CNPupdates

The legal pulse of Asia in your hands.

Featured authors

Wong Pei-Ling

Partner

Relevant practices

Data Protection And Security >

CNPupdates

PDPA implications of the WhatsApp terms and conditions

SHARE THIS ARTICLE

export this article

Date Published: 1 September 2016

Authors: Wong Pei-Ling and Lorraine Liew. 

With reference to The Straits Times article on 29 August 2016, “Privacy watchdog seeks clarification on WhatsApp’s new terms”, WhatsApp’s terms and conditions have recently been updated to permit the company to transfer data collected from users of WhatsApp to its parent company, Facebook.
WhatsApp has stated in its blog [1] that it will not post or share a user’s WhatsApp number with others, including on Facebook, and that it will not sell, share or give a user’s phone number to advertisers. However, it is coordinating with Facebook to track basic metrics about how often a user uses its services and a user’s phone number will be connected with Facebook’s systems, allowing Facebook to offer better friend suggestions and to show more relevant advertisements if the user also has an account with Facebook. It is unclear how the sharing of a user’s metrics or phone number with Facebook will lead to better friend suggestions or more relevant advertisements being shown to the user. Nevertheless, WhatsApp has stated that the actual message content in chats will not be shared as they are protected by end-to-end encryption.
WhatsApp has in its new Privacy Policy terms provided for an opt-out procedure whereby an existing user may choose not to have his or her WhatsApp account information shared with Facebook to improve his or her Facebook advertisements and product experiences. Nevertheless, there is a time limit of 30 days from the date of acceptance of the new terms to opt-out and there is currently no information on how a user may exercise his or her right to opt-out after the expiry of the 30 days.
Pursuant to the Personal Data Protection Act 2012 (“PDPA”), an organisation is required to seek consent for new use of personal data. Further, the consent must be informed. In this case, WhatsApp’s users’ consent would have to be obtained for the transfer of personal data to Facebook for the purposes of marketing and advertising. The Personal Data Protection Commission (“PDPC”) recommends in its advisory guidelines that an individual should be required to take a positive action to give his or her consent. Arguably, the “positive action” recommendation is satisfied, since WhatsApp requires users to “accept” the new terms and conditions. However, given that the default position is that the user consents to the sharing and it is not uncommon for consumers to simply click “accept” assuming that the update contains insignificant and administrative information, it is unsurprising if many remain unaware of what they have consented to. Many of the less tech-savvy individuals, for example, the older generation may not be able to disable the “set-to-share” default function, without assistance, despite a guide on how this may be done on WhatsApp’s website. The PDPA also provides that individuals may at any time withdraw any consent given in respect of the use or disclosure of their personal data. Reasonable notice of the withdrawal will have to be given to the organisation by the individual and the PDPC advisory guidelines recommend that organisations provide for easy access to the withdrawal policies.
Although the stated primary intention of the sharing is to provide better product suggestions on Facebook, the amount of personal data that could be potentially mined from WhatsApp, a popular multimedia messaging service, raises some concerns, including one on lack of control by users over the sharing of a user’s contact information with Facebook. A conversation involves more than one individual. If one party does not consent to the sharing of his or her personal data but the other party to the communication does, the question arises whether the sharing of one user’s account or phone number details with Facebook may result in Facebook having the personal data of both individuals and the knowledge that these individuals are connected with each other.
Beyond the issues of consent, there are also measures for the care and destruction of personal data which must be considered. For example, the persons who have accepted the terms but who subsequently elect to opt-out – if the data has already been transmitted to Facebook, would the current services provided by WhatsApp include automatic deletion of such persons’ data by Facebook? The PDPC imposes additional obligations on organisations to ensure that such personal data is deleted if an individual does not consent to the transfer or storage of his or her data by another organisation. Nevertheless, an organisation may retain personal data in accordance with its data protection provisions, for example, if the retention is necessary for audit purposes.
We understand that the PDPC is looking into this development.

GENERAL DISCLAIMER

This article is provided to you for general information and should not be relied upon as legal advice. The editor and the contributing authors do not guarantee the accuracy of the contents and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the contents.

related practices

Services related to this article

Swipe right to scroll

service

Data Protection And Security

In the inter-connected world of big data and technology, ensuring the protection of privacy and security of personal data has never been more critical. At CNPLaw, we recognise the importance

Get in touch with the authors.

Our legal team comes decked with deep insights and the necessary legal expertise; all ready to help you with your legal needs.

Get in touch

How can CNP help?

We're ready to assist with your legal needs. Please share more details about the nature of your enquiry for us to better serve you.

Subscribe for CNPupdates!

No spam. Just timely legal insights to help you navigate Asia's ever evolving legal landscape.