WhatsApp U-turn On Privacy Gets EU Challenge
A seismic shift in privacy policy by messaging app WhatsApp this summer, when it said it would begin sharing user data with parent company Facebook including for ad targeting, has now attracted the attention of European’s data protection watchdog group, the Article 29 Working Party.
The WP29 group wrote to WhatsApp founder Jan Koum yesterday, setting out its concerns about the privacy policy U-turn, including how the shift was communicated to users.
“The Article 29 Working Party (WP29) has serious concerns regarding the manner in which the information relating to the updated Terms of Service and Privacy Policy was provided to users and consequently about the validity of the users’ consent,” it writes.
“WP29 also questions the effectiveness of control mechanisms offered to users to exercise their rights and the effects that the data sharing will have on people that are not a user of any other service within the Facebook family of companies.”
It adds that its various members, so basically all the national DPAs of EU Member States, will “act in a coordinated way” to target any problems they identify, with a dedicated working group for enforcement actions set to address the WhatsApp issue specifically.
The letter asks WhatsApp for details of the specific data being shared, including data categories, source and recipients, and the effects of the data transfer on users and on “potential third persons”, so the working group can assess whether changes are necessary to ensure legal compliance.
The Wp29 group also urges WhatsApp to stop passing user data to Facebook while it investigates the legality of the arrangement.
WhatsApp declined to specify whether it would be halting data-sharing in Europe, per the WP29’s request, when we asked.
WhatsApp made the following statement: “We’re working with data protection authorities to address their questions. We’ve had constructive conversations, including before our update, and we remain committed to respecting applicable law.”
The WhatsApp-Facebook privacy policy U-turn had already drawn criticism from individual European Union member country data protection agencies, including the ICO in the UK and the Hamburg City DPA in Germany.
Europe’s competition commissioner, Margrethe Vestager, has also publicly flagged the arrangement as a concern, suggesting new rules are needed to enable the region’s regulators to keep up with tech giants’ use of data.