The exponential growth in communication has been one of man’s landmark achievements in the 21st century and one of the biggest stakeholders in the sector is the social app WhatsApp. Consequently, the news of WhatsApp’s decision, to share users’ data with its parent company Facebook has been the subject of much conversation and criticism on both social and even traditional ‘mainstream’ media. The crux of the new policy update is that WhatsApp will share the data of its users with its parent company Facebook and other social media apps such as Instagram (also owned by Facebook). The goal behind the policy is to monetize WhatsApp in order to enable Facebook and its other apps market their business services. (Nate Lanxon, ‘Why WhatsApp’s new privacy rules are sparking alarm). Whilst WhatsApp has issued a statement to allay fears, there has been increasing concern over data privacy and security by users, regulators and industry experts.
When is the policy’s effective date?
Is the policy implemented globally?
The policy does not apply to users based in the European Union (EU). This is because of the provisions of the General Data Protection Regulation (GDPR) which is in force in the EU and prevents WhatsApp from dealing EU Citizen’s data in that manner. In the United States and for the rest of the world, the policy states that the policy change will enable users to use their Facebook Pay account “to pay for things on WhatsApp.” This will enable them chat with friends on other Facebook products, such as; Portal, “by connecting your WhatsApp account.” This provision does not exist in the version applicable in Europe.
Accordingly, to ensure that uniformity in protecting the data of WhatsApp users is achieved across the globe, it is crucial for the legislative and regulatory agencies of the various jurisdictions where WhatsApp operates globally to apply similar measures.
It is also important for privacy rights groups and experts to sensitize users and governments on the implications of not taking any action against policies that seek to undermine data security and privacy.
Can the policy offend provisions of the Nigeria Data Protection Regulation (NDPR) 2019 and the proposed Data Protection Bill 2020?
The NDPR 2019 is similar in objectives, to the GDPR issued by the EU as it requires that there be consent and lawful use of personal data. For clarity, the proposed policy will likely not offend the provisions of the NDPR if there is sufficient compliance with section 2.3 of the NDPR on procurement of consent. The section amongst other things provides that “where processing is based on consent, the Controller shall be able to demonstrate that the Data Subject has consented to processing of his or her Personal Data and the legal capacity to give consent”.
Whilst the WhatsApp policy may appear to conform with the NDPR, the policy may be scrutinised and potentially sanctioned under the more expansive Data Protection Bill 2020, as the proposed Act highlights the importance of data controllers to take adequate precautions to prevent possible sanctions and fines.
African cybersecurity convention
The uniformity in data protection laws and regulations in the EU with the enactment of the GDPR is at the root of the region’s immunity to a policy like WhatsApp’s. This is important as the WhatsApp policy update shows us that policies like this apply differently across various regions depending on the legal regime in place.
In June 2014, the Assembly of Heads of State and Government approved the African Union Convention on the Confidence and Security in Cyberspace (AUCC). The AUCC is often referred to as the African Cybersecurity Convention. However, despite the enactment of the African Cybersecurity Convention to create a comprehensive data protection framework on the continent, African countries are yet to sign the AUCC in their numbers for it to come into effect. Accordingly, the African Union Commission must lead the conversation to create a continental framework like the case in the EU with the GDPR. This can be done by ensuring that the African Union Commission drives political support on the continent for the widespread signing and ratification of the AUCC to set the standard in the protection of data privacy, electronic communication, etc. on the continent.
Who are the intended beneficiaries of the policy change?
The main beneficiary of the policy change would be Facebook; the Company with the aid of the data shared from WhatsApp, would be able to operate more effectively and improve its offerings with regard to targeted advertisement. Almost the entirety of the $21.5 billion in revenue generated by Facebook in the third quarter of the year 2020 came from advertising and this was without the assistance of data from WhatsApp.
Other beneficiaries as stated by WhatsApp are businesses. Businesses admittedly would be able to track users across all the platforms more effectively in order to sell their products and services. For many small to medium scale businesses, this marketing medium might afford considerable exposure and provide useful information.
Companies such as WhatsApp illustrate that despite several attempts to explain the intent behind their policy revisions, it is imperative that the policies conform to extant requirements of law and that they get ahead of the curve by carrying the general public along. Similar businesses which seek to process data in a like manner are to consider the need to ensure efficient protection and handling of data whilst providing a higher level of transparency and fairness to their users.
*Oni-Egboma & Muhammed are both associates at Kenna Partners.