​France tells WhatsApp to stop sending user data to Facebook

France lays down another European challenge to WhatsApp's data sharing with Facebook.

Video: Broaching the security and privacy implications of the data age

France's privacy watchdog CNIL has ordered WhatsApp to stop transferring data to its parent company Facebook within 30 days.

CNIL says WhatsApp has violated France's Data Protection Act by sharing user data with Facebook for business intelligence purposes, intended to help improve the messaging app by analysing user behaviour.

Last year, WhatsApp changed its terms of service and privacy policy to inform users that their data would be transferred to Facebook for targeted advertising, security, and business intelligence purposes.

Following this, European data protection authorities in the Working Party 29 group asked WhatsApp to stop the transfer of data for use in targeted advertising, which Facebook agreed to.

Subsequently, CNIL began investigating WhatsApp's compliance with French privacy laws. The watchdog said that while Facebook never used the data from WhatsApp's 10 million French users for targeted advertising and validly used it to improve security, the use of the data for business intelligence violated French law.

CNIL points to a number of problems regarding the way WhatsApp gained user consent. For example, the regulator said, WhatsApp didn't ask users if it could use their private data for business intelligence purposes and there's no option to refuse the data transfer for this type of usage beyond uninstalling the app.

Additionally, WhatsApp's transfer to Facebook "does not provide adequate guarantees allowing to preserve the interest or the fundamental freedoms of users since there is no mechanism whereby they can refuse it while continuing to use the application".

CNIL also said WhatsApp had failed in its obligation to provide a sample of the French user data that has been transferred to Facebook.

WhatsApp has a month to meet the demands that CNIL set out in the formal notice, and may face a penalty if it fails to comply.

A WhatsApp spokesperson said the company faces conflicting concerns from different European authorities.

"Privacy is incredibly important to WhatsApp. It's why we collect very little data, and encrypt every message. We will continue to work with the CNIL to ensure users understand what information we collect, as well as how it's used," the spokesperson said in a statement to ZDNet.

"And we're committed to resolving the different, and at times conflicting concerns, we've heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018."

A number of European authorities have contested the transfer of local WhatsApp user data to Facebook.

A German court in April upheld an order from the Hamburg data protection commissioner to stop transferring user data from Germany's 35 million WhatsApp users to Facebook. Germany's consumer protection groups have also sued Facebook over the mass data transfer.

Separately, in May the EC's antitrust regulator fined Facebook €110m for misleading it during its inquiries regarding its 2014 acquisition of WhatsApp. Facebook told the EC that it was unable to automatically match user accounts between the two companies. Following WhatsApp's 2016 privacy policy update, the company revealed it had that capability at the time of the acquisition.

Recent and related coverage

WhatsApp, Facebook to face EU data protection taskforce

WhatsApp and its parent company Facebook have been invited to meet a data protection taskforce after alleged non-compliance with European data laws.

WhatsApp hits 1 billion daily active users

WhatsApp said 55 billion messages are sent each day on platform.

Europe fines Facebook €110m for misleading information on WhatsApp takeover

Facebook allegedly used profile matching between WhatsApp and Facebook accounts for advertising purposes, having originally told the European Commission twice that it wouldn't do so.

Read more on Facebook