The popular cross-platform mobile instant messenger contravened Canadian and Dutch data and privacy laws over the requirement to upload users' phone numbers.
One of the world's most popular cross-platform applications "violates" international privacy laws, according to the Canadian and Dutch data protection authorities, because it requires users to provide their entire contact list to the service.
The Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority today announced their findings for what they called a "collaborative investigation into the handling of personal information" by the California-based company.
WhatsApp, an instant messenger application for iPhone, Android devices, and BlackBerry smartphones, provides a free service to rival text messaging, and sends more than 1 billion messages to users around the world every day.
In a statement, the agencies concluded that the application violated privacy laws in both the Netherlands and Canada because users had to provide access to all of their phone book contacts, including users and non-users of the application.
"The investigation revealed that users of WhatsApp -- apart from iPhone users who have iOS 6 software -- do not have a choice to use the app without granting access to their entire address book. The address book contains phone numbers of both users and non-users," Jacob Johnstamm, chairman of the Dutch Data Protection Authority, said in a statement.
iPhone users running the iOS 6 mobile operating system are asked if they are willing to allow an application to access certain sensitive data on the device, such as location data, or in this case contact list data.
The two agencies explained that WhatsApp relies on a user's phone number to populate the instant messenger's contacts list. All the user's phone numbers are transmitted to WhatsApp to "assist in the identification of other WhatsApp users." But, rather than deleting the phone number of non-users, WhatsApp retains the numbers, albeit in an unreadable hash form.
This falls foul of both Canadian and Dutch privacy law, which states that personal data may only be retained for as long as it is required for the fulfillment of a certain service.
"Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp," Johnstamm remarked.
"Our investigation has led to WhatsApp making and committing to make further changes in order to better protect users' personal information," Canadian Privacy Commissioner Jennifer Stoddart said in a statement.
While in breach of Dutch law, and though the Netherlands is a member of the European Union bloc of 27 member states, the mobile app is not thought to have breached wider European data protection law.
The Dutch authority will examine the California-based developer's case in a "second phase" in which "further enforcement actions" may be enacted, including sanctions. While the Canadian authority does not have order-making powers, it will keep a close eye on the company.
CNET put in a request for comment to WhatsApp, but we did not hear back at the time of publication. If we hear back, we'll update the piece.