EU Privacy Chiefs Investigate WhatsApp And Yahoo

The Article 29 Working Party (WP29), which consists of privacy chiefs from across the 28 nations in the European Union (EU), informed WhatsApp in an official letter that it has “serious concerns” about its sharing of user data with Facebook. The group also sent a letter to Yahoo about the 2014 breach and reports that it scanned its entire user database for U.S. law enforcement.

Recently, Facebook announced that it’s going to change its privacy policy to allow sharing of WhatsApp user data with its social network service for advertising purposes. The data sharing would be automatic, but users would have an option for a limited opt-out within the first 30 days of the announcement. WhatsApp will continue to share basic data with Facebook, even after the opt-out.

EU Has "Serious Concerns" With WhatsApp/Facebook Data Sharing

The EU’s privacy chiefs seem to take issue with the data sharing because WhatsApp promised both in public posts and in its privacy policy that it would never share data for advertising purposes. WhatsApp users may now feel that the company may have tricked them because it has begun sharing their data with Facebook. The EU Data Protection authorities seem to feel the same way.

The WP29 also worries that the data sharing will have an effect on people who may not even be members of Facebook’s services. For instance, WhatsApp already sees the full contact list on your phone and can identify which of the people on the list are on WhatsApp and which aren’t. WhatsApp may share that contact information with Facebook.

Therefore, the privacy chiefs are requesting that WhatsApp and Facebook provide further detail about the information they are sharing between the two services, and reveal the sources of the data they collect about users.

EU Wants Answers For Yahoo Data Breach/U.S. Surveillance

The WP29 group also sent an official letter to Yahoo to request information about the 2014 data breach that exposed a record 500 million user accounts, which the company only recently disclosed.

The privacy chiefs want Yahoo to communicate all aspects of the data breach, notify all affected EU citizens about the adverse effects of the data breach, and cooperate with potential upcoming national investigations from multiple EU countries.

The EU recently passed new cybersecurity and data protection rules that mandate that all large companies must notify both EU authorities and the users “without undue delay.” Yahoo’s two-year delay doesn’t seem to match that definition. However, the new rules haven’t gone into effect yet, so it is unclear if the company can get in trouble for not notifying users and authorities on time.

The Data Protection authorities also want to know the legal basis and justification for Yahoo’s scanning of all of its users’ emails for the U.S. government and for allowing it to install backdoors on its systems. The EU authorities want Yahoo to describe how these activities were compliant with EU law because EU citizens comprise a good part of Yahoo’s user base.

How the companies resolve these issues will show how effective the new “Privacy Shield” data-sharing agreement between the U.S. and the EU really is. The new agreement was supposed to limit U.S. intelligence abuses after the previous “Safe Harbor” agreement was made invalid by the EU’s top court for this same reason.

The European Commission appeared to have entered the negotiations thinking that the U.S. government would act in good faith by guaranteeing it won’t perform mass surveillance of EU citizens in the future. However, if the Yahoo/NSA allegations are true, then nothing may have changed, and the Privacy Shield agreement may be as ineffective as the previous Safe Harbor agreement.

This time, EU citizens may have a little more power to sue the U.S. government with the help of EU authorities (ombudsman mechanism) due to the passing of the U.S. Judicial Redress Act, which gives foreigners the ability to sue the U.S. government over indiscriminate surveillance.

“The new arrangement includes commitments and assurance by the US that the competencies under US law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. The newly created Ombudsperson mechanism will handle and solve complaints or enquiries raised by EU individuals in relation to possible access by national intelligence services.” - The European Commission when it announced the Privacy Shield agreement earlier this year.

The WP29 enforcement subgroup will discuss WhatsApp’s data sharing with Facebook, as well as the Yahoo data breach and Yahoo’s alleged involvement in U.S. mass surveillance, at its November meeting.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Kimonajane
    Yahoo is another leftist run organization like Facebook/Twitter.
  • Supporter
    Have you noticed that 90% of spam in the mail you get comes from mail servers?