Thomas Faas, lawyer and specialist lawyer for employment law. Partner at Küttner Rechtsanwälte in Cologne.

© BVAU e.V.

What it's about: The simultaneous use of WhatsApp and Outlook on a work smartphone is widespread these days. However, the considerable liability risks associated with this are often overlooked or ignored. Anyone who cannot or does not want to take technical precautions to prevent automated address book access by WhatsApp should avoid WhatsApp altogether for themselves or as a company for their employees and switch to other messenger services if necessary. This applies in particular to lawyers and in-house lawyers.

The initial situation

Internet-based instant messenger services such as WhatsApp have now replaced traditional forms of mobile communication such as SMS. In January 2018, around 1.5 billion people worldwide were using WhatsApp to send and receive text messages. The sending of image and video files or voice telephony (Voice over IP) via WhatsApp is also becoming increasingly popular. Due to its widespread use and ease of use, WhatsApp is installed on many smartphones that are used not only for private purposes, but also at least for business. In the case of professional use, MS Outlook or another email client is usually also installed, which is used by default to exchange contact data between the professional mail server and the smartphone address book.

How WhatsApp works

The relevant current WhatsApp terms of use (as of April 24, 2018) stipulate that users regularly provide the operator of the service with the telephone numbers of WhatsApp users and other contacts in their cell phone address book 'in accordance with applicable laws', including both the numbers of WhatsApp users and those of other contacts of the smartphone owner. For WhatsApp users from the European Union, the recipient of the data transferred in this way from the smartphone's digital address book or contact directory has been WhatsApp Ireland Limited, based in Dublin, Ireland, since the change to the terms of use in April 2018. Non-private use of WhatsApp is excluded, subject to approval by WhatsApp.

From a technical point of view, WhatsApp automatically reads the user's complete address book immediately after activation and initial installation on the smartphone and transmits the telephone numbers and names in clear data form to a WhatsApp server via an Internet connection. This process is repeated at unspecified periodic intervals during the further use of WhatsApp. As this applies equally to all WhatsApp users, this ultimately leads to forced networking of all WhatsApp users.

Judgments of the Bad Hersfeld Labor Court

According to two legally binding decisions by the Bad Hersfeld Labor Court on 20 March 2017 (F 111/17 EASO) and 15 May 2017 (F 120/17 EASO), the use of WhatsApp is legally problematic in many cases. In family court proceedings, the court issued temporary orders in accordance with Section 1666 of the German Civil Code (BGB) to safeguard the welfare of the child and issued the following guiding principle, among others:

'Anyone who uses the messenger service "WhatsApp" continuously transmits data in clear data form from all contact persons entered in their own smartphone address book to the company behind the service in accordance with the technical specifications of the service. Anyone who allows this continuous transfer of data through their use of "WhatsApp" without first obtaining permission from their contacts from their own phone address book is committing a criminal offense against these persons and is putting themselves at risk of being warned by the persons concerned for a fee.

Implications for practice

Anyone who uses Outlook for professional purposes on their smartphone in addition to WhatsApp for private communication without further technical precautions can generally hardly avoid committing a criminal offense due to a violation of the right to informational self-determination. Obtaining individual permission to pass on data from possibly several hundred contacts is usually illusory. An implied consent to the transfer of data to WhatsApp cannot be derived from the mere disclosure of one's own telephone number in business dealings. In addition, there will inevitably always be address book entries whose owners do not use WhatsApp at all.

In addition, the General Data Protection Regulation applies to the processing of personal data for purposes that are not merely private (Art. 2 (2) (c) GDPR). From 25.05.2018, unauthorized data transmission will be subject to significantly more severe fines (Art. 83 GDPR). Anyone who, as the owner or representative of a company, fails to take the supervisory measures necessary to prevent data protection violations may also be personally liable in addition to the company (Sections 130, 9 OWiG). Finally, lawyers and in-house lawyers (at least in the context of independent mandates) are subject to special confidentiality sanctioned under criminal law regarding client matters, which may also include the mere existence of a contact (Section 203 para. 1 no. 3 StGB). Since 01.01.2018, the organizational and technical measures required to protect client confidentiality must be taken that are appropriate to the risk and reasonable for the legal profession (Section 2 (7) BORA new version).

Possible solutions

This raises the question of an appropriate response. Professional mobile device management solutions for setting up separate user profiles or containers for professional and private communication on the same smartphone are now technically mature, but involve high costs and administrative effort. They are generally not an option for smaller companies or lawyers in small and medium-sized law firms.

Limiting WhatsApp access permissions to smartphone contacts via the device's control panel is only technically possible on Apple devices. However, its effectiveness is not beyond doubt.

Switching off the automatic synchronization of Outlook address book contacts between the work mail server and smartphone leads to a considerable loss of convenience.

The safest way is therefore to stop using WhatsApp by deleting the account and uninstalling the app. If necessary, the use of an alternative, data protection-compliant messenger service such as Signal or Threema is recommended. Using separate devices for professional communication (without WhatsApp) and for private communication (without Outlook) has the same effect.

Thomas Faas is a lawyer, specialist lawyer for employment law and partner at Küttner Rechtsanwälte in Cologne. The article was first published on the expert forum on employment law .