Facebook, WhatsApp and the controversies of data sharing

27th October 2016

This article was first published on Lexis®PSL IP & IT on 19 October 2016. Click for a free trial of Lexis®PSL.

IP & IT analysis: When WhatsApp announced that it was going to start sharing the personal data of its users with its parent company, Facebook, despite its previous assurances that this wouldn’t happen, there was a huge public outcry. On 27 September 2016, the German data protection authority in Hamburg ordered WhatsApp to stop sharing data with Facebook immediately and ordered Facebook to delete all data it had already received. The Regulatory Team at Walker Morris look at what has happened in more detail and considers what this might mean for Facebook going forward.

Original news

Germany prohibits WhatsApp-Facebook data sharing, LNB News 28/09/2016 43

Independent, 28 September 2016: An administrative order has been issued by the Hamburg Data Protection Commissioner banning Facebook from sharing information with WhatsApp across Germany. Criticisms were made of the data sharing arrangement as Facebook doesn’t have approval from WhatsApp users.

What information is WhatsApp sharing with Facebook and why?

WhatsApp’s privacy policy states that it shares some of a user’s account information, including the user’s phone number and details of when they last used the service, with the Facebook family of companies.

According to the policy, sharing this information is intended to help operate, provide, improve, understand, customise, support and market both WhatsApp’s services and the offerings of the Facebook family of companies. This includes helping improve infrastructure and delivery systems, understanding how the services provided by WhatsApp and the other Facebook companies are used, securing systems and fighting spam, abuse or infringement activities.

The information may also be used to improve user experiences such as ‘making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads’.

It’s not entirely clear from this exactly what user data WhatsApp will share with Facebook. However, WhatsApp does promise that, provided both users are using the latest version of WhatsApp, messages (including photos and videos) will be encrypted by default and that no one (including WhatsApp and Facebook) will be able to read them.

Why has WhatsApp’s announcement caused such controversy?

On 29 December 2012, WhatsApp posted a blog entitled ‘Why we don’t sell ads’ from its creators, which set out in no uncertain terms that WhatsApp wasn’t about collecting personal data:

‘At WhatsApp, our engineers spend all their time fixing bugs, adding new features and ironing out all the little intricacies in our task of bringing rich, affordable, reliable messaging to every phone in the world. That’s our product and that’s our passion. Your data isn’t even in the picture. We are simply not interested in any of it’.

When Facebook acquired WhatsApp back in 2014, both WhatsApp and Facebook were keen to reassure everyone that the relationship with Facebook wouldn’t change anything:

‘…we built WhatsApp around the goal of knowing as little about you as possible: You don’t have to give us your name and we don’t ask for your email address. We don’t know your birthday. We don’t know your home address. We don’t know where you work. We don’t know your likes, what you search for on the internet or collect your GPS location. None of that data has ever been collected and stored by WhatsApp, and we really have no plans to change that.

If partnering with Facebook meant that we had to change our values, we wouldn’t have done it. Instead, we are forming a partnership that would allow us to continue operating independently and autonomously. Our fundamental values and beliefs will not change. Our principles will not change’.

The announcement on 25 August 2016 of a U-turn, both on sharing data with Facebook and on advertising to users, has caused an angry backlash. It is seen by many as Facebook breaking its promises on data privacy.

Can users opt out of their personal data being shared with Facebook?

Yes, at least to some extent.

Existing users can choose not to share their account information with Facebook for the purposes of improving their Facebook ads and products experiences. However, Facebook will still receive and use information for other purposes, such as improving infrastructure and delivery systems, understanding how WhatsApp or Facebook’s services are used, securing systems, and fighting spam, abuse or infringement activities.

Again, it’s not clear exactly what information Facebook will receive and whether or not this will be anonymised.

Users can opt out of sharing information with Facebook when they accept WhatsApp’s updated terms of service and privacy policy for the first time. Where users have already accepted the updated terms, they have an additional 30 days to opt out.

More details on how to opt out are set out in WhatsApp’s FAQs.

Can users refuse to share any information with Facebook?

No. If users don’t want to share any information at all with Facebook, then they need to refuse to accept the updated WhatsApp’s terms and privacy policy. If they don’t accept the updated terms, they will not be able to continue using WhatsApp.

How have the German data protection authorities reacted to the announcement?

On 27 September 2016, the Hamburg Commissioner for Data Protection and Freedom of Information issued an administrative order prohibiting Facebook with immediate effect from collecting and storing data of German WhatsApp users. Facebook has also been ordered to delete all data that has already been forwarded by WhatsApp.

Why has the Hamburg commissioner issued the administrative order?

The commissioner says in the administrative order that he is acting to protect the privacy of Germany’s 35 million WhatsApp users. He is also concerned about the privacy of the individuals whose contact details are saved in each WhatsApp user’s address books and whose data might also be transferred to Facebook, even if those individuals don’t have a Facebook or WhatsApp account.

The order states that it has to be the decision of each WhatsApp user whether they want to connect their WhatsApp account with Facebook and Facebook must ask for their permission in advance, which so far hasn’t happened. The Commissioner goes on to say that, having issued public assurances that the personal data of WhatsApp users would not be shared between them, Facebook and WhatsApp are misleading both their users and the public by now sharing that data.

Under data protection law, the transfer of personal data to Facebook is only permitted if either WhatsApp users have given a valid consent to the transfer or if there is another permitted legal basis for the transfer. However, the order states that Facebook has not obtained an effective approval from WhatsApp users and that there is no other legal basis for Facebook to receive the data.

The transfer of personal data to Facebook would therefore be a breach of data protection law and, to prevent this from happening, the Commissioner has issued the order which states that:

‘…according to Facebook, this gigantic amount of data has not yet been collected. Facebook’s answer, that this has merely not been done for the time being, is cause for concern that the gravity of the data protection breach will have [a much] more severe impact’.

How have the changes been received in the US?

The administrative order comes about a week after a number of consumer privacy groups sent a letter to the US Federal Trade Commission (FTC) urging the FTC to investigate the proposed changes.

The letter supports a complaint previously filed with the FTC by the Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD), which also requested the FTC to investigate and prevent the proposed transfer and use of WhatsApp users’ data. The complaint claims that relying on an opt-out rather than obtaining the express affirmative consent of WhatsApp users to use data in a manner that is materially inconsistent with promises made at the time the data was collected:

• breaches the FTC’s order issued against Facebook in 2011, which requires Facebook and its subsidiaries to obtain consumers’ affirmative express consent before sharing their non-public information in a manner that materially exceeds any privacy setting, and
• could be a deceptive and unfair practice under section 5 of the Federal Trade Commission Act

The FTC has said that it will ‘carefully review’ the complaint, but as FTC investigations are non-public until the FTC decides to issue a formal complaint or close the investigation, the FTC can neither confirm nor deny whether there is an ongoing investigation into the issues raised in the complaint. However, given that the FTC wrote to WhatsApp and Facebook at the time of the acquisition reminding them of the promises that they were making in respect of users’ personal data and that they needed to obtain affirmative express consent from users before making any changes, it is likely that the FTC will indeed ‘carefully review’ the complaint.

Is it likely that the UK and other EU Member States will now take similar action?

A number of data protection authorities in other Member States have also raised concerns over the data sharing scheme.

The UK’s Information Commissioner’s Office (ICO) has said that, although organisations do not need to get prior approval from the ICO to change their approach, they must stay within the data protection laws and the ICO will be looking into the changes. The ICO has also indicated that they are reviewing the data sharing between WhatsApp and Facebook (see LNB News 03/10/2016 124).

Meanwhile, the Italian data protection authority has launched an investigation, asking WhatsApp to explain what information it plans to share with Facebook and what is being done to explain to users how their data might be used—the French data protection authority, the CNIL, has also said that its privacy watchdogs will be monitoring the change to WhatsApp’s policy with great vigilance.

What is likely to happen next?

Facebook has issued a statement stating that it complies with EU data protection law and that it will work with the Hamburg Data Protection Authority in an effort to address their questions and resolve any concerns. Facebook has also stated that it will appeal the order.

In the meantime, the EU competition commissioner, Margrethe Vestager has announced that EU officials will be ‘asking some follow-up questions’ about the changes. Facebook’s emailed statement stated that it was ‘cooperating with the Commission and will continue to provide detailed information to address its concerns’.

Although Facebook’s statement that it wouldn’t share the personal data of WhatsApp’s users wasn’t a binding pledge to the EU regulators who approved the WhatsApp acquisition, Facebook will most likely be keen to allay the Commission’s concerns given that the EU’s approval of the acquisition can be revoked if Facebook provided incorrect information during the approval process.

Interviewed by Alex Heshmaty.