German regulators have slapped down WhatsApp’s move to share its users’ data with parent company Facebook, calling it an “infringement of national data protection law”.
Despite Facebook and WhatsApp publicly committing in 2014 (when Facebook bought WhatsApp) that users’ data would not be shared between the two companies, recent changes to WhatsApp’s terms and conditions have reversed this position. The new terms and conditions state that user data (including the mobile number and device information of the WhatsApp user) will be shared with Facebook, including for targeted advertising purposes. The terms and conditions automatically opt in users to the data-sharing arrangement.
However, in the last few days of September, the Hamburg data protection commissioner issued an administrative order which:
- prohibits Facebook from collecting and storing the data of German WhatsApp users; and
- compels Facebook to destroy any data which has already been collected from German WhatsApp users.
The Hamburg data protection commissioner has said that the WhatsApp user’s consent needs to be obtained to the data-sharing for it to be lawful, and this had not happened.
Facebook is appealing the decision.
The changes to WhatsApp’s terms and conditions have caused widespread controversy since being announced, and have caused concern with data regulators around the world.
The UK’s data protection regulator (the ICO) has announced that it is investigating the data-sharing on behalf of WhatsApp users in the UK. Elizabeth Denham (the new information commissioner) commented in an interview with BBC’s Radio 4 that there was a “lot of anger” amongst the UK’s WhatsApp users. Ms Denham also addressed the WhatsApp / Facebook data-sharing arrangement in her first speech as information commissioner on 29 September 2016, commenting that “all of this is about transparency and individual control”.
Transparency and trust were the central themes of Ms Denham’s first speech, where she explained that her fundamental objective as information commissioner was to build a culture of data confidence in the UK. She noted her concern that an ICO survey from earlier in the year had shown that only 1 out of every 4 adults trust businesses with their personal data.
Ms Denham made clear that the ICO would pick and choose its investigations carefully, making sure that those investigations were relevant to the public. Unsurprisingly, she said that technology “is already at the forefront” of most of the ICO’s major investigations. For example, in addition to investigating the change in WhatsApp terms and conditions, the ICO has in the last few weeks asked questions about the major Yahoo data breach.
The ICO has indicated that it will be putting out an update soon on its WhatsApp/Facebook investigation. It will be interesting to see whether the ICO follows the approach of the German regulators.