Since recently, if WhatsApp and GDPR are mentioned together, it is usually within the context of the fine that WhatsApp was awarded for violating GDPR rules. Moreover, this case is often described as the “second largest GDPR fine ever awarded”, which is equal to 225 million euros. Naturally, with WhatsApp being one of the most popular messaging apps on the market, this case drew lots of attention.
GDPR is known for its significantly large fines – they can be as high as 20 million euros or 4% of the violator’s global annual revenue for the past year. Still, what did WhatsApp do to deserve such an amount?
What is GDPR?
GDPR, which stands for General Data Protection Regulation, was introduced to protect the privacy of user data. It regulates the way such data is collected, processed, and disclosed. While GDPR applies only to EU users, any company serving the European Union must comply, regardless of where it is located or registered.
Like any other act, GDPR is a large and detailed document laying down strict regulations on how businesses can process user data to ensure its maximum protection and privacy. It contains legal requirements for both the data collection process and data security. In short, GDPR requires that any business serving EU customers is transparent about how user data is collected and used, specifically:
- Users should be able to give explicit consent to gathering their data or object to it.
- Users should be able to know which details the business collects from them.
- Users should be able to update their information stored with the business.
- Users should be able to request their data to be removed permanently.
In addition, GDPR sets the rules for protecting the user data that companies gather, including the requirements for security policies, encryption, and breach handling procedures. Other regulations deal with compliance audit and accountability. This way, GDPR has users covered every step of the way.
Why was WhatsApp fined under GDPR?
The messenger app was found to provide insufficient transparency about the way it handles user and even non-user data. For example, WhatsApp requests access to the entire list of the user’s phone contacts and the details stored in it. While WhatsApp’s declared purpose is to find contacts that belong to users of the same messenger service and help to connect with them quickly and easily, in fact, it gets access even to contacts that are not its users. Thus, the messenger app breaks the rule requiring explicit consent to collect and process information.
Moreover, WhatsApp also allowed sharing its users’ contacts with its parent company, Facebook. Its privacy policy was not exactly transparent about this and did not provide a clear description of which data is being shared and why. Under social and media pressure, WhatsApp updated its user data protection policies but that did not save the messenger app from the GDPR violation fine.
Of course, Facebook and WhatsApp are trying to fight the fine calling it disproportionate and claiming that WhatsApp’s services are secure and private. Now, we can argue whether the fine is justified and appropriate, whether WhatsApp’s policies were, indeed, not transparent enough, and even whether GDPR is a working instrument that can protect the privacy of users. However, while it is in effect, businesses have no other choice but to comply.
How to ensure GDPR compliance?
GDPR summarizes its requirements to businesses serving EU users in a checklist gathering all the main actions a company must take to be compliant. By running through the checklist, the company can see where it does OK and where its business processes need adjustment.
Basically, GDPR requires companies to let users control how their data is collected and processed, including an easy option to update or remove data and even deny data collection altogether. If data is collected automatically, users’ rights still need to be protected by specially designed procedures.
In order to allow users to make informed decisions on how to manage their data processing, companies must state explicitly which data they collect, in which manner, and for which purposes. This information helps users decide whether to allow data collection or to opt-out. The latter option must be available in all cases.
GDPR compliance in QuickBlox
As a software developer specializing in customer-facing communication products, QuickBlox has taken extra effort to ensure compliance with all the applicable regulations, GDPR included. Apps for instant messaging, chatting, and video calls offered by QuickBlox have all the options required by GDPR to protect users’ data:
- Full list of personal data collected from users
- Purposes for which personal data may be collected
- Potential disclosure scenarios
- Data retention policy
- User’s options to amend their data and stop its processing
If you would like to see the complete account of GDPR compliance measures taken by QuickBlox, see its privacy policy.
Besides, in QuickBlox, users’ data is protected with security mechanisms that can withstand current cyber threats:
- Data encryption, both in transit and at rest
- Availability and Disaster Recovery plans ensuring data integrity even in case of service failure
- Continuous environment monitoring
- Anti-malware protection
Build GDPR-compliant communication apps with QuickBlox
The story of WhatsApp tells us that even such communication heavyweights as Facebook can fail in compliance and end up with not only huge fines but also a damaged reputation with users. Thus, businesses building applications for public use should take extra care to ensure regulatory compliance.
Of course, you can do it on your own, however, you will need to engage a full team of experts in software development, data security, communication, and legal compliance to build a functioning app from scratch. Alternatively, you can go a much shorter path and use solutions already built by such a team and tried and tested inside and out.
With QuickBlox, you can be sure that you are getting a secure enterprise messaging app that meets all the criteria and requirements of GDPR compliance. The QuickBlox team follows all the regulatory updates and monitors the cyber threat situation to stay ahead of possible inconsistencies and violations. Using QuickBlox’s SDKs and APIs, you can enhance your messaging service with a powerful communication feature while resting assured that all the compliance requirements are met.
Planning to build a secure messaging app and reach the European Union audience? Reach out – we’ll be happy to help!
