Our Data In WhatsApp
Punit Bhatia
Managing Consultant | Making Privacy, Data & AI Compliance and Sourcing Hassle-Free | Host of the FIT4PRIVACY Podcast | Published Author | Keynote Speaker
In the last few days, we have seen a lot of buzz around the changes in the Privacy Statement (or, as some call it, the Privacy Policy). Many of us have been sharing concerns about our data in WhatsApp. As a privacy expert, I have read and written multiple Privacy Statements. And, as a user, I tend to be aware of what is done with my data, when it is possible. Given the buzz, my experiences and my interests, I thought of reading the Privacy Statement from WhatsApp. Now that I have done so, I am sharing my observations.
Disclaimer - This is not a judgement or legal opinion. I am not paid by anyone to write this. The opinions are personal and being shared with you for a discussion. I am not making any suggestions or recommendations. These are pure opinions. If you like it, write a comment and share. If you don't, comment on it and forget it. There is nothing personal or competitive here.
The Big Fat Truth
WhatsApp differentiates the protection of privacy for its users based on region. Those in the EU are provided with significantly higher data protection measures and rights while those who are outside of the EU are provided with information on what it does with users' data. This is blatantly visible as the company has put out two versions of its Privacy Statement, i.e., one for those in the EU and one for everyone else. Even more, the versions say the companies controlling our data are different. Yes, I understand that WhatsApp Ireland is the controller (the entity that decides on collection and purpose of the processing of our personal data) for individuals in the EU while everyone else has WhatsApp LLC as their controller.
Obviously, this is because of the EU GDPR which sets the bar in data protection a lot higher than many other privacy laws.
What Exactly Do People Outside of the EU Miss Out?
Whilst the two variants of privacy are different in word, spirit and law, the following sections are altogether missing from the non-EU version:
- Legal bases for processing are not mentioned. This means if you are outside the EU, you need to read and guess what is the basis of processing your personal data. I struggled to find anything other than business interests. That too is not explicit.
- How do we work with other Facebook companies? This means if you are outside the EU, you rely on the section "Our Global Operations" to understand what is going on. Even though this same section is there for those in the EU, I find the one for the EU more elaborate and transparent (on a relative basis) as regards what is being done and on what basis. For example, it states that transfers from the EU are based on Standard Contractual Clauses while it is open to interpretation as to how other transfers are being safeguarded.
- How we process your information? This means if you are outside the EU, you need to read other parts and guess what is being done with your data. In my view, this is fairly understandable if you are an expert in this field.
- How to exercise rights? This means if you are outside the EU, you need to find ways on how you can get your queries answered. This is likely to be tricky because there is no legal redressal like the EU GDPR.
While the above is missing in the version for outside of the EU, it is striking to see that a section named "Automatically Collected Information" is included. This mentions a lot of data collected automatically, including cookies, transactional data, device information etc. Similarly, cookies are placed in services outside the EU in the section "Information We Collect".
And, There Are Minor Variations...
- As part of security, the EU version mentions the integrity of data. This surprised me.
- Favourite lists may be created without any user action on the part of non-EU users while the EU version says "You can use the contact upload feature and provide us, if permitted by applicable laws, with the phone numbers in your address book on a regular basis, including those of users of our Services and your other contacts."
- The outside EU version says "We use cookies to operate, provide, improve, understand, and customize our Services." This shows the spirit that if there is no law, we will do it.
Conclusion
It is a challenge for us, as users, to choose because we have developed habits that rely on WhatsApp a lot. And, we have been so lured into free calls, group calls, group chats and instant information on whether the message is read or not. With so much proliferation into our day-to-day activity, we do not even have an alternative that has similar features. I have heard about Signal as a viable alternative (still to check on it) but how many of us are there on Signal? So, it is not an individual choice but a societal one.
On the other hand, the optimist in me says that this is a good development. I would rather know what is being done with my data in a transparent manner than have it done in a secret way. So, in the long run, it will be a good test for our privacy institutions' alertness as well as our desire for privacy. Maybe, other countries will also implement EU GDPR-like laws. In my view, this is evolution and it will continue.
And, any analysis apart, we need to be cognizant of the fact that there is never a free lunch.
When the product is free,
you are the product.
And, this is the case for all social platforms and Google services. And, many more on the internet. So, how can WhatsApp be different? What did we expect when Facebook bought WhatsApp? We knew it. So, why this noise now?
In the end, it will all be okay.
My Choice For Now
Being in the EU, my choice is simplified. Basically, I do not need to decide for now. I do have concerns about what happens to my data when it is listed in a contact list of someone who is outside of the EU. But then, I do realize that even if I were to quit WhatsApp, I have the influence over others and cannot ask to remove my data from their contact list. And, if I cannot, what am I protecting by moving away? Nothing. So, I choose to stay.
But, what do you think? What is your choice?
Marketing Specialist at Data Dynamics
1y: Insightful read! The differences in data protection measures are quite stark, and your personal perspective adds valuable context. It's crucial for users to understand the trade-offs and consider the implications of these privacy choices. Looking forward to more discussions on this evolving landscape!
IT Compliance (SOX/PCI) , IT Auditor , IT GRC , Information Security and Privacy , Project Manager (CISA , M. S. Computer Science)
4y: Now WhatsApp's update won't roll out until May 15. https://www.cnn.com/2021/01/15/tech/whatsapp-privacy-policy-delay/index.html
IT Compliance (SOX/PCI) , IT Auditor , IT GRC , Information Security and Privacy , Project Manager (CISA , M. S. Computer Science)
4y: Signal is already experiencing technical difficulties. https://twitter.com/signalapp/status/1350118809860886528
IT Compliance (SOX/PCI) , IT Auditor , IT GRC , Information Security and Privacy , Project Manager (CISA , M. S. Computer Science)
4y: About Signal App. Brian Acton and Moxie Marlinspike formed the Signal Foundation on February 21, 2018. *The Signal Foundation is a 501(c)(3) nonprofit* with a mission to "support, accelerate, and broaden Signal’s mission of making private communication accessible and ubiquitous." Signal raises money through its foundation to help grow the company. The initial *$50M in funding was a loan, not a donation*, from Brian Acton to the new nonprofit Signal Foundation. It will be no surprise to me if one day Facebook buys Signal.
Data Protection Expert in Global Privacy Compliance and Governance
4y: Hi Punit, I recently did an interview on this in the local media here