Date Published: 1 September 2016
With reference to The Straits Times article on 29 August 2016, “Privacy watchdog seeks clarification on WhatsApp’s new terms”, WhatsApp’s terms and conditions have recently been updated to permit the company to transfer data collected from users of WhatsApp to its parent company, Facebook.
WhatsApp has stated in its blog  that it will not post or share a user’s WhatsApp number with others, including on Facebook, and that it will not sell, share or give a user’s phone number to advertisers. However, it is coordinating with Facebook to track basic metrics about how often a user uses its services and a user’s phone number will be connected with Facebook’s systems, allowing Facebook to offer better friend suggestions and to show more relevant advertisements if the user also has an account with Facebook. It is unclear how the sharing of a user’s metrics or phone number with Facebook will lead to better friend suggestions or more relevant advertisements being shown to the user. Nevertheless, WhatsApp has stated that the actual message content in chats will not be shared as they are protected by end-to-end encryption.
Pursuant to the Personal Data Protection Act 2012 (“PDPA”), an organisation is required to seek consent for new use of personal data. Further, the consent must be informed. In this case, WhatsApp’s users’ consent would have to be obtained for the transfer of personal data to Facebook for the purposes of marketing and advertising. The Personal Data Protection Commission (“PDPC”) recommends in its advisory guidelines that an individual should be required to take a positive action to give his or her consent. Arguably, the “positive action” recommendation is satisfied, since WhatsApp requires users to “accept” the new terms and conditions. However, given that the default position is that the user consents to the sharing and it is not uncommon for consumers to simply click “accept” assuming that the update contains insignificant and administrative information, it is unsurprising if many remain unaware of what they have consented to. Many of the less tech-savvy individuals, for example, the older generation may not be able to disable the “set-to-share” default function, without assistance, despite a guide on how this may be done on WhatsApp’s website. The PDPA also provides that individuals may at any time withdraw any consent given in respect of the use or disclosure of their personal data. Reasonable notice of the withdrawal will have to be given to the organisation by the individual and the PDPC advisory guidelines recommend that organisations provide for easy access to the withdrawal policies.
Although the stated primary intention of the sharing is to provide better product suggestions on Facebook, the amount of personal data that could be potentially mined from WhatsApp, a popular multimedia messaging service, raises some concerns, including one on lack of control by users over the sharing of a user’s contact information with Facebook. A conversation involves more than one individual. If one party does not consent to the sharing of his or her personal data but the other party to the communication does, the question arises whether the sharing of one user’s account or phone number details with Facebook may result in Facebook having the personal data of both individuals and the knowledge that these individuals are connected with each other.
Beyond the issues of consent, there are also measures for the care and destruction of personal data which must be considered. For example, the persons who have accepted the terms but who subsequently elect to opt-out – if the data has already been transmitted to Facebook, would the current services provided by WhatsApp include automatic deletion of such persons’ data by Facebook? The PDPC imposes additional obligations on organisations to ensure that such personal data is deleted if an individual does not consent to the transfer or storage of his or her data by another organisation. Nevertheless, an organisation may retain personal data in accordance with its data protection provisions, for example, if the retention is necessary for audit purposes.
We understand that the PDPC is looking into this development.
This update is provided to you for general information and should not be relied upon as legal advice.
With the prevalence of technology and increasing connectivity through the internet, cybersecurity and data protection are areas that have grown more important in Singapore.
Since the introduction of the Personal Data Protection Act 2012 (“PDPA), it is mandatory for organisations to comply with data protection rules and we strive to help our clients understand that compliance with the PDPA is no longer an option.
At CNPLaw, we have worked with our clients and helped them navigate through a variety of data protection issues, which include:
- Reviewing existing policies in order to advise on our client’s compliance with the law
- Highlighting possible legal risk areas
We also advise our corporate clients in relation to ad hoc queries on potential breaches of the law and the PDPA, and highlight data protection issues that may arise in the context of employment or HR policies.