Dutch and Canadian DPAs challenge WhatsApp's compliance with their privacy laws

WhatsApp is in breach of data protection law, Canadian and Dutch data protection authorities have revealed. The Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority say that the app violates their privacy laws in relation to the retention, safeguard, and disclosure of personal data.

The coordinated investigation into WhatsApp is a global first, the two national data protection authorities say. 

“Our Office is very proud to mark an important world-first along with our Dutch counterparts, especially in light of today’s increasingly online, mobile and borderless world,” said Jennifer Stoddart, Privacy Commissioner of Canada. “Our investigation has led to WhatsApp making and committing to make further changes in order to better protect users’ personal information.”

Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, said: “But we are not completely satisfied yet. The investigation revealed that users of WhatsApp – apart from iPhone users who have iOS 6 software – do not have a choice to use the app without granting access to their entire address book. The address book contains phone numbers of both users and non-users. This lack of choice contravenes (Dutch and Canadian) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.”

WhatsApp, with hundreds of millions of users, is an instant-messaging application for smartphones, and is a free online alternative to text messaging.

The DPAs continue to monitor WhatsApp and the Netherlands may impose penalties later. The Canadian DPA does not have order making powers.

Canada recently launched myPRIVACYapp., which is a free app aimed at educating consumers about privacy in their mobile devices.
The report on WhatsApp 

Jennifer Stoddart, Privacy Commissioner of Canada, will speak on global data protection law enforcement action at Privacy Laws & Business's 26th Annual International Conference, Bridging Privacy Cultures, at Queens' College, Cambridge 1-3 July 2013.