WhatsApp, the instant messaging application, has been requested by the Italian Data Protection Authority (DPA) to provide details on the processing of data concerning Italian users.
Following the investigation by the Canadian and Dutch DPAs, the Italian authority requested the Californian company to clarify the types of data collected and used as part of the service, the modalities and term of storage of such data, the security measures implemented to limit the risk of access to the data by third parties and in particular whether tools aimed at preventing the illegally access to the content of messages exchanged through the application have been put in place. The investigation arose since the DPA found out that in order to use the service, the application has to access to the all the contacts of the users' director which includes also contacts of persons that do not use it.
It is interesting to see that this is the second time in a short term after the recent investigation on Skype where the Italian DPA questions the conduct of a foreign company on which apparently it does not have jurisdiction. This shows a new approach from data protection regulators based on the "nationality" of the data rather than the place of establishment of the data controller on which the EU Data Protection Directive is based. This approach is supported by the interpretation according to which users' smartphones where the application is installed might be qualified as equipment of the data controller located in the country for the purposes of the applicability of local data protection laws.
We will see the developments of this investigation, but in the meantime if you want to discuss it further, feel free to contact me, Giulio Coraggio.