Privacy experts have warned that political parties, sports clubs and community organisations should stop using WhatsApp, the instant messaging service, for group activities.

It follows news this week that the GAA had told its member organisations that using the platform raised the risk of non-compliance with strict data privacy laws introduced in 2018.

“My advice would be to stop using WhatsApp immediately. WhatsApp in my view does not comply with GDPR and should not be used,” said Daragh O’Brien, managing director of data privacy consultancy Castlebridge. He said that while the messaging service was appropriate for personal use, its use by professional or community organisations raised a series of compliance concerns regarding the General Data Protection Regulation (GDPR).

“[This applies to] Political parties, community anti-theft schemes done in collaboration with the gardaí, neighbourhood watch groups using WhatsApp, other sports organisations, voluntary organisations,” he said.

He said the use of the platform potentially breached requirements around the fair and transparent and lawful processing of data, as well as the security, integrity and confidentiality principal in the GDPR. This was due to the automatic sharing of group members’ information with other members who may not be known to them.

“While I might want to take part in a sports group, I might not want all members of the club to know my mobile, which can then be copied, saved and used for other purposes,” Mr O’Brien said.

“Administrators and organisations need to recognise that non-compliance carries significant risk to the organisation and therefore the convenience of consumer based tools needs to be balanced against appropriate controls to protect the privacy and safety of members.”

Two years ago

In a statement on Wednesday, the GAA said its member clubs were first warned two years ago not to use WhatsApp and other instant messaging apps.

“GAA clubs, like all data controllers, need to ensure and promote compliance with data protection legislation, including the GDPR and the Data Protection Act.”

The organisation said that its position is outlined in its social media policy and supporting guidelines for GAA clubs. It is pushing clubs to use its own games management system, which enables email and text messaging, as well as messages sent within the app.

The issue came to national prominence this week after the child protection officer of the Laois GAA County Board issued a strong warning to members about using the WhatsApp service. Laois Today reported on Monday night that Seamus Lahart told a county board meeting: “I can’t stress it enough, you have to scrap WhatsApp.”

Speaking on RTÉ’s Morning Ireland programme on Wednesday morning, the GAA’s data protection officer Kelly Cunningham said: “The GDPR was not written with individual GAA clubs in mind, however because each GAA club is processing their member’s data, we in turn are data controllers under the legislation, so we need to make sure every club is compliant with the legislation.”