats on the part of the BSP via the WhatsApp business cloud API into the WhatsApp network, WhatsApp has access to the metadata created at the interface, such as name, telephone number, IP address, time and duration of the chat.
In this respect, WhatsApp processes personal data again. However, what is processed here is the personal data of WhatsApp users who have already explicitly agreed to WhatsApp's terms of use and data processing. In this respect, there should be consent to WhatsApp for the processing of this data. WhatsApp then processes the metadata as the controller within the meaning of data protection law (not as a processor).
In this respect, the question arises whether, in view of the above, a controller-processor agreement with WhatsApp is still necessary at all.
Is WhatsApp a Processor or a Controller?
Assuming that WhatsApp is the independent data controller for the metadata, the question of whether it is a processor in the context of the business cloud API arises solely for the chat data transmitted to WhatsApp in encrypted form.
The new legal situation in telecommunications law must be considered here. With the reform of the Telecommunications Act (TKG) and Telemedia Act (TMG) and creation of the Telecommunications Telemedia Data Protection Act (TTDSG) at the end of 2021, WhatsApp is now to be classified as a telecommunications service pursuant to § 3 No. 61 TKG when the TTDSG comes into force (the earlier and differing ECJ case law, e.g. in ECJ judgement dated June 13, 2019 – C-193/18, is thus irrelevant).
According to the European Data Protection Board (EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 12-13), telecommunications service providers are themselves controllers within the meaning of the GDPR when providing their services.
Accordingly, being the processor would be ruled out.
However, it is difficult to say whether this assessment can be upheld after the strong expansion of the definition of telecommunications services in the TKG.
In addition, WhatsApp classifies itself as a processor (see Section 7 of the business terms of service).
In any case, from our point of view, it can be well argued with the above arguments that WhatsApp is not a processor in the context of the business cloud API and thus must be regarded overall as a data controller within the meaning of data protection law.
Regardless of the question of the role of WhatsApp under data protection law, a company should nevertheless also always refer in its data protection information to the processing of personal data within the scope of WhatsApp and its terms of use.
Conclusion
In our view, the WhatsApp business cloud API can be operated largely in compliance with data protection requirements, provided the appropriate precautions are taken (especially BSP from the EU).
We would be happy to advise you on the data protection compliant use of the WhatsApp business cloud API in your company – please contact us if required.