- Are you using Telegram for your business and wondering if the app is GDPR-compliant?
- Are you using Telegram for your business because you are *sure* the app is GDPR-compliant?
- Are you using Telegram for your business, have a vague idea of a nuisance called “GDPR” existing, and want to know more about it?
You’ve come to the right place.
You see, there are tons of articles written about Telegram and the GDPR – but most of them discuss whether Telegram itself is GDPR compliant. They are written with the “regular” Telegram user in mind: they are addressed to a private individual wishing to chat with friends and family while keeping personal data safe.
In this article, we are going to discuss Telegram from another point of view: that of companies, organizations, or public entities using the app for professional reasons, and thus falling under the GDPR scope.
Even more specifically, we’ll try to assess whether GDPR-bound data controllers can use Telegram to process personal data in a manner consistent with the Regulation.
Telegram and the GDPR: the role of data controllers
In case you are wondering, “who the heck is a data controller, and why should that interest me?” here is a quick recap. (If you already know, feel free to skip to the next section of the article.)
In 2018, the European Union adopted the GDPR (“General Data Protection Regulation” – we’ll also call it “the Regulation” in this article) to strengthen data protection.
The GDPR applies to all data processing activities except those happening «in the course of a purely personal or household activity» (article 2, letter c of the Regulation).
Personal data (also defined by Article 4) are «any information relating to an identified or identifiable natural person (‘data subject’),» and processing means… pretty much anything one could possibly do with personal data.
In practical terms, if you message your aunt, friend, or neighbor and, in doing so, process personal data, the GDPR doesn’t apply to you. But when you process personal data for reasons that are not “purely personal” – for example, professional reasons – then you’re bound to comply with the Regulation. And this is where the data controller comes into the equation.
Article 4 of the Regulation defines the data controller as
«the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.»
Basically, the data controller is the person responsible for ensuring that the data is treated in a way consistent with the Regulation.
If you qualify as a data controller and want to use Telegram, it’s critical that you ascertain whether Telegram enables you to fulfill your obligations and secure the data subject’s rights. It’s not enough to know, or believe, that Telegram guarantees the rights you enjoy under the GDPR.
When you use Telegram for purely personal motives, you’re like a bus passenger: you just have to sit back and enjoy the ride.
But when you use Telegram as a data controller and process other people’s data, you are not a passenger on that bus.
You are the driver.
You have a whole different set of responsibilities.
Telegram and the GDPR: controlling the data
Now, these responsibilities are varied, and we will not examine all of them here.
We’ll just focus on some elements data controllers should take into consideration – and the first one we want to talk about is data ownership and control.
You cannot implement the GDPR if you don’t have a degree of control over the personal data entrusted to you. (There’s a reason for the name “data controller”).
The problem is that all messaging services – not just Telegram – make “controlling the data” fairly hard.
Let’s take an example to clarify what we mean.
Let’s assume you run a travel agency. You have a little team of three persons, and the four of you have a group chat on Telegram. It’s not unlikely for you to share your clients’ data on the group chat: for example, you’ve shared copies of your clients’ passports so that whoever was in charge could book their flights. (Yes, this counts as “processing personal data.” The passport is full of personal data, and as we said, “processing” is an extremely broad notion).
Now, think about it: once you’ve shared the passport picture, do you still control that piece of information? Not really. Sharing it in a chat is not the same as having it on paper. All chat members now have access to the info – and so does the service provider.
What if you want to delete the personal data – something you might be required to do under the GDPR, either because there’s no need to store it anymore (article 5, letter e, the principle of “storage limitation”) or because the data subject has asked you to do so (article 17, “right to erasure”)?
With most messaging services – and Telegram is only a partial exception – once the message has been sent and received, you can only delete it for yourself.
The other participants will continue to see it, and until all of them delete it, the message will be kept in the provider’s cloud.
That’s how Telegram works (or at least, worked). As the company states in article 10.2 of its privacy policy,
«In cloud chats, you can choose to delete a message for all participants within at least 48 hours after sending. Otherwise, deleting a message will delete it from your message history. This means that a copy will stay on the server as part of your partner’s message history. […]»
For the message to be gone – and for the personal data to be erased, which is what matters to us now – the other partner(s) must delete the message, too.
Why, then, did we say before that Telegram is a partial exception to that model?
For two reasons.
The first is that Telegram offers so-called “secret chats”. And in secret chats, every time you delete a message, it’s deleted for both participants (secret chats can only be one-on-one).
The second reason is that as of version 5.5, Telegram introduced a new feature thanks to which «any party can choose to delete any messages in one-on-one chats, both sent and received, for both sides. There is no time limit.» (Telegram Privacy Policy, article 10.2).
Neither option is available for group chats, though. So to get back to our example, after 48 hours, you wouldn’t be able to delete the passport picture for all participants. You would be forced to rely on your team’s cooperation.
Telegram and the GDPR: data transfer
Sending a message has become so integral to our lives that we do it without bothering about the technicalities.
Take data transfer. We don’t often think about it, but messages travel from server to server. They are stored in servers. But where are these servers located?
In the specific case of Telegram, we can easily answer this question, as the company itself clarifies it in its privacy policy: all around the world.
And that might be a problem when the GDPR is concerned.
Let’s get back to our example and the passport picture you’ve shared on your travel agency working chat. The message travels from server to server, right?
Well, if one of these servers is located outside the EU, what you’ve just done qualifies as “transfer of personal data to third countries and organizations.”
And the GDPR has something to say about it.
In fact, it has quite a lot to say about it, devoting a whole chapter (Chapter V, articles 44 to 50) to the matter.
Though the framework devised by Chapter V is pretty complex, the principle underpinning the chapter is simple: personal data can only be transferred when “the level of protection of natural persons guaranteed by the Regulation is not undermined.”
If this standard isn’t met, the transfer is illegal under the GDPR.
Now, Telegram is aware of this rule. So much so that the company clearly states, in article 4.1 of its privacy policy, that
«[…] if you signed up for Telegram from the UK or the EEA, your data is stored in data centers in the Netherlands.»
Does that mean all is set, and that you don’t have to worry about personal data leaving the EU, and that you can forget about Chapter V entirely?
Unfortunately not.
The key is what Telegram means by “your data.” Do they refer solely to those personal data they’ve collected from you when you signed up (your phone number, your email address, your username)? Or do they also include personal data of which you are the controller and that you’ve shared through their service – such as the passport picture of our example?
From the way article 4.1 is worded, one gets the impression that the company means the former.
If that is indeed true, then article 4.1 is not enough to cover you: it’s an article designed to fulfill Telegram’s obligations towards its data subjects, not your obligations towards your data subjects.
This brings us to the next point.
Telegram and the GDPR: data processing agreement
We’ve come to what is arguably the biggest issue data controllers face when using Telegram to process personal data: the lack of a data processing agreement.
When you send personal data through Telegram – again, think of the passport picture in our example – Telegram is processing personal data on your behalf (sending the picture, transferring it from server to server, storing it in the cloud: all of this counts as “processing”).
In the GDPR’s words, Telegram is acting as your data processor. (See article 4.8: «’processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller»)
Under the GDPR, data controllers can rely on data processors, but only when two core principles (set forth by article 28 of the Regulation) are met. First, the data processor must «[provide] sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.»
And second, there must be a legally binding instrument in place between the data controller and the data processor.
According to article 28.3: «Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.»
This means that you can’t just send personal data through Telegram and call it a day. If you want Telegram as your data processor, there must be a contract in place between the two of you.
Now, this might sound exaggerated, but it is not. Several service providers (both tech giants and smaller companies) started offering data processing agreements after the GDPR came into force back in 2018. Google, for example, has a data processing agreement in place.
Telegram apparently doesn’t.
Nor does the company mention the matter in its terms of service or its privacy policy: as we’ve said before, the privacy policy is written with the data subject, not the data controller in mind.
Telegram and the GDPR: ok for data subjects, not so much for data controllers
Some instant messaging apps explicitly prohibit all non-personal use of their services. Telegram doesn’t go that far, but it is clear from its terms of service and privacy policy that the Durov brothers designed the app with a specific client in mind: a private individual wishing to use Telegram for purely personal reasons.
And when the GDPR was enacted in 2018, Telegram made efforts to ensure its compliance as a data controller.
But what if you are the data controller?
Well, then the company doesn’t do much to guarantee your compliance, for the simple enough reason that it is not meant to do so. Telegram offers a B2C service – not a B2B one.
Can you try to make it work anyway?
It’s your choice (and your risk).
But why would you insist on eating ice cream with a fork when you can have spoons?