It has been quite a busy time for the European’s Article 29 Data Protection Working Party (WP29). After writing an open letter to Yahoo addressing the data breach which caused over 500 million users personal details to be stolen, the WP29 has also written to WhatsApp.
The concern surrounds the change in WhatsApp’s privacy settings, where it allowed Facebook to access their users’ data.
Is this an infringement?
Issues with WhatsApp T&C’s
There has been an out roar regarding WhatsApp’s privacy terms and conditions since its changes in August of this year. It allows their parent company, Facebook, to access its users’ personal details, which includes phone numbers.
The change in privacy settings is thought to be for a range of purposes, including marketing and advertising. European privacy officials have asked Facebook and WhatsApp to stop sharing its users’ personal details “until the appropriate legal protections can be assured”, said WP29’s Chairwoman Isabelle Falque-Pierrotin.
Wide audience
Given the popularity of the messaging app, the change in its privacy settings could easily affect millions of citizens across the EU. The changes in its privacy settings came as a surprise for interested parties, as both companies had reportedly vowed in their public statements to never exchange their users’ data.
Terms and conditions
One of the main issues here is that, if you don’t accept their terms and conditions, you will not be able to access the app. In an era of ‘business terms and conditions’ that are hundreds of pages long, this gives companies the ‘upper-hand’ as users do not want to be scrawling through them. In effect, this could allow companies to write in terms that are unfair, unknowing to the average user. By mindlessly accepting their terms and conditions, there is an argument that the average user has not given proper informed consent. As such, there is an argument to say that, by exchanging data, WhatsApp and Facebook are possibly breaching their users’ data protection rights.
The open letter
In its letter, the WP29 are interested to find out:
- The exact categories of data, whether it be names, telephone numbers, email addresses and physical addresses.
- The source of the data, whether it be from the users’ mobile phones.
- A list of who will be receiving the data and what effects the data transfer will have on users and potential third persons.
The information WP29 gathers could determine whether the changes are compliant with European data protection principles. The WP29 said that they had received a letter from Facebook to address the same issue, but did not disclose further information. As a precaution, WhatsApp has received a warning: not to proceed with exchanging their users’ data until there are appropriate legal protections in place.
National Data Protection Authorities
Those legal protections will not be implemented until WhatsApp responds appropriately, detailing information on the data exchange. There is “great uncertainty” surrounding the data sharing, with Data Protection Authorities in the U.K. (the Information Commissioner’s Office) also putting forward their concerns and questioning the control mechanisms in place for users. In Germany, regulators have already banned the social messaging app from sharing their customers’ details.