A dramatic privacy about-face by messaging app WhatsApp this summer, in which it revealed an update to its T&Cs would for the first time allow the sharing of its user data with parent company Facebook, is getting the pair into hot water in Europe.
This week Facebook was ordered to stop harvesting data on WhatsApp users in Germany by the Hamburg city DPA, which hit out at the controversial change to WhatsApp’s T&Cs as both misleading to users and a breach of national data protection law. (Facebook disagrees, and is appealing the order in Germany.)
It now looks the UK’s national data protection watchdog, the ICO, is preparing to ramp up its action too. The ICO had already been — in its words — “considering” the deal, questioning whether the two companies were being transparent with users about how their data is being shared and used.
But speaking to the BBC’s PM program on Radio 4 yesterday, information commissioner Elizabeth Denham said it has launched “an investigation into the data-sharing”.
Asked by the BBC whether the ICO intends to follow the Hamburg DPA’s lead and order the data-sharing to be stopped, Denham said: “My intervention is an advocacy intervention on behalf of all of the WhatsApp users in the UK — and boy have we heard from them! They are quite concerned.
There’s a lot of anger out there. And again it goes back to promises, commitment, fairness and transparency.
“There’s a lot of anger out there. And again it goes back to promises, commitment, fairness and transparency. We have launched an investigation into the data-sharing, remembering that in 2014 when Facebook bought WhatsApp there was a commitment made that between the two companies they would not share information.”
The new WhatsApp T&Cs state that user data — including the mobile number used to register to use the service and a user’s last seen time within the app — will be shared with Facebook and the “Facebook family of companies”, including for marketing and ad targeting purposes.
Users reading the T&Cs before clicking ‘I agree’ might notice that there is a way to opt out of the data-sharing for ad targeting — but the agreement default opts users in, and the text next to the toggle to refuse to share is arguably confusingly worded. So it’s likely that many WhatsApp users will have agreed to the new privacy policy without realizing that means they are now handing data to Facebook.
“It’s an active and important investigation,” Denham added, during the PM interview. “I know the public wants to hear from us as to what we’re doing — and you will hear from us very shortly.”
A spokeswoman for the ICO could not confirm whether or not the ICO has a formal investigation into the data-sharing underway at this point, but did say it would be putting out an update soon, perhaps later today or on Monday.
In the PM interview, Denham was also pressed on whether the ICO is doing anything to stop data flowing now, while it probes the arrangement, but she said she thinks no data is yet flowing from UK WhatsApp users to Facebook.
“We are told that data is not yet being shared — so I am hoping that there is a pause in the data-sharing, and some rethinking of the terms and the consent and what data is being shared,” she said.
We’ve asked Facebook to confirm whether or not it is harvesting UK WhatsApp data at this point or not and will update this post with any response.
Making a general statement about the data-sharing agreement earlier this month, Europe’s Article 29 Working Party, the data protection body that represents the collective views of the DPAs of all 28 Member State of the EU, asserted that: “Users should keep control of their data when Internet giants massively compile it.”
Denham also referenced the WhatsApp-Facebook privacy controversy in other public comments this week, making her first public speech since taking over the role from the prior ICO, Christopher Graham.
Speaking at an event in London she noted: “We are currently reviewing data sharing between WhatsApp and other Facebook companies — all of this is about transparency and individual control.”
(Ironically that event, a one day conference entitled Personal Information Economy 2016, organized by a business consultancy called Ctrl–Shift, was funded with the help of Facebook cash — the event organizers confirmed to TechCrunch Facebook was one of the sponsors. So no surprise another of the speakers was Facebook’s Stephen Deadman, aka its global deputy “Chief Privacy Officer”. Ctrl Shift said all sponsors for the event were “printed clearly” in the event brochure that was shared with delegates on the day.)
In a wide-ranging first public speech that set our her priorities for leading the UK regulator through turbulent post-Brexit times, Denham said the ICO intends to pick and choose its investigations with the aim of maximizing its impact — to, as she put it, “enable results which can cascade across a sector”.
She added that technology is “already at the forefront of most of our major investigations”, noting that the ICO has also been asking questions about the massive Yahoo data breach, finally confirmed last week.
“As an independent regulator we have powers to issue fines of up to half a million pounds which could eventually rise to four percent of a business’ global turnover,” she warned. “In an ideal world we wouldn’t need to enforce, but we will use the stick in the cupboard when necessary. And remember it’s not just about the money — it’s about your reputation too, with your customers, the public and in the media spotlight.”
EC’s competition commissioner also eyeing big data and privacy
The Facebook-WhatsApp data-sharing agreement has also caught the attention of the EC’s competition commissioner, Margrethe Vestager, who earlier this month revealed her department was asking questions about the privacy policy changes, noting that the fact they didn’t merge data was factored in when the acquisition was approved.
Speaking at a conference on big data in Brussels this week, Vestager argued for the need for EU-wide regulation on data — referencing the Facebook-WhatsApp controversy and suggesting new rules are needed to enable the region’s regulators to keep up with tech giants’ use (and potential misuse) of data.
“Europe’s competition enforcers need to work together on big data — not just the Commission, but the national competition authorities as well,” she said. “Many of them are already doing that. Our French colleagues have launched a sector inquiry on big data. And the German authority is looking at whether Facebook may have misused its power to impose unfair privacy terms.
“But if we want to be able to deal with big data issues throughout the EU, then every national authority has to have the tools it needs to enforce the rules… I think there’s a strong case for new EU rules as part of the answer.”
Big data as a currency that can be used by tech giants to stifle competition is a theme Vestager has spoken on several times before.
This post was updated to include Vestager’s comments on Facebook-WhatsApp sharing data