WhatsApp? You still don't get EU privacy laws, that's WhatsApp

WhatsApp's privacy policies have come under fresh scrutiny from the European Union's data protection regulators, who say the Facebook-owned business has failed to smarten up its act.

The Article 29 Working Party, which comprises data regulators from EU nations and the EU itself, believes that WhatsApp's latest terms and conditions are at odds with the Union's data protection laws.

In a letter (PDF) to WhatsApp CEO Jan Koum, the group said it had now launched a taskforce, led by the UK's information commissioner Elizabeth Denham, to investigate the issue.

The group first raised its concerns last year after WhatsApp updated its small print. In November 2016, Facebook was forced to put a pause on the ad-fuelling data harvest from UK-based users.

WhatsApp then added a "notice for EU users" in August 2017, but this has done little to pacify the European data protection group, which says it "does not, however, sufficiently address the issues of non-compliance with data protection law".

In addition, the group expressed its frustration that "a satisfactory resolution to the issues previously raised has not yet been achieved despite a significant period of time having passed".

The crux of the issue is that WhatsApp, which slurps a lot of EU citizens’ data, does so on the legal basis of consent. The EU's data protection wonks don’t think those terms offer users enough information.

The letter unpicks the ways in which WhatsApp policy does not comply with the EU rules that consent must be informed, unambiguous, specific and freely given.

This includes the group's belief that WhatsApp's "take it or leave it" approach to service use doesn't constitute freely given consent, and the use of pre-ticked boxes is not "unambiguous".

The letter also expresses the opinion that "the information presented to users was seriously deficient as a means to inform their consent" and that consent "was insufficiently specific".

For instance, the initial screen "made no mention at all" of crucial information that would ensure users knew that clicking 'Agree' would see their data shared with the Facebook family.

In anticipation of the WhatsApp and Facebook arguing they need to process data to pursue their legitimate business interests, the regulators noted that if they do so, these interests must be clearly defined and specific.

"The legitimate interest ground cannot be relied upon to justify the general combination of user data across services within the Facebook family of companies without adequate user controls and safeguards," the group said.

The letter is the latest in a string of attempts by European data protection bodies to bring Facebook and co’s data slurping under control.

Most recently, last month Zuck’s crew was handed a €1.2m fine by the Spanish Data Protection Agency for breaking privacy laws after it used information from millions of users for advertising without seeking consent.

A WhatsApp spokesperson said: "Over the last year we have engaged with data protection authorities to explain how our 2016 terms and privacy policy update apply to people who use WhatsApp in Europe. We remain committed to respecting applicable law and will continue to work collaboratively with officials in Europe to address their questions." ®