WhatsApp Probe Shows Growing Power of International Regulatory Cooperation, Privacy Chiefs Say
CAMBRIDGE, U.K. -- The inherently global nature of the digital economy and the companies that lead it is forcing data protection authorities (DPAs) to boost cross-border cooperation, said Canadian Privacy Commissioner Jennifer Stoddart Monday. One focus of that increased coordination was a joint Canadian-Dutch investigation of California-based WhatsApp, a mobile messaging platform, said Stoddart and Jacob Kohnstamm, chairman of the Netherlands Data Protection Authority. The company has begun to clean up its act, but the situation isn’t yet resolved, Kohnstamm said. Mobile apps in general, and geolocation services in particular, create privacy headaches which industry is trying to cure, said other speakers at a Privacy Laws & Business conference.
The Dutch DPA focused on WhatsApp’s mobile messaging platform, which lets users send and receive instant messages on the Internet, Kohnstamm said. Investigations by his and Stoddart’s offices found that the popular app violated their national privacy laws on data retention, disclosure of personal data and privacy safeguards, he said.
WhatsApp requires access to all contacts in a user’s mobile device to assist in identifying other WhatsApp users, Kohnstamm said. That’s legal, but rather than then deleting the numbers of non-WhatsApp users, the app keeps them. Users and non-users alike must be able to decide what numbers they share with WhatsApp, said Kohnstamm. Another problem the investigations revealed was that messages sent on the app were unencrypted, leaving them open to interception, he said. WhatsApp was using passwords which could easily expose users to third parties when connected to a Wi-Fi network, he said. The company has since tightened security and responded positively, but “we're not there yet,” he said.
Other WhatsApp concerns were pursued by Canada and the Netherlands independently, Kohnstamm said. He will decide whether to take further enforcement action against the company, he said. The WhatsApp situation offered “an interesting glimpse” of what might be possible in terms of global privacy enforcement, said Stoddart. Acting together, national authorities have more clout against global players, she said. WhatsApp had no immediate comment.
There are challenges to cooperation, Stoddart said. Different jurisdictions have differing laws or no legislation. Even when countries have laws, they may not legally be allowed to share information across borders. Not long ago, the prominent paradigm for privacy protection was the “silo effect,” but that’s not useful in a networked world, said Stoddart. The FTC and some European DPAs can impose “attention-getting sanctions,” but Canada can’t, she said. The proposal in the draft EU data protection plan to harmonize enforcement powers across Europe will be a big step toward greater coordination, she said. Worldwide cooperation will continue because DPAs have the will to cooperate, she said. Authorities are growing more comfortable with the idea that they can use different paths to enforce some common privacy principles, she said. That’s clear from an open letter recently sent by 34 DPAs to Google raising concerns about the wearable computer called Google Glass, she said.
The U.S., U.K., Ireland, Canada and many EU national DPAs recently cooperated on a sweep of online privacy policies, Stoddart said. They jointly chose the websites according to a grid of relevance and swept them during the same week, she said. The results of the survey are expected to be unveiled at the international conference of data protection and privacy officers in Poland in September, she said.
Apps are rolling out at 1,600 per day, said Scott Singer of the law firm Dentons, U.K. That they raise privacy concerns is clear from reports, such as one saying a flashlight app stored all its geolocation information on a server in Israel along with phone numbers and other personal details, he said. The EU Article 29 Data Protection Working Party, with members who are national DPAs and the EU data protection supervisor, said EU cookie law applies to smartphones and apps, requiring consent for processing personal data, he said.
The chief privacy issues of mobile apps raised by the working party include the scope of data on devices that application programming interfaces are allowed to access; the lack of transparency about what’s done with user data; and lack of informed user consent, said Singer. There can also be poor security measures and a disregard, deliberate or otherwise, for data minimization and purpose limitations, he said. The group’s recommendations included (http://bit.ly/14JLbCc) that the different market players in the app ecosystem take a team-based approach to privacy and that there be granular consent for each type of data collected, he said.
The mobile, ad and other industry segments are working on guidance for protecting privacy in mobile apps and geolocation, said Vodafone Global Privacy Counsel Kasey Chappelle. The GSM Association is preparing guidelines for operators’ own apps and those they will distribute, she said. Direct and interactive ad bodies are focusing on mobile ads, she said. So many different groups are working on these issues that some worry it will become too confusing, she said. But industry can achieve some things regulators can’t, because they can operate across industry sectors and borders, she said.