In May last year a German lower federal court ruled that the use of WhatsApp is not legitimate without having obtained consent from those individuals whose contact data is uploaded to a WhatsApp messenger account (AG Bad Hersfeld, 15.05.2017 – F 120/17). The court considered the fact that WhatsApp automatically uploads the phone numbers of all contacts in a smartphone‘s address book. In its standard terms and conditions WhatsApp declares the following:
“Address Book. You provide us the phone numbers of WhatsApp users and other contacts in your mobile phone address book on a regular basis. You confirm you are authorised to provide us such numbers to allow us to provide our Services.”
In the court’s opinion, this automated upload infringes other user’s rights of self-determination if done without their consent. No less important, the court even ruled out implied consent of those users were already subscribed to WhatsApp and, as such, should be aware of this automated data upload mechanism. In the ruling the court asked a mother to produce the missing consent of those individuals that had been uploaded by her son to his WhatsApp messenger account.
An interview by Günther Leissler
Since this was the first case where a court not only scrutinised the legitimacy of cloud-based communications services, but also put the spotlight on the user’s responsibilities when using such services, we asked Mr Thilo Weichert for his expert opinion.
Mr Weichert was the Federal State Commissioner for Data Protection and Freedom of Information in Schleswig-Holstein from 2004 to 2015. Besides other functions, he now works for the "Netzwerk Datenschutzexpertise". Mr Weichert is probably best known for his endeavours to ensure Facebook's data protection compliance over the past years.
Q: Mr Weichert, the District Court of Bad Hersfeld has passed two resolutions originally dealing with custody proceedings that ended up being a hotly discussed topic in the field of data protection. At the centre of attention is the messaging service WhatsApp.
In both cases, the court instructed mothers to produce the data protection declarations of consent of the entities who were uploaded on WhatsApp by their underage children. Do you think this marks a paradigm shift – a turn away from the user's status as a mere protection element in the world of social networks towards legal self-responsibility?
A: The decision does not mark a paradigm shift; it only describes the generally existing liability under civil law, data protection law and legal custody. To quote a famous German saying: "No plaintiff, no judge". This is a unique decision, as it is uncommon for a breach of privacy caused by an app to be taken to court.
Ever since I was a child, construction sites have had signs saying that parents are liable for their children.Children are only to be held account-able for their actions in a limited way. This particularly applies for online activities. Who else but the parents should take responsibility in this case?
The district court treated the question of the privilege of data protection in private data usage with wariness. In summary, it categorised the un-authorised uploading of telephone contacts as a private act, which failed to comply not primarily with the data protection law, but rather with the German tele-media act.
In your opinion, how big is the risk for companies that allow their employees to use their own mobile devices for both business and private purposes? This could lead to an upload of business data through their personal WhatsApp account. Could the company be held liable for a "bring your own device" policy?
Employers who allow staff to use their private smartphone for business purposes are even less savvy than the boy's mother. Business data is transferred onto the private device and therefore cannot be effectively controlled by the employer. The private device is, in principle, not subject to its direction rights. This requires a high level of trust in the employees. In any case, private and business matters on smartphones or tablets should be clearly separated from each other. If data is mixed, the employer is also partially responsible for the resulting data protection violations.
WhatsApp users implicitly acknowledge and approve that their contact details are uploaded to WhatsApp through other users. However, the district court surprisingly emphasises that there is no such "implied consent", because the underlying technical processes are too complicated for the individual user. Does this pose a general risk for the agreement model in other apps and programs with a high degree of networking, even with explicit declarations of consent?
The argumentation of the district court is perfectly fine, as there is no such thing as legal valid implied consent. The requirements of consent are becoming even stricter with the General Data Protection Regulation, which comes into effect in May 2018. This has occurred through the instruments of "prohibition of linking" (Koppelungsverbot) and "privacy by default". One problem is that service providers still base their processing on largely inadmissible consents. Another is services with so-called layered design (graded), which is situation-related and with scarce information handling consent.
The court decisions we have been discussing are all in Germany, but the underlying legal ideas have their roots in general and European data protection principles. Do you think that the decisions of the magistrate's court are a flash in the pan?
Should we also expect court rulings in other Member States that prioritise self-responsibility of users?
Case law will certainly increase in this area with the entry into force of the General Data Protection Regulation, since additional possibilities for legal protection are created.
In addition, since the beginning of 2016, there have been improved opportunities for collective actions in Germany in the interests of consumers in the area of data protection.
In the past, we frequently saw decisions where the judges apparently did not understand the technical, economic and social conditions. Hopefully this will improve in the future, too.
Lastly, we have a stable jurisdiction with awareness of data protection on the part of the German Federal Constitutional Court and the European Court of Justice.
And yet, to take the metaphor further, there are plenty of indications that in the area of data protection the "flash in the pan" may become a judicial blaze.
Thank you for the interview.-------------
Read about Schoenherr's view on the topic