WhatsApp's mobile messaging service used by hundreds of millions of customers worldwide breached privacy laws in at least two countries, a joint Canadian-Dutch probe concluded Monday.
The California-based mobile app developer violated "certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data," Canada's privacy commissioner and the Dutch Data Protection Authority (CBP) said in a joint statement.
WhatsApp has taken steps to resolve several privacy issues by implementing many of the privacy watchdogs' recommendations.
"However, outstanding issues remain to be fully addressed," the watchdogs said.
The coordinated Canadian-Dutch investigation is a global first, and "marks a milestone in global privacy protection" in an "increasingly online, mobile and borderless world," noted Canadian Privacy Commissioner Jennifer Stoddart.
The joint probe found that most mobile smartphone users did not have a choice to use WhatsApp's messaging app without granting access to their entire address book, in violation of Canadian and Dutch privacy laws.
In the Netherlands, the CBP said it may take further enforcement action, including sanctions, if it finds that WhatsApp continues to breach privacy laws.
The privacy commissioner's office in Canada has no enforcement powers but said WhatsApp has "demonstrated a willingness to fully comply with (its) recommendations."
The company, for example, has fixed a vulnerability that allowed a third party to send and receive messages in the name of users without their knowledge.
It also recently introduced encryption to its mobile messaging service after the Canada-Dutch investigation revealed that messages sent using WhatsApp's messenger service were prone to eavesdropping or interception, especially when sent through unprotected WiFi networks.