France: WhatsApp has no legal basis to share data with Facebook

Data privacy authority says WhatsApp has breached the Data Protection Act

WhatsApp has been handed an ultimatum by the French data protection watchdog that says it has one month to bring its data sharing policies in line with the country's privacy laws or it will face a substantial fine.

French data protection authority CNIL revealed on Monday that it had told WhatsApp it needed to review its procedures around the sharing of data with its parent company Facebook, particularly those linked to current policies for collecting consent from users.

CNIL said the social media site had failed in its obligation to work with the authority, and had no legal basis to share data with Facebook.

While the use of data sharing for security reasons is accepted by the French authority, the sharing of data for the use of improving application features, known as "business intelligence", can't be justified, according to today's statement.

Advertisement - Article continues below
Advertisement - Article continues below

"The President and the two Vice-Presidents of the CNIL have decided to publish this notice to ensure the highest level of transparency on the massive data transmission from a large number of users of WhatsApp to Facebook Inc. and thus alert to the need to put people in a position to maintain control of their data," a CNIL statement read.

"If the company does not comply with this formal notice within the time limit, the President may appoint a rapporteur who will propose if necessary to the restricted training of the CNIL, responsible for punishing breaches of the law, to impose a penalty."

WhatsApp has been locked in a regulatory battle with the European Union since it first announced it would be sharing user data with its parent company Facebook in 2016. The move raised immediate concerns among EU authorities that the process was automatic and that users were not being asked to give their consent.

WhatsApp was slapped with a warning in October 2016 after EU officials believed the company had done little to alleviate fears over its data sharing processes. A letter produced by the Article 29 Working Party, urged WhatsApp to halt its plans to share data until "appropriate legal protections can be assured".

The EU Commission would eventually hit Facebook with a 10 million fine in May this year for providing "misleading information" during the investigation into the company's acquisition of WhatsApp in 2014. Facebook had repeatedly told regulators that it would be impossible to automatically link Facebook profiles with WhatsApp accounts for the purpose of data sharing, something that was eventually implemented in 2016.

Today, the CNIL said that WhatsApp had failed to secure user consent for the sharing of data for "business intelligence" purposes and that while sharing of security data appeared to be fundamental to the functioning of the application, the sharing of data to improve features was not essential.

Advertisement - Article continues below

The CNIL added that "the only way to refuse the data transfer for "business intelligence" purpose is to uninstall the application".

WhatsApp has been repeatedly asked to provide a sample of data from French users, however the company has so far refused, as "the company has indicated that it is unable to provide this information to the extent that, being United States, it considers itself subject only to the legislation of that country," according to the statement.

While the ongoing dispute has so far only involved minor fines, the impending changes under GDPR will mean French data protection authorities will be able to issue sanctions of up to 4% of a company's global turnover.

Image: Bigstock

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020