A win for the data protection of UK consumers – WhatsApp signs public commitment not to share personal data with Facebook until data protection concerns are addressed

By Information Commissioner Elizabeth Denham.

People have a right to have their personal data kept safe, only used in ways that are properly explained to them, and for certain uses of their data, to which they expressly consent. This is a requirement of the Data Protection Act.

My office has just completed an investigation, which commenced in August 2016, into whether WhatsApp could legally share users’ data with Facebook in the manner they were considering. In 2014 Facebook acquired WhatsApp, which offers an instant messaging service for smartphones.

My investigation found:

  1. WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
  2. WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
  3. In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
  4. I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.

I am pleased to state that WhatsApp has now signed an ‘undertaking’ wherein they have given a public commitment not to share personal data with Facebook until they can do so in compliance with the upcoming General Data Protection Regulation (GDPR), which comes into force in May this year. I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case. As WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as a ‘data processor’, as explained below), I would not be able to meet the criteria for issuing a civil monetary penalty under the Data Protection Act.

For those of you who wish to read this undertaking, I have enclosed a copy. As outlined in the undertaking, WhatsApp has assured us that it shall not, from the date of the undertaking, share personal data with companies in the Facebook family, for Facebook’s own purposes, until it can satisfy the requirements of the GDPR.

It is also important to state that UK consumers do not need to take any action as a result of this update.

My investigation has not been concerned about WhatsApp’s sharing of personal data with Facebook when Facebook are only providing a support service to WhatsApp. The technical term for such sharing is that WhatsApp can use Facebook as a data processor. This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns.

Data protection law does not prevent a company from sharing personal data – they just have to follow the legal requirements.

I therefore compliment WhatsApp in signing this undertaking, which I believe will build trust amongst their many UK users. I would also like to stress that signing an undertaking is not the end of story and I will closely monitor WhatsApp’s adherence to it.

There are two other interesting elements to this investigation that merit mention.

The first is the possibility of WhatsApp and Facebook sharing data and the broad concerns raised both in the community and the world of regulators. Concerns about possible inappropriate data sharing were raised by media reports, civil society groups, and data protection authorities globally as a result of WhatsApp updating their terms and conditions and privacy policy. At the heart of these concerns lies a desire for improved transparency, control, and accountability, at a time when personal data is ever more central to the business models of key players in the digital economy.

The issue was seized by European Data Protection Authorities of which I am a member. As Chair of the Article 29 Task Force on WhatsApp-Facebook data sharing, we actively worked with our European colleagues to bring a common focus and information base to our investigation. The Article 29 Working Party wrote collectively to WhatsApp to set out our concerns in October 2017.

The Hamburg Commissioner of Data Protection and Freedom of Information issued a press release on 2 March 2018, indicating that the Higher Administrative Court (OVG) Hamburg had confirmed his administrative order, banning Facebook from using WhatsApp user data for its own purposes.

The French data protection authority (CNIL) is in the process of bringing enforcement action against WhatsApp.

Other EU Data Protection Authorities also have ongoing investigations.

The second element of interest is the path ahead. The GDPR strengthens the rules on what constitutes ‘consent’. It also provides a stronger emphasis on effective transparency and accessible information for the public. This will be good news for UK users of social media services. We will be monitoring changes to WhatsApp’s privacy and terms and conditions under the new legislation.

Finally, in the interest of transparency I am enclosing a copy of my letter to WhatsApp dated 16 February 2018, which outlines the history and results of the investigation.

elizabeth-denham-blogElizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.
This entry was posted in Elizabeth Denham and tagged , , . Bookmark the permalink.

9 Responses to A win for the data protection of UK consumers – WhatsApp signs public commitment not to share personal data with Facebook until data protection concerns are addressed

  1. The link to “The Article 29 Working Party wrote collectively to WhatsApp to set out our concerns in October 2017” appears to be to a web server on a private network, and WP29 does not appear to have published it at http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 . Can the letter be uploaded / the URL corrected?

  2. Anonymous says:

    liar liar pants on fire

  3. I just downloaded my data from Facebook and as far as i can see it did not include the facial recognition data that they use to suggest tagging in photographs. Should I be concerned or is this a myth that FB can recognise my face?

  4. Dr V Cheryl Lee says:

    Dear Elizabeth,
    I was interested to see you on CBC the National regarding Cambridge Analytica….Perhaps you remember me…I was your female dentist in Calgary 100 years ago . I will be in London April 9 – 13.
    Dr V Cheryl Lee

  5. Raul Dhruva says:

    Great Article.It is really helpful for getting in depth knowledge about this recent data privacy issue. In addition to this we have also published one blog regarding how we can avoid such vulnerability of our account. Hope that you will consider sparing some time reading this short article which might help you and your audiences as well.

  6. Nurul nisa says:

    Thanks. Is this true?

  7. Dominica Grigoryeva says:

    Great Article.It is really helpful for getting in depth knowledge about this recent data privacy issue. That was very interesting. I’m very happy to know this subject. Scidex is a new scientific market space and i have been keeping an eye open on this new science market space.

  8. Nesha says:

    Dear sir very thanks for information data centre and sending data and safety data your article very help me please keep up post I follow you

Leave a Reply