France's CNIL: WhatsApp’s Data Sharing With Facebook Is Illegal

The French Data Protection Authority (CNIL) said that WhatsApp’s past and current data sharing practices with Facebook have no legal basis, and are therefore illegal. The agency notified Facebook to start obtaining proper consent from users as required by the French and European Union data protection laws.

WhatsApp Violates EU Privacy Laws

The Working Party 29 (WP29) group, which includes the chiefs of all the national data protection agencies in the European Union, has been investigating WhatsApp’s data sharing with Facebook ever since Facebook acquired WhatsApp. The WP29 observed that WhatsApp has been transferring its users’ data to Facebook for “business intelligence” and “security” purposes. This data included users’ phone numbers and their application use habits.

The Chair of CNIL considered that although the data collection for security purposes seemed acceptable, the data gathered for business intelligence was not in compliance with EU laws for data processing. CNIL noted that neither the users’ consent nor WhatsApp’s “legitimate interest” can be used as legal arguments for this type of data collection.

CNIL added that the consent is not validly collected because:

it is not specific to this purpose – when installing the application, users must accept that their data are processed for the messaging service, but also, in general, by FACEBOOK Inc. for accessory purposes such as the improvement of its service;

it is not free – the only way to refuse the data transfer for “business intelligence” purpose is to uninstall the application.

WhatsApp Refused To Cooperate With CNIL

According to CNIL, WhatsApp refused to provide it with a sample of the data collected from EU citizens because, according to the company, the data was being stored in the U.S., and WhatsApp believes it has to comply only with U.S. laws in this situation.

This seems like a strange argument for Facebook to make, considering it should be abiding by the EU-U.S. Privacy Shield agreement. On the other hand, perhaps the Privacy Shield is simply not a well-written piece of legislation if EU Data Protection Authorities can’t even investigate the type of data American companies gather on EU citizens and then transfer to their U.S. servers.

Because of this, CNIL was not able to fully investigate WhatsApp’s data sharing with Facebook. However, CNIL issued a formal notice to WhatsApp, demanding that it comply with the Data Protection Act within a month. If WhatsApp fails to do so, CNIL will appoint an investigator who may recommend sanctions against the company.

Earlier this year, CNIL fined Facebook for installing cookies on users' browsers that would collect data on them when browsing the web, even after they had signed out of Facebook.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.