GDPR and Other Privacy Laws
In addition, the lack of centralized data management can lead to potential violations of the General Data Protection Regulation (EU) 2016/679 (GDPR) or similar privacy laws in other jurisdictions, as applicable. For example, many of these apps have the ability to access contact data in users’ mobile address books, and the app providers’ terms of use tend to place the burden on users to obtain consent from their contacts for this data sharing. Realistically, however, it seems unlikely that a typical app user would reach out to all their contacts to obtain approval to share their contact data with WhatsApp. Moreover, to the extent personal data is exchanged over a consumer messaging application, it is questionable whether a company can fully comply with a request to delete someone’s personal data under the GDPR or similar legislation if that person’s data exists on various individual phones and in the app provider’s Cloud for which the company exerts no control.
Spoliation and Adverse Inferences
The use of consumer messaging applications for business communications can also lead to claims of spoliation and adverse inferences where a company cannot comply with document preservation obligations. E.g., In Siras Partners LLC v. Activity Kuafu Hudson Yards LLC, 100 N.Y.S.3d 218 (2019). Relatedly, if a company is obliged to produce communications within these apps, the company would need to physically collect mobile devices from the relevant employees. This can be administratively burdensome, and in any event, the data remains vulnerable to deletion or loss by users until the company actually collects the data.
How to Mitigate the Risks
Theoretically, companies can eliminate the risk of consumer messaging apps by prohibiting their use for business communications. However, a complete ban may not be practicable for some companies, particularly when their customers or clients prefer using these apps over traditional communication methods or when employees have become accustomed to using them. Moreover, to the extent employees use the apps anyway, the company may face liability if it fails to take action to curb unauthorized use or remains willfully blind to it.
Where a complete ban is not feasible, companies may decide to take a risk-based approach focused on actively managing usage of these apps. In doing so, practitioners should consider the following:
- Limit usage to employees with a business need. Instead of permitting usage of the apps by all employees, a company may decide to limit usage to those who have been approved (e.g., by company management) to use the app in light of a demonstrated business need.
- Clearly identify acceptable and unacceptable types of communications. For example, a company may limit usage of the apps to non-substantive communications such as scheduling meetings or coordinating logistics. Alternatively, where there is a business need, a company might permit substantive communications but prohibit certain types, such as discussions regarding confidential business strategies or pricing, customer disputes, or similar matters.
- Provide clear instruction in regard to employees’ legal and regulatory preservation obligations. For example, employees subject to a legal hold may be asked to cease using the apps for the duration of the hold, or if that is not feasible, they may be instructed to refrain from discussing any topics subject to the hold.
- Train employees on acceptable usage. Once policies and procedures addressing usage of the apps are implemented, it is important to train employees on new guidelines and provide supplemental (e.g., annual) training to remind them regarding proper usage and to highlight key provisions for ongoing compliance.
- Explore vendor solutions that may allow for centralized data management. For example, there are vendors that provide contact software solutions that can capture customer interactions across various mobile messaging communication channels through partnership with the app providers. While these solutions may be cost prohibitive or even unavailable in certain industries, it may resolve at least some of the company’s data management concerns.
All in all, companies should ensure its acceptable use policies and procedures take into account new and emerging types of communication platforms and implement ground rules to mitigate risks associated with those platforms.