Data Security: NITDA Advises Nigerians on WhatsApp Privacy Policy Changes

NITDA Advises Nigerians on WhatsApp Privacy Policy Changes
The National Information Technology Development Agency (NITDA) under Section 6 (f) of the NITDA Act 2007 wishes to provide this advisory to Nigerians to address Nigerian concerns on changes to Whatsapp Terms of Service and Privacy Policy which took effect on 15th May, 2021. Millions of Nigerians use Whatsapp platform for business, social, educational, and other purposes. The platform is the social media platform of choice for many Nigerians.

To understand the issues and give an opportunity to explain its views, NITDA in collaboration with the African Network of Data Protection Authorities engaged Facebook Incorporated, the owners of Whatsapp platform, specifically, its global Policy officials on 9th April, 2021. After the engagement, NITDA, as Nigeria’s data privacy regulator, wishes to advise Nigerians on how Facebook’s business decision affects their privacy rights.

What Has Changed?
Facebook acquired Whatsapp in February 2014. Facebook currently has over 2.5 billion users globally, while Whatsapp has over 2 billion users. Whatsapp shared a reviewed Privacy Policy on 4th January 2021, informing its users outside the European Union that it would now share their information with Facebook and its sister companies.

Datasets collected by Whatsapp
Whatsapp collects the following information on users:
⮚   account information;
⮚   messages (including undelivered messages, media forwarding);
⮚   connections;
⮚   status information;
⮚   transactions and payments data;
⮚   usage and log information;
⮚   device and connection information;
⮚   location information;
⮚   cookies etc.

Other information collected by Whatsapp include:
⮚   battery level;
⮚   signal strength;
⮚   app version;
⮚   browser information;
⮚   mobile network;
⮚   connection information (including phone number, mobile operator or ISP), language and time zone;
⮚   Internet Protocol address;
⮚   device operations information;
⮚   social media identifiers.

The new policy best renders the platform’s information sharing practices with Facebook and its companies-
“As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the other Facebook Companies. We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings, including the Facebook Company Products…”

Whatsapp shares the above listed information and the following with the Facebook company:
⮚   account registration information;
⮚   details on how users interact with others;
⮚   mobile device information;
⮚   Internet Protocol address;
⮚   Location data etc.

The Facebook Team confirmed that private messages shared on WhatsApp consumer version are encrypted and not seen by the company. But the metadata (data about the usage of the service) which is also personal information is shared with other members of the Facebook Group.

Whatsapp users are at liberty to decide on giving consent to the processing of their data based on the new privacy policy. The Nigeria Data Protection Regulation (NDPR) recognizes consent (a clear, unambiguous expression of privacy terms communicated by the controller and accepted by the Data Subject) as one of the lawful basis for data processing. Acceptance of the new privacy policy and terms of use implies that user data would now be shared with Facebook and other third parties. Users will now be subject to the terms and policies of Facebook and other receiving entities with or without being direct subscribers to such services.

Advise
As a result of the foregoing, NITDA advises as follows:

Nigerians may wish to note that there are other available platforms with similar functionalities which they may wish to explore. Choice of platform should consider data sharing practices, privacy, ease of use among others; and

Limit the sharing of sensitive personal information on private messaging and social media platforms as the initial promise of privacy and security is now being overridden on the bases of business exigency.

Nigeria’s engagement with Facebook continues. We have given them our opinion on areas to improve compliance with the NDPR. We have also raised concerns as to the marked difference between the privacy standard applicable in Europe, under the GDPR and the rest of the world.

Given the foregoing and other emerging issues around international technology companies, NITDA, with stakeholders, is exploring all options to ensure Nigerians do not become victims of digital colonialism. Our national security, dignity and individual privacy are cherished considerations we must not lose. Because of this, we shall work with the Federal Ministry of Communications and Digital Economy to organize a hackathon for Nigerians to pitch solutions that can provide services that will provide functional alternatives to existing global social platforms.

Mrs. Hadiza Umar MNIPR, M.ARPA, MCIPR
Head, Corporate Affairs and External Relations
Corporate Headquarters, Garki, Abuja