WhatsApp? You still don't get EU privacy laws, that's WhatsApp

Data regulator taskforce formed to look into firm's data slurp

WhatsApp's privacy policies have come under fresh scrutiny from the European Union's data protection regulators, who say the Facebook-owned business has failed to smarten up its act.

The Article 29 Working Party, which comprises data regulators from EU nations and the EU itself, believes that WhatsApp's latest terms and conditions are at odds with the Union's data protection laws.

In a letter (PDF) to WhatsApp CEO Jan Koum, the group said it had now launched a taskforce, led by the UK's information commissioner Elizabeth Denham, to investigate the issue.

The group first raised its concerns last year after WhatsApp updated its small print. In November 2016, Facebook was forced to put a pause on the ad-fuelling data harvest from UK-based users.

WhatsApp then added a "notice for EU users" in August 2017, but this has done little to pacify the European data protection group, which says it "does not, however, sufficiently address the issues of non-compliance with data protection law".

In addition, the group expressed its frustration that "a satisfactory resolution to the issues previously raised has not yet been achieved despite a significant period of time having passed".

The crux of the issue is that WhatsApp, which slurps a lot of EU citizens’ data, does so on the legal basis of consent. The EU's data protection wonks don’t think those terms offer users enough information.

The letter unpicks the ways in which WhatsApp's policy does not comply with the EU rules that consent must be informed, unambiguous, specific and freely given.

This includes the group's belief that WhatsApp's "take it or leave it" approach to service use doesn't constitute freely given consent, and the use of pre-ticked boxes is not "unambiguous".

The letter also expresses the opinion that "the information presented to users was seriously deficient as a means to inform their consent" and that consent "was insufficiently specific".

For instance, the initial screen "made no mention at all" of crucial information that would ensure users knew that clicking 'Agree' would see their data shared with the Facebook family.

In anticipation of WhatsApp and Facebook arguing they need to process data to pursue their legitimate business interests, the regulators noted that if they do so, these interests must be clearly defined and specific.

"The legitimate interest ground cannot be relied upon to justify the general combination of user data across services within the Facebook family of companies without adequate user controls and safeguards," the group said.

The letter is the latest in a string of attempts by European data protection bodies to bring Facebook and co’s data slurping under control.

Most recently, last month Zuck’s crew was handed a €1.2m fine by the Spanish Data Protection Agency for breaking privacy laws after it used information from millions of users for advertising without seeking consent.

A WhatsApp spokesperson said: "Over the last year we have engaged with data protection authorities to explain how our 2016 terms and privacy policy update apply to people who use WhatsApp in Europe. We remain committed to respecting applicable law and will continue to work collaboratively with officials in Europe to address their questions." ®

Biting the hand that feeds IT © 1998–2019