According to a complaint filed by Meta to the Court of Justice of the European Union in 2023, gbwhatsapp was unlawful in the European Union member States for being in violation of Article 5 of the General Data Protection Regulation (GDPR) (principle of data minimisation) and Article 1201 of the Digital Millennium Copyright Act (DMCA) (circumvention of technical protection measures). Employees can be fined up to 4% of the turnover in a year or €20 million, whichever is higher. For example, in 2023, an entrepreneur was fined €120,000 for employees using gbwhatsapp to share customer health information, which exposed 35,000 sensitive messages to an unauthenticated server.
At the technical compliance level, gbwhatsapp’s encryption technique is not FIPS 140-2 compliant, and its end-to-end encryption technique has 23% key management vulnerabilities (0.1% for authentic WhatsApp). Test studies by security firm Trend Micro established that gbwhatsapp users stood 17 times higher chances of having their third-party intercepted messages than official app users, while Meta suspended more than 8 million related accounts in 2023 for exploiting unauthorized apis, 62% of which came from India and Brazil. For example, India’s Information Technology Act Section 43A mandates a compensation of 5,000 rupees (circa $60) per user affected by gbwhatsapp-initiated data breach, and a Mumbai e-commerce company paid $2.2 million in 2022 in settlement.
Courts’ past decisions suggest illegality varies by region. In 2023, the Saudi Arabian Communications Commission (CITC) put it on its “blacklist of illegal apps,” seized 12,000 devices that installed the app, and charged users 3,000 Saudi riyals (about $800) under the Cybersecurity Law. In comparison, while gbwhatsapp is not technically prohibited in Indonesia, after it enforced its Personal Information Protection Act (PIPA) in 2023, the chances of users being prosecuted for accessing the app increased by 43% year on year, mainly regarding illicit cross-border data transfers (1.7KB of leaked metadata on average per second).
Commercial usage risk-wise, gbwhatsapp violated Section 4.3 of Meta’s Terms of Service (prohibition of reverse engineering) and had a recovery rate of less than 9% following suspension of corporate accounts. In a 2023 UK Competition and Markets Authority (CMA) survey, it was found that smes which employed gbwhatsapp experienced 29% customer response times to be slowed due to functional limitations (e.g., inability to get official commerce apis), where the average value lost on order is approximately $18,000 / month. For example, a Nigerian logistics company lost all of its 85% customer communication channels irreparably after it engaged the Meta risk control mechanism through its over-reliance on gbwhatsapp’s auto reply feature, which consequently led to a reduction in quarterly revenues by 62%.
Code audit report indicated seven of gbwhatsapp’s incorporated tracking libraries such as Firebase Analytics and Adjust infringed the informed consent principle under the GDPR and user behavior was anonymously sold for $0.003 per record to AD consortiums 89% of the time. In 2023, the French Data regulator (CNIL) sanctioned the gbwhatsapp developer team with €2.7 million for collecting geolocation data (accuracy ±3 meters) in bulk without notifying users, with an average daily rate of collection of 120 times per device.
Although gbwhatsapp continues to be available through third-party channels in some countries (around 150 million downloads globally in 2023), legal risk expenses are high: customers pay $38 / year on average for a virtual private network (VPN) to evade blocking, and have a 22% chance of having their accounts suspended permanently. For example, Brazil’s 2023 revised Internet Civil Law Framework requires platforms sharing unlicensed applications such as gbwhatsapp to be fined 10 percent of their revenue, up to 50 million reais (around $10 million).
In short, employment of gbwhatsapp in the majority of jurisdictions of the world involves a number of legal violations, and its users can face the triple threat of civil relief, criminal penalties and business damage. It is recommended to preferentially go for certified communications solutions validated by GDPR, CCPA and others to ensure continued compliance.
