EU Privacy Chiefs: WhatsApp's Data Sharing With Facebook Not Compliant With Data Protection Laws

Last year, the Article 29 Working Party (WP29), which consists of all the leaders of the national Data Protection agencies in the European Union, started investigating WhatsApp over its data sharing with Facebook. Following its investigation, the group sent a letter to Facebook in which it notified the company that WhatsApp is still not abiding by European Union (EU) privacy laws.

Facebook’s Non-Compliance With Data Protection Law

The WP29 noted in its letter that Facebook is still not compliant with the old Data Protection directive (a more generic piece of legislation which EU members can implement however they see fit), nor the newer General Data Protection Regulation (a piece of legislation that all EU countries have to implement in the same way), which passed last year and will go into effect by mid-2018.

Facebook has managed to sidestep some of the Data Protection Authorities in the EU, usually on technical grounds, such as those countries not having jurisdiction over Facebook because the company’s EU headquarters lies in Ireland.

However, Facebook may not be able to dodge this one for much longer. Recently, the top advisor to the Court of Justice of the European Union (CJEU) published his opinion on an upcoming case, in which he said that any Data Protection Authority in the EU can take action against Facebook for breaching EU privacy laws. The CJEU has generally ruled similarly to this advisor's opinions, so multiple Data Protection Authorities may soon be able to fine Facebook over its non-compliance with the law.

WhatsApp has proposed that its data sharing with Facebook be done on legal grounds based on user consent. However, the WP29 said that WhatsApp’s consent mechanism is deficient.

The WP29 has defined consent as being “unambiguous, specific, informed, and freely given.” In 2016, the new data protection regulation described consent in more detail. It specifies that consent “must consist of a statement or clear affirmative action, be demonstrable, clearly distinguishable, intelligible and easily accessible, use clear language and be capable of being withdrawn.”

Informed

WhatsApp seems to have been quite far off the mark when it comes to informing its users about its data sharing with Facebook. The users were only shown the following notification, earlier this year:

WhatsApp is updating our Terms and Privacy Policy to reflect new features like WhatsApp calling. Read our Terms and Privacy Policy and learn more about the choices you have. Please agree to the Terms and Privacy Policy to continue using WhatsApp. If you don’t wish to agree, you’ll need to discontinue using WhatsApp.

Although the WP29 acknowledged that WhatsApp can’t present users with too much text, it also believes that WhatsApp could have at least told users that, by clicking the button to agree, their data would be shared with Facebook.

Instead, WhatsApp seems to have used half of its paragraph to focus on warning users that if they don’t agree to the new Terms of Service, they won’t be able to use WhatsApp anymore.

Additionally, the WP29 noted that in its paragraph, WhatsApp seems to leave users with the impression that the new Privacy Policy update is due to the implementation of the new calling feature.

The privacy group is also not content with how WhatsApp described the data sharing with Facebook in the “read more” section. WhatsApp only mentioned that “account information” will be shared and that the phone number and chats will not be shared. However, it didn’t go into details about what other account information might be shared.

Freely Given & Specific

Because both Facebook and WhatsApp are deeply embedded into many Europeans’ lives by this point, the WP29 considers that WhatsApp didn’t give its users a real choice when it told them they can either accept the new terms or stop using the service.

WhatsApp could have given its users more granular controls that would have allowed them to decide if and when their data is shared with Facebook. The WP29 considers that this is also why the consent was not specific enough, as the users should be able to grant or withhold specific consent for the data that is shared with Facebook.

Unambiguous

According to the WP29, WhatsApp could not have obtained “unambiguous” consent from its users when it used a pre-ticked check box for the purpose of “improving Facebook ads and product experiences.”

The WP29 said that data processing must be fair. However, because of WhatsApp’s lack of transparency with regard to its data sharing with Facebook, the WP29 considers that WhatsApp and Facebook’s data processing is unfair to the user.

The EU privacy group also called on WhatsApp to provide users with the ability to withdraw consent for their data sharing with Facebook at any time, as required by law.

WP29 Offers WhatsApp An Alternative

The WP29 reminded WhatsApp that it doesn’t have to collect data based on consent, if it finds that too difficult to implement. Instead, WhatsApp could use the “legitimate interest” legal ground, which would allow WhatsApp to collect data without obtaining consent from users.

However, there’s a catch. If WhatsApp chose this legal basis for the collection of data, then it would have to prove that the data it collects is used strictly for the functioning of the service. In other words, it can’t share user data for targeted ads with Facebook, nor can it sell that data to other companies.

Under this legitimate interest legal basis, WhatsApp would be under much stricter data protection rules, so one can see why Facebook and WhatsApp are not in a hurry to go down this path.

The WP29 said it’s a matter of “utmost importance” that WhatsApp’s data sharing with Facebook is put on hold until Facebook resolves the issues that the group has raised. The WP29 invited WhatsApp and Facebook to attend a meeting in the near future in which they can set out how all the concerns will be addressed.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.