The Hamburg privacy office ordered Facebook this year to stop collecting data from German WhatsApp users, and to delete all such data it holds, after finding that there is no legal basis for Facebook to use such information. The order followed the Office’s investigation into the data-sharing activities between Facebook and WhatsApp. The Office feared that data exchanged between the two platforms could “just be the beginning” of a mass data exchange between the two companies. German officials were also concerned that the companies’ activities were not only “misleading of their users and the public” but also an “infringement of national data protection law.” The Office used a European Court of Justice judgment as a basis for investigating the data-sharing activities between the two entities because Facebook undertook those activities through its subsidiary in Hamburg, noting that, as a result of the judgment, “national data protection laws are applicable if a company processes data in connection with a national subsidiary”.
During the acquisition of WhatsApp in October 2014, both Facebook and WhatsApp had publicly assured users that data would not be shared between the two platforms. This position was reversed in August 2016, when WhatsApp updated its terms and conditions and started providing user data to Facebook, arguing that the pre-ticked box in WhatsApp’s terms and conditions constituted the user’s consent. Facebook subsequently announced that it would start using data from WhatsApp to allow advertisers to better target users on apps, i.e. Facebook and Instagram, as well as allowing advertisers to send unsolicited messages to WhatsApp users directly. The Office did not find the pre-ticked box sufficient to constitute the user’s consent, and noted that the terms and conditions failed to specify the extent and the usage of the data that would be shared between the two platforms. It also noted that even users with no connection to WhatsApp or Facebook had their data taken from other users’ address books, and that although Facebook had stated that it had not yet “collected” this data, it had unlawfully accessed the information. The Office concluded: “it has to be [the user’s] decision as to whether they want to connect their account with Facebook. Therefore, Facebook has to ask for their permission in advance.” This finding also mirrors the letter that the U.S. Federal Trade Commission sent to both WhatsApp and Facebook at the time of the 2014 acquisition, stating that should Facebook change WhatsApp’s privacy policies following the acquisition, it would need to obtain consent from users and should not misrepresent to WhatsApp members how their user data will be used and maintained.
Since Germany’s order, reports have stated that the privacy offices of Italy and Spain have announced that they are also investigating the data-sharing activities between Facebook and WhatsApp, but no findings have yet been reported. The UK’s Information Commissioner’s Office (ICO) has also posted a blog update on what it has done to investigate Facebook’s data-sharing activities with WhatsApp, in which it announced that Facebook has agreed to pause using data from UK WhatsApp users for advertisements or product improvement purposes, but it is not stated how long this “pause” is to last. The ICO has also asked Facebook and WhatsApp to sign an undertaking committing to better explain to customers how their data will be used and shared, but this is yet to be signed. The Irish Data Protection Commissioner has also had Facebook Ireland agree not to process data from any WhatsApp users in the EU; this followed a warning letter from European privacy watchdogs about sharing user data with parent company Facebook.
TIP: International regulators will monitor the transfer of data between entities following an acquisition. Transacting parties should be mindful of all applicable international privacy issues and risks when acquiring businesses that handle personal data.