Senacon sees no problem in WhatsApp data sharing

image by: Alberto Rodríguez Santana on Unsplash
by Augusto Herrmann on November 25, 2022

It seems so long ago now, when in the beginning of 2021, WhatsApp, the leading messenger app in Brazil, used daily by 95% of Brazilians for everything from family chat to commercial transactions, caused a stir when they decided that they would change their privacy policy to share data with its parent company, then called Facebook, now Meta. Users would be required to accept the new policy if they wanted to continue using the app.

After the PR disaster this change caused, WhatsApp decided then to postpone the change in Brazil. The new rules would also not apply to Europe, allegedly due to the strong personal data protection framework there. However, Brazil does have a data protection law very similar to the European GDPR: the LGPD. As Michel de Souza, director of public policies of the non-profit Derechos Digitales puts it:

Our data law is heavily inspired in the European regulation. So why don’t they apply the same policies here?

Later in 2021 the change went into effect anyway. Anyone who did not opt out of the data sharing within a 30 day window opened in 2016 is submitted automatically to the new rules.

According to Instituto Brasileiro de Defesa do Consumidor – IDEC, (Brazilian Institute for Consumer Protection), a local non-profit CSO focused on consumer protection, the data sharing violates not only the LGPD, but also the Brazilian Consumer Protection law, because it constitutes a “forced consent”. In 2016 they produced a report detailing the reasons.

Today, the Secretaria Nacional de Defesa do Consumidor – Senacon (National Secretariat for Consumer Protection), the federal government body responsible for enforcing consumer protection in Brazil, has published in the National Official Gazette a decision regarding the matter. They say that the WhatsApp data sharing practice does not violate Brazilian consumer protection law and close the case:

Request for clarifications by this Department of Consumer Protection and Defense. Information provided by the ascertained. Absence of violation to consumer legislation. Suggestion of closure. Accepting the reasons expressed in Technical Note no. 42/2022/CGCTSA/DPDC/SENACON/MJ (20929036) which become part of the present decision, I determine: closure of the present case,

Source: Despacho n.º 1.573/2022, in today’s Diário Oficial da União (National Official Gazette), section 1, page 204, rectified by Despacho n.º 1.613/2022, in D.O.U. for 1/12/2022, section 1, page 59.

Brazilian Government rubber stamping Meta’s practices

The decision follows an unfortunate trend of the Brazilian government deciding in favor of market expansion of Meta in Brazil. In 2016, regarding the company’s practice of paying local telcos for keeping its apps out of the mobile internet data transfer limits, a deleterious practice that is used to this day known as zero rating, the telco regulator Anatel decided in favor of zero rating, suggesting that the practice could be even beneficial:

As set forth by the analysis, in addition to the efficiency gains that I have just demonstrated, it’s perceivable that the practice of different prices, hereby charged by Ministério Público Federal (federal public prosecutor office) at the CADE (Administrative Council of Economic Defense, responsible for antitrust enforcement), does not produce limiting effects to the innovation capacity and disruptive character of the content provision market and, for that reason, does not constitute barriers to entry therein.

Part of Anibal Diniz's decision, Anatel's Councilman, in favor of zero rating, dated 9th November 2016

Part of Anibal Diniz's decision, Anatel's Councilman, in favor of zero rating, dated 9th November 2016.

This is despite the Brazilian internet law, Marco Civil da Internet, explicitly mandating net neutrality in article 9:

Art. 9 The party responsible for transmission, commutation or routing has the duty to deal in isonomic fashion any data packages, with no distinction made for content, origin and destination, service, terminal or application.

Source: Marco Civil da Internet

The decision was also rubber stamped by CADE, which decided in 2018 that zero rating did not constitute an anti-competitive practice and did not violate anti-trust laws.

We all know the result: WhatsApp became even more dominant than before in Brazil in the following years, with no other messaging up even getting close to WhatsApp’s share in quantity of users. The massive disinformation campaigns waged in WhatsApp in the same year, according to Yasodara Cordova, then a researcher at the Berkman Klein Center for Internet & Society at Harvard University, did heavily influence elections that year.

Future of Whatsapp users’ data sharing

According to IDEC, the case is still pending at the Brazilian data protection authority, ANPD, which recently gained independence, gaining the legal status of an autarchy.

However, today’s decision is certainly a win for meta, and a loss for the privacy of millions of Brazilians.

Meanwhile, people can always use more privacy respecting messengers like Signal or Element. The trouble is getting their contacts to use the same app, as most people tend to resist using anything different to what they are used to – notwithstanding the matter that that acquaintance was forced upon them by a giant company using shady business tactics.

I hate reading privacy policies as much as anyone else. That’s why I recommend everyone to check and see if a privacy policy has already been evaluated by ToS;DR before they sign in to, or continue using, any service. And to contribute an evaluation if it has not.

Edited: to include reference to the article about terms of service and to include the rectifying decision by Senacon, which changed the number of the referenced Technical Note.

Update (24/12/22): after having access to the technical note that supported this decision, I have written another post analysing it.