Popular mobile messaging app WhatsApp breached “internationally accepted privacy principles” by storing users’ contact data, two national data protection regulators have found.
The WhatsApp application asks users to give permission to access their contracts book, in order to find contacts that also use the app. According to joint investigation by Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (CBP), WhatsApp also collects and stores contacts that do not use the app.
It is the fact that this data was retained with no identified purpose that breaches data protection law, the regulators said. In a statement on Monday, they said it “contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose”.
“Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp”, said CBP chairman Jacob Johnstamm.
The data watchdogs initially investigated WhatsApp because messages sent using the app were unencrypted. The company fixed that in September 2012, but the investigation also revealed the contact data breach.
The two data regulators said they would pursue legal action against WhatsApp seperately. According to the CBP, the Dutch Data Protection Act enables a second phase that will allow it to examine whether breaches of law continue before deciding to take further enforcement actions.
Information Age has contacted WhatsApp and is awaiting response.
WhatsApp, which has had between 100 and 500 million downloads on Android devices from Google’s Play store, is also available on Windows Phone, BlackBerry, Nokia S40 and Nokia Symbian platforms.