Thought leadership

Facebook and WhatsApp are set to be probed by an EU data protection authority for not obtaining appropriate user consent for their data sharing plans.

The EU data protection authority believes WhatsApp was negligent in informing users that their data will be shared with Facebook.

Facebook has been at the receiving end of an intense scrutiny from the European Union’s data protection watchdog, the Article 29 Data Protection Working Party, for not being clear about its data-sharing plans with its subsidiary WhatsApp.

The Data Protection Working Party believes that the information presented by WhatsApp to its users on data sharing with Facebook was ‘seriously deficient as a means to inform their consent’. In a letter addressed to Jan Koum, chief executive of WhatsApp, the watchdog stated that notices given to users did not make it clear that their personal data would be shared with Facebook.

In fact, all that WhatsApp did was share a new privacy policy via a pop-up notification, informing users that the policy had been updated to ‘reflect new features’. At the same time, the checkbox for users to accept the new policy was pre-ticked. The working party found this approach ‘misleading‘.

It added that WhatsApp users were not offered “sufficiently granular user controls” to opt out of the new privacy policy as well, thereby resulting in a breach of the EU’s regulations on user consent.

Back in May, the European Commission fined Facebook €110 millionfor lying to it in 2014 about its plans to share user data with WhatsApp. During the EU’s investigation into Facebook’s merger with WhatsApp in 2014, the social media giant told the Commission that it would be unable to establish reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts.

However, in August 2016, WhatsApp updated its privacy policy and terms & conditions to include the ability to link WhatsApp users’ phone numbers with Facebook users’ identities.

‘The Commission has found that, contrary to Facebook’s statements in the 2014 merger review process, the technical possibility of automatically matching Facebook and WhatsApp users’ identities already existed in 2014, and that Facebook staff were aware of such a possibility,’ the Commission noted.

‘This is the first time that the Commission has adopted a decision imposing fines on a company for provision of incorrect or misleading information since the entry into force of the 2004 Merger Regulation,’ it added.

‘It’s good to see data protection watchdogs clamping down on WhatsApp and Facebook’s irresponsible approach to user consent. A simple pop-up notice is clearly not a sufficient attempt to inform users that their previously private data would now be exploited for advertising purposes,’ says Rafael Laguna, CEO of Open-Xchange.

‘However we’re seeing this aggressive approach towards gathering user ‘consent’ across countless internet services and advertising platforms. If the Data Protection Working Party applied the same level of scrutiny to all instances of abuse of user consent the technological landscape in Europe would be very different. Service providers have a real opportunity to stand out in Europe by prioritising data privacy and user consent,’ he adds.

WhatsApp’s controversial privacy policy, which was updated in August last year, immediately attracted the attention of the Information Commissioner’s Office who promptly ordered an investigation. Facebook had initially announced that it would harvest data from its messaging app and share it with its social network for advertising and product improvement purposes. However, it was forced to pause the data sharing as a result of the investigation.

‘I had concerns that consumers weren’t being properly protected, and it’s fair to say the enquiries my team have made haven’t changed that view,’ said information commissioner Elizabeth Denham.

‘I don’t think users have been given enough information about what Facebook plans to do with their information, and I don’t think WhatsApp has got valid consent from users to share the information. I also believe users should be given ongoing control over how their information is used, not just a 30-day window,’ she added.

You may also like...

Keep Up To Date - Subscribe To Our Email Newsletter Today

Get the latest industry news direct to your inbox on all your devices.

We may use your information to send you details about goods and services which we feel may be of interest to you. We will process your data in accordance with our Privacy Policy as displayed on our parent website