NPC has learned that the change would allow the sharing of data with third-party companies hosted by its parent firm Facebook.
The move, according to WhatsApp’s new privacy terms, is exclusively intended to expand the application as a growing platform for business transactions and customer service with the extension of marketing features.
“The broad language WhatsApp used in its new privacy terms has stirred confusion and concern. Critical privacy questions such as the scope of data that Facebook and its family companies will be able to harvest from WhatsApp and whether agreeing to the new policy is mandatory remain unanswered,” said NPC in a statement.
While the Commission takes positive note on WhatsApp’s emphatic assurance on its continued end-to-end encryption of messages and calls, it noted that encryption is a bare minimum requirement for ensuring data protection.
In addition, NPC said, WhatsApp’s source code is proprietary and is not viewable by concerned experts who may want to validate the security and privacy of the application. “Thus, we are limited to taking its privacy promises at face value,” said NPC.
More importantly, privacy does not only concern the messages we send and receive nor the calls we make and take, but should apply to the extent of surveillance to which all activities done on the platform are subjected.
NPC listed initial concerns raised by its Data Security and Technology Standards Division on the expanded data processing authority of WhatsApp when the new policy kicks in.
These include the involvement of third parties in operating the service; being provided ”as is” and to be used at the users’ sole risk; having authority to delete your account without prior notice or a reason;
makes no warranty regarding uninterrupted, timely, secure or error-free service; uses your personal data for advertising;
may use tracking pixels, web beacons, browser fingerprinting, and/or device fingerprinting on users; may use your personal information for marketing purposes; can or otherwise transfer your personal data as part of a bankruptcy proceeding or other type of financial transaction;
forces users into binding arbitration in the case of disputes;
keeps user logs for an undefined period of time; and,
gathers information about you through third parties
Another point of contention worth noting, as raised by the public, lies in the mere sharing with companies associated with its parent Facebook, which has not had a stellar record in personal data protection and management.
Like other data privacy regulators around the world, the NPC has repeatedly flagged Facebook for various concerns, some of which have yet to be addressed.
“The Commission is closely monitoring developments and will directly coordinate with WhatsApp to extract specific details on the new policy, as we seek to understand more the data protection measures it currently adopts or will possibly adopt in light of the new privacy terms.
We take this as an opportunity to work with digital movers like WhatsApp to ensure that transparent and easily understandable consent processes, especially in a fast-thriving digital environment, are consistently observed,” said NPC.
As defined by the Data Privacy Act of 2012, consent is “any freely given, specific, informed indication of will” of a data subject, agreeing to the processing of his or her personal data.
Ultimately, we hope to help data subjects choose the best platforms that guarantee their security when communicating digitally.
Pending the result of our discussions, we encourage the public to prepare backing up their data stored in WhatsApp in case moving to a different platform turns out to be the more prudent choice.