WhatsApp and Facebook told to stop sharing data

Hör auf! Stop it! Arrête ça!

That’s the order of European countries who’ve laid it on the line to WhatsApp: Germany told it to stop sharing German users’ data with parent company Facebook in September 2016, the UK told it in November 2016 to back off before Facebook even started, and now France has joined the “get-your-hands-off!” countries.

The order came on Monday from France’s ultra-vigilant privacy watchdog, the Chair of the National Data Protection Commission (CNIL).

CNIL gave WhatsApp a month to comply. In its public notice, it said that the messaging app will face sanctions for sharing user phone numbers and usage data for “business intelligence” purposes if it doesn’t comply.

The watchdog explained that it started looking into the matter last year, after WhatsApp announced that it was going to start sharing users’ phone numbers and other personal information with Facebook, in spite of years of promises that it would never, ever do such a thing.

The move was for ad targeting, of course, and to give businesses a way to communicate with users about other things, like letting your bank inform you about a potentially fraudulent transaction or getting a heads-up from an airline about a delayed flight. The reasons fell into three buckets: targeted advertising, security, and evaluation and improvement of services (“business intelligence”).

For a window of 30 days, WhatsApp offered users the option of opting out of data sharing for the purposes of advertising, but no way to entirely opt out of the new data sharing scheme.

The move outraged privacy advocates. After all, at the time of its $19 billion acquisition by Facebook in 2014, WhatsApp had promised never to share data.

That promise goes back further still. In November 2009, WhatsApp founder Jan Koum posted to the company’s blog this promise:

“So first of all, let’s set the record straight. We have not, we do not and we will not ever sell your personal information to anyone. Period. End of story. Hopefully this clears things up.”

CNIL wanted an explanation of how the data was processed and transferred, and it asked WhatsApp to hold off on targeted advertising in the meantime.

In its efforts to verify that WhatsApp’s data processing was being done legally, CNIL carried out online inspections, sent a questionnaire to the company and then summoned WhatsApp to a hearing. WhatsApp told CNIL that the data of 10 million French users had actually never been used for targeted advertising, but no matter: CNIL says it uncovered violations of the French Data Protection Act during its investigations.

CNIL says the security purpose for the data transfer seemed to be essential for the app to function, so that part of the data transfer between WhatsApp and Facebook is legal. But not so the business intelligence – i.e., the sharing of non-essential information to improve the function of the app – given that users couldn’t opt out. From CNIL’s statement:

“The only way to refuse the data transfer for ‘business intelligence’ purpose is to uninstall the application.”

CNIL said that it had repeatedly asked WhatsApp to provide a sample of the French users’ data it had transferred to Facebook, but the company balked. WhatsApp explained that since it’s located in the US, it figures that it’s only subject to that country’s laws.

Umm, no, said CNIL, which says it has the power to regulate “the moment an operator processes data in France.”

WhatsApp said in a statement that it’s only collecting a smidgen of data because privacy is “incredibly important” to the company.

“It’s why we collect very little data, and encrypt every message.”

WhatsApp says it will continue to work with the CNIL “to ensure users understand what information we collect, as well as how it’s used,” and in spite of all these data protection authorities barking out differing orders:

“We’re committed to resolving the different, and at times conflicting, concerns we’ve heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018.”

The EU’s influential privacy body, the Article 29 Working Party (WP29), has been demanding answers from WhatsApp about its policy change since a few months after it was announced. The WP29 published an open letter that warned the chat app about sharing user data with the wider group of Facebook companies, forcing WhatsApp to pause data transfer.

In October, the WP29 once again turned its steely gaze WhatsApp-ward to step up action over user consent and privacy following Facebook’s failure to address breaches of EU law – failure that resulted in a £94m fine for “misleading” the EU over its WhatsApp takeover.