Facebook and WhatsApp will face EU data protection body

27 Oct 2017

WhatsApp on mobile. Image: Alex Ruhl/Shutterstock

EU data protection regulators say that WhatsApp has failed to address the concerns raised around its privacy policy.

The EU Article 29 Working Party (WP29) has issued a letter to WhatsApp co-founder Jan Koum, revealing that it has launched a taskforce led by the UK Information Commissioner’s Office to investigate what it says are deficiencies in the consent mechanism that the messaging service has been using for data sharing with its parent company, Facebook.

In August 2016, WhatsApp changed its privacy policy to allow more data, including phone numbers, to be shared with the “Facebook family of companies”, including Instagram and Facebook Messenger. Users were given 30 days to opt out of the data exchange policy and were notified of the changes when they first used the updated version of WhatsApp.

Last October, WP29 issued a letter to Koum saying: “It is of the utmost importance that your company communicates all the available information. This includes not only, but specifically, information on the exact categories of data (eg names, telephone numbers, email, postal address etc) and the source of such (eg data from the users’ phones or data already stored on company servers) as well as a list of recipients of the data and the effects of the data transfer on the users and potential third persons.”

Issues not sufficiently tackled by WhatsApp

Facebook then agreed to pause its collection of data for advertising purposes, and WhatsApp added a ‘notice for EU users’, but the WP29 said it “does not sufficiently address the issues of non-compliance with data protection law”.

The issues included the pop-up notice on WhatsApp, which did not make it clear that users’ personal data would be shared with Facebook and gave a “misleading impression” by saying the privacy policy had been updated to reflect new features.

The WP29 also took issue with WhatsApp using a pre-ticked check box to accept the new terms, saying it did not indicate “unambiguous consent”. According to the watchdog, WhatsApp didn’t offer “sufficiently granular user controls” to let people opt out of data sharing.

Both companies must now meet with the taskforce.

The letter concluded: “Given the impact of these issues on European citizens, the WP29 considers it a matter of utmost importance that a clear, comprehensive resolution is put in place and that the pause in data sharing for the purpose of improving Facebook products and enhancing targeted advertising on Facebook continues until such time as the matter is resolved to the satisfaction of data protection authorities.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.