Answer given by Mr Breton on behalf of the European Commission

6.2.2020

The Commission is aware of reports of the use of sophisticated spyware infecting mobile phones, also via a WhatsApp vulnerability, and is following the developments closely. Privacy and security of our citizens is of the utmost importance. All stakeholders, public and private, need to take their responsibility seriously in protecting EU citizens.

This includes complying with all relevant EU legislation for protecting personal information, applying security measures and notifying incidents to authorities.

Over-the-top communications services (OTTs) like WhatsApp are subject to the security obligations of the General Data Protection Regulation (GDPR), to the extent that personal data is concerned. The confidentiality of communications enshrined in the ePrivacy Directive does not yet apply to OTTs but only to traditional telecommunications.

However, with the new European Electronic Communications Code (EECC), those services become electronic communications. Consequently, OTTs will have to comply with both the security requirements of the EECC and the ePrivacy rules. Moreover, the ePrivacy Regulation proposal harmonises and strengthens the enforcement of such rules and introduces higher penalties.

Exports of ‘intrusion software’ are controlled under Regulation (EC) 428/2009, and national competent authorities are responsible for making licensing decisions and for the enforcement of the regulation. The Commission has seized the competent authority in Cyprus of the matter with a request to confirm the correct application of the regulation.