It could be so simple: practically the entire staff already has WhatsApp installed on their smartphone. Why not quickly create a group and use the most popular instant messenger for your internal company communication too? The issue is that WhatsApp, owned by Facebook, does not meet the most basic data protection standards. Our assessment shows that there are far better alternatives.
What you need to know in a nutshell
- WhatsApp may be the most widely used messenger service, but it should not be used for your corporate communication.
- Even the popular alternative Telegram has some clear data protection weaknesses.
- Our assessment shows that messenger services that comply with data protection rules do exist.
- Companies can and should oblige their staff to use secure messenger services.
In this article
- Instant messenger and data protection — what is the problem?
- Can I use messenger for confidential communication?
- What constitutes a data protection compliant messenger?
- Which messenger services are particularly problematic when it comes to data protection?
- Which messenger services can be recommended for secure communication?
- How do I convince my contacts to switch to a secure messenger?
- Conclusion
Instant messenger and data protection — what is the problem?
Employers in the UK and throughout the European Union are required to guarantee an adequate level of data protection, as per the General Data Protection Regulation (GDPR) which has been in force since 2018. Since communicating via instant messenger involves the exchange of personal data, it is important to consider data protection. However, it is not always that simple, especially when you have data saved on servers all over the world.
A practical example: an employer wishes to use WhatsApp as a communication channel for sick leave. In this case, personal data relating to a member of staff’s absence due to illness are sent and saved on servers belonging to WhatsApp that the employer has no control over.
It is therefore no surprise that courts and data protection authorities have classified the use of WhatsApp as critical for confidential communication since 2017. As you will see from our data protection assessment (results below), WhatsApp cannot be recommended for companies. There are, however, other messenger services that meet data protection requirements and can be used in everyday work.
Can I use messenger for confidential communication?
When data are strictly confidential, the best method of communication is to whisper in your counterpart’s ear. Old-fashioned copper cable landline telephones also offered a high level of confidentiality. But modern office life is very different.
Chats are probably most comparable to email, and here a good messenger is superior to unencrypted email when it comes to data protection.
As such, there is no reason to go entirely without messenger services when corresponding on confidential issues. As you will see below, you simply must avoid certain apps.
What constitutes a data protection compliant instant messenger?
For a data protection authority, it is easy to set out the most important criteria for a good messenger:
- Server location: the server should be located in the EU or another country within the European Economic Area (EEA), i.e. Norway, Iceland, or Liechtenstein. Please note: the UK is no longer an EU member state and will no longer be bound by the GDPR after 2020.
- Business model: the messenger should not be financed by advertising that uses the data you send.
- Encryption: good end-to-end encryption should come as standard in a messenger that meets data protection requirements.
- Contacts: the messenger should not access your contacts list.
- Protocol: the instant messaging protocol should be open source.
- Backup option: it should be possible to store data locally as required, not only in the cloud.
These six criteria are important from a data protection point of view, which is why we have given them significant weight in our assessment.
There are also other important criteria when it comes to confidential communication:
- Deleting the account: it should be possible to delete the account via the app.
- Displaying actions: it should be possible to switch off the indicator showing that your counterpart is currently typing. The same applies to notifications that messages have been received/read.
The following is a chart of popular messengers and how each one performs against the aforementioned criteria based on our analysis.
| Criterion | Max. points | Rocket Chat | Threema | Wire | Signal | Telegram | WhatsApp |
|---|---|---|---|---|---|---|---|
| Location of servers within the EEA (see note below) | 300 | 300 | 200 | 200 | 50 | 0 | 0 |
| Business model not based on advertising | 200 | 200 | 200 | 200 | 200 | 200 | 0 |
| End-to-end encryption in group chats | 200 | 200 | 200 | 200 | 200 | 0 | 200 |
| No access to the local address book required | 200 | 200 | 200 | 200 | 200 | 0 | 0 |
| Standardised, disclosed protocol | 100 | 100 | 100 | 100 | 100 | 100 | 0 |
| Backup possible on freely selectable storage, without cloud | 100 | 100 | 100 | 100 | 100 | 0 | 0 |
| Account can be deleted within the app | 50 | 50 | 50 | 50 | 50 | 0 | 50 |
| "Typing" indicator can be switched off | 50 | 50 | 50 | 0 | 50 | 50 | 50 |
| "Received/read" indicator can be switched off | 50 | 50 | 50 | 50 | 50 | 0 | 50 |
| Comment | – | Rocket Chat is one of the leading open source team chat software solutions. | Secure communication from a Swiss provider. | Wire is arguably among the most comprehensively and publicly audited collaboration and communication software on the market. | Edward Snowden uses Signal. | Telegram claims to prioritise security, making it an alternative to other popular messaging apps. | The main advantage of WhatsApp is its reach, but data security is not assured. |
| User numbers | – | More than 10 million | Approx. 8 million | Not specified | More than 10 million | Approx. 400 million | Approx. 2 billion |
| Total points | 1250 | 1250 | 1150 | 1100 | 1000 | 350 | 350 |
Note on server location: Switzerland was assessed as not having the same, but an adequate, level of data protection and was awarded 200 points on the basis of the adequacy decision pursuant to Art 46 GDPR. The USA was awarded 50 points on account of the Privacy Shield, but with considerable uncertainties around Privacy Shield and the CLOUD Act.
Which messengers are particularly problematic when it comes to data protection?
Two of the most frequently used instant messengers received a particularly bad rating in our assessment. The first is WhatsApp: despite being used by around two billion people worldwide for communication, its data protection is sub-optimal because of its parent company, Facebook. The second, surprisingly, is Telegram: with its 400 million users worldwide, it is frequently seen as the shooting star among messengers and (wrongly) as the safe alternative to WhatsApp.
WhatsApp and data protection
Data protection authorities can certainly not give any ‘Likes’ to WhatsApp — especially considering its strong interdependence with its parent company Facebook. Several issues stand out negatively in our assessment:
- Business model: Facebook earns its money with personalised advertising, something that poses a substantial risk to WhatsApp given the growing interdependence of the various products.
- Location: With WhatsApp, data is not stored on servers located in the EU or EEA.
- Protocol: WhatsApp is the only messenger in the assessment to not have a standardised, open protocol.
- Contacts: Possibly the most critical point from a data protection point of view is that WhatsApp requires access to the contacts list stored on the device.
While WhatsApp’s end-to-end encryption of group chats is positive, it must be emphasised that the contents are encrypted for transmission, but not the metadata. This means the company can, in principle, see who is in contact with whom at any given time.
Incidentally, we cannot recommend WhatsApp Business either. The Data Processing Agreement with Facebook does not cover the minimum requirements for data processing and transfer. Again, we must emphasise its interdependence with the data leech that is Facebook.
Telegram and data protection
Another messenger is taking advantage of WhatsApp’s slightly damaged public image: Telegram. Founded by Pavel Durov, a Russian entrepreneur living in exile, it currently has around 400 million users worldwide and is rapidly growing. Its two tangible advantages are the business model which does not rely on advertising, and the open standardised protocol.
But the assessment shows that Telegram absolutely cannot be recommended as an alternative to WhatsApp. Telegram has global server locations, including in countries which have inadequate data protection measures from a European legal point of view. Telegram offers no encryption options in group chats, thereby offering even less than WhatsApp. Thumbs down for Telegram at the office.
Which messengers can be recommended for secure communication?
Rocket Chat is the clear winner in our assessment when it comes to data protection with messenger services. Apps in second and third place, Threema and Wire respectively, can also be recommended without hesitation for communication within companies. Despite otherwise good results, the messenger Signal (personally recommended by Edward Snowden), lost points in our assessment because its server is located in the USA.
Rocket Chat and data protection
The greatest advantage of Rocket Chat as a messenger is that the service can be hosted on your own server, meaning that all data remains within the company. The service can be used via your browser without being installed on your device. In terms of the location of its server (and in all other categories), the app is the only messenger in the assessment to be awarded full points.
For companies, performance and functionality of a messenger are just as important as data protection. The good news: there is no need for Rocket Chat users to compromise. Files, images, and videos can all be sent without issues and the app works on a number of operating systems as well as on Android and iOS.
Threema and data protection
The messenger Threema can be recommended just as strongly as Rocket Chat when it comes to communication that meets data protection requirements. The only reason for the slight deduction in points is its server location in Switzerland. Whether that is an issue is open to discussion, but the fact remains that, when in doubt, a server location in the EU is always better for companies than one outside the EU.
With Threema, you do not have to provide personal details such as your email address or mobile phone number. The app can be used on the basis of a randomly generated Threema ID without accessing your contacts list, but you can enter your name if you like. All communication is secured with end-to-end encryption.
Wire and data protection
Wire Enterprise is a service tailored specifically for communication within companies. To register, you must provide your email address, but the app does not need to access your contacts list. In addition to messenger services, it also offers the option of making Voice over IP (VoIP) calls.
Wire can be used on smartphones and tablets but also on desktop computers. All communication is end-to-end encrypted. Wire is ‘open source’, i.e., the software is transparent and can be checked.
There are, however, two downsides: 1) the server is in Switzerland, where data protection levels are slightly lower than those in the EU and 2) you cannot switch off the feature that allows you to see if your counterpart is currently typing.
Signal and data protection
When it comes to data protection, we cannot entirely recommend using the messenger 'Signal' for communication within companies. Here, our assessment demonstrates just how important the location of the server is. While full scores were achieved in all other data protection-relevant features, physical storage of personal data in the USA, as is the case with Signal, is problematic in terms of data protection law, especially against the background of the ECJ ruling in the ‘Schrems II’ case of 16 July 2020 on the level of data protection in the USA.
Not sure which messenger service to use now for a secure communication? No problem! Our experts would love to give you more details and recommendations. Feel free to reach out!
How do I convince my contacts to switch to a secure messenger?
Data protection is a management task. As such, the use of secure messengers simply must be mandated by companies. The board and management need to lead by example. Be clear: WhatsApp and other unsafe messenger services must not be installed on company phones.
It is more difficult for staff if the use of unsafe messengers in the company is already established and widespread. Here, we recommend speaking to your management or your data protection officer about the issue. Only consider an anonymous report to the data protection authorities if this is unsuccessful despite several attempts.
It is surely most difficult to convince your private circle of friends and acquaintances to switch to a messenger that meets data protection requirements. If you need any help with your argument, it might be worth referring to WhatsApp’s T&Cs which grant WhatsApp full rights of use for private content such as images. It gets lots of people thinking.
Conclusion
All hands should be off insecure messenger services, even if they are convenient and everybody seems to be using them.
If you are part of your company’s management, you are required to lead by example and to set the rules for your company. If you are a member of staff, you at least have good arguments and the clear position of the UK data protection authorities on your side when you attempt to convince your managers of the need for more data protection in messaging. Convenience simply does not pay off in the long run.