Full Interview with Dr. Carsten Ulbricht: WhatsApp and Data Protection

1) Are messaging apps like WhatsApp generally more vulnerable (in terms of data privacy) than other digital channels such as social media or e-mail?

No, you definitely can’t make a general statement like this. A specific problem that WhatsApp poses in terms of data protection - and a problem that many people are already familiar with - is that, when I install WhatsApp on my device, WhatsApp reads all of my contact book data without asking for permission. These are transferred to the US and probably processed there. Why does WhatsApp do this? Because WhatsApp say "if we want to connect people, we need their phone numbers." – and that technically makes sense.

This is the important identification criteria, and from WhatsApp’s perspective this is actually understandable. But from a data protection viewpoint this is problematic, because I am not allowed to give WhatsApp the telephone number of each of my contacts.

Another thing to point out, because this comes up relatively often; for private use, I consider this issue to be fully unproblematic legally, because in private data processing doesn’t fall under the terms of the GDPR. Otherwise you would have to decide if you need a Data Protection Officer at hand when you forward a contact to someone, and that would make things difficult. However, it becomes relevant if I use WhatsApp on a company device or as a company, and thus transfer personal data to WhatsApp as a business. Then I need a legitimate reason and consent – generally, at this point I haven’t asked these people about transferring their phone numbers, and that is the main issue with WhatsApp.

2) As a company, am I allowed to communicate with my customers over WhatsApp?

To use WhatsApp as a company, I need to prevent my contact book data transfer to WhatsApp. I can either do this by installing the necessary software on my cellphone, which blocks this transfer, or I can block WhatsApp’s access to my phone, and forestall this basic problem.

3) Which points in the GDPR are relevant for the topic of messenger communication?

Data Protection – including WhatsApp Data Protection – can be explained easily in three sentences:

1. When a company processes personal data, they need to have a legitimate reason.
2. There are different legitimation justifications in Article 6 of the GDPR. These tell me in which situations I am allowed to process data.
3. Article 13 of the GDPR says which information companies need to give users, so that they know what will happen with their data.

Let’s go through this for messenger marketing: let’s say that we avoid transferring data to WhatsApp by using MessengerPeople services. Then, as a company, I have to make sure that my own data processing (processing data I gather from my customers) is legitimate. This means: I get consent from the customers.

Essentially, I say to my customers; "Dear customers, if you communicate with my business over WhatsApp, we will do the following with your data: 1, 2, 3”. I have to list everything relevant and the customer has to make an active decision. That means the customer has to actively say: “Yes! I accept this.” And then your data processing has been legitimated by the customer.

I also have to prepare other information and have this available, for example which data will be processed, who processes the data, and where or to whom it will be forwarded, and a note that metadata from WhatsApp could be taken into consideration in the USA. I also have to write how my company processes the data, for what purposes, and of course I have to let the users know what their rights are. Can the customer request that all data be deleted? Can the customer request more informaion? Make sure to provide information about all these possibilities.

This holds true for all digital channels! Including messenger marketing – and using the method I’ve just described, this can easily be implemented. To sum up: 1) Thoroughly inform your users about how you plan to process the data. 2) Explain how the data will be processed by third parties. 3) Receive active consent. There you go!

4) WhatsApp Data Protection: is messenger marketing over the MessengerPeople software GDPR-compliant?

What is the double Opt-In for e-mail marketing? The thing is, if I want to annoy you, I can take your e-mail address and sign you up for a thousand newsletters. Then you have technically agreed, because you’ve signed yourself up, but they also can’t prove that it was you who did that. That’s why normally in e-mail marketing this second Opt-In process with a confirmation email. When you then say "yes, I accept" then it’s clear that you’re the owner of this e-mail account.

You’ve applied these thoughts to messenger marketing and WhatsApp data protection. You say "Well, anyone can type in a phone number, at this point I don’t really know if it’s the telephone number owner." So you got o the second Opt-In step. This is fully legally sound. To put it in other words, you don’t necessarily need this step, you technically need just one secure step. To ensure the security, you have this double Opt-In process, which is great.

5) Customer service via messaging apps: are there specific recommendations or requirements for situations when messaging apps (WhatsApp, Apple Business Chat, etc,) are used to communication sensitive personal data such as bank information, health information, etc.? (Keywords: Metadata, US-Server)

If I process personal data, I need a legitimate reason to do so. For “normal” data, there are legitimation justifications in Article 6 of the GDPR. For special personal data, such as health data, further information can be found in Article 9 of the GDPR. These are handled a bit differently. Essentially, however, it still holds that with informed consent (to all steps of the data processing) one can legitimate this data usage, in my opinion. I’ve spoken to data protection officers about this at great length, and a few see this situation differently, but I want to explain my viewpoint. The fact is, this is my data.

In a situation in which I have all available information and can decide “do I want this” or “do I not want this,” I have to be able to decide what to do with my data.

Everything that we do with data protection comes back to the basic right of being informed and being able to make your own choices. You could say that this law was created to give each individual the choice of what to do with their own data.

What I’m essentially saying is that I think it is right and important that comprehensive information about data processing should be made available. Then the user can really make an informed decision – and if the user then says “I want to use WhatsApp” or any other communication channel, because it’s practical or simple, then that is the user’s right.

To cut a long story short: active consent is the key to the topic of customer service and WhatsApp data protection. With health data you have even more requirements to fulfill and need to ensure more data security. Therefore I would be a bit careful with health data, but in my opinion, all other types of data are acceptable for customer service via WhatsApp, as long as you get consent first.

6) After how long should data from a customer service inquiry be deleted?

For data protection of course you want to save as little data as possible, and store as little data as possible. You should note that when you gather data, you can only save it for a certain amount of time. This means you ned a „deleting concept“ as a company and it should be thoughtfully created.

How can I regulate this logically? What you store yourself can easily be deleted, but data that has been stored somewhere else, for example over WhatsApp, can only be deleted with restrictions. However, to come back to the important part about WhatsApp: because of the end End-to-End encryption, we are unlikely to have any personal data stored in WhatsApp, and so I don’t need to consider how to delete it.

However, for my own company I should have a deletion concept. I should consider how long I have a valid interest in this data. As long as the reason is legitimate, I can store them. When I gather this data after receiving consent, I should include this information so that the user knows, and I need to let know the user know that they can also override this and ask specifically for the data to be deleted.

7) Since the beginning of October we also support Apple Business Chat – an exciting solution for many companies, especially locally. How would you rate Apple Business Chat legally, in terms of the GDPR?

I have to say that I haven’t taken a closer look at their whole set-up yet. I’ve looked over it a bit, so I can just repeat what I originally said about it. There are three things to keep in mind, when I want to use Apple Business Chat as a company:

1. I need to make sure that I don’t transfer any data to Apple which I’m not allowed to transfer to third parties.
2. I also have to make sure that the people who want to communicate with my company over Apple Business Chat can give me informed consent. How do I do this on this channel? Do I do a double Opt-In or something similar? I need to resolve the technical problems and make this information available.
3. If I want to use this channel for customer communication, then I also have to make sure that it is fully secure.

I’m not sure how this all works with Apple Busienss Chat, like I said before, I haven’t looked into it closely enough. The WhatsApp End-to-End encryption is great, so when they can offer something similar then it’s probably equally good. I really can’t give an absolute answer yet, because I haven’t tried it out yet.

Thank you Carsten!