Whatsapp has access to email addresses and phone numbers, images and other media shared over the service, as well as information on when and where the application is used.
Facebook purchased the company in 2014, and Whatsapp updated its terms of service in 2016 to say it would transfer that kind of data to its new parent company.
Following an investigation, France’s National Data Protection Commission (Cnil) ruled that the transfer was in breach of French and European privacy laws.
“Users are not well enough informed, their consent is not requested, and they have no opportunity to oppose the transfer” of data, says Mathias Moulin, Cnil’s deputy director in charge of rights protection and sanctions.
“There are two major infringements, the first concerns the lack of legal basis for the transfer and the second one is related to the cooperation of Whatsapp. We consider they did not provide us with all the information we requested during the investigation.”
Whatsapp has a month to notify and give users options about the sharing of data if it wants to avoid a procedure that could lead to a fine of up to 3 million euros.
While that amount is a drop in the ocean considering Facebook’s revenue, Whatsapp on Tuesday showed some concern about the issue.
“Privacy is incredibly important to WhatsApp. It’s why we collect very little data, and encrypt every message,” a spokesperson told media.
“We will continue to work with the Cnil to ensure users understand what information we collect, as well as how it’s used.”
Merging of databases
Data sharing is a primary concern of digital rights and consumer advocates, especially when it comes to web giants like Facebook, Google and Amazon.
“If you live in a world where you don’t have control over your personal data, then that’s a world that raises security risks, privacy risks, and leaves you in a situation where companies generally know much more about you than you know about yourself,” says Joe McNamee of advocacy group European Digital Rights.
“[Whatsapp] were bought by Facebook and the database of Whatsapp was integrated with the database of Facebook,” he explains. “The amount of privacy intrusion that is generated from merging two databases is almost on an exponential scale, bigger than each of the databases themselves.”
Cnil’s investigation concerned three reasons given by Whatsapp for the use of personal data: security updates, which Cnil accepted; targeted advertising, which Cnil rejected and on which Whatsapp complied; and business intelligence, a term that has to do with the evaluation and implementation of services and whose vagueness concerned Cnil as well as advocates.
“This is an extremely broad and vague concept that would not allow a clear indication of the real purpose for which this data is being collected,” says Agustin Reyna, senior legal officer in the digital rights department of the European Consumer Organisation.
Power of dissuasion
The case could prove to be a precursor to others of its kind as the European Union-wide set of guidelines, the General Data Protection Regulation, is set to come into force in May 2018.
“There are very strict and concise rules,” says Reyna.
“For example, the provision of vast amounts of personal data cannot be a condition to access the service,” Reyna continues, noting the new regulations are “a very important signal that the governments and the agencies have given to the market players, so they adapt in order to avoid fines and being found in infringement of the law.”
In addition to providing a framework for data protection across EU states, the new regulations would also increase the financial penalties that could be levied against companies found to be in breach of privacy rules.
“Traditionally, big companies like to delay justice by as many appeals as possible, and also to use up the resources of the regulators that are trying to enforce the law,” says Joe McNamee.
“But the level of dissuasion that will be generated by the new rules should make it much more effective to protect citizen security and privacy.”