2 March 2021

How Do WhatsApp’s New Regulations Align with Data Protection Requirements?

It’s not just data protection officers who view WhatsApp and similar services with skepticism. Fortunately, European-based alternative messaging platforms can help alleviate these concerns.

The State Commissioner for Data Protection (LfD) of Lower Saxony delivers a clear verdict: “Using WhatsApp for business communication violates the General Data Protection Regulation (GDPR).” Similarly, the Federal Commissioner for Data Protection has stated that “using WhatsApp is prohibited for federal authorities.”

Private users need not delete the popular app from their devices – but using it to communicate with colleagues may pose legal risks. Moreover, WhatsApp’s privacy policy update, announced for May 2021, alarmed many users. However, Niamh Sweeney, WhatsApp’s Director of Policy, has since confirmed that EU users will experience no changes as a result of the update. The revisions do not affect data sharing between WhatsApp and its parent company, Meta (formerly Facebook), within Europe. According to WhatsApp’s official privacy guidelines, nothing has changed for users in the EU.

U.S.-Based Messengers Raise Concerns

While numerous messaging apps exist, most originate in the United States – and thus offer no real data protection advantages over WhatsApp. In July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, which had governed transatlantic data transfers. As a result, European companies’ use of U.S.-based messaging services is generally problematic under GDPR.

Two U.S.-based services – Telegram and Signal – market themselves as privacy-compliant. While Telegram has drawn criticism, Signal is backed by a nonprofit foundation. It emphasizes privacy compliance and displays no advertising. Nevertheless, its U.S. headquarters remain a liability: Signal remains subject to U.S. laws and government oversight – and potentially opaque data practices by the provider.

“For globally active companies, GDPR-level data protection isn’t always the decisive factor when selecting a messaging service. What matters more is reach – i.e., the ability to connect with business partners. That means brand recognition and user base size. WhatsApp reaches approximately 2 billion users; WeChat, 1.3 billion; Telegram, 500 million; Signal, 50 million. Beyond that, adoption drops sharply.

Notably, many companies are unfamiliar with the terms of service of the messengers they use – terms that often include obligations they simply cannot meet.

While technical measures exist to secure messenger usage, they tend to be costly and cumbersome for end users. Companies operating exclusively within Europe should therefore prioritize European alternatives.”

European Solutions Are in Demand

Fortunately, several GDPR-compliant alternatives are available in Europe:

  • Threema, based in Switzerland, collects no user data and displays no advertising. According to the company, its solution is 100% GDPR-compliant.
  • Wire, headquartered in Germany and Switzerland, guarantees that all user data remains stored exclusively within the EU – ensuring full GDPR compliance.
  • Ginlo, developed in Munich, is 100% “Made in Germany” and fully compliant with EU data protection law. Secure communication with colleagues and external partners is thus assured.

Regardless of which messenger your organization ultimately selects for professional use, msecure is happy to advise you on all aspects of corporate information security.

Key Facts

Data Subject Rights: Since 2018, the number of access requests under Article 15 GDPR has increased by over 400 percent.

Breach Notification Obligation: Personal data breaches must be reported to the supervisory authority within 72 hours.

Frequently Asked Questions

What penalties apply for GDPR violations?

Fines of up to €20 million or 4 percent of global annual turnover – whichever is higher. Affected individuals may also pursue civil damages.

What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a systematic evaluation of the risks posed by a given data processing activity to the rights and freedoms of data subjects. It is mandatory whenever processing is likely to result in a high risk – for example, in cases involving profiling, video surveillance, or processing of special categories of personal data.

Does the GDPR apply to small businesses?

Yes. The GDPR applies universally to any organization – regardless of size – that processes personal data of EU residents. Small businesses benefit from limited exemptions (e.g., no obligation to maintain a record of processing activities if fewer than 250 employees and processing poses no high risk), but must still comply with all core GDPR principles.

Header Image Source: Adobe Stock / andranik123

TL;DR

  • WhatsApp’s May 2021 privacy policy update alarmed many users.
  • In July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, which had governed data transfers to the U.S.
  • Threema’s solution is, per company statements, 100% GDPR-compliant.
  • Ginlo, developed in Munich, is 100% “Made in Germany” and thus fully data protection-compliant.

About the author: Tobias Massow

A magazine by Evernine Media GmbH