It’s no secret that apps run our lives. The advancement of mobile technologies has opened the gates to a plethora of goods and services, now easily available at our fingertips. With the increased use of smart devices and accessing the internet through them (56% as of 2021), app development has evolved into an attractive market. However, not many are aware of the legalities involved in app development, specifically when it comes to data privacy.
Online Apps (such as WhatsApp, Twitter, Facebook, Instagram etc.) generally follow a similar two-tiered contracting pattern: a clickwrap agreement (which ends with “I Agree…”) and / or a browse wrap agreement, whereby a user agrees to and continues to be bound even if the App reserves the right to unilaterally change its terms of use.
In the recent three four years, little happened in the regulatory spectrum regarding the online Apps, despite their usage in wider and wider domains of life. At a technical level, we have seen less cases of Apps that unilaterally change their terms of use, without having the consumers informed; however, the corundum remains as to what happens if the Apps do change their terms of use unilaterally and give notice to the consumers in that respect.
The recent case of WhatsApp informing on their change of terms and conditions in February 2021 came as a relevant example. WhatsApp stated their acquisition by Facebook triggered several changes in the terms of use and simply conditioned the continuation of use of the app to the consumers’ consent on having certain parts of their data shared with Facebook. In a simple explanation, Whatsapp confirmed in January 2021 that only certain data from chats exchanged with business accounts or certain shopping data (whilst allegedly the consumer does such transaction) were to be shared with merchants and Facebook for marketing purposes (personalizing ads, sending promotions etc.).
Nevertheless, WhatsApp confirmed and assured the consumers on the continuation of end-to-end encryption of the regular chats sent via the App. Lastly, the changes brought along severe privacy concerns for the consumers which resulted in their change of preference to other similar Apps, such as Signal or Telegram. The trade in was easily motivated by better privacy assurances on the part of these less commercialized Apps.
But is there a trite law regarding these Apps? The answer varies according to multiple contingencies. All Apps receive, collect, and use data. Such usage regimes are pre agreed by the consumers via the clickwrap agreements. Voluntary disclosure of data keeps the Apps aside from otherwise heavy litigation.
Regulation wise, we might of course investigate what different jurisdictions do. In the EU, the GDPR provides a comprehensive circulation regime for data. Other jurisdictions, such as DIFC to refer to a local example, have enacted similar norms for personal data. However, such regulation sets compliance standards for the Apps and does not interfere with the changes in the terms of use, for as long as these changes remain within the said compliance regime. In the interim, it is understood that an App may change its terms of use, on the condition the changes remain lawful.
The drawback is that many jurisdictions have little normative or procedural history in dealing with similar issues. We have found the most prominent examples in the practice of the US Courts.
As the Ninth Circuit held in Nguyen vs. USA, “[T]he onus must be on website owners to put users on notice of the terms to which they wish to bind consumers”.[1] In Michael Rodman vs. Safeway Inc., the Court held: “The safeway.com agreement did not give Safeway the power to bind its customers to unknown future contract terms, because consumers cannot assent to terms that do not yet exist. A user confronting a contract in which she purports to agree to terms in whatever form they may appear in the future cannot know to what she is are agreeing.”[2]
The approach of such judiciary practice tends to uniformly imply that the online environments need to be reasonable, understandable and easily accessible to all consumers, not only to the ones who are familiar with the data and tech ecosystems.
In 2019, the data protection authority in Hamburg, Germany, notified Facebook of their intention to make use of the GDPR Art. 66, which allows a national agency to order data processing to stop if there is “an urgent need to act in order to protect the rights and freedoms of data subjects”. The action came in response to Facebook manually reviewing certain Google Assistant consumers’ audio snippets.
Whereas Facebook has been in collision with the regulators in the recent years, the change in the WhatsApp terms of use additionally raised severe concerns with a number of regulators, in various jurisdictions: the European Commission, local governments of Ireland, India, Italy, USA etc. The changes in terms have been regarded either as data breaches or even as unfair contract terms, for the jurisdictions that have statutory provisions in this respect, such as the EU.
But all in all, are the changes in the Apps terms of use legal? Generally yes, they are legal if in line with the law. Despite this, an App has a corporate support in most of the cases, which is represented by a company or by a number of companies. Each of these need to align to a specific compliance regime, depending on the place of operation. For instance, the EU regulator of Whatsapp is the European Commission and the GDPR fully applies to Whatsapp within the EU or in relation to EU citizens.
Further, an applicable normative system or the judiciary practice associated with it cannot impose a business (an App) to change or not to change its terms of use. What the normative system does is to set limits to such changes, in order to make them reasonable, known to the consumers and transparent.
In the case of WhatsApp, however, what changed the App’s position towards its intended change of terms was less the regulation; such a shift was commercially driven by the hypothesis of losing consumers (users). Ideally, it should be the regulatory environment to buffer any unreasonable changes in terms, not the loss of profit associated with the terms.
Finally, given that not all Apps are notorious and exposed to the public eye (such as Whatsapp), it is our recommendation that consumers should be able to assess a few simple elements before using such “unsanctioned” Apps. This would safeguard, at least until the time that uniform regulation is enacted, their interests; by this, they may investigate how an app uses data, if it transfers it in different jurisdictions, if is uses secure encryption and related technology, if the App is run by a legitimate company or corporate set up, if it profiles consumers etc. Overall, few simple steps that would help mitigate the detritus of the online ecosystems.
[1] No. 07-30197, Plaintiff-Appellee,D.C. No.v.CR-05-00270-05-RSL, https://law.justia.com/cases/federal/appellate-courts/ca9/07-30197/07-30197-2011-02-25.html, [last accessed on January 31 2021]
[2] ORDER GRANTING PLAINTIFF’S MOTION FOR PARTIAL SUMMARY JUDGEMENT; SETTING CASE MANAGEMENT CONFERENCE, Re: ECF Nos. 171 & 173., JON S. TIGAR, District Judge, https://scholar.google.com/scholar_case?case=5925834191658507423&hl=en&as_sdt=6&as_vis=1&oi=scholarr [last accessed on January 31 2021]
