Recently, whenever WhatsApp and GDPR are mentioned together, it is usually in the context of the fine WhatsApp received for violating GDPR rules. The case is often described as the “second-largest GDPR fine ever awarded”, amounting to 225 million euros. Naturally, with WhatsApp being one of the most popular messaging apps on the market, the case drew a lot of attention.
GDPR is known for its very large fines: they can be as high as 20 million euros or 4% of the violator’s global annual revenue for the past year. Still, what did WhatsApp do to deserve such an amount?
GDPR, which stands for General Data Protection Regulation, was introduced to protect the privacy of user data. It regulates the way such data is collected, processed, and disclosed. While GDPR applies only to EU users, any company serving the European Union must comply, regardless of where it is located or registered.
Like any other act, GDPR is a large and detailed document laying down strict regulations on how businesses can process user data to ensure its maximum protection and privacy. It contains legal requirements for both the data collection process and data security. In short, GDPR requires that any business serving EU customers is transparent about how user data is collected and used, specifically:
In addition, GDPR sets the rules for protecting the user data that companies gather, including requirements for security policies, encryption, and breach-handling procedures. Other provisions deal with compliance auditing and accountability. This way, GDPR has users covered every step of the way.
The messenger app was found to provide insufficient transparency about the way it handles user and even non-user data. For example, WhatsApp requests access to the entire list of the user’s phone contacts and the details stored in it. While WhatsApp’s declared purpose is to find contacts who use the same messenger service and help users connect with them quickly and easily, in practice it also gains access to contacts who are not WhatsApp users. Thus, the messenger app breaks the rule requiring explicit consent to collect and process information.
Of course, Facebook and WhatsApp are contesting the fine, calling it disproportionate and claiming that WhatsApp’s services are secure and private. We can argue whether the fine is justified and appropriate, whether WhatsApp’s policies were indeed not transparent enough, and even whether GDPR is a working instrument that can protect the privacy of users. However, while it is in effect, businesses have no choice but to comply.
GDPR summarizes its requirements for businesses serving EU users in a checklist gathering all the main actions a company must take to be compliant. By running through the checklist, a company can see where it is already compliant and where its business processes need adjustment.
Basically, GDPR requires companies to let users control how their data is collected and processed, including an easy option to update or remove data and even deny data collection altogether. If data is collected automatically, users’ rights still need to be protected by specially designed procedures.
To allow users to make informed decisions about how their data is processed, companies must state explicitly which data they collect, in what manner, and for which purposes. This information helps users decide whether to allow data collection or to opt out. The latter option must be available in all cases.
As a software developer specializing in customer-facing communication products, QuickBlox has made an extra effort to ensure compliance with all applicable regulations, GDPR included. The instant messaging, chat, and video calling apps offered by QuickBlox have all the options required by GDPR to protect users’ data:
Besides, in QuickBlox, users’ data is protected with security mechanisms that can withstand current cyber threats:
The story of WhatsApp tells us that even such communication heavyweights as Facebook can fail in compliance and end up with not only huge fines but also a damaged reputation with users. Thus, businesses building applications for public use should take extra care to ensure regulatory compliance.
Of course, you can do this on your own; however, you will need to engage a full team of experts in software development, data security, communication, and legal compliance to build a functioning app from scratch. Alternatively, you can take a much shorter path and use solutions already built by such a team and tried and tested inside and out.
With QuickBlox, you can be sure that you are getting a secure enterprise messaging app that meets all the criteria and requirements of GDPR compliance. The QuickBlox team follows all the regulatory updates and monitors the cyber threat situation to stay ahead of possible inconsistencies and violations. Using QuickBlox’s SDKs and APIs, you can enhance your messaging service with a powerful communication feature while resting assured that all the compliance requirements are met.
Planning to build a secure messaging app and reach the European Union audience? Reach out – we’ll be happy to help!