The UK Information Commissioner’s Office (ICO) announced that WhatsApp has signed a public commitment not to share its users’ data with Facebook until such sharing will be fully compliant with the EU’s new General Data Protection Regulation (GDPR).
ICO’s Investigation Into WhatsApp Data Sharing
The ICO, which is UK’s Data Protection Authority (DPA), started its own investigation against WhatsApp’s data sharing with Facebook in 2016. The ICO’s investigation started in parallel with investigations from other European Union (EU) DPAs after Facebook purchased WhatsApp in 2014.
Two years after the acquisition, WhatsApp users received a message that within a month their data would be shared with Facebook. At the time, there was a limited opt-out option that let users avoid sharing only part of their data with Facebook.
The EU DPAs thought that WhatsApp users deserved a more fair warning, as well as a real opt-out option, without having to completely quit using the application. After all, one of the main promises WhatsApp made to build its user base in the first place was that it would never sell their data to anyone else or show them advertisements.
The ICO’s investigation found the following:
WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.
WhatsApp’s Public Commitment
The ICO didn’t find that WhatsApp had already begun sharing data with Facebook, possibly because the EU DPAs were quick to reach out to WhatsApp as soon as the users received the data sharing notification from the company. For this reason, the ICO will not fine or punish WhatsApp at this time, but it did get the company to make the aforementioned public commitment about not sharing data.
WhatsApp is still able to use Facebook as a “data processor,” which means Facebook can provide support service for WhatsApp. The ICO argued that if the data processing is done consistently with the law, then it shouldn’t raise any data protection concerns. The agency also clarified that data protection doesn’t mean that companies can’t share user data, just that they have to comply with the law when they do it.
Although the ICO seems content with WhatsApp signing the public commitment, it will continue to monitor WhatsApp’s adherence to it. Additionally, other countries’ DPAs will continue to investigate WhatsApp’s data sharing with Facebook. According to the ICO, France’s CNIL is preparing to bring enforcement action against WhatsApp, soon, but we don’t know yet what that could entail.