12 Aug ANPD concludes the evaluation of the changes made to Whatsapp’s privacy policy
By Fabio Alonso Vieira, Carolina Barbosa Cunha Costa, and Eduarda Mourad Baldavira
Early last year (4.1.2021), the messaging app WhatsApp announced changes to its Privacy Policy, which were seen by many experts as abusive because they allowed the sharing of personal data of the app’s users with Facebook Group companies, and if the user did not accept the policy, they could not use (or continue to use) the app.
Following the strong backlash, WhatsApp globally has decided to postpone the new policy to provide users with more information about the company’s privacy and security practices.
Also in the first quarter of last year (March 21, 2021), the ANPD issued a Technical Note No. 02/2021/CGTP/ANPD (here), in which it analyzed the possible consequences of the changes promoted in the company’s Privacy Policy and Terms of Service and listed some recommendations, such as:
(i) Conducting a data protection impact report on the integration of the WhatsApp Business and WhatsApp services, with reference to the best practices implemented by the market;
(ii) Creating sections in the Privacy Policy that inform the data subjects of the legal bases used and correlate them to the purposes and categories of personal data processed,
(iii) Strengthen security and privacy safeguards, e.g., secure deletion and disposal of data, implementation of administrative privacy controls, implementation of privacy by design and by default; and
(iv) Public disclosure of the identity of the Data Protection Officer.
In May of last year (May 7, 2021), the National Data Protection Authority (“ANPD”), the Administrative Council for Economic Defense (“CADE”), the Federal Public Prosecutor’s Office (“MPF”) and the National Consumer Secretariat (“Senacon”) issued a Joint Recommendation (herein) recommending that the:
(i) WhatsApp Inc.:
a) To postpone the effectiveness of its Privacy Policy;
b) abstain from restricting the access of users to the functionalities of the application; and
c) adopt the measures oriented to the practices of personal data processing and transparency, under the terms of the LGPD, according to Report No. 9/2021/CGF/ANPD and Technical Note No. 02/2021/CGTP/ANPD
(ii) Facebook Miami Inc., Facebook Global Holding III, LLC e Facebook Serviços Online do Brasil Ltda.
a) abstain from performing any kind of processing or sharing of data received from the gathering performed by WhatsApp Inc. based on the changes to the Privacy Policy of the application scheduled to go into effect on 15.5.2021, until the positioning of the regulatory bodies.
Still in May (May 14, 2021), WhatsApp committed to collaborate with ANPD, CADE, MPF and Senacon and not to close the account of any user who does not agree with the terms of the Privacy Policy.
At the end of the first half of 2021 (30.6.2021), the ANPD issued Technical Note No. 19/2021/CGF/ANPD (here) which aimed to:
a) review the WhatsApp Business terms of use and policies again;
b) Verify what has been accomplished by WhatsApp Inc. since the last Technical Note; and
c) Reinforce the recommendations made by ANPD, CADE, MPF and Senacon.
In the past few weeks, the ANPD issued the 3rd Technical Note No. 49/2022/CGF/ANPD (here) that concludes the evaluation phase of the changes made to the Privacy Policy of the message application WhatsApp.
Through this document, the ANPD has analyzed the versions of the Privacy Policy of all WhatsApp tools (“WhatsApp Messenger, WhatsApp for Business and WhatsApp for Business – API”) and verified their adequacy to the Brazilian Data Protection Law (“LGPD”), determining changes for a clearer and more transparent policy for the user.
Finally, the ANPD concluded that
(i) WhatsApp complied with the ANPD’s determination to prepare a Data Protection Impact Report (“DIPR”);
(ii) The model adopted for the DIPR was satisfactory and met international good practices;
(iii) There are still situations that could be changed to improve transparency in the protection of personal data – mainly by adopting user experience principles.
CADE, MPF, and Senacon will also analyze the Note and make their recommendations according to their respective competencies.
Even with WhatsApp’s cooperation, the ANPD said it will open proceedings to analyze, specifically, WhatsApp’s sharing of data with Facebook, which has occurred since 2016 and was not the subject of the latest policy update.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KV Advogados concerning the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.
No Comments