A city council is sanctioned for adding people to a WhatsApp group despite having permission: this is the way to avoid it


Carelessly handled WhatsApp groups can be a danger to both the administrator and the participants in them.. In 2017, the AEPD condemned (although it did not financially sanction) the municipality of Boecillo (Valladolid) for creating a group in which a councilor put 255 people to inform them of what was happening in the municipality.

Four years later, a sports club in Córdoba was fined 4,000 euros for adding a former member to a WhatsApp group without her permission, ten years after the relationship between the two had ended.

Is now another town hall (that of Tiana, Barcelona), is that just been sanctioned by the regional data protection institution for having added users to a WhatsApp group of municipal information.

However, there is something different in this case: now the explicit permission of each user had been obtained. Then, Why this penalty?

Prior permission does not prevent us from being sanctioned if we violate other privacy elements

Indeed, in this case, the Catalan Data Protection Authority (APDCAT) has not sanctioned the council for lack of prior consent from the users of the group, which in fact they had.

No, the sanction to the Tiana City Council derives from the fact that a WhatsApp group necessarily exposes the data of the members, violating the regulations, in the same way that a massive email that exposed the email addresses of the recipients would violate it.

This is where what Ángel Benito, a lawyer from the group of privacy specialists ‘Secuoya Group’, defines as one of the basic principles inscribed in the European Data Protection Regulation (RGPD) comes in: the principle of “data protection by design”.

“This principle comes to mean, broadly speaking, that privacy requirements (confidentiality, integrity, and availability of data) must be considered from the earliest stages of designing products, services, or, as is the case, applications.”

In other words, what is being held in the face of the city council is that did not adopt the necessary measures to prevent group users from having access to certain personal data of the rest of the participants when they do not previously know each other

… even if this is not something that depends on the city council, but on the very nature and functionalities of the app or the configuration applied by the user himself. But in this case, the council did not even have to do without WhatsApp: it would have been enough to opt for another functionality different from the app.

No, ‘distribution list’ and ‘groups’ are not the same

The Tiana city council stated in its allegation that “any user of the WhatsApp platform already knows that this will happen the moment they access a distribution list.” The problem is that ‘group’ and ‘distribution list’, both WhatsApp functions being similar to each other, are not the same.

Diffusion lists on WhatsApp: what they are for and how to create, modify and delete them

In fact, * the consistory actually opted for the first of the same, while in its writing the APDCAT made it clear that he would not have breached the regulations if he had opted for the second: the ‘distribution list’, which allows only one-way communication, with only administrators being able to send messages.

“If the city council was aware that it could not guarantee the principle of confidentiality with the creation of a WhatsApp group, what it had to do was refrain from using this tool and look for others that did not involve the violation of said principle.”

“[Sin embargo,] all WhatsApp has an option that allows guaranteeing the principle of confidentiality when you want to send messages to several recipients or contacts […] the people included in the distribution list do not know who the other members of the list are and, therefore, cannot access the data of the rest “.

In other words, the only way for this or any other public institution to avoid falling into the same punishable error is, in the words of Benito, “to dispense with the use of the tool [de grupos de WhatsApp]”

“This resolution of the Catalan agency does not question WhatsApp or its messaging tool for use between individuals“, Ángel Benito makes clear.” In fact, this week the AEPD published on its website a series of “Tips to strengthen privacy on WhatsApp”, where it does not question the legality of its use. “

“Simply, [la APDCAT] it comes to say that the functionality of the ‘groups’ of said application is not suitable for the purposes that the City Council intended “.


Please enter your comment!
Please enter your name here