France: WhatsApp has no legal basis to share data with Facebook

Data privacy authority says WhatsApp has breached the Data Protection Act

WhatsApp has been handed an ultimatum by the French data protection watchdog that says it has one month to bring its data sharing policies in line with the country's privacy laws or it will face a substantial fine.

French data protection authority CNIL revealed on Monday that it had told WhatsApp it needed to review its procedures around the sharing of data with its parent company Facebook, particularly those linked to current policies for collecting consent from users.

Advertisement - Article continues below

CNIL said the social media site had failed in its obligation to work with the authority, and had no legal basis to share data with Facebook.

While the use of data sharing for security reasons is accepted by the French authority, the sharing of data for the use of improving application features, known as "business intelligence", can't be justified, according to today's statement.

"The President and the two Vice-Presidents of the CNIL have decided to publish this notice to ensure the highest level of transparency on the massive data transmission from a large number of users of WhatsApp to Facebook Inc. and thus alert to the need to put people in a position to maintain control of their data," a CNIL statement read.

Advertisement
Advertisement - Article continues below

"If the company does not comply with this formal notice within the time limit, the President may appoint a rapporteur who will propose if necessary to the restricted training of the CNIL, responsible for punishing breaches of the law, to impose a penalty."

Advertisement - Article continues below

WhatsApp has been locked in a regulatory battle with the European Union since it first announced it would be sharing user data with its parent company Facebook in 2016. The move raised immediate concerns among EU authorities that the process was automatic and that users were not being asked to give their consent.

WhatsApp was slapped with a warning in October 2016 after EU officials believed the company had done little to alleviate fears over its data sharing processes. A letter produced by the Article 29 Working Party, urged WhatsApp to halt its plans to share data until "appropriate legal protections can be assured".

The EU Commission would eventually hit Facebook with a 10 million fine in May this year for providing "misleading information" during the investigation into the company's acquisition of WhatsApp in 2014. Facebook had repeatedly told regulators that it would be impossible to automatically link Facebook profiles with WhatsApp accounts for the purpose of data sharing, something that was eventually implemented in 2016.

Advertisement - Article continues below

Today, the CNIL said that WhatsApp had failed to secure user consent for the sharing of data for "business intelligence" purposes and that while sharing of security data appeared to be fundamental to the functioning of the application, the sharing of data to improve features was not essential.

The CNIL added that "the only way to refuse the data transfer for "business intelligence" purpose is to uninstall the application".

WhatsApp has been repeatedly asked to provide a sample of data from French users, however the company has so far refused, as "the company has indicated that it is unable to provide this information to the extent that, being United States, it considers itself subject only to the legislation of that country," according to the statement.

While the ongoing dispute has so far only involved minor fines, the impending changes under GDPR will mean French data protection authorities will be able to issue sanctions of up to 4% of a company's global turnover.

Image: Bigstock

Advertisement
Advertisement

Recommended

Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020
Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354842/irish-data-regulator-racks-up
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020
Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Most Popular

Visit/security/cyber-security/355200/spacex-bans-the-use-of-zoom
cyber security

Elon Musk's SpaceX bans Zoom over security fears

2 Apr 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020