In what has been hailed as a victory for UK consumers, WhatsApp has signed a public commitment not to share personal data with its parent company, Facebook, until data protection rules can be met.
News of Facebook’s planned acquisition of WhatsApp for $19bn in 2014 raised the concerns of privacy groups and led to calls for the acquisition to be halted until Facebook made it clear how it planned to use the personal data of WhatsApp members.
The signing of the commitment follows an investigation by the UK’s Information Commissioner’s Office (ICO) into whether WhatsApp could legally share users’ data with Facebook in the way it planned.
Since her appointment in July 2016, information commissioner Elizabeth Denham has regularly said consumer trust is “essential” to achieving growth, and can be best achieved by following the law and following the principle of privacy by design.
In September 2016, Denham said the ICO would choose its investigations carefully to make sure they are relevant to the public, and revealed that the ICO had begun a review of data sharing between WhatsApp and other Facebook companies.
She warned that the ICO expects to see organisations taking responsibility for their actions, despite the pace of technological change, saying it is up to individual businesses to understand the risks they are creating for others, and to mitigate them.
The Information Commissioner’s Office (ICO) has completed its investigation into WhatsApp. It found that:
- WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
- WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
- In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained.
“I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act,” Denham wrote in a blog post.
“I am pleased to state that WhatsApp has now signed an ‘undertaking’ wherein they have given a public commitment not to share personal data with Facebook until they can do so in compliance with the upcoming General Data Protection Regulation (GDPR), which comes into force in May this year.”
Denham said she had reached the conclusion that an undertaking was the most effective regulatory tool to use in this case, and in light of WhatsApp’s assurances that no UK user data has ever been shared with Facebook other than as a “data processor”, the ICO has not issued a monetary penalty under the Data Protection Act against WhatsApp.
Denham said UK consumers need not take any action, noting that the ICO had not been concerned about WhatsApp’s sharing of personal data with Facebook when Facebook is only providing a support service to WhatsApp.
“The technical term for such sharing is that WhatsApp can use Facebook as a data processor. This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns,” she wrote, noting that data protection law does not prevent a company from sharing personal data; it just means the company has to follow the legal requirements.
“I therefore compliment WhatsApp in signing this undertaking, which I believe will build trust amongst their many UK users. I would also like to stress that signing an undertaking is not the end of the story and I will closely monitor WhatsApp’s adherence to it,” said Denham.
“At the heart of these concerns lies a desire for improved transparency, control and accountability, at a time when personal data is ever more central to the business models of key players in the digital economy,” she said.
As a result, the issue was taken up by the Article 29 Working Group of European Data Protection Authorities. As chair of the Article 29 Task Force on WhatsApp-Facebook data sharing, the ICO worked with European colleagues to bring a common focus and information base to the investigation.
The Article 29 Working Party wrote collectively to WhatsApp to set out our concerns in October 2017; the Hamburg Commissioner of Data Protection and Freedom of Information issued a press release on 2 March 2018, indicating that the Higher Administrative Court (OVG) Hamburg had confirmed his administrative order, banning Facebook from using WhatsApp user data for its own purposes; the French data protection authority (CNIL) is in the process of bringing enforcement action against WhatsApp; and other EU Data Protection Authorities also have ongoing investigations, said Denham.
“The GDPR strengthens the rules on what constitutes ‘consent’. It also provides a stronger emphasis on effective transparency and accessible information for the public. This will be good news for UK users of social media services. We will be monitoring changes to WhatsApp’s privacy and terms and conditions under the new legislation,” she said.