Telegram’s Crackdown on Illegal Content: Implications for Organisations and Individual Rights

In a bold move, Pavel Durov, founder and CEO of Telegram, recently announced a crackdown on illegal content circulating on the platform. This decision follows his arrest in France, where he was charged with failing to prevent the use of Telegram for criminal activities, including the sale of illegal goods. With over a billion users worldwide, Telegram’s role in balancing privacy, compliance with government regulations, and the responsibility to combat illicit activities has significant ramifications for both organisations and individuals.

But what does this mean from a data protection standpoint? As a consultancy focusing on GDPR and data privacy compliance, we believe it’s crucial to examine the implications of Telegram’s shift in policy on organisations and individual rights.

Telegram’s Proactive Approach: A Shift in Privacy

Telegram has long been a platform celebrated for its strong privacy protections, with end-to-end encryption and a commitment to user anonymity. However, Durov’s recent statements indicate a shift in how the platform will handle compliance with government requests, especially when it comes to illegal activities.

Telegram has updated its terms of service and privacy policy, explicitly stating that the platform will share infringers’ details, such as IP addresses and phone numbers, in response to legal requests. For organisations that use Telegram for communication, marketing, or customer interaction, this change means reassessing how the platform aligns with data protection obligations, especially under the General Data Protection Regulation (GDPR).

Legal and Compliance Considerations for Organisations

Organisations operating within the UK and EU are bound by strict data protection laws, including the GDPR. One of the central tenets of the GDPR is data minimisation and transparency, ensuring that personal data is processed lawfully, fairly, and in a way that is transparent to individuals. Telegram’s new proactive stance on sharing user information with authorities raises several points of concern:

1. Data Sharing with Authorities: Organisations using Telegram for business must be aware that the platform may now provide user data, including personal identifiers, to authorities in response to legal requests. This could potentially expose individuals’ personal information, leading to a conflict between organisational commitments to user privacy and Telegram’s compliance with legal demands.
2. Data Retention: How long is Telegram holding onto the personal data of users, and is this in line with the data retention policies of the organisation? It’s crucial for organisations to ensure that their own privacy policies are not at odds with Telegram’s data handling practices.
3. Security and Breach Reporting: With more sensitive user data being shared with authorities, the risk of breaches increases. Under the GDPR, organisations must notify the Information Commissioner’s Office (ICO) and affected individuals when a data breach occurs that puts personal data at risk. Organisations need to assess whether using Telegram adds to this risk, and if so, how to mitigate it.
4. Consent: If an organisation collects personal data via Telegram, it must ensure that it has obtained explicit consent from individuals for the collection and sharing of this data. The GDPR requires clear, informed consent for data processing, especially when it involves sharing with third parties like government agencies.

What This Means for Individual Rights

For individual users of Telegram, this change is equally impactful. Privacy and data protection are core elements of digital rights under GDPR, and Telegram’s shift in policy raises concerns about how well these rights are being upheld.

1. Right to Be Informed: Users must be informed about how their data is being used and shared. Telegram’s update to its privacy policy is a step in this direction, but how many users are fully aware of these changes? Organisations relying on Telegram must be transparent with users about how their data could be shared.
2. Right to Access and Erasure: Under GDPR, individuals have the right to access their data and request its deletion. Users may now question whether Telegram’s data-sharing practices complicate their ability to exercise this right, especially if their data has been passed on to authorities.
3. Increased Scrutiny on End-to-End Encryption: While Telegram maintains its commitment to encryption, the platform’s new stance on illegal content reporting may raise questions about whether encrypted messages are truly safe from third-party access. For individuals who value Telegram for its privacy features, this could prompt a shift towards more secure, privacy-focused platforms.

Balancing Compliance and Privacy: The Challenges Ahead

For Telegram, the challenge lies in striking the right balance between protecting user privacy and adhering to government regulations. On the one hand, platforms like Telegram have a responsibility to ensure they are not used as a tool for criminal activity. On the other hand, the collection and sharing of personal data with authorities risk compromising the very privacy features that have made Telegram so popular.

From a data protection consultancy perspective, this highlights a broader issue that all organisations must navigate: how to balance compliance with privacy. Organisations must keep a close eye on any platforms they use to communicate with customers or store personal data, ensuring that these platforms align with their data protection obligations.

Conclusion: What Should Organisations Do Next?

For organisations and individuals alike, the recent changes at Telegram serve as a reminder of the delicate balance between privacy and compliance. Organisations should:

• Reassess their use of Telegram and consider how its updated policies might impact their data protection obligations under GDPR.
• Review their data-sharing policies and ensure they are transparent with users about how their data might be shared with authorities.
• Conduct a Data Protection Impact Assessment (DPIA) to evaluate the risks associated with using Telegram, especially if sensitive personal data is involved.

At Data Protection People, we help organisations navigate these complex challenges, ensuring compliance with data protection laws while maintaining trust with users. If your organisation uses Telegram or any other digital platform, get in touch to learn how we can help you manage your data protection risks effectively.