Facebook ordered to stop collecting WhatsApp user data in Germany


Last month, WhatsApp announced that it was going to start sharing users’ phone numbers and other personal information with its parent company, Facebook.

So much for years of promises that it would never do exactly that.

The move was for ad targeting, of course, and to give businesses a way to communicate with users about other things, like letting your bank inform you about a potentially fraudulent transaction or getting a heads-up from an airline about a delayed flight.

For a window of 30 days, WhatsApp offered users the option of opting out of data sharing for the purposes of advertising, but no way to entirely opt out of the new data sharing scheme.

The move outraged privacy advocates. After all, at the time of its $19 billion acquisition by Facebook in 2014, it had promised never to share data.

That promise goes back further still. In November 2009, WhatsApp founder Jan Koum posted to the company’s blog this promise:

So first of all, let’s set the record straight. We have not, we do not and we will not ever sell your personal information to anyone. Period. End of story. Hopefully this clears things up.

Now, Germany has said Hell, nein! to the privacy policy switcheroo.

As The Guardian reports, the German data protection agency has ordered Facebook to stop collecting user data from its WhatsApp messenger app and to delete any data it’s already received on roughly 35 million German users.

The New York Times reports that the city of Hamburg’s data protection commissioner gave the order on Tuesday.

Facebook’s German activities are headquartered in that city.

In his Tuesday ruling, Hamburg’s Commissioner for Data Protection and Freedom of Information Johannes Caspar said that Facebook “neither has obtained an effective approval from the WhatsApp users, nor does a legal basis for the data reception exist”.

It has to be [the users’] decision whether they want to connect their account with Facebook. Facebook has to ask for their permission in advance.

Following WhatsApp backtracking on that promise with the August policy change, privacy groups have pushed back. The Electronic Privacy Information Center (EPIC) and The Center for Digital Democracy (CDD) have asked the US Federal Trade Commission (FTC) to obtain “express opt-in consent” from its existing users for the privacy policy change.

As the groups pointed out in their complaint, prior to the privacy policy update, WhatsApp’s privacy policy had promised that it didn’t use mobile phone numbers or other Personally Identifiable Information (PII) to send commercial or marketing messages without users’ consent.

According to the Guardian, Caspar said he was blocking WhatsApp to protect the privacy of not only German users but also that of people saved in each user’s address books, whose details might also be forwarded under the data-sharing arrangement.

The publication quoted a Facebook spokesperson who said that the company is working with the commissioner to iron it all out:

Facebook complies with EU data protection law. We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns.

This is just the latest in a bevvy of privacy migraines for Facebook in Europe.

In December 2015, Belgium ordered it to stop tracking non-users in the country or face fines of up to €250,000 EUR ($267,000 USD) a day.

In February, France told it to knock it off, too.

In July, Facebook won its appeal of the Belgian decision.

The German order only affects German users.