If you’ve spent time researching the GDPR, you’ll know that the transfer of personal data outside the EEA (European Economic Area) is strictly regulated.
Data transfer rules (laid down in GDPR Chapter V) are so complex that many data controllers would gladly avoid data transfer altogether. Yet, that’s everything but easy. Servers are spread throughout the planet, and much of the technology we use in our everyday life (emails, direct messaging apps, and so on) entails data transfer.
So data controllers are left wondering if there is a mythical creature, a unicorn app that would enable them to avoid extra-EEA data transfer –without making their lives much harder.
And some believe they’ve found it.
Data Transfer & the GDPR: Is Telegram that Unicorn?
Telegram explicitly addresses the topic of data transfer (or rather, of data storage) in article 4.1 of its privacy policy, where the company states that:
«If you signed up for Telegram from the UK or the EEA, your data is stored in data centers in the Netherlands. […]»
That might sound like the answer to the EEA-based data controller’s prayers: if Telegram stores their data in the Netherlands, then there’s no transfer of personal data outside the EEA, right? No need to worry about the intricacies of Chapter V, right?
Unfortunately, it’s not that simple.
Telegram & data transfer: What Type of Personal Data Are We Talking About?
There are two broad categories of personal data that we should consider here.
The first category (let’s call it “category A”) comprises personal data you have shared with Telegram upon subscription (your name or username, phone number, and email), as well as data that Telegram collects (for example, your location data & IP address, which count as personal data under the GDPR).
This personal data we are discussing here is yours. In this scenario, you are the data subject, and Telegram is the data controller.
But if you use Telegram as a data controller, we should consider another data category (“category B”): the personal data of third parties you share through the app.
For example, if you use Telegram for business reasons, you might share a client’s telephone number with your team. In this scenario, the phone owner is the data subject, you are the data controller, and Telegram would be your data processor.
Having Telegram as your data processor is problematic in and of itself. But let’s not deal with this matter now. Instead, let’s focus on the two different categories of personal data we’ve mentioned above.
When Telegram states, “if you signed up for Telegram from the UK or the EEA, your data is stored in data centers in the Netherlands,” what does “your data” stand for?
Category A?
Category B?
Both?
The Million-Dollar Question: What Do They Mean?
If they mean both, indeed, you are covered. All personal data – including personal data of third parties you have processed through Telegram – is safe in the Netherlands. As long as you don’t intentionally share it with non-EEA-based persons (for example, by sending that phone number to a colleague of yours in the USA), there’s no data transfer.
But if Telegram only addresses personal data belonging to what we’ve called “Category A”…
And unfortunately, there’s no easy way to tell which category of personal data Article 4.1 refers to.
On the one hand, Telegram includes messages among the personal data they collect and use (see article 3.3 of the company’s privacy policy). That would suggest they refer to both “category A” and “category B” when they mention “your data” in article 4.1.
But many other signs point in the other direction. For one thing, the way Telegram’s privacy policy was drafted seems to suggest they had a “regular” user in mind – a private person chatting with friends and family, not a data controller processing other people’s data.
For another, ensuring that all data exchanged between EEA-based users stay in the EEA would be pretty challenging on a technical level, especially as EEA-based users constitute a sizable chunk of the app’s 400 million users.
In Conclusion
There’s no way of knowing whether Article 4.1 of Telegram’s privacy policy also refers to personal data you manage as a data controller.
Of course, you can try and ask the app’s @GDPR bot. (We did. Not that we’ve had any luck with it so far).
Or you can consult with a lawyer, which is always a recommended course of action in such cases.
But until you get a satisfactory answer, do not assume that, just because you’re based in the EEA, the personal data you process via Telegram doesn’t leave the EU space. It likely might. And if it does, the whole of Chapter V applies.