The Article 29 Data Protection Working Party (WP29) issued a letter [PDF] to WhatsApp co-founder Jan Koum, saying that it has launched a taskforce, led by the United Kingdom Information Commissioner's office, to investigate the "deficiencies in the consent mechanism" the encrypted messaging service provider has employed.
"It's important that we have control over our personal information, even if services don't charge us a fee," Denham wrote at the time.
Facebook then agreed to pause its collection of WhatsApp user data for advertising purposes.
WhatsApp added a "notice for EU users" in August 2017, but the WP29 believes it does not "sufficiently address the issues of non-compliance with data protection law".
Under EU regulations, consent must "consist of a statement or clear affirmative action, be demonstrable, clearly distinguishable, intelligible and easily accessible, use clear language and be capable of being withdrawn", which WP29 claims is absent in the language WhatsApp uses in its notice of change.
The data regulator said the company has taken a "take it or leave it" approach in which users either signal their "consent" to the sharing of data or they are unable to use the service.
WhatsApp also failed to offer "sufficiently granular user controls" to let users opt out of data sharing activities, according to the WP29.
Both Facebook and WhatsApp have been invited to meet with the taskforce to clearly set out how these issues can be addressed.
In May, the European Commission fined the social media giant €110 million for providing "misleading information" regarding its takeover of WhatsApp in 2014.
The fine is in accordance with the commission's merger regulation, which requires companies in a merger investigation to provide the correct information for the commission to review mergers -- something that Facebook failed to do, according to the commission.
Last month, Facebook was fined €1.2 million by the Spanish Data Protection Agency for allegedly collecting personal information from users in Spain that could then be used for advertising without seeking consent.
The GDPR will require organisations around the world that hold data belonging to individuals from within the EU to provide a high level of protection and explicitly know where every piece of data is stored. Organisations that fail to comply with the regulation requirements could be fined up to €20 million, or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year -- whichever is higher.
PREVIOUS AND RELATED COVERAGE
WhatsApp is the latest service to be blocked in China, according to a report, as President Xi Jinping continues to tighten internet controls and restrictions.
WhatsApp, among others, apparently pose a serious threat to business security.
Amazon and WhatsApp scored in only two of the EFF's five categories on protecting customer data and privacy, while telecommunication carriers Verizon, AT&T, T-Mobile, and Comcast scored just one star.
As Brazil debates the extent to which communications privacy should be guaranteed, a taskforce led by WhatsApp co-founder defends the company's encryption policies and user rights.