On May 18, 2017, the EU Commission imposed on Facebook a “proportionate and deterrent” fine of €110 million for providing misleading information during the investigation of Facebook’s acquisition of WhatsApp. This decision, which can still be appealed, shows how acts infringing EU merger rules may also infringe EU data protection regulations and lead to high fines, as will also be possible for data protection infringements under the General Data Protection Regulation (GDPR).
During the acquisition notification procedure in 2014, the EU Commission had some concerns about Facebook’s ability to establish reliable automated matching between users’ accounts on the two applications. Such matching could be a way for Facebook to introduce advertising on WhatsApp and/or to use personal data sourced from WhatsApp to improve its targeted advertisements. According to the EU Commission, while those new potential data combinations may have strengthened Facebook’s position in the online advertising market and hampered competition in that market, they also led to data protection issues. In its letter of October 2016, the Article 29 Working Party (WP29, gathering all EU data protection authorities) called into question the validity of the existing WhatsApp users’ consent, since, at the time they signed up, users were not informed that their data were to be shared among the “Facebook family of companies” for marketing and advertising purposes.
In the context of the increased sanctions under the GDPR, this decision demonstrates that companies engaged in a merger or acquisition should integrate data protection programs in addition to corporate and competition matters. Such programs should at least include the following measures:
- Map and assess the privacy risk involved in the new processing to be carried out in the context of the corporate operation (due diligence audits, international transfers, etc.), as well as the privacy risk involved in the new processing that will be carried out after the operation.
- To the extent required by law, inform the data subjects (employees, clients, stakeholders, etc.) about those new processing operations and purposes, taking into account confidentiality issues.
- Take all steps necessary to make the new data processing, data transfers and processing purposes compliant with the various applicable data protection rules.