WhatsApp Privacy News

A U.S. federal court found NSO Group liable for hacking 1,400 WhatsApp users with its Pegasus spyware, ruling the company violated state and federal hacking laws and WhatsApp's terms of service. The landmark ruling affirmed that spyware makers can be held legally accountable for enabling surveillance of platform users. A jury subsequently ordered NSO Group to pay over $167 million in damages.

The UK's Online Safety Act received Royal Assent, becoming law despite strong opposition from WhatsApp, Signal, and other encrypted messaging services. While the government signaled it would not immediately force platforms to scan encrypted messages, the law retained the power for Ofcom to mandate 'accredited technology' for content scanning, keeping the threat to encryption alive.

WhatsApp updated its EEA privacy policy to set 'legitimate interest' as the legal basis for data processing, following the January 2023 DPC ruling that found the previous 'contract' basis invalid. Under the new framework, users gained the right to object to their data being used under legitimate interest, marking a shift in how WhatsApp justifies its data processing in Europe.

WhatsApp launched Channels, a one-to-many broadcast feature, globally in over 150 countries. While designed as a 'private way to follow what matters,' Channels are not end-to-end encrypted by default, unlike regular WhatsApp messages. Channel history is stored on WhatsApp servers for up to 30 days, representing a departure from the platform's encryption-first messaging model.

WhatsApp threatened to leave the UK if the Online Safety Bill's encryption provisions passed into law. The bill gave regulator Ofcom powers to require platforms to scan encrypted messages for child abuse content using 'accredited technology,' which WhatsApp and security experts argued would fundamentally undermine end-to-end encryption for all users worldwide.

The Irish DPC fined WhatsApp an additional 5.5 million euros for GDPR breaches related to its legal basis for data processing. The European Data Protection Board overruled the DPC's initial finding, determining that WhatsApp could not rely on 'contract' as a legal basis for processing personal data for service improvement and security purposes. WhatsApp was ordered to achieve compliance within 6 months.

WhatsApp launched Communities, a feature enabling larger structured groups of up to 1,024 users for organizations, schools, and clubs. While phone numbers were hidden from the wider Community and only visible to admins and sub-group members, privacy advocates raised concerns about potential misuse for coordinating illegal activity, similar to problems seen in Facebook Groups.

The Irish Data Protection Commission fined WhatsApp Ireland 225 million euros for GDPR violations, the largest DPC fine at the time and second-largest ever under EU data law. The fine addressed failures to provide transparent privacy information to both users and non-users. The amount was quadrupled from the original 30-50 million euro proposal after objections from eight EU regulators.

WhatsApp filed a lawsuit against the Indian government challenging the IT Rules 2021, which required messaging platforms to enable traceability of the 'first originator' of messages. WhatsApp argued compliance would require breaking end-to-end encryption for all users by adding permanent identity stamps to every message, violating constitutional privacy rights.

WhatsApp announced a controversial update to its Privacy Policy and Terms of Service requiring users to accept expanded data sharing with Facebook for business interactions. The update triggered a massive backlash, with millions of users migrating to Signal and Telegram. Signal gained 4.6 million new users in days. WhatsApp was forced to delay enforcement from February to May 15, 2021.

WhatsApp's lawsuit against NSO Group, filed in October 2019, continued to advance through U.S. courts. WhatsApp alleged that NSO Group exploited a vulnerability in its audio calling feature to deploy Pegasus spyware to approximately 1,400 devices belonging to journalists, activists, and diplomats. The case established important precedent for platform liability in spyware attacks.