Video: Broaching the security and privacy implications of the data age
France's privacy watchdog CNIL has ordered WhatsApp to stop transferring data to its parent company Facebook within 30 days.
CNIL says WhatsApp has violated France's Data Protection Act by sharing user data with Facebook for business intelligence purposes, intended to help improve the messaging app by analysing user behaviour.
Following this, European data protection authorities in the Working Party 29 group asked WhatsApp to stop the transfer of data for use in targeted advertising, which Facebook agreed to.
Subsequently, CNIL began investigating WhatsApp's compliance with French privacy laws. The watchdog said that while Facebook never used the data from WhatsApp's 10 million French users for targeted advertising and validly used it to improve security, the use of the data for business intelligence violated French law.
CNIL points to a number of problems regarding the way WhatsApp gained user consent. For example, the regulator said, WhatsApp didn't ask users if it could use their private data for business intelligence purposes and there's no option to refuse the data transfer for this type of usage beyond uninstalling the app.
Additionally, WhatsApp's transfer to Facebook "does not provide adequate guarantees allowing to preserve the interest or the fundamental freedoms of users since there is no mechanism whereby they can refuse it while continuing to use the application".
CNIL also said WhatsApp had failed in its obligation to provide a sample of the French user data that has been transferred to Facebook.
WhatsApp has a month to meet the demands that CNIL set out in the formal notice, and may face a penalty if it fails to comply.
A WhatsApp spokesperson said the company faces conflicting concerns from different European authorities.
"Privacy is incredibly important to WhatsApp. It's why we collect very little data, and encrypt every message. We will continue to work with the CNIL to ensure users understand what information we collect, as well as how it's used," the spokesperson said in a statement to ZDNet.
"And we're committed to resolving the different, and at times conflicting concerns, we've heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018."
A number of European authorities have contested the transfer of local WhatsApp user data to Facebook.
A German court in April upheld an order from the Hamburg data protection commissioner to stop transferring user data from Germany's 35 million WhatsApp users to Facebook. Germany's consumer protection groups have also sued Facebook over the mass data transfer.
Recent and related coverage
WhatsApp and its parent company Facebook have been invited to meet a data protection taskforce after alleged non-compliance with European data laws.
WhatsApp said 55 billion messages are sent each day on platform.
Facebook allegedly used profile matching between WhatsApp and Facebook accounts for advertising purposes, having originally told the European Commission twice that it wouldn't do so.
Read more on Facebook
- Facebook wants to get rid of engagement bait with machine learning
- Facebook's AR Studio is now open to all third-party developers
- Facebook launches parent-controlled Messenger app for kids
- Almost half of social purchases made via Facebook
- 4 new features for Facebook Workplace that could make it a better business tool (TechRepublic)
- How to tell if your Facebook has been hacked (and what to do) (CNET)