Findings under the Personal Information Protection and Electronic Documents Act(PIPEDA)PIPEDA Report of Findings #2013-001Report of FindingsInvestigation into the personal information handling practices of WhatsApp Inc.January 15, 2013Complaints under the Personal Information Protection and Electronic Documents Act (the “Act”)1. On January 26, 2012, the Office of the Privacy Commissioner of Canada initiated a complaint against WhatsApp Inc. (“WhatsApp”), a California corporation, pursuant to subsection 11(2) of the Act, having reasonable grounds to believe that it was collecting, using, disclosing and retaining personal information in a manner contrary to certain provisions of Schedule 1 of the Act.2. The investigation was conducted in collaboration with the Dutch Data Protection Authority (College bescherming persoonsgegevens) and focused on alleged privacy violations concerning consent, limiting collection, limiting use and retention, and safeguards. The investigation was limited to privacy issues identified during the period January 26, 2012 through November 30, 2012.3. WhatsApp was notified of the complaint on February 16, 2012 and cooperated fully with our investigation.4. Representations were received from WhatsApp from March 22, 2012 through to January 4, 2013. On October 15, 2012, based on the results of our investigation, our Office issued a preliminary report of investigation to WhatsApp (“Preliminary Report”). In our Preliminary Report, we made recommendations to WhatsApp with the aim of ensuring that it was meeting its obligations under the Act vis-à-vis the issues we investigated. This report of findings reflects those recommendations and WhatsApp's response.Introduction5. WhatsApp Inc. owns and operates “WhatsApp Messenger” (hereafter “the application”), a cross-platform mobile messaging service which allows individuals to exchange messages on their mobile devices through the Internet rather than by short message service (SMS). The application is available on a variety of mobile devices and platforms, including Apple's iPhone, Research in Motion's BlackBerry, and Google's Android. In addition to basic messaging, the application allows users to send and receive images, video and audio media messages.6. WhatsApp is a US corporation registered and headquartered in California. WhatsApp actively promotes and distributes its service to Canadians. At the time our investigation was initiated, the application was considered one of the top-five best selling apps in the world, and was widely used by Canadians. By some estimates, the application is said to facilitate the transmission of over one billion messages per day globally.7. At the time our investigation was initiated, a subscription to use the application cost $0.99. The application operates free of advertising, and messages sent and received using the application are free of charge to users, but for applicable network data fees. According to WhatsApp, it does not currently sell marketing data and does not share personal information with third parties. Personal information means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.Enrolment and account registrationIssue8. Based on a technical review of the application, our Office initiated a complaint in respect of WhatsApp's service registration process to investigate whether that process allowed for unauthorized access to a user's account, contrary to Principle 4.7 of Schedule 1 of the Act. More specifically, this Office investigated whether a user's WhatsApp account could be used prior to the completion of the user authentication process, thereby allowing a third party to create and control accounts associated with phone numbers which they did not own.Summary of Investigation9. Individuals may download WhatsApp's messenger service from a variety of on-line stores. In some cases, the application is