Data sharing is once again at the forefront as WhatsApp comes under pressure from EU regulators

  • Ireland
  • General

09-11-2017

WhatsApp and its parent company, Facebook, have been invited to engage with a newly formed taskforce to achieve a “satisfactory resolution” and pacify EU data protection regulators. 

A change to WhatsApp’s privacy policy that would have allowed data to be shared with the “Facebook family of companies” initially prompted the Article 29 Working Party (“WP29”) to issue a warning to the instant messaging giant more than a year ago. 

This warning was given against a backdrop of broader action being taken against the Facebook group, including a €110m fine handed down in May of this year due to Facebook providing “misleading information” during the takeover of WhatsApp in 2014 about whether user accounts would be matched across the two platforms.  During the acquisition, both companies had denied that data sharing would ever take place.

The letter issued on Tuesday 24 October 2017 is the third sent on this matter to WhatsApp chief executive Jan Koum and was also copied to Facebook, whose European headquarters are based here in Dublin.

In the letter, WP29 took particular issue with the most recent step taken by WhatsApp in an attempt to comply with EU data protection laws.  The messaging service had posted a “Notice for EU Users” on the FAQ section of its website, which gave certain information about the nature and purposes of the sharing of personal data with Facebook. 

WP29 noted that WhatsApp’s consent mechanism for the data sharing was “seriously deficient” in that it did not provide enough information, gave a misleading impression of the implications of consent and was in the form of a “pre-ticked check-box”.  Of particular concern was the fact that WhatsApp stated that the reason the terms and policies were being updated was to “reflect new features like WhatsApp calling”.  There was no specific mention that data would be shared with Facebook.

The regulator also considered that the dominance of WhatsApp in the messaging market in Europe meant that the “take it or leave it” approach could not amount to freely given consent.  The preferred approach would have been user controls to allow for control of the sharing of data and the possibility of granting or withholding consent for specific purposes.

WP29 decided to form a taskforce, chaired by the UK’s Information Commissioner’s Office, and encouraged both WhatsApp and Facebook to “engage positively” with it.  The UK’s Information Commissioner, Elizabeth Denham, stated that “the efforts of WhatsApp and Facebook to resolve the issues have not yet addressed our concerns. We remain committed to leading a European-level response to these concerns, which affect millions of users in the UK and across the EU”.

In August, Ireland’s Data Protection Commissioner confirmed that the data sharing suspension currently in place would continue during ongoing engagement with the taskforce, and that this particular data sharing would not be activated for EU-based WhatsApp users.

A spokesperson for WhatsApp said “Over the last year we have engaged with data protection authorities to explain how our 2016 terms and privacy policy update apply to people who use WhatsApp in Europe. We remain committed to respecting applicable law and will continue to work collaboratively with officials in Europe to address their questions.”

WhatsApp will no doubt also be cognisant of the introduction in May 2018 of the General Data Protection Regulation, which will give regulators the power to impose fines of up to 4% of an undertaking’s global turnover.      

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
