NPC Statement on WhatsApp Terms of Use (Updated)

The National Privacy Commission (NPC) has learned that the widely used WhatsApp messenger is set to change its privacy policy in a way that would allow the sharing of data with third-party companies hosted by its parent firm Facebook.

The move, according to WhatsApp’s new privacy terms, is exclusively intended to expand the application as a growing platform for business transactions and customer service with the extension of marketing features.

On Jan. 25, 2021, the Commission sent a letter to WhatsApp to address concerns on its plan to obtain the consent of its users to all the provisions stated in the Terms of Service and Privacy Policy to be able to continue using the app.

The broad language WhatsApp used in its new privacy terms has stirred confusion and concern. Critical privacy questions such as the scope of data that Facebook and its family companies will be able to harvest from WhatsApp and whether agreeing to the new policy is mandatory remain unanswered.

While the Commission takes positive note on WhatsApp’s emphatic assurance on its continued end-to-end encryption of messages and calls, we would like to note that encryption is a bare minimum requirement for ensuring data protection.

In addition, WhatsApp’s source code is proprietary and is not viewable by concerned experts who may want to validate the security and privacy of the application. Thus, we are limited to taking its privacy promises at face value.

More importantly, privacy does not only concern the messages we send and receive nor the calls we make and take, but should apply to the extent of surveillance to which all activities done on the platform are subjected.

The Data Security and Technology Standards Division of NPC summarizes the following concerns on the expanded data processing authority of WhatsApp when the new policy kicks in:

  1. Being provided ''as is'' and to be used at the users' sole risk
  2. Having authority to delete your account without prior notice or a reason
  3. Makes no warranty regarding uninterrupted, timely, secure or error-free service
  4. Uses your personal data for advertising
  5. May use tracking pixels, web beacons, browser fingerprinting, and/or device fingerprinting on users.
  6. May use your personal information for marketing purposes
  7. Can or otherwise transfer your personal data as part of a bankruptcy proceeding or other type of financial transaction.
  8. Forces users into binding arbitration in the case of disputes
  9. Keeps user logs for an undefined period of time

Another point of contention worth noting, as raised by the public, lies in the mere sharing with companies associated with its parent Facebook, which has not had a stellar record in personal data protection and management.

Like other data privacy regulators around the world, the NPC has repeatedly flagged Facebook for various concerns, some of which have yet to be addressed.

Rest assured that the Commission is closely monitoring developments and will directly coordinate with WhatsApp to extract specific details on the new policy, as we seek to understand more the data protection measures it currently adopts or will possibly adopt in light of the new privacy terms.

We take this as an opportunity to work with digital movers like WhatsApp to ensure that transparent and easily understandable consent processes, especially in a fast-thriving digital environment, are consistently observed.

As defined by the Data Privacy Act of 2012, consent is “any freely given, specific, informed indication of will" of a data subject, agreeing to the processing of his or her personal data.

Ultimately, we hope to help data subjects choose the best platforms that guarantee their security when communicating digitally.

Pending the result of our discussions, we encourage the public to prepare backing up their data stored in WhatsApp in case moving to a different platform turns out to be the more prudent choice.

# # #