Last week, data protection lawyer and Partner at Hassans’ Michael Nahon received confirmation from WhatsApp that their European Privacy Policy would apply to Gibraltar residents going forward.

Whilst checking WhatsApp's privacy policy updates at the beginning of this year, Michael noticed that the instant messenger giant was to operate two privacy policies side by side – one for the European Region, and the other for the Rest of the World - and that Gibraltar had been left out of the European Region. He contacted them urging them to amend their definition of European Region to include Gibraltar, thereby bringing local users of the service within their European Privacy Policy framework.

WhatsApp’s European Privacy Policy is designed to provide the high privacy standards of protection required under the General Data Protection Regulation (GDPR), but WhatsApp only apply it to countries falling within their definition of the European Region. The privacy policy which applies to the Rest of the World - and which WhatsApp would have applied to Gibraltar users – is not tailored to the GDPR.

Michael wrote to WhatsApp explaining that as a result of Brexit, Gibraltar had implemented GDPR equivalent legislation into domestic law, known as the “Gibraltar GDPR” .

“Gibraltar GDPR has the same rights and standards, and the same extra territorial effect provisions as the GDPR and the UK GDPR. So even if your organisation is not based in Gibraltar but you offer goods or services into Gibraltar, or if you monitor the behaviour of our residents, local data protection law can apply.

"The fix was simple. WhatsApp wrote back saying they would be making amendments and when I checked again, Gibraltar had been included.”

Michael said the development was important to ensure privacy standards are maintained in a post-Brexit environment.

“We must try to align ourselves as closely as possible to European Data Protection standards. Being bundled in with the Rest of the World would have made it harder for local users to enforce their privacy rights - it certainly would have placed them at a severe disadvantage compared to their European counterparts”. 

This has come at a time of increased global scrutiny of WhatsApp and its privacy practices, in particular following changes that were announced making the mandatory sharing of data with business partner and social media behemoth, Facebook.

In reference to safety, Michael says that “safe is a relative term” depending on the content of the information, but that not much has changed for individual users and that he would, for the time being, continue to use WhatsApp for social purposes.

As regards confidential information, end to end encryption is still a central feature of the service, meaning that WhatsApp cannot see the messages themselves. However, Michael acknowledged that WhatsApp had been criticised when compared to other instant messaging service providers as to the volume of metadata it shares with third party partners and urged caution.

“You need to think carefully when using instant messaging services generally.” “Hacking risks exist, especially when data is backed up from your phone into the cloud - it might not be encrypted, and once information is there, it’s outside of your control.”