There is an interesting development in Europe over how WhatsApp and Facebook will work together, and it is also a victory of sorts for data protection and privacy advocates in the region. Today, the UK’s Information Commissioner’s Office (ICO) announced that it has closed an investigation into whether WhatsApp and its owner Facebook could legally share user data with each other. One significant upshot is that the ICO has gotten WhatsApp to sign an undertaking in which it has committed publicly not to share personal data with Facebook until the two services can do it in a way that is compliant with the General Data Protection Regulation (GDPR).
“Data protection law does not prevent a company from sharing personal data – they just have to follow the legal requirements,” writes Commissioner Elizabeth Denham, who also published her own letter to WhatsApp as part of her blog post.
This is a truce of sorts. Notably, Commissioner Denham also said that the ICO would not be fining Facebook as a result of its investigation since, even if WhatsApp intended to do unlawful things, it never actually did, which is a win of sorts for Facebook, too.
“I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case,” she notes. “As WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as a ‘data processor’, as explained below), I would not be able to meet the criteria for issuing a civil monetary penalty under the Data Protection Act.”
GDPR is the wide-ranging data protection framework that essentially gives individuals more control over how and where their data is used across digital services. It comes into force in May across the European Union, and it’s bringing about a sweep of privacy changes among digital services to fall in line with the new rules.
The ICO investigation started back in August 2016, prompted by an update WhatsApp made to its privacy policy noting that it planned to start sharing user data with Facebook. In addition to being an unpopular move at the time, it flew directly in the face of assurances WhatsApp and Facebook had made before and during the acquisition period that there was no intention of ever turning WhatsApp customers into the “product” and using their data in such a way.
Denham said that her investigation found several issues with the idea of sharing data:
“WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.”
But, on the other hand, WhatsApp also managed to escape any fines as it halted the data program before it ever got off the ground.
Going forward, there are a few interesting loopholes for where data can be shared between the two platforms, specifically in cases where Facebook is a “data processor” providing a support service to WhatsApp. For example, this would apply in the use of servers to run its messaging service, or perhaps in running a relay for a business that is taking out an ad on Facebook to refer people to its WhatsApp account. “My investigation has not been concerned about WhatsApp’s sharing of personal data with Facebook when Facebook are only providing a support service to WhatsApp,” she writes. “The technical term for such sharing is that WhatsApp can use Facebook as a data processor. This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns.”
As Denham points out, there are two other takeaways from this case.
The first is the public outcry and “broad concerns” that arose when the privacy policy was first updated in August 2016 and the message that this gives to tech companies, regulators and others involved in helping shape our digital world. “At the heart of these concerns lies a desire for improved transparency, control, and accountability, at a time when personal data is ever more central to the business models of key players in the digital economy,” she writes.
The second will be the wider European ramifications. In Germany, the Hamburg Commissioner of Data Protection and Freedom of Information said earlier this month that the Higher Administrative Court (OVG) Hamburg has now officially also banned Facebook from using WhatsApp user data for its own purposes, while in France the regulator CNIL is currently in the process of bringing enforcement actions of its own.
More generally, while a lot of companies are preparing how they will comply with GDPR, this case highlights how companies will likely challenge and test the framework as well. I’m not sure Facebook will give up so quickly and it will be worth watching what kind of workarounds, if any, it comes up with to continue in its wider strategy to “connect” us all.