GDPR: Companies to ban WhatsApp, Snapchat from phones?
June 6, 2018
German car parts supplier Continental has banned its 240,000 employees from using social media applications WhatsApp and Snapchat on company-issued mobile phones.
The new rule applies to the company's entire global network and affects more than 36,000 mobile phones, Continental said on Tuesday from its headquarters in the northern German city of Hanover.
"We think it is unacceptable to transfer to users the responsibility of complying with data protection laws," CEO Elmar Degenhart said. "This is why we are turning to secure alternatives."
The move aims to protect "business interests, employees and business partners," as the apps access private and therefore potentially confidential information — address book entries, for example — of uninvolved third parties, the company says.
Privacy has moved from a niche topic to one of the biggest headaches for top bosses as they scramble to comply with Europe's new General Data Protection Regulation (GDPR), which governs how data collectors gather and use citizens' information.
GDPR, which came into force on May 25, mandates that consumers have to be informed who is gathering their data such as name, address, email address and ID number, and that they must agree that it may be used.
Facebook-owned WhatsApp and Snapchat save users' contact data, stored in their phones' address books, and transfer the information to their own servers.
Currently, however, disabling the option to share one's contact details limits the use of the app significantly. Under the GDPR, this can lead to difficulties for companies like Continental, which in theory would have to ask each individual contact for their consent to transfer their data.
Different companies, different practices
In an interview with DW, the data protection ombudswoman for the German federal state of Schleswig-Holstein, Marit Hansen, said the extent to which WhatsApp is GDPR-compliant must be assessed in detail.
"Regardless, companies must not pass on address book data without a legal basis or consent," Hansen says, adding that all companies ought to regulate their business communications to avoid any risk that might arise through the sharing of personal data with third parties, regardless of whether the data concerns employees or clients.
Continental isn't the only company listed on Germany's stock exchange to resort to a ban of messenger apps, or similar measures.
Deutsche Bank, for instance, banned the usage of SMS, WhatsApp and other messenger services in January of 2017, citing documentation obligations for banks. Carmaker Volkswagen doesn't allow chat apps for business use at all, instead relying on an internal messenger app. Competitor BMW only permits authorized apps on company phones; WhatsApp and Snapchat aren't among them.
Others, like Germany's largest airline Lufthansa, do allow chat apps for private usage. The separation, according to a company spokesperson, is technically feasible. "Business contacts are exclusively stored in the secured area of the device and cannot be utilized by social media apps."
Hansen and other data protectionists have repeatedly warned of possible legal consequences of using WhatsApp on company phones. She has also pointed out that trade secrets could be at risk, for example when a foreign company gets access to customer data.
While WhatsApp didn't comment, Snapchat publicly rejected the decision of tire giant Continental. "It is completely up to the user whether they wish to grant access to contacts in Snapchat," a spokesperson of parent company Snap said. "If users do upload their contacts to their account they can stop syncing them and delete them at any time from within the app. We also do not store non-user contacts."
Need for a second phone?
Ilona Klein, spokesperson of Germany's Central Association of German Construction Companies (ZDB), called WhatsApp's current data collection practice an "open flank," particularly for small handicraft businesses that use WhatsApp on a daily basis. On construction sites, it is a standard practice to communicate via the app, Klein tells DW. Craftsmen also regularly use it to communicate with clients, for example to have them send images of spots in their homes that need repair.
A company that violates GDPR standards risks fines of up to €20 million ($23 million) or up to four percent of its annual global revenue.
Klein urged firms to stop using WhatsApp and resort to secure means of communication like email.
"Ultimately, private and professional use of mobile phones need to be separated consistently," Klein says. Employees either need a second phone, or must delete WhatsApp from their existing one.
Echoing Klein, data protectionist Hansen thinks combining private and professional usage of company phones isn't just "problematic" from a data protection perspective. It could also cause company bosses to neglect their control duties, if they cannot be assured of telecommunications privacy. Problems could also arise when business data is shared in a private context.
According to a survey by German digital association Bitkom of more than 1,000 German companies with at least 20 employees, more than one third (38 percent) use messenger apps like WhatsApp for their internal and external communication.
In a press release, Continental said it was prepared to "lift this ban," provided WhatsApp and Snapchat "change the basic settings to ensure that their apps comply with data-protection regulations by default." In a 'privacy by default' mode, the basic setting is such that the user doesn't allow the app to store its data.
WhatsApp, which Facebook acquired in 2014 for roughly $22 billion, has more than 1.3 billion users worldwide.