CNIL investigated the information transfer and found that Whatsapp violated the French Data Protection Act because the consent for the transfer was not validly collected. Under the Act, a transfer of personal information must be specific to accomplish a purpose and it must be free. CNIL found that targeted advertising and improvement of services were not specific purposes. Additionally, CNIL found the transfer was not “free” because the only way to refuse the data transfer was to uninstall the application.
As a result of these violations, CNIL issued formal notice requiring that Whatsapp comply with the Data Protection Act within one month. If Whatsapp does not comply, the company may face sanctions.
TIP: Companies should review their consent provisions and processes to ensure that they comply with foreign data protection laws, including accurately stating the purpose of information transfer.