Kneppelhout & Korthals: WhatsApp and Facebook share user data. Can they do so?

11/03/2016

The European privacy watchdog (WP29) thinks not. Last Friday, the Article 29 Working Party sent a letter to WhatsApp in which it argues that the companies are not allowed to simply share data between WhatsApp and Facebook.

Earlier, our colleague Robbert Santifort wrote about the privacy concerns surrounding WhatsApp (in Dutch), especially after the acquisition by Facebook back in 2014. These concerns, despite WhatsApp’s recently launched end-to-end encryption, are justified. WhatsApp plays rather fast and loose with the data of its users, as it now shares everything with Facebook.

After WhatsApp’s acquisition by Facebook in 2014, Facebook modified the user terms and the privacy policy of WhatsApp for all users, including the newly acquired WhatsApp users. We can assume that the user terms and privacy policy of WhatsApp and Facebook did not match.

Why is this important for someone who was a WhatsApp user prior to the acquisition by Facebook?

When someone registers for an internet service, he has to agree to the terms and conditions and the privacy policy that the service in question applies. This is no different for someone who wants to use the services of Facebook or WhatsApp. Such terms and conditions state all the rules and guidelines for both the user and the company that offers the service. Among these terms and conditions is stated how you could use the service and under which conditions. The privacy policy could state under which conditions it may process your data. These words are written in italics for a reason. A user has the right to decide for himself whether or not he agrees with the terms and conditions. This is usually done through a checkbox that says “I agree with the terms and conditions”, and the same goes for the privacy policy. So far, all was well before the acquisition of WhatsApp by Facebook. The user had agreed to WhatsApp's terms back then anyway.

Here comes the tricky part. Based on privacy legislation, a company has to add a description of the purpose of processing user data. This description will contain information on the conditions under which it can process your data. In the end, it’s the user who grants permission to use the data for certain other purposes. The problem here lies in the fact that Facebook and WhatsApp did not have the same description for the use of user data prior to the acquisition of WhatsApp by Facebook.

For example, Facebook states in the purpose description of its privacy policy that it is allowed to post targeted ads on the accounts of its users. Also, Facebook is allowed to use personal data from users for marketing purposes. Both have the aim of generating revenue for Facebook. However, WhatsApp did not have such purpose descriptions in its privacy policy. After Facebook applied its terms and conditions to WhatsApp, you could question whether WhatsApp users would grant permission for the new way of processing data, and we can also question whether Facebook can go on and share data from WhatsApp users. According to the Article 29 Working Party, this is not allowed. They have major concerns about how things were handled. The privacy watchdog is requesting more information from WhatsApp for further investigation.

The Article 29 Working Party states another criticism in its letter to WhatsApp. They question the possibilities users have to exercise their rights. Furthermore, they wonder what the effects of sharing data will be for some WhatsApp users within Facebook as a whole. Not all WhatsApp users are Facebook users and vice versa. In such a case, can personal data be shared just like that?

For us at Kneppelhout, another question arose. Facebook now owns such a large amount of personal data; did it take all the appropriate technical and organizational measures to protect the personal data of its users? What if Facebook is hacked, as recently happened to Yahoo, and all 500 million personal data accounts get stolen? That will have an enormous impact. And that does not even take into account the individual consequences for each user. Anyway, we will probably have to wait a bit for a response from WhatsApp.

Ady van Nieuwenhuizen, IP Lawyer
Talin Ghazarian, IP Lawyer