WhatsApp updated privacy policy – A commentary from a Singapore law perspective

Lisa ThengManaging Partner, CNPLaw LLP

The Authors: Wong Pei-Ling and Marvin Chua.

Our Practice: Data Protection and Security.

Read the article here instead to view the footnotes.

 

On 6 January 2021, WhatsApp users around the world were greeted with an in-app notice, stating that WhatsApp will be updating its terms and privacy policy, and users are required to accept the new terms and privacy policy to continue using the services offered by WhatsApp. In general, the new terms and privacy policy implied that WhatsApp will share users’ data with Facebook and other Facebook-owned entities. The notice resulted in huge public outcry against WhatsApp. In a matter of days, Signal and Telegram swiftly became the top download messaging apps in most countries with millions of user sign-ups. The resulting outcry was so serious that WhatsApp had to issue a clarificatory statement on 12 January 2021 to reassure users that the new terms and privacy policy will not affect the privacy of users’ messages or contacts. Users are also given up till 15 May 2021 (extended from the initial 8 February 2021 deadline) to decide whether to accept the new terms and privacy policy.

This article analyses the implications of WhatsApp’s recent announcement from a Singapore law perspective, in particular, under Singapore’s data protection laws.

 

Singapore’s data protection regime

In Singapore, the collection, use and disclosure of personal data by organisations are regulated by the Personal Data Protection Act 2012 (the “PDPA”). The PDPA applies to all organisations, regardless whether they are formed or recognized under the laws of Singapore. In this regard, every organisation is required to comply with the PDPA in respect of activities relating to the collection, use and disclosure of personal data in Singapore unless the collection, use and disclosure of personal data are expressly excluded from the application of the PDPA.

Personal data refers to data, whether true or not, about an individual who can be identified from that data on its own or from that data and other information to which the organisation has or is likely to have access. Data which can identify an individual on its own is referred to as a unique identifier, and the Personal Data Protection Commission (“PDPC”) generally considers such unique identifiers to include an individual’s full name, NRIC number or FIN, passport number, personal mobile telephone number, facial image of an individual, voice of an individual, fingerprint, iris image and DNA profile.

Under WhatsApp’s new terms and privacy policy, the information that WhatsApp can share with Facebook (and associated companies) will include[1]:

  • A user’s account registration information (including phone number), transaction data, service-related information, mobile device information and IP address;
  • Information on how a user interacts with others via WhatsApp;
  • Information identified in WhatsApp’s privacy policy section; and
  • Such other information obtained upon notice to a user or based on the user’s consent.

Based on the above, it is apparent that the information that WhatsApp collects and shares with Facebook will include personal data, and as such, Facebook will be required to comply with the obligations set out in the PDPA in relation to the collection, use and disclosure of personal data, namely[2]:

  • Whether data is collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances;
  • notifying users of the purposes and obtaining users’ consent for the collection, use or disclosure of personal data;
  • Allowing users to access and correct their personal data;
  • protecting personal data (including observing the requirements for international transfers) and not retaining personal data if no longer needed; and
  • Having policies and practices to comply with the PDPA.

 

Obtaining consent

Under the PDPA, an organisation is generally not allowed to collect, use or disclose a user’s personal data unless the user has given or is deemed to have given, his consent for the collection, use or disclosure of personal data[3]. In order for consent to be valid, the PDPA requires an organisation to notify users of the purposes for which their personal data will be collected, used or disclosed. In addition, if an organisation intends to use or disclose personal data for purposes other than as notified to users or for which it has not obtained users’ consent (“New Purposes”), the organisation will be required to inform its users of the New Purposes and obtain fresh consent for the New Purposes.

In this regard, WhatsApp has through its in-app notice, sought to notify users of the New Purposes (user data would now be shared with Facebook to “offer deeper integrations across the Facebook products”), and to obtain consent from them on the use and disclosure of their personal data.  Users who agree to the new terms and privacy policy are to provide their consent by tapping on the “Agree” button at the bottom of the announcement. Users who do not consent to the updated terms will not be able to continue using WhatsApp’s services. Despite negative outcry, WhatsApp has been transparent in bringing the updated terms to the attention of its users, and has complied with the notification requirements under the PDPA[4].

 

Disclosure of data to Facebook

Notwithstanding the above, the PDPA also stipulates that organisations providing a product or service to an individual must not, as a condition for providing the product or service, require the individual to consent to the collection, use or disclosure of his personal data beyond what is reasonable for the provision of the product or service, or provide false or misleading information or use deceptive or misleading practices to obtain the individual’s consent[5]. Any consent obtained in the foregoing circumstances would not be valid. For the avoidance of doubt, the PDPC has advised that an organisation may require an individual to consent to the collection, use and disclosure of his personal data as a condition of providing a product or service where it is reasonably required in order to provide the said product or service[6].

In the present instance, it remains unclear if the sharing of a WhatsApp user’s data with Facebook, for the purposes set out in the WhatsApp privacy policy, would be an action that is reasonably required by WhatsApp in order for it to provide its instant messaging services.

WhatsApp in its clarificatory statement on 12 January 2021[7] stated that the purpose for sharing user data with Facebook was to make it easier and better for WhatsApp users to engage in business messaging as users are inter alia able to use secure hosting services from Facebook to manage their WhatsApp chats with their customers, answer questions and send helpful information to their customers. Given that there are many WhatsApp users who use WhatsApp primarily for social and not business purposes (“Non-Business users”), it is not apparent why WhatsApp has to share such Non-Business users’ data with Facebook, in order for it to continue to provide instant messaging services.

It may be useful to note that the PDPC has advised organisations who intend to share personal data for marketing purposes, to also provide individuals with the option to decide whether or not to give their consent for the marketing purposes stipulated in their terms of use or privacy policy, and organisations should not deny the provision of product or services to these individuals simply because they have not given consent for the organisation’s marketing purposes [8].

 

Alternatives to express consent

The PDPA provides for two general situations where an individual does not need to expressly consent to the collection, use and disclosure of his personal data. First, if an individual voluntarily provides his personal data to an organisation for a purpose, he would be deemed to have consented to the collection, use and disclosure of his personal data for that purpose, if it is reasonable for him to have voluntarily provided his personal data[9]. The organisation must also be able to show that the individual was aware of the purpose for which his personal data was collected, used or disclosed. Second, an individual is deemed to have consented to the collection, use and disclosure of his personal data by an organisation (“A Co”) for a particular purpose, if he has consented or is deemed to have consented to the disclosure of his personal data by another organisation to the first organisation, i.e. A Co. In the present case, if a WhatsApp user has consented to the sharing of his user data by WhatsApp with Facebook for the purposes set out in WhatsApp’s privacy policy, the user would be deemed to have consented to the collection, use and disclosure of his personal data by Facebook for the purposes set out in WhatsApp’s privacy policy.

In addition to the above, the Personal Data Protection (Amendment) Bill was passed in Parliament on 2 November 2020, to amend the PDPA. The amendments expanded the categories of consent by introducing deemed consent by notification. An individual may be deemed to have consented to the collection, use or disclosure of personal data for a purpose that he had been notified of, if he has not taken any action to opt out of the collection, use or disclosure of his personal data. However, deemed consent by notification will only be effective if:

  • The organisation, prior to the collection, use or disclosure of personal data, has conducted an assessment to determine that the proposed collection, use or disclosure of personal data is not likely to have an adverse effect on the individual;
  • The organisation has taken reasonable steps to ensure that the individual is notified of the organisation’s intent to collect, use or disclose the personal data; the purpose of such collection, use or disclosure; and the period within which the individual can opt out of the collection, use or disclosure of his personal data for such purpose; and
  • The opt-out period must be reasonable.

 

Potentially, this means that if a WhatsApp user has been informed that his user data will be shared with Facebook or any related entity for the purposes set out in the WhatsApp privacy policy (whatever they may be), and he continues to use the WhatsApp services, without opting-out, he would be deemed to have consented to the sharing of his user data with Facebook or any related entity for the purposes set out in the WhatsApp privacy policy (whatever they may be), as long as WhatsApp has satisfied the requirements set out in the amended PDPA (see above).

Separately, under the amended PDPA, an organisation may rely on the “business improvement” exception to use personal data collected by the organisation (as long as this is done in accordance with the PDPA), to increase operational efficiency, develop new products, improve or enhance its services. However, this exception may only be relied upon for such purposes that a reasonable person may consider appropriate in the circumstances and where such purposes cannot be achieved without use of the personal data. Potentially, this “business improvement” exception may be applied to the sharing of personal data between entities in a group, as long as the conditions under the amended PDPA are met.

 

Closing remarks

 

Whilst the updates to WhatsApp’s terms of use and privacy policy have raised concerns across the globe, and it remains to be seen whether the sharing of data in this manner will be seen as a move that is justifiable or reasonable, recognition should be given for WhatsApp’s efforts to comply with data privacy regulations in the relevant jurisdictions (including Singapore) in relation to the collection, use and disclosure of user data. As a matter of prudence, users of alternative messaging platforms may wish to take a closer look at the terms of use and privacy policies of these messaging platforms, if they have not already done so, to determine if they are satisfied with the purposes for which their personal data is being collected, used and disclosed, and if not, whether they are able to opt-out.

 

Disclaimer: This update is provided to you for general information and should not be relied upon as legal advice.

 


Links