Private messaging apps are increasingly subject to regulatory scrutiny in many jurisdictions.
In the United States, toward the end of 2022, the Securities and Exchange Commission and the Commodity Futures Trading Commission sanctioned several prominent financial institutions for (among other things) the use of such technology.
In the UK, following the Daily Telegraph's recent reporting on over 100,000 leaked messages sent using private messaging apps, in which ministers discussed important UK government business and made important decisions during the global COVID-19 pandemic (the so-called “Lockdown Files”), UK Information Commissioner John Edwards has stressed the importance of keeping good records when using such apps.
Edwards emphasized the need to keep public records of such personal messages for clarity and accountability, and to facilitate learning from previous experiences. While he did not go so far as to suggest that the use of private messaging apps to conduct government business should be prevented, it is clear that such use should be prevented if the relevant messages are not properly documented and retained. He said there is a risk that decisions made using such technology will be lost from the public record.
Edwards’ comments follow a 2022 report on similar issues resulting from a 12-month investigation by the Information Commissioner’s Office (ICO). The report notes that the lack of clear rules on the use of private messaging apps in the conduct of government business, and their rapid proliferation, can result in sensitive information being misplaced or unsecured. It points out that government accountability and transparency may be undermined.
Although not entirely analogous, the Information Commissioner’s comments serve as a reminder to all organizations that process personal data of the importance of properly regulating their employees' use of communications technology in order to ensure compliance with their obligations under applicable data protection laws, such as the EU General Data Protection Regulation 2016/679 (EU GDPR), the UK Data Protection Act 2018 (DPA) and the UK GDPR (as defined in the DPA).
For example, under the EU GDPR and the UK GDPR, organizations that handle personal data are required to implement “appropriate technical and organizational measures” to ensure that all personal data is processed securely. Fulfillment of such obligations includes, among other things, conducting risk assessments and implementing comprehensive policies and procedures to ensure the security of personal data.
As part of this, organizations should consider implementing information security policies that control employee use of certain technologies, such as private messaging apps, and employee use of personal devices (a “Bring-Your-Own-Device” policy), in any case for business purposes. This is because the use of such technologies and devices may increase security vulnerabilities (although the organization also needs to make sure that the relevant security policies comply with applicable requirements regarding employee monitoring).
Other relevant data protection obligations that data controllers should consider when allowing the use of private messaging apps in a business context include (among other things) the following requirements:
- Process personal data fairly, lawfully and transparently.
- Ensure that personal data is accurate and up to date.
- Retain personal data only for as long as necessary for the purpose for which it was collected.
- Maintain adequate and comprehensive records of personal data processing activities.
These requirements can be even more difficult to comply with if the use of certain communication technologies within the workplace remains uncontrolled.
The use of private messaging apps will undoubtedly continue, and the popularity of such technologies may continue to grow. As noted by the Information Commissioner, “New technology brings new opportunities. These obviously play an important role in keeping us connected.”
That said, regulatory oversight in this area is likely to continue, whether in relation to government business, other public sector organizations, or the private sector. With this in mind, we encourage organizations to consider how to ensure that the use of these technologies within their business is governed in an appropriate and compliant manner.
“Those who cannot remember the past are doomed to repeat it.” Philosopher George Santayana would barely have understood a WhatsApp message, but his 100-year-old quote is very prescient this week.