• Home
    • Blog
    • Are Telegram’s Secret Chats GDPR-compliant? | Blog

Are Telegram’s Secret Chats GDPR-compliant? | Blog

In a previous post, we have discussed how using Telegram as a data controller can breach the obligations arising under the GDPR. 

In a nutshell, when you share data subjects’ personal data through Telegram, you: 

  • risk losing control over said data (not ideal for data controllers);
  • involve Telegram as your data processor without having signed (or being able to sign) a data processing agreement. 

Yet, the instant messaging service is so practical that you might be reluctant to give it up entirely. 

And this is where Secret Chats enter the picture.

What are Telegram’s Secret Chats?

In the words of the company itself

«Secret chats are meant for people who want more secrecy than the average fella. All messages in secret chats use end-to-end encryption

As the tech-savvy among you already know, end-to-end encryption (or E2E encryption) is a type of encryption protocol where only the sender and the recipient can read the message. No one else – including the service provider – owns the keys to decipher it.

Telegram doesn’t offer E2E encryption by default. Regular Telegram chats (including, critically, all group chats) are protected by client-side encryption (also known as transport layer encryption). This means that while the messages are encrypted in transit, they are decrypted once they reach the server (and then encrypted again as they travel to the recipient).

Secret Chats and Data Protection

At first glance, Secret Chats seem like a perfect solution for data controllers unwilling to give up Telegram. 

While encryption is not explicitly made mandatory by the GDPR, the Regulation mentions it as one of the measures data controllers are encouraged to adopt to ensure processing security

And compared to client-side encryption, E2E encryption offers an extra layer of protection (though it might be worth mentioning that experts have criticized Telegram’s protocols). This makes Secret Chats, generally speaking, safer to use than regular chats. 

Secret Chats also come with some other handy features that enable data controllers to retain greater control over the data they share. 

For one thing, messages sent in Secret Chats cannot be forwarded or screenshotted. 

For another, the sender can set a self-destruct timer and ensure the message – and the sensitive data it contains – will be deleted after the set timeframe has expired. This practical solution prevents personal data from hanging forever in some internet closet (something the GDPR expressly prohibits). 

Oh, and Telegram doesn’t keep logs for messages in secret chats (which means that they won’t even know whom you’ve messaged or when)

Last but not least, E2E has another perk. It doesn’t just keep your data secure; it reduces the amount of info you share with the service provider. 

When you upload personal data (for example, your client’s address) in a “regular” chat, that personal data is decrypted by the Telegram server and stored on the company’s cloud. It’s still protected against man-in-the-middle attacks, but Telegram has full access to it. 

On the other hand, when you send personal data in a Secret Chat, Telegram will only see a string of numbers and/or symbols. 

The company goes as far as saying (Privacy Policy, article 4.2) that:

«[…] we neither store nor process your personal data, rather we store and process random sequences of symbols that have no meaning without the keys which we don’t have

And that “neither store nor process your personal data” part might sound like music to the data controller’s ears. 

After all, If Telegram doesn’t process personal data, they are not really acting as a data processor, right? Meaning you can use their service with no complications – just like you would the mail. 

Unfortunately, it’s (cue our favorite sentence) not so simple.

Are Secret Chats fully GDPR-compliant?

The crux of the matter is that the GDPR doesn’t say anywhere that personal data protected by E2E encryption no longer counts as personal data. 

Some arguments might support this conclusion, but others support the opposite view. Tellingly, Recital 26 GDPR states that «Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.» 

We won’t know for sure until the EDPB or the ECJ pronounce on the matter; meanwhile, data controllers should err on the side of caution and take the view that encrypted personal data is still personal data

In practical terms, this means we’re back at the starting point: if you, as a data controller, share personal data through Secret Chats, you are still processing personal data via Telegram, and Telegram is still acting as your data processor – and we’ve seen why that’s a problem

It’s also worth considering that the enhanced security offered by Secret Chats comes at a price: group chats cannot be made secret (meaning you’ll never enjoy E2E encryption on group chats). And because the content of Secret Chats is not saved on Telegram’s cloud, the chats are device-specific, meaning that you cannot access them from another device.

Last, but not least, there’s no way for you to make sure your employees stick to secret chats when messaging one another. You can obviously adopt strict guidelines (adopting privacy guidelines is something all employers should do) and sanction your employees if they fail to respect them, but you cannot actively prevent them from using Telegram as they like.

If you want to avoid sanctions, you’d better opt for a solution that guarantees a higher degree of control over the way your team treats personal data. 

In Conclusion

Telegram’s Secret Chats represent a better alternative to regular chats – but they still pose risks for data controllers. While E2E encryption, deleting data easily and preventing unwanted forwarding are all features data controllers should look out for when choosing a messaging app, they do not, by themselves, ensure compliance with the GDPR. 

To avoid complications, we recommend opting for solutions designed specifically for data controllers – and not adapted through workarounds. 

Meet Zextras at CloudFest 2022 | Event | Blog
GDPR for non-EU companies: how and when it applies to you | Blog