How do data breach notification laws apply to incidents involving WhatsApp numbers?

[muskanhossain]

Data breach notification laws mandate that organizations, including WhatsApp, must inform relevant authorities and, in some cases, affected individuals when a security incident leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, such as phone numbers. The specifics of these laws vary significantly by jurisdiction:

1. General Data Protection Regulation (GDPR) (Europe):

Notification to Supervisory Authority: WhatsApp Ireland Limited, as the controller for EEA and UK users, is legally obligated under Article 33 of the GDPR to notify the relevant supervisory authority (e.g., the Irish Data Protection Commission) of a personal data breach without undue delay, and where feasible, not later than 72 hours after becoming korea whatsapp number data aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Notification to Data Subjects: If the data breach is likely to result in a high risk to the rights and freedoms of individuals, Article 34 of the GDPR requires WhatsApp to communicate the breach to the affected data subjects without undue delay. This notification must describe the nature of the breach and include contact information for the data protection officer and measures taken to address the breach.
2. Other International Frameworks:

Jurisdictions like the United States (e.g., under state-specific data breach notification laws like California's), and other countries with data protection legislation, have their own requirements for data breach notification. These often include timelines for notification and the specific information that must be provided to both regulatory bodies and affected individuals.
3. Legal Landscape in Bangladesh:

As of May 2025, Bangladesh does not have a comprehensive and dedicated data breach notification law that mandates specific timelines and procedures for reporting data breaches involving personal data like phone numbers.
The Digital Security Act, 2018 (DSA) addresses cyber offenses, including unauthorized access to data, but it does not explicitly outline mandatory data breach notification requirements in the same way as GDPR.
The draft Personal Data Protection Act, 2023, includes provisions for data breach notification. Section 28 of the draft mandates data fiduciaries to notify the Data Protection Board within 72 hours of a data breach. However, it's crucial to note that this law is still in draft form and not yet enacted. Therefore, there is no current legal obligation for data breach notification in Bangladesh specifically for personal data breaches.
4. WhatsApp's Global Practices:

Even in the absence of specific local laws like GDPR, WhatsApp generally follows principles of good data security and user communication. If a significant data breach involving user phone numbers were to occur in Bangladesh, WhatsApp might still choose to inform affected users as a matter of best practice and user trust, even if not strictly legally mandated by local law. Their global policies and potential obligations under laws in other jurisdictions where their users reside would likely influence their response.
In Conclusion:
Data breach notification laws, most notably GDPR in Europe, impose strict obligations on WhatsApp to report incidents involving personal data like phone numbers to regulatory authorities and affected users under certain circumstances. While Bangladesh currently lacks a dedicated data breach notification law, the anticipated Personal Data Protection Act may introduce such requirements in the future. For now, WhatsApp's practices in Bangladesh would likely be guided by general principles of data protection and any obligations stemming from laws in other regions where their users are located.