The data privacy and protection officials in Canada and the Netherlands have issued a report [unofficial English translation of the report (pdf); Canada’s report] on their investigation into a California-based mobile application developer, WhatsApp Inc. The Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (College bescherming persoonsgegevens (CBP)) said:
The investigation focused on WhatsApp’s popular mobile messaging platform, which allows users to send and receive instant messages over the Internet across various mobile platforms. While WhatsApp was found to be in contravention of Canadian and Dutch privacy laws, the organization has taken steps to implement many recommendations to make its product safer from a privacy standpoint. At this time, however, outstanding issues remain to be fully addressed.
The investigation revealed that WhatsApp was violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data. For example:
- In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users. Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically. […]
The OPC and CBP have worked closely together, but have issued separate reports, respecting each country’s data protection law (Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the Dutch Data Protection Act (Wet bescherming persoonsgegevens (Wbp))). Following the issuance of their respective reports of findings, the OPC and CBP will pursue outstanding matters independently.
Following investigation, the Dutch Data Protection Act provides for a second phase in which the CBP will examine whether the breaches of law continue and will decide whether it will take further enforcement actions. The Dutch legal framework contains the possibility to enforce the Dutch privacy law by imposing sanctions.
Under Canada’s PIPEDA, the OPC will monitor the company’s progress in meeting commitments made in the course of investigation. In most cases, companies are cooperative in meeting their obligations, and WhatsApp has demonstrated a willingness to fully comply with the OPC’s recommendations. Unlike the CBP, the OPC does not have order-making powers.