Nowadays, it is becoming increasingly popular for groups of people to communicate with each other using WhatsApp group chat. This extends to groups of employees, sports teams, family relatives, committee members or just drinking buddies. It is very handy and saves time making phone calls and/or repeating the message to individual team members. WhatsApp, which is wholly owned by Facebook, has been at pains in recent times to emphasise that the chats are secured with end-to-end encryption. (Whatever that is! – Ed).
But all is not well in this fair and pleasant land. The collection, aggregation and onward transmission of personal data through WhatsApp is likely to be in breach of the EU General Data Protection Regulation (GDPR) on a number of points. EU rules insist that personal data may only be processed where there is a legal basis for doing so. For example, an insurance company has a legal basis for acquiring and processing our personal data so that it can quote us for an insurance policy. But the insurance company would not be entitled to pass on our personal details to one of its subsidiaries in order to sell us another financial product.
The legal basis for, say, a sports club collecting personal data is to process club membership; for example, the name, address, age, sex, phone number, etc. necessary to comply with club rules. But unless it is explicitly set out in “legalese”, the use of the personal data to contact members via group chat is not necessary for processing club membership. The GAA recently fell foul of this clause and warned its member clubs that they might be in breach of GDPR rules. Victorious team photos that proudly hang in the clubhouse cannot be shared on WhatsApp groups unless explicit consent is given. Just imagine the impracticalities of this where the U-14s are disappointed that their good news cannot be shared because the club has failed to get consent from the full-back.
All team members are entitled to secure a copy of their personal data from the club. But if data has been shared and forwarded on WhatsApp, the club will find it increasingly difficult to satisfy the request in full. Imagine a phone number and name shared on one message, a team photo on another and then the full-back’s photo being named on another that was forwarded to friends by proud parents. Such a trail could facilitate positive identification of the full-back in breach of his/her data protection rights.
Given that WhatsApp is a global communication channel, there is every chance that the full-back’s personal data could end up on a non-EU server. The rules state that personal data may only be transferred outside the EU where EU-type data protection safeguards are in place. How can the sports club ensure this?
The protection of personal data is a legitimate concern but surely not to this extent? Perhaps we should instruct our children to self-isolate to protect themselves from the dreaded GDPR!