This article first appeared in Digital Edge, The Edge Malaysia Weekly on March 22, 2021 - March 28, 2021

WhatsApp reached out to Digital Edge to provide clarity on the nature and extent of its data sharing practices, since its updated terms of service is set to go into effect on May 15 this year. 

This email interview was conducted in the wake of a cover story that appeared in Digital Edge on Feb 1, 2021 with the headline “WhatsApp debacle exposes local privacy problems”. 

While the interview addresses many concerns, questions remain as to the extent of its compliance with the Personal Data Protection Act 2010, which, in all fairness, is itself long overdue for updating, according to various experts contacted over the past year.

Another possible point of contention that WhatsApp did not address at sufficient length has to do with the business-related data-sharing policies between WhatsApp and its parent company Facebook, and its other subsidiary, Instagram, and how these policies could change once the May 15 terms and services go into effect. 

According to WhatsApp, the key difference between the latest and previous terms is the optional business features on WhatsApp, and details about how it collects and uses data for those purposes. The updates related to these optional business features are part of the company’s broader efforts to make communicating with businesses more secure and easier for everyone. 

Legal experts whom Digital Edge spoke to over the last few months pointed out, however, that the older, pre-May 15 terms of service already contained generalised data sharing and usage provisions between WhatsApp and other Facebook companies. 

The earlier terms of service noted how WhatsApp would share certain information with Facebook companies to help improve infrastructure and delivery systems, while better understanding how its services are used. 

For all intents and purposes, the incoming May 15 terms of service serve only to provide more specificity about the data it collects and shares with the other Facebook companies, and how that would now relate to WhatsApp’s business account services. 

What is still unclear is whether pre-May 15 data sharing practices already allow for user data to be shared and used for WhatsApp’s various business account services.

Therefore, while WhatsApp has in recent months attempted to inform users that it would collect and share additional data with Facebook for the purposes of providing a more effective business account service, it appears that these functions, to some extent at least, may already have been in place well before the initial announcement that sparked the international backlash.

It should be emphasised at this point that, thanks to WhatsApp’s end-to-end encryption (E2EE) capabilities, neither WhatsApp nor Facebook can see users’ messages or hear calls. WhatsApp also does not keeps logs of messages or calls, it stressed.

In any case, there are various data points that WhatsApp receives and collects, and this depends on how individuals use its various services. 

For those using WhatsApp’s basic E2EE messaging service, information collected includes: 

• Account information: Mobile phone number and basic information (including a profile name of your choice). This also includes other account information you choose to share, such as a profile picture and “About” information;

• Status information: If you include a status to your account;

• Usage and log information: WhatsApp collects information about user activity on its services, such as service-related, diagnostic and performance data;

• Device and connection information: WhatsApp collects device and connection-specific information when you install, access or use its services. This includes information such as hardware model, operating system information, battery level, signal strength, app version, browser information, mobile network, connection information, language and time zone, IP address, device operations information and identifiers; and

• Location information (optional): It collects and uses precise location information from your device with your permission when you choose to use location-related features, such as when you decide to share your location with your contacts or view locations nearby or locations others have shared with you.

The scope and nature of the data sharing and usage practices will also depend on the sort of WhatsApp account that the user happens to be on at the moment. 

To this end, there are three types of WhatsApp accounts, or products, each of which comes with its own data sharing and usage implications. It is worth noting that, at press time, WhatsApp had yet to clarify the product-specific data sharing and usage practices. 

The three WhatsApp products are: 

• The consumer app, which is free and best known among users at large;

• The WhatsApp Business App, which is also free and used mostly by small businesses; and

• The WhatsApp Business API, a premium product used by larger businesses such as airlines, banks, healthcare providers and telecommunications services providers. The May 15 terms of service have to do with users messaging a business that happens to be using the WhatsApp Business API service. 

Chats with businesses that use WhatsApp messenger or WhatsApp Business App or that self-host the WhatsApp Business API are considered E2EE. 

If a business chooses, however, to use a third-party service provider to operate the WhatsApp Business API on its behalf, WhatsApp would not consider this particular dynamic to be E2EE, simply because the business will most likely have multiple people reading user messages and providing customer service.

As mentioned, WhatsApp discloses only the most general of data sharing relationships between itself, Facebook and Instagram, so there is precious little on the scope, nature and specifics of the data sharing and how these might change, depending on which of the three products happen to be in use.

Having said that, the following is a general guide, provided by WhatsApp, which details its data sharing practices with Facebook and Instagram. 

• As a subsidiary of Facebook, WhatsApp both receives and shares information with other Facebook companies. It may use the information it receives from them and they may use the information that WhatsApp shares with them to help operate WhatsApp’s services and offerings. WhatsApp shares certain categories of information, including:

• User account registration information (such as a user’s phone number);

• Information about how the user interacts with businesses when using WhatsApp’s services (there is no additional clarity on this point);

• Mobile device information;

• IP address; and

• Other information identified in WhatsApp’s Privacy Policy section entitled “Information We Collect”, or obtained upon notice to the user, based on the user’s consent.

Amid the myriad sets of terms of service and privacy policies cutting across WhatsApp’s three products, Digital Edge was able to find the following generalised data points (available in the WhatsApp Business Terms of Service, last updated on Oct 29,2020). 

The following data is probably currently collected in accordance with the WhatsApp Business and the WhatsApp API products: 

• Information from business account and registration;

• Usage, log and functional information generated from use of the business service;

• Performance, diagnostics and analytics information;

• Information related to technical or other support requests; and

• Information about the user from other sources such as other WhatsApp users, business, third-party companies and the Facebook companies.

This particular provision goes on to say that WhatsApp and the Facebook companies may share this information with one another, and “will use all the information we have to develop, operate, provide, improve, understand, customise, support and market our Business Service, our other services and the services and products of the Facebook companies. It is not possible to opt-out of these data practices.” 

It is not certain whether this is the full list of data points or to what extent the collection of these data points may change after May 15. 

For more information, log on to www.whatsapp.com/legal/updates/priva cy-policy.

Save by subscribing to us for your print and/or digital copy.

P/S: The Edge is also available on Apple's AppStore and Androids' Google Play.