Answer given by High Representative/Vice-President Borrell on behalf of the European Commission

3.6.2020

The European External Action Service (EEAS) uses a proprietary instant messaging solution, which is an integral part of the Restreint UE/EU Restricted classified communication system.

This is a solution completely hosted on premise (in the EEAS) for the server and with security-hardened hardware for the mobile device. This solution complies with the rules for EU Restricted applications and has been vetted accordingly. The Data Protection Impact assessment in accordance with Article 39 of Regulation (EU) 2018/1725[1] is foreseen, in cooperation with, in particular, the European Commission.

WhatsApp and Gmail are not officially endorsed or supported solutions by the EEAS. Thus, the EEAS cannot measure the usage of these applications and has not made an official risk assessment. Since not all the EEAS staff are eligible for a corporate mobile phone, the WhatsApp, as a publicly available and widely popular application, could be used for business continuity communication purposes.

The EEAS strategy is to ensure that all the sensitive discussions and exchanges of information take place on the proprietary EU Restricted instant messaging solution. Under no circumstances, it is permitted to use any other messaging application to share information classified as sensitive non-classified or above.

• [1] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data: http://data.europa.eu/eli/reg/2018/1725/oj