WhatsApp in a tax firm — allowed or risky?

Published 9 June 2026

Ask any accountant how they actually exchange documents and quick questions with clients, and WhatsApp comes up more often than most practices would admit. The convenience is real — virtually everyone already has it installed, it is fast, and clients respond. But convenience and compliance are not the same thing, and for a tax firm handling wage data, balance sheets, and personal tax returns, the gap between them can carry serious consequences.

Why WhatsApp is so popular in firms

WhatsApp has more than two billion users worldwide. For many clients — especially individuals and small business owners — it is the communication channel they reach for without thinking. Compared with a client portal that requires a login, a special app to install, or an email thread that takes hours to get a reply, WhatsApp feels frictionless. Advisors who have adopted it report quicker document turnaround and fewer missed calls. That is not nothing. Any realistic alternative has to acknowledge why the tool became so embedded in the first place.

The problem: contacts and metadata flow to a third party

The central issue is not whether WhatsApp encrypts message content. It does, with end-to-end encryption based on the Signal protocol for one-to-one and group chats alike. The deeper problem is everything surrounding those messages.

  • Contact-book upload. WhatsApp asks for access to the device's address book and sends the phone numbers in it to Meta's servers so that it can tell which contacts also use the service. Whether those numbers travel hashed or in the clear makes little practical difference: the space of valid phone numbers is small enough that a hash of one can be reversed by enumeration. So the mere fact that a client is in your phone reaches a US-based parent company, and that person has not consented to this and is usually unaware of it.
  • Metadata. Even where message content is encrypted, metadata is not. Who communicated with whom, when, how often, and from which device is visible to the platform and is routinely used for advertising and product-improvement purposes under Meta's terms.
  • Cloud backups. On Android and iOS, chat history is commonly backed up to Google Drive or iCloud; WhatsApp prompts for this during setup and most users accept. Unless the user has deliberately turned on end-to-end encrypted backups, an opt-in setting most clients will never touch, that backup sits outside WhatsApp's end-to-end encryption, so its confidentiality rests on the backup and platform providers rather than on a key that only the two parties hold.
  • US data transfers. Meta is a US corporation. EU client data processed by its servers is subject to ongoing international data-transfer scrutiny. Adequacy decisions and standard contractual clauses provide a legal framework, but that framework has been challenged repeatedly and varies in its robustness.

For a tax firm, this combination creates a specific tension. Clients share wage slips, bank statements, and company accounts. That information is among the most sensitive personal and commercial data that exists. The moment it passes through a channel that feeds metadata to an advertising platform and uploads the address book to servers outside the EEA, the firm is no longer fully in control of who can infer what about that client relationship.

GDPR and professional confidentiality both weigh against it

Two separate legal frameworks apply here, and both point the same way.

GDPR considerations

Under the GDPR, a tax firm is a data controller. To the extent a third-party platform processes client personal data on the firm's instructions, that platform is a data processor, and Article 28 requires a written data-processing agreement (DPA) specifying what is processed, for what purpose, and under what safeguards. Meta offers a DPA for its WhatsApp business products, but even with one in place the controller must be able to show that the processing is necessary, proportionate, and covered by a lawful basis. Given that alternatives exist, necessity is hard to establish. Worse, where Meta uses metadata for its own purposes it acts as a controller in its own right, which no DPA can cover, and the purpose-limitation and data-minimisation principles of Article 5, together with the data-protection-by-design duty of Article 25, become difficult to satisfy.

Additionally, uploading a client's contact details to Meta — which happens when WhatsApp accesses the address book — processes that person's data without their knowledge or consent. The firm would need a lawful basis for that processing too, and legitimate interest is a stretch when the client has no reasonable expectation that their contact details are being shared with an advertising platform.

Professional confidentiality

Beyond data-protection law, tax advisors in most European jurisdictions are bound by professional confidentiality obligations. The precise scope varies by country and professional body, but the common thread is that information shared by a client in a professional context must not reach unauthorised third parties. Whether metadata in the hands of a platform counts as a breach is not settled law, but the cautious reading, and the one professional bodies and supervisory authorities increasingly take, is that routing client communications through a channel that shares metadata and contact data with a US advertising conglomerate is at minimum a grey area and potentially a disciplinary risk. Some national guidance has gone further and explicitly advises against WhatsApp for professional client communication.

It is also worth noting that WhatsApp for personal use and WhatsApp Business are different products, but neither was designed with the confidentiality standards of a regulated profession in mind. Using personal WhatsApp for client matters compounds the risk because there is no business account, no DPA, and no separation from private contacts.

A secure alternative without forcing an app

The practical obstacle to most secure alternatives is that they require the client to do something — download an app, create an account, remember a password. That friction is real, and it is exactly why WhatsApp wins by default. The question is whether there is a setup that preserves security without putting that burden on the client.

Browser-based, peer-to-peer tools address this directly. The advisor generates a session link and sends it to the client, who opens it in any browser: no installation, no registration, no account. The two browsers then negotiate a direct WebRTC connection. The server's role is limited to signaling, that is, relaying the connection offer and answer, and the data channel itself is protected by WebRTC's mandatory DTLS encryption between the two peers. Messages travel directly between the devices, so no central server holds a copy. The session key is carried in the URL fragment, the part after the '#', which browsers do not include in HTTP requests, so it is never sent to the signaling server. Two caveats apply. The signaling server, and any TURN relay that steps in when a firewall blocks a direct connection, still sees connection metadata such as IP addresses, timing and the fact that a session took place, although a relay only forwards encrypted packets it cannot read. And the link as a whole is the secret: whoever can read the channel it was sent over, or obtains the link before the session ends, can join the conversation.

This approach also avoids the contact-book problem entirely. The advisor does not need to add the client to a phone's address book or grant any platform access to their contacts. The link can be shared through an existing email thread, a text message, or any other channel, with one proviso: because the link grants access to the session, it should go over a channel the firm already trusts for that client, and for sensitive matters it is reasonable to confirm by phone that the right person has joined. Once the session ends, there is nothing left on a server to subpoena, breach, or export; whatever the two parties chose to save remains on their own devices.

For larger file transfers, whether sending a completed tax return or receiving scanned documents, the same encrypted channel can carry files directly between devices without routing them through a cloud storage provider. This keeps the data out of the platform's backup infrastructure and under the control of the two parties actually party to the exchange. Once a file is saved, it is of course subject to the receiving device's own storage and backup settings, so on the firm's side it belongs in the document management system rather than in a phone's photo gallery.

  • No app to install — clients join from a browser link.
  • End-to-end encrypted: the key never reaches a server.
  • Peer-to-peer: no platform holds a copy of the conversation.
  • No contact-book access required on either side.
  • Signaling infrastructure located in Germany, relevant for EU data-residency considerations.

This does not mean a tax firm must abandon email or phone calls for every interaction. It means having a channel available for the moments when a client wants the convenience of a quick back-and-forth — a question about a deadline, a document that needs to change hands quickly — where the firm can offer something as simple as WhatsApp, without the regulatory exposure that comes with it.

Conclusion

WhatsApp is popular in tax practices for understandable reasons: clients are already there, and it is fast. But the metadata exposure, the contact-book upload to a US parent company, cloud backups that by default sit outside end-to-end encryption, and the difficulty of constructing a compliant GDPR and data-processing framework make it a poor fit for a regulated profession handling sensitive financial data. The better path is not to demand that clients learn a new platform, but to offer a session-link-based, browser-native channel where nothing is stored on a server, nothing is installed, and the encryption key never leaves the two devices. That combination, client convenience without platform surveillance, is what a confidentiality-conscious firm actually needs.

WhatsApp in a tax firm — allowed or risky? · COVANAN