WhatsApp, Facebook to face EU data protection taskforce

WhatsApp and its parent company Facebook have been invited to meet a data protection taskforce after alleged non-compliance with European data laws.
Written by Tas Bindi, Contributor

WhatsApp is continuing to face scrutiny from the European Union's data protection regulators, who say the Facebook-owned company has failed to address the concerns raised around its privacy policy "despite a significant period of time having passed".

The Article 29 Data Protection Working Party (WP29) issued a letter [PDF] to WhatsApp co-founder Jan Koum, saying that it has launched a taskforce, led by the United Kingdom Information Commissioner's office, to investigate the "deficiencies in the consent mechanism" the encrypted messaging service provider has employed.

In August last year, WhatsApp changed its privacy policy to allow more data -- including phone numbers -- to be shared with the "Facebook family of companies", which includes Instagram and Messenger. People using WhatsApp were given 30 days to opt out of the data exchange policy and were notified of the changes on the first updated use of the app.

The WP29 wrote to WhatsApp in October last year highlighting that it had serious concerns [PDF] about the manner in which user data is being shared across the Facebook-owned services. In November, UK Information Commissioner Elizabeth Denham penned a blog post advising WhatsApp to better explain its privacy policy changes to consumers so they have an "unambiguous choice" before Facebook uses their data "for advertisement and product improvement purposes".

"It's important that we have control over our personal information, even if services don't charge us a fee," Denham wrote at the time.

Facebook then agreed to pause its collection of WhatsApp user data for advertising purposes.

WhatsApp added a "notice for EU users" in August 2017, but the WP29 believes it does not "sufficiently address the issues of non-compliance with data protection law".

In its letter, the pan-European data regulator sets out the ways in which WhatsApp's privacy policy does not comply with EU rules around consent, which needs to be "unambiguous, specific, informed, and freely given" to be considered valid.

Under EU regulations, consent must "consist of a statement or clear affirmative action, be demonstrable, clearly distinguishable, intelligible and easily accessible, use clear language and be capable of being withdrawn", which WP29 claims is absent in the language WhatsApp uses in its notice of change.

"WhatsApp is updating our Terms and Privacy Policy to reflect new features like WhatsApp calling. Read our Terms and Privacy Policy and learn more about the choices you have. Please agree to the Terms and Privacy Policy to continue using WhatsApp. If you don't wish to agree, you'll need to discontinue using WhatsApp," the WhatsApp notice of change states, according to the WP29.

The data regulator said the company has taken a "take it or leave it" approach in which users either signal their "consent" to the sharing of data or they are unable to use the service.

When users slide up to read more about the updates to WhatsApp's terms of use and privacy policy, a pre-ticked check-box appears saying that the user consents to share their "WhatsApp account information with Facebook" to improve their Facebook ads and product experiences. The WP29 said this is not "unambiguous" as it's unclear what constitutes "WhatsApp account information" and for what specific purpose they will be shared with Facebook's other products.

Expecting that the companies will argue that they need data to pursue their legitimate business interests, the WP29 said that the legitimate interests ground cannot be invoked when such interests are "overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data." As such, those business interests need to be clearly specified in its privacy policy.

WhatsApp also failed to offer "sufficiently granular user controls" to let users opt out of data sharing activities, according to the WP29.

Both Facebook and WhatsApp have been invited to meet with the taskforce to clearly set out how these issues can be addressed.

In May, the European Commission fined the social media giant €110 million for providing "misleading information" regarding its takeover of WhatsApp in 2014.

The fine is in accordance with the commission's merger regulation, which requires companies in a merger investigation to provide the correct information for the commission to review mergers -- something that Facebook failed to do, according to the commission.

Last month, Facebook was fined €1.2 million by the Spanish Data Protection Agency for allegedly collecting personal information from users in Spain that could then be used for advertising without seeking consent.

In May 2018, a new data-privacy policy called the General Data Protection Regulation will take effect across Europe. The updated rules, which will replace the ones established in 1995, aim to unify data privacy across Europe to simplify regulations for international businesses operating in Europe.

The GDPR will require organisations around the world that hold data belonging to individuals from within the EU to provide a high level of protection and explicitly know where every piece of data is stored. Organisations that fail to comply with the regulation requirements could be fined up to €20 million, or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year -- whichever is higher.

