Introduction

Before the onset of COVID-19, many firms did not permit the use of WhatsApp in a work context. However, many employees are now working remotely in response to the government's guidance to avoid non-essential social contact and travel with effect from Monday March 16 2020, and certain firms may be contemplating relaxing their WhatsApp policy in order to provide their employees with a mode of informal communication with team members to keep up morale and a sense of team spirit in the absence of any face-to-face contact.

What are the risks?

Whilst such team chats might start out as an anodyne forum for sharing pet photos, jokes and banter, risks could arise for firms where communications on WhatsApp become the norm and slip into work-related messages which could be disclosable in the context of any subsequent regulatory enquiry or litigation (particularly where team members start communicating on a one-to-one basis). The unguarded, informal nature of these WhatsApp chats has proved fertile ground for the FCA in the past. Christopher Niehaus, a former investment banker, shared confidential information on WhatsApp in relation to deals he was working on with a view to impressing friends rather than with any intention that the information should be acted on. Despite this, as an approved person, he was fined £37,198 for failing to act with due skill and care (in breach of Statement of Principle 2). In addition, Konstantin Vishnyak is facing criminal prosecution for the alleged deletion of his WhatsApp application in the context of an insider dealing investigation by the FCA. Such cases provide good reason for regulated firms in particular to revisit their communications and monitoring policies around the use of WhatsApp, although this article considers the position whether or not a firm is regulated.

A firm may be unable to monitor such communications through an automatic right of access, although this would depend on factors such as the wording of any policy and whether WhatsApp messages are held on a work or personal device.

Can firms get access to WhatsApp messages?

There are a number of hurdles that complicate accessing WhatsApp messages:

WhatsApp's acceptable use policy prohibits "any non-personal use of the WhatsApp services unless authorised by WhatsApp". B2B (business-to-business) use is not contemplated (WhatsApp Business is B2C (business-to-consumer)) and WhatsApp's service contract is with the employee, not the firm, so non-court-sanctioned remote access via the service provider, WhatsApp Ireland Limited, is not possible.

If WhatsApp is being used on a firm-owned device, the firm could require the employee to surrender the device to the company's IT department where this is provided for under the firm's information systems use policy.

However, before the IT department resets the device password to access its contents, it must consider the following:

– what does its IT systems policy say about use of WhatsApp? Is it prohibited? Does it include a provision stating that if prohibited apps are used for work purposes the firm retains the right to access the app to obtain work-related communications? For what purposes – for its commercial purposes, or just in the event of litigation or regulatory investigation? Or is use of WhatsApp permitted? Just for business purposes? Or for business and non-work purposes? In which case, again, does the policy allow a right of access for the firm?

– if the policy allows use only for business purposes, then accessing it should be acceptable (albeit a breach of the WhatsApp acceptable use policy), as the employee should have no expectation of privacy in respect of the WhatsApp communications. It will be absolutely essential that the firm's right to access, and for what purposes (and that those purposes are proportionate), is articulated in the IT systems policy.

– as most firms allow some personal use of work systems, any access and review of such communications will need to be undertaken in a privacy-friendly manner. This involves targeted searching for the required information and an initial review of the responsive material by persons who would not ordinarily deal with the individual (eg outside counsel) to filter out any personal, non-work-related communications before the remainder is used for the intended purpose. This is often referred to as a "privacy review protocol".

– if the IT systems policy allows mixed use of the platform, it is even more important that the firm's right to access and the proportionality of that access are clearly articulated and brought to the attention of the employee, and that the privacy review protocol is used.

– if there is no policy on using WhatsApp and no clear notice that WhatsApp communications will be accessed, complying with the GDPR and the European Convention on Human Rights right to private life and correspondence will be difficult to achieve.

The position becomes more complex if the device is owned by the employee and WhatsApp is installed outside any mobile device management container installed as part of a Bring Your Own Device programme:

– the same policy position as for firm-owned devices could be extended to employee-owned devices in these circumstances. However, it is doubtful that compelling employees to surrender devices they own and use predominantly for personal purposes would be proportionate in ECHR terms, and therefore the firm's ability to obtain access will be uncertain without a compelling reason (eg misconduct akin to a criminal offence).

Obviously the position is even harder if there is no BYOD programme and the employee is just using his/her own device for convenience, as expectations of privacy are higher (and in these circumstances a number of factors would need to be considered).

It should be noted that in some regulated industries the employee may have a duty him/herself to retain these communications if he/she does not use the employer's work systems. This can be persuasive in obtaining an employee's voluntary cooperation with the firm undertaking a search using a privacy review protocol.

Can a firm monitor the use of a WhatsApp account?

The firm should not monitor a WhatsApp account if it is on an employee-owned device outside of the mobile device management container (and this is generally only technically possible if the firm installs monitoring software on the phone).

Although the firm may be able to physically monitor WhatsApp if it is installed within a mobile device management container, or by using software installed on a firm-provided device, it will be harder to give counterparties notice that such communications may be monitored if the firm is not able to apply a footer stating this, or a link to its privacy policy, to WhatsApp messages.

If a firm is able, and intends, to monitor WhatsApp accounts, a privacy impact assessment would need to be undertaken, and it is unlikely that such monitoring would be seen as proportionate without significant privacy safeguards such as data capture that only triggers in the event of egregious policy breaches. Again, clear notices will be key. The scope of potential monitoring must not be set broader than is justified, as this will be seen as stifling self-determination if employees think all communications can be read even if they are not. In reality it will be difficult to maintain that such monitoring would be justified unless WhatsApp was used as an officially sanctioned and mainstream internal or B2B communications channel of the firm.

What other privacy concerns arise?

The inability to access or monitor key business communications reliably is the top concern.

Although WhatsApp communications are famously end-to-end encrypted, as with any external communication, once it has left the firm's servers or applications, control of the security and further use of the contents has effectively been surrendered. The ease with which groups are expanded and the informal, non-work personal use of WhatsApp make it more likely that confidential information will be disseminated more widely than would be the case if employees were restricted to formal email channels that they know are routinely monitored. If the firm uses WhatsApp groups to communicate, it is also quite possible that employees will remain party to those groups once they leave the firm and continue to receive confidential information.

Once WhatsApp becomes an officially sanctioned communications channel, it is quite likely that the firm will become the controller of the work-related communications in it, possibly as a joint controller with the employee (as the household exemption will be lost for work-related communications). This raises the spectre of having to search WhatsApp chats in response to subject access requests. Given that the firm will be reliant on employees using WhatsApp to provide chats to it, and that their WhatsApp account is likely to contain a mixture of work and non-work-related chats, sorting these communications and redacting them in response to a subject access request is likely to be fiddly and time consuming.

This post sets out the UK position. The issues that WhatsApp presents in other jurisdictions differ – for example, in France and Germany obtaining access to apps predominantly used for personal, non-work-related communications is difficult without a court order and is otherwise subject to criminal sanctions. Additionally, many continental European countries would require consultation with, or the consent of, works councils or trade unions to implement policies that allowed monitoring of or access to such communications.