ArticlesCybersecurity

WhatsApp and the question of data-privacy models

By January 22, 2021 No Comments

In early January, WhatsApp, the popular encrypted messaging app updated their privacy policy. At the time, many users and social media outlets perceived the updates as users being required to share significant amounts of personal information with Facebook such as location, IP address, mobile operator, language and more. Furthermore, WhatsApp indicated that if users did not agree to the changes in the update, they would be forced to delete their account.

Originally, users would have to agree to the changes by February 8th. However, a backlash from users saw the app delaying its changes until May 15th.

The reason for the delay WhatsApp said was to clarify exactly what changes were occurring. In a statement, WhatsApp reassured its users that the app could not read the contents of user’s messages, nor was it collecting more personal information to share with Facebook. Instead, the company said the changes were related to “optional business features” and to provide clarity on how they collect and use data.

WhatsApp’s original announcement saw considerable backlash by users, notable public figures like Elon Musk and privacy experts, who pointed out the hypocrisy of an app which champions security and privacy, freely sharing data with Facebook for commercial purposes.

The recent news surrounding WhatsApp has resurrected the question of privacy laws in different jurisdictions. Indeed, WhatsApp’s first announcement was significant because while non-European users had (and will still have to) agree to the new terms outlined in the policy, European and UK users were exempt from the alleged changes.

Why is this the case? And what does it say about privacy?

To understand the differences, it is important to note that the way Facebook and any other organization collects, manages and uses data is fluid. The way data is handled is not in one static manner but uniquely fluid across jurisdictions, geographical areas and organizations. How data is handled is also always rapidly changing as information flows across the world and as other parties like governments react to such changes in information by introducing data privacy regulations or laws. 

EU/UK Privacy Laws

Like most things in the era of globalization, data privacy is not governed by one blanketed law with all the same terms. Rather, data privacy protection laws vary depending on your region.

The European model of data privacy, first conceived with the passing of the EU Data Protection Directive in 1995 regulates data privacy based on governmental regulation. The Directive harmonized data privacy laws across the EU based on OECD recommendations under seven principles, which included notice, consent, accountability, access, disclosure, security and purpose. It also set out comprehensive requirements for the exporting of data outside the EU. The law covered aspects including the right to access, delete, or correct information stored about users. Under this Directive, exports of data to was banned to places the EU has not deemed having sufficient privacy laws similar to its own. Scholars have often described this form of data privacy laws as “protectionist” for its one model applicable to all nations approach, rather than having a series of laws.

Consent and personal data are very clearly defined in EU laws, especially following it’s 2018 update to the Directive, now called the General Data Protection Regulation (GDPR).

EU laws have a wide view of what is considered personal data. Personal data includes information like name, address, Social Insurance Number, IP address, but is also broad enough to include things like cookie data. These all require the same level of protection under EU privacy law.

Consenting to data collecting and sharing is also made clear. Under European law, it’s not enough for users to “opt-out,” you have to clearly “opt-in” and agree that personal data will be stored and/or used for the purposes clearly outlined by the company in question. Privacy laws also state that you have the right to withdraw consent from a company using your personal data at any time. If a company like WhatsApp violated any of these terms, the consequences would be considerable.

The 2018 update aims to further inform users in detail how data is collected about them and further restricts how personal data is collected and handled by companies. Companies now need to spell out in further detail what data is being collected, why it is doing so and if a profile of a person’s actions online will be created. It also gives users the right to access stored data about them and choose if (most) cookies should be enabled while they browse a website. There is a UK equivalent to the GDPR, the UK GDPR, which is very similar to the EU law.

Violating the GDPR should not be understated. Any company who violates the EU’s GDPR could face up to up to €20 million in fines, or a fine of 4% of the company’s worldwide annual revenue from the last fiscal year.

These broadly defined laws, along with significant consequences and a difficulty in exporting data to different regions (as they have to meet EU standards) means WhatsApp will continue to be prevented from sharing its data with Facebook, even if it makes plans to in the future. Many European experts and privacy regulators hailed the initial exclusion from these changes as the successful protection of user data in Europe. Critics of the law note that the GDPR is too vague and there are potential loopholes that could be exploited. Other critics claim the GDPR will become a burden for businesses.

North American laws: A closer look at Canada’s Privacy Laws 

There are two other models of privacy regulation in the west; an American model and a Canadian one. This piece looks closer into the Canadian model compares it to the EU model.

To understand the Canadian model, one has to examine the US model.

The USA takes a “sectoral” approach to data privacy. There is no one Federal law regulating data privacy for Americans. Rather, there is a collection of Federal and State level laws enacted to enforce data privacy at different levels. 

For example, the Children’s Online Protection Policy Act (COPPA) was passed by the federal government in 2000. Under COPPA, companies cannot ask for personal information of children under the age of 12 without parental consent. Personal information here includes screen names, email addresses, photographs, audio files, and GPS location.

It is difficult to provide a precise comparison between the EU’s single law and America’s numerous state and federal laws. A closer examination of many of these laws however finds similarities to EU law including the right to access, delete or correct information stored about users, depending on the state/federal laws in place. 

Canada has been known for taking the “middle” ground between the EU’s “protectionist” approach and the USA’s “sectoral” approach. 

Canada’s approach towards data privacy began with the federal Privacy Act of 1985 and later was updated through the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2001. 

PIPEDA shares similar principles to the EU’s data privacy laws and the previous OECD model. Personal information is defined very broadly and includes demographic information, SIN numbers, information related to purchases or income and email or IP addresses,  although cookie data is not included in the list. PIPEDA also clearly outlines what constitutes consent, notice, security and how one can go about revoking consent, asking for information collected on users, correcting information or destroying it. 

There are some exceptions to PIPEDA’s jurisdiction. Employee personal information is subject to the applicable provincial or territorial legislation. Provinces like Quebec, British Columbia and Alberta have their own privacy legislation while provinces like Ontario have specific legislation like the Personal Health Information Protection Act, relating to the use of health information. 

The key difference between Canada and the EU/UK’s data privacy laws lies in the definition of what constitutes consent and removal of data. 

Canada does not have an “opt-in” default model like Europe. While informed consent must be obtained from the company to collect, store or share personal data, forms of consent can vary. According to the Office of the Privacy Commissioner, implied consent can be appropriate if the information being collected is less sensitive, and opt-out models can also be used, where if a person does not indicate they don’t consent, it is assumed they do consent. 

This is why you have to explicitly opt-in to receiving marketing emails from shopping stores in Canada, but do not explicitly opt-in to cookies on certain websites. It’s also why sometimes users will find that their Facebook account settings are more public than they like; they simply did not indicate they didn’t consent to how information is being collected. 

Furthermore, you can revoke consent of your personal information like in the European model. However, PIPEDA is considerably less comprehensive than the GDPR. Under PIPEDA, users may withdraw consent at any time “subject to legal or contractual restrictions and reasonable notice.” 

In other words, if a user wanted to avoid sharing their information with Facebook with any app for example, they need to abide by the restrictions in place. The restrictions that WhatsApp had (and will express) is clear; agree or stop using the app. Europe’s model is more detailed and ultimately, stricter.

What does this all mean for WhatsApp? And what about users?

WhatsApp’s delay of the changes has been celebrated as a successful example of how users an influence a company to clarify or take action, merely by taking their business elsewhere.

Many WhatsApp users are continuing to seek more secure apps for communication. Secure messaging apps like Signal saw a surge in downloads after the initial announcement, an increase many attributed to Elon’s Musk’s latest Tweet on January 7th which had one simple message: use Signal. 

In one of WhatsApp’s most popular markets, India, downloads for Signal have surpassed WhatsApp as Indian users reconsider what is important to them where it concerns privacy.

And while WhatsApp has clarified that personal information and messages will remain secure, many users can’t help but reflect on their parent company, Facebook’s, numerous data privacy blunders.

The controversy over WhatsApp is just another complication for what some scholars call “the fallacy of data-privacy self management.” The term, used by communications studies scholar Jonathan A. Obar maintains that users seek to self-manage their data-privacy and certainly desire to do so, but cannot achieve data-privacy on their own because of the complexities surrounding data in the first place. It is, according to Obar, impossible to access all of a user’s data across multiple jurisdictions with different regulations and then painstakingly sort through it until we are satisfied with the level of privacy. There’s just too much and not enough time or expertise. 

Users fleeing WhatsApp for more secure apps like Signal are doing just that; trying to manage their data privacy. But as Obar notes, it’s impossible to have privacy and safety because we can’t manage all the steps to achieve it. 

As companies like Facebook seek to test the waters where it concerns privacy in different regions, governments are trying to manage data-privacy for their users, often in different ways.

Back in December 2020, the American Federal Trade Commission (FTC) filed a lawsuit against Facebook, alleging that the company has been trying to monopolize the world of social media and eliminating competition by acquiring companies like WhatsApp. 

In the lawsuit, it specifically requests that Facebook separate itself from Instagram and WhatsApp, and that the company must seek government approval for future mergers. 

In Canada, the introduction of Bill C-11 in 2020, which aims to overhaul PIPEDA and the Privacy Act in favour of a new “Digital Charter” will be something that Canadians should  watch for where it concerns data privacy laws. However, the Bill has yet to be passed. 

Meanwhile in the EU, a long-time review of WhatsApp-Facebook data-sharing policy continues. Ireland’s Data Protection Commission has sent their decision regarding this concern to the EU.

Governments, like their citizens are too engaged in a race against time where it concerns data-privacy management. WhatsApp’s latest decision has certainly re-ignited the conversation for them. It remains to be seen if North American governments will change their privacy models or if they will adapt unique strategies to handle the growing need to protect personal information online. Nevertheless, the debate around privacy regulations is likely to be salient in the nearby future.